
Case: 1:23-cv-04954 Document #: 1 Filed: 07/28/23 Page 1 of 33 PageID #:1

UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF ILLINOIS
EASTERN DIVISION

ROCK MEYER, individually and on behalf of all others similarly situated,
Plaintiff,

vs.

BRYAN CAVE LEIGHTON PAISNER, LLP,
Defendant.

CASE NO. 1:23-CV-04954
JURY TRIAL DEMANDED

CLASS ACTION COMPLAINT

Plaintiff Rock Meyer (“Mr. Meyer” or “Plaintiff”) brings this action on behalf of himself, and all others similarly situated against Defendant, Bryan Cave Leighton Paisner LLP (“BCLP” or “Defendant”), and alleges as follows:

I. INTRODUCTION

1. Between February 23, 2023, and March 1, 2023, BCLP, a law firm with “extensive experience handling the full scope of complex privacy and security issues,”1 lost control over the highly sensitive personally identifiable information (“PII”) of Plaintiff and other similarly situated individuals (the “Class” or “Class Members”) in a massive and preventable data breach perpetrated by cybercriminals (the “Data Breach” or “Breach”). According to information and belief, the Data Breach affected at least 51,110 individuals.2

1 Data Privacy & Security, BCLP, https://www.bclplaw.com/en-US/practices/corporate/data-privacy-and-security-team/index.html.

2. According to information and belief, the Data Breach began on or around February 23, 2023, when an unauthorized party gained access to BCLP’s inadequately protected network and was not discovered by BCLP until four (4) days later, on February 27, 2022.3 Shockingly, despite discovering the Data Breach on February 27, 2023, BCLP allowed the Data Breach to continue for at least two more days, providing cybercriminals unfettered access to Plaintiff and the Class’s highly private information for an entire week.4

3. Following an internal investigation, BCLP learned cybercriminals had gained unauthorized access to Plaintiff’s and the Class’s PII, including but not limited to, their names, Social Security numbers, addresses, dates of birth, genders, employee identification numbers, and retirement and/or thrift plan information.5

4. On information and belief, cybercriminals bypassed BCLP’s inadequate security systems to access Plaintiff and the Class’s PII in its computer systems.

5. On or about June 15, 2023 – almost four months after the unauthorized party first gained access to Plaintiff and the Class’s PII – victims of the Data Breach were finally notified via letter that their highly sensitive and confidential PII was exposed (“Notice of Data Breach Letter”).6

2 See https://apps.web.maine.gov/online/aeviewer/ME/40/ca25f29f-db60-4baf-ba53-8bae79da4d97.shtml.

3 See Exhibit 1.

4 See id.

5 See id.

6. The Notice of Data Breach Letter obscured the nature of the breach and the threat it posed—failing to notify Plaintiff and the Class how many people were impacted, how the Breach happened, or why it took so long to begin notifying victims that hackers had gained access to highly sensitive PII.

7. Defendant’s failure to timely detect and report the Data Breach made the victims vulnerable to identity theft without any warnings to monitor their financial accounts or credit reports to prevent unauthorized use of their PII.

8. Defendant knew or should have known that each victim of the Data Breach deserved prompt and efficient notice of the Data Breach and assistance in mitigating the effects of PII misuse.

9. In failing to adequately protect Plaintiff’s and the Class’s PII, failing to adequately notify them of the Breach, and by obfuscating the nature of the breach, Defendant violated state and federal laws and harmed Plaintiff and the Class.

10. Plaintiff and members of the proposed Class are victims of Defendant’s negligence and inadequate cyber security measures.

11. Moreover, BCLP failed to properly use up-to-date security practices to prevent the Data Breach.

12. Plaintiff Rock Meyer is a Data Breach victim.7

6 See id.

7 See id.

13. Accordingly, Plaintiff, on his own behalf and on behalf of a class of similarly situated individuals, brings this lawsuit seeking injunctive relief, damages, and restitution, together with costs and reasonable attorneys’ fees, the calculation of which will be based on information in Defendant’s possession.

II. PARTIES

14. Plaintiff, Rock Meyer, is a natural person and citizen of Kentucky, where he intends to remain. Plaintiff Meyer is a Data Breach victim and received a Notice of Data Breach Letter.8

15. Defendant, BCLP, is a Missouri Corporation, with its principal place of business at 221 Bolivar Street, Jefferson City, MO 65101. Defendant BCLP can be served through its registered agent, CSC-Lawyers Incorporating Service Company, at 221 Bolivar Street, Jefferson City, MO 65101.

III. JURISDICTION & VENUE

16. This Court has subject matter jurisdiction over this action under 28 U.S.C. § 1332(d) because this is a class action wherein the amount in controversy exceeds the sum or value of $5,000,000, exclusive of interest and costs, there are more than 100 members in the proposed class, and Plaintiff and Defendant are citizens of different states.

17. This Court has personal jurisdiction over Defendant because Defendant maintains its principal place of business in this District and does substantial business in this District.

8 Id.

18. Venue is proper in this District under 28 U.S.C. § 1391(b)(2) because a substantial part of the events or omissions giving rise to the claim occurred in this District.

