Bryan Cave Data Breach Lawsuit
Defendant.
Plaintiff Rock Meyer (“Mr. Meyer” or “Plaintiff”) brings this action on behalf
of himself, and all others similarly situated against Defendant, Bryan Cave Leighton
I. INTRODUCTION
1. Between February 23, 2023, and March 1, 2023, BCLP, a law firm with
“extensive experience handling the full scope of complex privacy and security issues,”1
lost control over the highly sensitive personally identifiable information (“PII”) of
Plaintiff and other similarly situated individuals (the “Class” or “Class Members”) in a
massive and preventable data breach perpetuated by cybercriminals (the “Data Breach”
or “Breach”). According to information and belief, the Data Breach affected at least
Case: 1:23-cv-04954 Document #: 1 Filed: 07/28/23 Page 2 of 33 PageID #:2
51,110 individuals.2
February 23, 2023, when an unauthorized party gained access to BCLP’s inadequately
protected network and was not discovered by BCLP until four (4) days later, on
February 27, 2022.3 Shockingly, despite discovering the Data Breach on February 27,
2023, BCLP allowed the Data Breach to continue for at least two more days,
providing cybercriminals unfettered access to Plaintiff and the Class’s highly private
gained unauthorized access to Plaintiff’s and the Class’s PII, including but not limited
to, their names, Social Security numbers, addresses, dates of birth, genders, employee
security systems to access Plaintiff and the Class’s PII in its computer systems.
unauthorized party first gained access to Plaintiff and the Class’s PII – victims of
the Data Breach were finally notified via letter that their highly sensitive and
2 See https://apps.web.maine.gov/online/aeviewer/ME/40/ca25f29f-db60-4baf-ba53-8bae79da4d97.shtml.
3 See Exhibit 1.
4 See id.
5 See id.
6. The Notice of Data Breach Letter obscured the nature of the breach and
the threat it posed—failing to notify Plaintiff and the Class how many people were
impacted, how the Breach happened, or why it took so long to begin notifying victims
7. Defendant’s failure to timely detect and report the Data Breach made the
victims vulnerable to identity theft without any warnings to monitor their financial
8. Defendant knew or should have known that each victim of the Data
Breach deserved prompt and efficient notice of the Data Breach and assistance in
adequately notify them of the Breach, and by obfuscating the nature of the breach,
Defendant violated state and federal laws and harmed Plaintiff and the Class.
10. Plaintiff and members of the proposed Class are victims of Defendant’s
6 See id.
7 See id.
similarly situated individuals, brings this lawsuit seeking injunctive relief, damages, and
restitution, together with costs and reasonable attorneys’ fees, the calculation of which
II. PARTIES
14. Plaintiff, Rock Meyer, is a natural person and citizen of Kentucky, where
he intends to remain. Plaintiff Meyer is a Data Breach victim and received a Notice of
business at 221 Bolivar Street, Jefferson City, MO 65101. Defendant BCLP can be served
through its registered agent, CSC-Lawyers Incorporating Service Company, at 221
16. This Court has subject matter jurisdiction over this action under 28
U.S.C. § 1332(d) because this is a class action wherein the amount in controversy
exceeds the sum or value of $5,000,000, exclusive of interest and costs, there are more
than 100 members in the proposed class, and Plaintiff and Defendant are citizens of
different states.
17. This Court has personal jurisdiction over Defendant because Defendant
maintains its principal place of business in this District and does substantial business in
this District.
8 Id.
substantial part of the events or omissions giving rise to the claim occurred in this
District.
19. BCLP is a law firm that touts itself as “groundbreakers and innovators”9
that have “extensive experience handling the full scope of complex privacy and security
20. BCLP’s services are specialized for companies “including 35% of the
Fortune 500” 12 who manage highly sensitive data. BCLP thus must oversee, manage,
and protect the PII of its clients’13 consumers, including that of Plaintiff and the Class.
financial services, travel, manufacturing, and retail” about how “to achieve the most
10 Data Privacy & Security, BCLP, https://www.bclplaw.com/en-US/practices/corporate/data-privacy-and-security-team/index.html.
13 “Mondelez Global LLC retained the legal services of the law firm Bryan Cave
Leighton Paisner LLP (“Bryan Cave”) to provide advice on customary legal matter of a
company of its size. To provide these services, Bryan Cave obtained some PII of current
and former Mondelez employees.” Exhibit 1.
companies achieve their business goals while balancing and addressing privacy and
security obligations.”14
assures that it “understand the importance of keeping your PII secure,”15 boasting that
24. BCLP also claims that it has “a world class incident response practice
that has helped clients navigate major security incidents and data breaches, including
identify and remediate gaps in their readiness and to train companies how to respond to
breaches effectively.”16
25. BCLP promises that, in the event of a data breach, it will “inform you of
handling highly sensitive aspects of its clients’ business, BCLP understood the need to
protect Plaintiff’s and the Class’s data and prioritize data security. In fact, BCLP
advertises that its “experience and practical approach to data breach response uniquely
equip us to assist organizations by understanding both the law and the business
17 Id.
18 Id.
27. But, according to information and belief, BCLP failed to strictly adhere
28. Defendant collected and maintained Plaintiff and the Class’s PII in its
computer systems. In collecting and maintaining Plaintiff’s and the Class’s PII,
Defendant implicitly agreed that it would protect and safeguard that PII by complying
with state and federal laws and regulations and applicable industry standards.