IV. FACTUAL ALLEGATIONS

BCLP

19. BCLP is a law firm that touts itself as “groundbreakers and innovators”9 that have “extensive experience handling the full scope of complex privacy and security issues.”10 BCLP boasts a total annual revenue of $900 million.11

20. BCLP’s services are specialized for companies “including 35% of the Fortune 500”12 who manage highly sensitive data. BCLP thus must oversee, manage, and protect the PII of its clients’13 consumers, including that of Plaintiff and the Class.

21. Indeed, BCLP advertises that it “routinely advise[s] clients in a variety of sectors, including hospitality, consumer services, healthcare, software and technology, financial services, travel, manufacturing, and retail” about how “to achieve the most streamlined international data privacy strategy as possible, and we excel at helping companies achieve their business goals while balancing and addressing privacy and security obligations.”14

9 About us, BCLP, https://www.bclplaw.com/en-US/about/about-bclp.html.

10 Data Privacy & Security, BCLP, https://www.bclplaw.com/en-US/practices/corporate/data-privacy-and-security-team/index.html.

11 BCLP Revenue, Zippia, https://www.zippia.com/bryan-cave-careers-17522/revenue/.

12 About us, BCLP, https://www.bclplaw.com/en-US/about/about-bclp.html.

13 “Mondelez Global LLC retained the legal services of the law firm Bryan Cave Leighton Paisner LLP (“Bryan Cave”) to provide advice on customary legal matter of a company of its size. To provide these services, Bryan Cave obtained some PII of current and former Mondelez employees.” Exhibit 1.

22. According to information and belief, these third-party employees, whose PII was collected by BCLP, do not do any business with BCLP.

23. In working with third-party employees’ highly sensitive data, BCLP assures that it “understand[s] the importance of keeping your PII secure,”15 boasting that it employs a plethora of ways to ensure the security of PII:

14 Data Privacy and Security, BCLP, https://www.bclplaw.com/en-US/practices/corporate/data-privacy-and-security-team/index.html#overview.

15 Privacy Notice, BCLP, https://www.bclplaw.com/en-US/legal-notices/privacy-notice.html.

24. BCLP also claims that it has “a world class incident response practice that has helped clients navigate major security incidents and data breaches, including ransomware attacks,” stating that it “leverage[s] that experience to help companies identify and remediate gaps in their readiness and to train companies how to respond to breaches effectively.”16

25. BCLP promises that, in the event of a data breach, it will “inform you of this without undue delay.”17

26. As a self-proclaimed “leader” in data privacy and security that handles highly sensitive aspects of its clients’ business, BCLP understood the need to protect Plaintiff’s and the Class’s data and prioritize data security. In fact, BCLP advertises that its “experience and practical approach to data breach response uniquely equip us to assist organizations by understanding both the law and the business implications of data breaches.”18

16 Data Privacy & Security, BCLP, https://www.bclplaw.com/en-US/practices/corporate/data-privacy-and-security-team/index.html.

17 Id.

18 Id.

27. But, according to information and belief, BCLP failed to strictly adhere to these policies in maintaining Plaintiff’s and the Class’s PII.

The Data Breach

28. Defendant collected and maintained Plaintiff and the Class’s PII in its computer systems. In collecting and maintaining Plaintiff’s and the Class’s PII, Defendant implicitly agreed that it would protect and safeguard that PII by complying with state and federal laws and regulations and applicable industry standards. Defendant was in possession of Plaintiff and the Class’s PII before, during, and after the Data Breach.

29. According to the Notice of Data Breach Letter, BCLP first detected suspicious activity within its network on February 27, 2023.19 Following an internal investigation, BCLP discovered the Data Breach occurred between February 23, 2023, and March 1, 2023.20 In other words, BCLP’s investigation revealed that not only had its network been hacked by cybercriminals at least four days before it discovered the Breach, but the Data Breach actually continued for another two days after BCLP first became aware of it.

30. Despite touting itself as a “leader” in data privacy and security, BCLP’s cyber and data security systems were completely inadequate and allowed cybercriminals to obtain files containing a treasure trove of thousands of individuals’ highly sensitive PII, including that of Plaintiff and the Class.

19 See Exhibit 1.

20 See id.

31. Additionally, Defendant admitted that PII was actually stolen during the Data Breach, confessing that the information was not just accessed, but that the “unauthorized third party acquired certain data” that Defendant is still struggling to identify.21

32. On or around June 15, 2023 – four months after the Breach first occurred – Plaintiff and Class Members were finally notified of the Data Breach.22

33. Despite BCLP’s duties and alleged commitments to safeguard PII, BCLP did not follow industry standard practices in securing Plaintiff and the Class’s PII, as evidenced by the Data Breach.

34. In response to the Data Breach, BCLP contends that it has “taken steps to address the incident and prevent a similar occurrence in the future,”23 or will do so. Although BCLP failed to expand on what these alleged “steps” are, such steps should have been in place before the Data Breach.

35. Through the Notice of Data Breach Letter, Defendant also recognized the actual imminent harm and injury that flowed from the Data Breach and encouraged Data Breach victims to “remain vigilant by reviewing account statements and monitoring free credit reports. You should regularly change your passwords. You may want to temporarily freeze your credit.”24

21 Id.

22 Id.

23 Id.

36. Even though Social Security numbers were exposed here, cybercriminals need not harvest a person’s Social Security number or financial account information in order to commit identity fraud or misuse Plaintiff’s and the Class’s PII. Cybercriminals can cross-reference the data stolen from the Data Breach and combine it with other sources to create “Fullz” packages, which can then be used to commit fraudulent account activity on Plaintiff’s and the Class’s financial accounts.

37. Plaintiff and the Class were only offered two (2) years of complimentary credit monitoring services, which does not adequately address the lifelong harm that victims will face following the Data Breach. Indeed, the Breach involves PII that cannot be changed, such as Social Security numbers and dates of birth. Further, the Breach exposed nonpublic, highly private information, a disturbing harm in and of itself.

38. Even with complimentary credit monitoring services, the risk of identity theft and unauthorized use of Plaintiff’s and Class Members’ PII is still substantially high. The fraudulent activity resulting from the Data Breach may not come to light for years.

39. On information and belief, Defendant failed to adequately train and supervise its IT and data security agents and employees on reasonable cybersecurity protocols or implement reasonable security measures, causing them to lose control over Plaintiff and the Class’s PII. Defendant’s negligence is evidenced by its failure to prevent the Data Breach and stop cybercriminals from accessing the PII.

24 Id.

The Data Breach was a Foreseeable Risk of which Defendant was on Notice.

40. Defendant’s data security obligations were particularly important given the substantial increase in cyberattacks and/or data breaches in similar industries preceding the date of the breach.

41. In light of recent high-profile data breaches at other law firms,25 Defendant knew or should have known that its electronic records and Plaintiff and the Class’s PII would be targeted by cybercriminals.

42. In 2021, a record 1,862 data breaches occurred, resulting in approximately 293,927,708 sensitive records being exposed, a 68% increase from 2020.26 The 330 breaches reported in 2021 exposed nearly 30 million sensitive records (28,045,658), compared to only 306 breaches that exposed nearly 10 million sensitive records (9,700,238) in 2020.27

43. Indeed, cyberattacks against the legal industry have become increasingly common for over ten years, with the FBI warning as early as 2011 that cybercriminals were “advancing their abilities to attack a system remotely” and “[o]nce a system is compromised, cyber criminals will use their accesses to obtain PII.” The FBI further warned that “the increasing sophistication of cyber criminals will no doubt lead to an escalation in cybercrime.”28

25 See https://abovethelaw.com/2023/04/major-biglaw-firm-suffers-cyber-security-breach-of-mergers-acquisitions-data/; https://www.just-food.com/features/tech-leaves-food-industry-more-exposed-to-cybersecurity-threat/; see also https://www.law.com/americanlawyer/2023/01/10/cyberattacks-inevitable-for-law-firms-highlighting-need-for-comprehensive-incident-response-plans/.

26 2021 Data Breach Annual Report, ITRC, chrome-extension://efaidnbmnnnibpcajpcglclefindmkaj/https://www.wsav.com/wp-content/uploads/sites/75/2022/01/20220124_ITRC-2021-Data-Breach-Report.pdf.

27 Id.

44. Therefore, the increase in such attacks, and the attendant risk of future attacks, was widely known to the public and to anyone in Defendant’s industry, including BCLP.

Plaintiff Meyer’s Experience

45. Plaintiff received a Notice of Data Breach Letter, dated June 15, 2023, notifying him that an unauthorized third party “acquired certain data” which included his PII. BCLP was in possession of Plaintiff’s PII before, during, and after the Data Breach.

46. Defendant deprived Plaintiff of the earliest opportunity to guard himself against the Data Breach’s effects by failing to notify him about it for over four months.

47. As a result of the Data Breach, Plaintiff spent hours dealing with the consequences of the Data Breach, which includes time spent verifying the legitimacy of the Notice of Data Breach Letter and self-monitoring his accounts and credit reports for suspicious and fraudulent activity. This time has been lost forever and cannot be recaptured. Plaintiff has spent and will continue to spend considerable time and effort monitoring his accounts to protect himself from additional identity theft for the rest of his life.

28 Gordon M. Snow Statement, FBI, https://archives.fbi.gov/archives/news/testimony/cyber-security-threats-to-the-financial-sector.

48. Plaintiff fears for his personal financial security and faces uncertainty over what PII was exposed in the Data Breach. Plaintiff has experienced and is experiencing feelings of anxiety, sleep disruption, stress, fear, and frustration because of the Data Breach. This goes far beyond allegations of mere worry or inconvenience; it is exactly the sort of injury and harm to a Data Breach victim that the law contemplates and addresses.

49. As a result of the Data Breach, Plaintiff has suffered actual misuse of his PII. Plaintiff received a fraud alert from PNC Bank after the Data Breach, notifying him of a fraudulent transaction. Due to the proximity of the fraud to the Data Breach, Plaintiff reasonably believes it was caused by the Data Breach.

50. Plaintiff suffered actual injury in the form of damages to and diminution in the value of Plaintiff’s PII—a form of intangible property that Plaintiff entrusted to Defendant, which was compromised in and as a result of the Data Breach.

51. Plaintiff has suffered imminent and impending injury arising from the substantially increased risk of fraud, identity theft, and misuse resulting from his PII being placed in the hands of unauthorized third parties and possibly criminals.

52. Plaintiff has a continuing interest in ensuring that his PII, which, upon information and belief, remains backed up in Defendant’s possession, is protected, and safeguarded from future breaches.

53. Plaintiff has also suffered injury directly and proximately caused by the Data Breach, including: (a) theft of Plaintiff’s valuable PII; (b) the imminent and certain impending injury flowing from fraud and identity theft posed by Plaintiff’s PII being placed in the hands of cyber criminals; (c) damages to and diminution in value of Plaintiff’s PII; (d) loss of the benefit of the bargain with Defendant to provide adequate and reasonable data security—i.e., the difference in value between what Plaintiff should have received from Defendant and Defendant’s defective and deficient performance of that obligation by failing to provide reasonable and adequate data security and failing to protect Plaintiff’s PII; (e) continued risk to Plaintiff’s PII, which remains in the possession of Defendant and which is subject to further breaches so long as Defendant fails to undertake appropriate and adequate measures to protect the PII that was entrusted to Defendant; and (f) actual misuse of his PII.

Plaintiff and the Proposed Class Face Significant Risk of Continued Identity Theft

54. Plaintiff and members of the proposed Class have suffered injury from the misuse of their PII that can be directly traced to Defendant.

55. As a result of Defendant’s failure to prevent the Data Breach, Plaintiff and the proposed Class have suffered and will continue to suffer damages, including monetary losses, lost time, anxiety, and emotional distress. They have suffered or are at an increased risk of suffering:

a. The loss of the opportunity to control how their PII is used;

b. The diminution in value of their PII;

c. The compromise and continuing publication of their PII;

d. Out-of-pocket costs associated with the prevention, detection, recovery, and remediation from identity theft or fraud;

e. Lost opportunity costs and lost wages associated with the time and effort expended addressing and attempting to mitigate the actual and future consequences of the Data Breach, including, but not limited to, efforts spent researching how to prevent, detect, contest, and recover from identity theft and fraud;

f. Delay in receipt of tax refund monies;

g. Unauthorized use of stolen PII; and

h. The continued risk to their PII, which remains in Defendant’s possession and is subject to further breaches so long as Defendant fails to undertake the appropriate measures to protect the PII in its possession.

56. Stolen PII is one of the most valuable commodities on the criminal information black market. According to Experian, a credit-monitoring service, stolen PII can be worth up to $1,000.00 depending on the type of information obtained.

57. The value of Plaintiff’s and the Class’s PII on the black market is considerable. Stolen PII trades on the black market for years, and criminals frequently post stolen PII openly and directly on various “dark web” internet websites, making the information publicly available, for a substantial fee of course.

58. It can take victims years to spot identity theft, giving criminals plenty of time to use that information for cash.

59. One such example of criminals using PII for profit is the development of “Fullz” packages.

60. Cyber-criminals can cross-reference two sources of PII to marry unregulated data available elsewhere to criminally stolen data with an astonishingly complete scope and degree of accuracy in order to assemble complete dossiers on individuals. These dossiers are known as “Fullz” packages.

61. The development of “Fullz” packages means that stolen PII from the Data Breach can easily be linked to Plaintiff’s and the proposed Class’s phone numbers, email addresses, and other unregulated sources and identifiers. In other words, even if certain information such as emails, phone numbers, or credit card numbers may not be included in the PII stolen by the cyber-criminals in the Data Breach, criminals can easily create a Fullz package and sell it at a higher price to unscrupulous operators and criminals (such as illegal and scam telemarketers) over and over. That is exactly what is happening to Plaintiff and members of the proposed Class, and it is reasonable for any trier of fact, including this Court or a jury, to find that Plaintiff’s and the Class’s stolen PII is being misused, and that such misuse is fairly traceable to the Data Breach.

62. Defendant disclosed the PII of Plaintiff and the Class for criminals to use in the conduct of criminal activity. Specifically, Defendant opened up, disclosed, and exposed the PII of Plaintiff and the Class to people engaged in disruptive and unlawful business practices and tactics, including online account hacking, unauthorized use of financial accounts, and fraudulent attempts to open unauthorized financial accounts (i.e., identity fraud), all using the stolen PII.

63. Defendant’s failure to properly notify Plaintiff and members of the Class of the Data Breach exacerbated Plaintiff’s and the Class’s injury by depriving them of the earliest ability to take appropriate measures to protect their PII and take other necessary steps to mitigate the harm caused by the Data Breach.

Defendant failed to adhere to FTC guidelines.

64. According to the Federal Trade Commission (“FTC”), the need for data security should be factored into all business decision-making. To that end, the FTC has issued numerous guidelines identifying best data security practices that businesses, such as Defendant, should employ to protect against the unlawful exposure of PII.

65. In 2016, the FTC updated its publication, Protecting PII: A Guide for Business, which established guidelines for fundamental data security principles and practices for business. The guidelines explain that businesses should:

a. protect the sensitive consumer information that they keep;

b. properly dispose of PII that is no longer needed;

c. encrypt information stored on computer networks;

d. understand their network’s vulnerabilities; and

e. implement policies to correct security problems.

66. The guidelines also recommend that businesses watch for large amounts of data being transmitted from the system and have a response plan ready in the event of a breach.

67. The FTC recommends that companies not maintain information longer than is needed for authorization of a transaction; limit access to sensitive data; require complex passwords to be used on networks; use industry-tested methods for security; monitor for suspicious activity on the network; and verify that third-party service providers have implemented reasonable security measures.

68. The FTC has brought enforcement actions against businesses for failing to adequately and reasonably protect consumer data, treating the failure to employ reasonable and appropriate measures to protect against unauthorized access to confidential consumer data as an unfair act or practice prohibited by Section 5 of the Federal Trade Commission Act (“FTCA”), 15 U.S.C. § 45. Orders resulting from these actions further clarify the measures businesses must take to meet their data security obligations.

69. Defendant’s failure to employ reasonable and appropriate measures to protect against unauthorized access to employees’ PII constitutes an unfair act or practice prohibited by Section 5 of the FTCA, 15 U.S.C. § 45.

V. CLASS ACTION ALLEGATIONS

70. Plaintiff sues on behalf of himself and the proposed nationwide class (“Class”) defined as follows, pursuant to Federal Rule of Civil Procedure 23(b)(2) and (b)(3):

All individuals residing in the United States whose PII was compromised in the Data Breach discovered by BCLP on or around February 27, 2023, and received a Notice of Data Breach Letter.

Excluded from the Class is Defendant, its agents, affiliates, parents, subsidiaries, any entity in which Defendant has a controlling interest, any of Defendant’s officers or directors, any successors, and any Judge who adjudicates this case, including their staff and immediate family.

18
Case: 1:23-cv-04954 Document #: 1 Filed: 07/28/23 Page 19 of 33 PageID #:19

71. Plaintiff reserves the right to amend the class definition.

72. This action satisfies the numerosity, commonality, typicality, and adequacy requirements under Fed. R. Civ. P. 23.

a. Numerosity. Plaintiff is representative of the Class, consisting of at least 51,000 members, far too many to join in a single action;

b. Ascertainability. Members of the Class are readily identifiable from information in Defendant’s possession, custody, and control;

c. Typicality. Plaintiff’s claims are typical of class claims as each arises from the same Data Breach, the same alleged violations by Defendant, and the same unreasonable manner of notifying individuals about the Data Breach.

d. Adequacy. Plaintiff will fairly and adequately protect the proposed Class’s interests. His interests do not conflict with the Class’s interests, and he has retained counsel experienced in complex class action litigation and data privacy to prosecute this action on the Class’s behalf, including as lead counsel.

e. Commonality. Plaintiff’s and the Class’s claims raise predominantly common fact and legal questions that a class-wide proceeding can answer for the Class. Indeed, it will be necessary to answer the following questions:

i. Whether Defendant had a duty to use reasonable care in safeguarding Plaintiff’s and the Class’s PII;

ii. Whether Defendant failed to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the Data Breach;

iii. Whether Defendant was negligent in maintaining, protecting, and securing PII;

iv. Whether Defendant breached contract promises to safeguard Plaintiff’s and the Class’s PII;

v. Whether Defendant took reasonable measures to determine the extent of the Data Breach after discovering it;

vi. Whether Defendant’s Breach Notice was reasonable;

vii. Whether the Data Breach caused Plaintiff’s and the Class’s injuries;

viii. What the proper damages measure is; and

ix. Whether Plaintiff and the Class are entitled to damages, treble damages, or injunctive relief.

73. Further, common questions of law and fact predominate over any individualized questions, and a class action is superior to individual litigation or any other available method to fairly and efficiently adjudicate the controversy. The damages available to individual plaintiffs are insufficient to make individual lawsuits economically feasible.

VI. CAUSES OF ACTION

COUNT I
Negligence

74. Plaintiff realleges all previous paragraphs as if fully set forth below.

75. Plaintiff’s and Class members’ PII was entrusted to Defendant. Defendant owed to Plaintiff and the Class a duty to exercise reasonable care in handling and using the PII in its care and custody, including implementing industry-standard security procedures sufficient to reasonably protect the information from the Data Breach, theft, and unauthorized use that came to pass, and to promptly detect attempts at unauthorized access.

76. Defendant owed a duty of care to Plaintiff and members of the Class because it was foreseeable that Defendant’s failure to adequately safeguard their PII in accordance with state-of-the-art industry standards concerning data security would result in the compromise of that PII—just like the Data Breach that ultimately came to pass. Defendant acted with wanton and reckless disregard for the security and confidentiality of Plaintiff’s and the Class’s PII by disclosing and providing access to this information to unauthorized third parties and by failing to properly supervise both the way the PII was stored, used, and exchanged, and those in its employ who were responsible for making that happen.

77. Defendant owed to Plaintiff and members of the Class a duty to notify them within a reasonable timeframe of any breach to the security of their PII. Defendant also owed a duty to timely and accurately disclose to Plaintiff and members of the Class the scope, nature, and occurrence of the Data Breach. This duty is required and necessary for Plaintiff and the Class to take appropriate measures to protect their PII, to be vigilant in the face of an increased risk of harm, and to take other necessary steps to mitigate the harm caused by the Data Breach.

78. Defendant owed these duties to Plaintiff and members of the Class

because they are members of a well-defined, foreseeable, and probable class of

individuals whom Defendant knew or should have known would suffer injury-in-fact

from Defendant’s inadequate security protocols. Defendant actively sought and

obtained Plaintiff’s and the Class’s PII.

79. The risk that unauthorized persons would attempt to gain access to the

PII and misuse it was foreseeable. Given that Defendant held vast amounts of PII, it

was inevitable that unauthorized individuals would attempt to access Defendant’s

databases containing the PII — whether by malware or otherwise.

80. PII is highly valuable, and Defendant knew, or should have known, the

risk in obtaining, using, handling, emailing, and storing the PII of Plaintiff and the

Class and the importance of exercising reasonable care in handling it, especially with

multiple other law firms experiencing data breaches.

81. Defendant breached its duties by failing to exercise reasonable care in

protecting the PII of Plaintiff and the Class, supervising and monitoring its employees,

agents, contractors, vendors, and suppliers, and in handling and securing the PII of

Plaintiff and the Class which actually and proximately caused the Data Breach and

Plaintiff’s and the Class’s injury. Defendant further breached its duties by failing to


provide reasonably timely notice of the Data Breach to Plaintiff and members of the

Class, which actually and proximately caused and exacerbated the harm from the

Data Breach and Plaintiff’s and members of the Class’s injuries-in-fact. As a direct

and traceable result of Defendant’s negligence and/or negligent supervision, Plaintiff

and the Class have suffered or will suffer damages, including monetary damages,

increased risk of future harm, embarrassment, humiliation, frustration, and emotional

distress.

82. Defendant’s breach of its common-law duties to exercise reasonable

care and its failures and negligence actually and proximately caused Plaintiff and

members of the Class actual, tangible, injury-in-fact and damages, including, without

limitation, the theft of their PII by criminals, improper disclosure of their PII, lost

benefit of their bargain, lost value of their PII, and lost time and money incurred to

mitigate and remediate the effects of the Data Breach that resulted from and were

caused by Defendant’s negligence, which injury-in-fact and damages are ongoing,

imminent, immediate, and which they continue to face.

COUNT II
Negligence Per Se

83. Plaintiff realleges all previous paragraphs as if fully set forth below.

84. Pursuant to the FTC Act, 15 U.S.C. § 45, Defendant had a duty to provide

fair and adequate computer systems and data security practices to safeguard Plaintiff’s

and the Class’s PII.

85. Section 5 of the FTC Act prohibits “unfair . . . practices in or affecting


commerce,” including, as interpreted and enforced by the FTC, the unfair act or practice

by businesses, such as Defendant, of failing to use reasonable measures to protect

customers or, in this case, employees’ PII. The FTC publications and orders

promulgated pursuant to the FTC Act also form part of the basis of Defendant’s duty to

protect Plaintiff’s and the members of the Class’s PII.

86. Defendant breached its respective duties to Plaintiff and Class Members

under the FTC Act by failing to provide fair, reasonable, or adequate computer systems

and data security practices to safeguard PII.

87. Defendant’s duty to use reasonable care in protecting confidential data

arose not only as a result of the statutes and regulations described above, but also

because Defendant is bound by industry standards to protect confidential PII.

88. Defendant violated its duty under Section 5 of the FTC Act by failing to

use reasonable measures to protect Plaintiff’s and the Class’s PII and not complying

with applicable industry standards as described in detail herein. Defendant’s conduct

was particularly unreasonable given the nature and amount of PII Defendant collected

and stored and the foreseeable consequences of a data breach, including, specifically,

the immense damages that would result to individuals in the event of a breach, which

ultimately came to pass.

89. The harm that has occurred is the type of harm the FTC Act is intended

to guard against. Indeed, the FTC has pursued numerous enforcement actions against

businesses that, because of their failure to employ reasonable data security measures and

avoid unfair and deceptive practices, caused the same harm as that suffered by Plaintiff


and the Class.

90. But for Defendant’s wrongful and negligent breach of the duties owed to

Plaintiff and members of the Class, Plaintiff and members of the Class would not have

been injured.

91. The injury and harm suffered by Plaintiff and members of the Class were

the reasonably foreseeable result of Defendant’s breach of its duties. Defendant knew

or should have known that it was failing to meet its duties and that its breach would

cause Plaintiff and members of the Class to suffer the foreseeable harms associated

with the exposure of their PII.

92. Had Plaintiff and the Class known that Defendant did not adequately

protect their PII, Plaintiff and members of the Class would not have allowed Defendant

to access their PII.

93. Defendant’s various violations and its failure to comply with applicable

laws and regulations constitute negligence per se.

94. As a direct and proximate result of Defendant’s negligence per se,

Plaintiff and the Class have suffered harm, including loss of time and money resolving

fraudulent charges; loss of time and money obtaining protections against future identity

theft; lost control over the value of PII; harm resulting from damaged credit scores and

information; and other harm resulting from the unauthorized use or threat of

unauthorized use of stolen PII, entitling them to damages in an amount to be proven at

trial.

95. Additionally, as a direct and proximate result of Defendant’s negligence


per se, Plaintiff and Class members have suffered and will suffer the continued risks of

exposure of their PII, which remains in Defendant’s possession and is subject to further

unauthorized disclosures so long as Defendant fails to undertake appropriate and

adequate measures to protect their PII in its continued possession.

COUNT III
Unjust Enrichment

96. Plaintiff realleges all previous paragraphs as if fully set forth below.

97. This claim is pleaded in the alternative to the breach of contract claim(s).

98. Plaintiff and members of the Class conferred a benefit upon Defendant in

providing their PII to Defendant.

99. Defendant appreciated or had knowledge of the benefits conferred upon it

by Plaintiff and the Class. Defendant also benefited from the receipt of Plaintiff’s and the

Class’s PII, as this was used to facilitate the services it sold to businesses.

100. Under principles of equity and good conscience, Defendant should not be

permitted to retain the full value of the benefit because Defendant failed to adequately

protect their PII. Plaintiff and the proposed Class would not have provided their PII to

Defendant had they known Defendant would not adequately protect their PII.

101. Defendant should be compelled to disgorge into a common fund for the

benefit of Plaintiff and members of the Class all unlawful or inequitable proceeds

received by it because of its misconduct and the Data Breach.


COUNT IV
Invasion of Privacy

102. Plaintiff realleges all previous paragraphs as if fully set forth below.

103. Plaintiff and Class Members had a legitimate expectation of privacy

regarding their PII and were accordingly entitled to the protection of this information

against disclosure to unauthorized third parties.

104. Defendant owed a duty to Plaintiff and Class Members to keep their PII

confidential.

105. Defendant affirmatively and recklessly disclosed Plaintiff’s and Class

Members’ PII to unauthorized third-parties.

106. The unauthorized disclosure and/or acquisition (i.e., theft) by a third

party of Plaintiff’s and Class Members’ PII is highly offensive to a reasonable person.

107. Defendant’s reckless and negligent failure to protect Plaintiff’s and Class

Members’ PII constitutes an intentional interference with Plaintiff’s and the Class

Members’ interest in solitude or seclusion, either as to their person or as to their private

affairs or concerns, of a kind that would be highly offensive to a reasonable person.

108. In failing to protect Plaintiff’s and Class Members’ PII, Defendant acted

with a knowing state of mind when it permitted the Data Breach because it knew its

information security practices were inadequate.

109. Defendant knowingly did not notify Plaintiff and Class Members in a

timely fashion about the Data Breach.

110. Because Defendant failed to properly safeguard Plaintiff’s and Class


Members’ PII, Defendant had notice and knew that its inadequate cybersecurity

practices would cause injury to Plaintiff and the Class.

111. As a proximate result of Defendant’s acts and omissions, Plaintiff’s and

the Class Members’ private and sensitive PII was stolen by a third party and is now

available for disclosure and redisclosure without authorization, causing Plaintiff and

the Class to suffer damages.

112. Defendant’s wrongful conduct will continue to cause great and

irreparable injury to Plaintiff and the Class since their PII is still maintained by

Defendant with its inadequate cybersecurity system and policies.

113. Plaintiff and Class Members have no adequate remedy at law for the

injuries relating to Defendant’s continued possession of their sensitive and confidential

records. A judgment for monetary damages will not end Defendant’s inability to

safeguard Plaintiff’s and the Class’s PII.

114. Plaintiff, on behalf of himself and Class Members, seeks injunctive relief

to enjoin Defendant from further intruding into the privacy and confidentiality of

Plaintiff’s and Class Members’ PII.

115. Plaintiff, on behalf of himself and Class Members, seeks compensatory

damages for Defendant’s invasion of privacy, which includes the value of the privacy

interest invaded by Defendant, the costs of future monitoring of their credit history for

identity theft and fraud, plus prejudgment interest, and costs.


COUNT V
Violations of the Illinois Consumer Fraud and
Deceptive Business Practices Act (“CFA”), 815 Ill. Comp. Stat. §§ 505/1, et seq.

116. Plaintiff realleges all previous paragraphs as if fully set forth below.

117. Plaintiff and the Class are “consumers” as defined in 815 Ill. Comp. Stat.

§ 505/1(e). Plaintiff, the Class, and Defendant are “persons” as defined in 815 Ill.

Comp. Stat. § 505/1(c).

118. Defendant engaged in “trade” or “commerce,” including the provision of

services, as defined under 815 Ill. Comp. Stat. § 505/1(f). Defendant engages in the

sale of “merchandise” (including services) as defined by 815 Ill. Comp. Stat. §

505/1(b) and (d).

119. Defendant engaged in deceptive and unfair acts and practices,

misrepresentation, and the concealment and omission of material facts in connection

with the sale and advertisement of its services in violation of the CFA, including: (i)

failing to maintain adequate data security to keep Plaintiff’s and the Class Members’

sensitive PII from being stolen by cybercriminals and failing to comply with applicable

state and federal laws and industry standards pertaining to data security, including the

FTC Act; (ii) failing to disclose or omitting material facts to Plaintiff and the Class

regarding their lack of adequate data security and inability or unwillingness to properly

secure and protect the PII of Plaintiff and the Class; (iii) failing to disclose or omitting

material facts to Plaintiff and the Class about Defendant’s failure to comply with the

requirements of relevant federal and state laws pertaining to the privacy and security of

the PII of Plaintiff and the Class; and (iv) failing to take proper action following the


Data Breach to enact adequate privacy and security measures and protect Plaintiff’s

and the Class’s PII and other PII from further unauthorized disclosure, release, data

breaches, and theft.

120. These actions also constitute deceptive and unfair acts or practices

because Defendant knew the facts about its inadequate data security and failure to

comply with applicable state and federal laws and industry standards would be

unknown to and not easily discoverable by Plaintiff and the Class and defeat their

reasonable expectations about the security of their PII.

121. Defendant intended that Plaintiff and the Class rely on its deceptive and

unfair acts and practices and the concealment and omission of material facts in

connection with Defendant’s offering of goods and services.

122. Defendant’s wrongful practices were and are injurious to the public

because those practices were part of Defendant’s generalized course of conduct that

applied to the Class. Plaintiff and the Class have been adversely affected by

Defendant’s conduct and the public was and is at risk as a result thereof.

123. Defendant also violated 815 ILCS 505/2 by failing to immediately notify

Plaintiff and the Class of the nature and extent of the Data Breach pursuant to the

Illinois PII Protection Act, 815 ILCS 530/1, et seq.

124. As a result of Defendant’s wrongful conduct, Plaintiff and the Class were

injured in that they never would have provided their PII to Defendant, or purchased

Defendant’s services, had they known or been told that Defendant failed to maintain

sufficient security to keep their PII from being hacked and taken and misused by


others.

125. As a direct and proximate result of Defendant’s violations of the CFA,

Plaintiff and the Class have suffered harm: (i) actual identity theft; (ii) the loss of the

opportunity to control how their PII is used; (iii) the compromise, publication, and/or theft of

their PII; (iv) out-of-pocket expenses associated with the prevention, detection, and

recovery from identity theft, and/or unauthorized use of their PII; (v) lost opportunity

costs associated with effort expended and the loss of productivity addressing and

attempting to mitigate the actual and future consequences of the Data Breach, including

but not limited to efforts spent researching how to prevent, detect, contest, and recover

from identity theft; (vi) the continued risk to their PII, which remains in Defendant’s

possession and is subject to further unauthorized disclosures so long as Defendant fails

to undertake appropriate and adequate measures to protect PII in its continued

possession; and (vii) future costs in terms of time, effort, and money that will be

expended to prevent, detect, contest, and repair the impact of the PII compromised as a

result of the Data Breach for the remainder of the lives of Plaintiff and Class Members.

126. Pursuant to 815 Ill. Comp. Stat. § 505/10a(a), Plaintiff and the Class seek

actual and compensatory damages, injunctive relief, and court costs and attorneys’ fees

as a result of Defendant’s violations of the CFA.

VII. PRAYER FOR RELIEF


Plaintiff and the Class demand a jury trial on all claims so triable and request

that the Court enter an order:

A. Certifying this case as a class action on behalf of Plaintiff and the


proposed Class, appointing Plaintiff as class representative, and

appointing Plaintiff’s counsel to represent the Class;

B. Awarding declaratory and other equitable relief as is necessary to

protect the interests of Plaintiff and the Class;

C. Awarding injunctive relief as is necessary to protect the interests of

Plaintiff and the Class;

D. Enjoining Defendant from further deceptive practices and making

untrue statements about the Data Breach and the stolen PII;

E. Awarding Plaintiff and the Class damages that include applicable

compensatory, exemplary, punitive damages, and statutory damages, as

allowed by law;

F. Awarding restitution and damages to Plaintiff and the Class in an

amount to be determined at trial;

G. Awarding attorneys’ fees and costs, as allowed by law;

H. Awarding prejudgment and post-judgment interest, as provided by law;

I. Granting Plaintiff and the Class leave to amend this complaint to

conform to the evidence produced at trial; and

J. Granting such other or further relief as may be appropriate

under the circumstances.

VIII. JURY DEMAND

Plaintiff hereby demands that this matter be tried before a jury.


Dated: July 28, 2023 Respectfully submitted,

/s/: Thomas A. Zimmerman


Thomas A. Zimmerman, Jr.
(IL #6231944)
[email protected]
Sharon A. Harris
[email protected]
Matthew C. De Re
[email protected]
Jeffrey D. Blake
[email protected]
ZIMMERMAN LAW
OFFICES, P.C.
77 W. Washington Street
Suite 1220
Chicago, Illinois 60602
(312) 440-0020 telephone
(312) 440-4180 facsimile
www.attorneyzim.com

M. Anderson Berry
(pro hac vice application forthcoming)
CLAYEO C. ARNOLD,
A PROFESSIONAL CORP.
865 Howe Avenue
Sacramento, CA 95825
Telephone: (916) 239-4778
Facsimile: (916) 924-1829
[email protected]