Defendant was in possession of Plaintiff and the Class’s PII before, during, and after
29. According to the Notice of Data Breach Letter, BCLP first detected
suspicious activity within its network on February 27, 2023.19 Following an internal
investigation, BCLP discovered the Data Breach occurred between February 23, 2023,
and March 1, 2023.20 In other words, BCLP’s investigation revealed that not only had
its network been hacked by cybercriminals at least four days before it discovered the
Breach, but the Data Breach actually continued for another two days after BCLP first
30. Despite touting itself as a “leader” in data privacy and security,
BCLP’s cyber and data security systems were completely inadequate and allowed
19 See Exhibit 1.
20 See id.
31. Additionally, Defendant admitted that PII was actually stolen during the
Data Breach confessing that the information was not just accessed, but that the
“unauthorized third party acquired certain data” that Defendant is still struggling to
identify. 21
32. On or around June 15, 2023 – four months after the Breach first
occurred – Plaintiff and Class Members were finally notified of the Data Breach. 22
33. Despite BCLP’s duties and alleged commitments to safeguard PII, BCLP
did not follow industry standard practices in securing Plaintiff and the Class’s PII, as
34. In response to the Data Breach, BCLP contends it has or will be taking
“taken steps to address the incident and prevent a similar occurrence in the future.”23
Although BCLP failed to expand on what these alleged “steps” are, such steps should
35. Through the Notice of Data Breach Letter, Defendant also recognized the
actual imminent harm and injury that flowed from the Data Breach and encouraged
monitoring free credit reports. You should regularly change your passwords. You may
21 Id.
22 Id.
23 Id.
36. Even though Social Security numbers were exposed here, cybercriminals
need not harvest a person’s Social Security number or financial account information in
order to commit identity fraud or misuse Plaintiff’s and the Class’s PII. Cybercriminals
can cross-reference the data stolen from the Data Breach and combine with other
sources to create “Fullz” packages, which can then be used to commit fraudulent
37. Plaintiff and the Class were only offered two (2) years of complimentary
credit monitoring services to victims, which does not adequately address the lifelong
harm that victims will face following the Data Breach. Indeed, the Breach involves PII
that cannot be changed, such as Social Security numbers and dates of birth. Further, the
Breach exposed nonpublic, highly private information, disturbing harm in and of itself.
38. Even with complimentary credit monitoring services, the risk of identity
theft and unauthorized use of Plaintiff’s and Class Members’ PII is still substantially
high. The fraudulent activity resulting from the Data Breach may not come to light for
years.
supervise its IT and data security agents and employees on reasonable cybersecurity
protocols or implement reasonable security measures, causing them to lose control over
Plaintiff and the Class’s PII. Defendant’s negligence is evidenced by its failure to
24 Id.
prevent the Data Breach and stop cybercriminals from accessing the PII.
The Data Breach was a Foreseeable Risk of which Defendant was on Notice.
41. In light of recent high profile data breaches at other law firms, 25
Defendant knew or should have known that their electronic records and Plaintiff and
2020.26 The 330 breaches reported in 2021 exposed nearly 30 million sensitive
records (28,045,658), compared to only 306 breaches that exposed nearly 10 million
43. Indeed, cyberattacks against the legal industry have become
increasingly common for over ten years, with the FBI warning as early as 2011 that
25 See https://abovethelaw.com/2023/04/major-biglaw-firm-suffers-cyber-security-breach-of-mergers-acquisitions-data/;
https://www.just-food.com/features/tech-leaves-food-industry-more-exposed-to-cybersecurity-threat/; see also
https://www.law.com/americanlawyer/2023/01/10/cyberattacks-inevitable-for-law-firms-highlighting-need-for-comprehensive-incident-response-plans/.
cybercriminals were “advancing their abilities to attack a system remotely” and “[o]nce
a system is compromised, cyber criminals will use their accesses to obtain PII.” The
FBI further warned that “the increasing sophistication of cyber criminals will no
44. Therefore, the increase in such attacks, and attendant risk of future
attacks, was widely known to the public and to anyone in Defendant’s industry,
including BCLP.
45. Plaintiff received a Notice of Data Breach Letter, dated June 15, 2023,
notifying him that an unauthorized third-party “acquired certain data” which included his
PII. BCLP was in possession of Plaintiff’s PII before, during, and after the Data Breach.
against the Data Breach’s effects by failing to notify him about it for over four
months.
47. As a result of the Data Breach, Plaintiff spent hours dealing with the
consequences of the Data Breach, which includes time spent verifying the legitimacy of
the Notice of Data Breach Letter, self-monitoring his accounts and credit reports to
monitor suspicious and fraudulent activity. This time has been lost forever and cannot
be recaptured. Plaintiff has spent and will continue to spend considerable time and
effort monitoring his accounts to protect himself from additional identity theft for the
48. Plaintiff fears for his personal financial security and uncertainty over
what PII was exposed in the Data Breach. Plaintiff has and is experiencing feelings of
anxiety, sleep disruption, stress, fear, and frustration because of the Data Breach. This
goes far beyond allegations of mere worry or inconvenience; it is exactly the sort of
injury and harm to a Data Breach victim that the law contemplates and addresses.
49. As a result of the Data Breach, Plaintiff has suffered actual misuse of his
PII. Plaintiff received a fraud alert from PNC Bank after the Data Breach, notifying
him of a fraudulent transaction. Due to the proximity of the fraud to the Data Breach,
50. Plaintiff suffered actual injury in the form of damages to and diminution
in the value of Plaintiff’s PII—a form of intangible property that Plaintiff entrusted to
51. Plaintiff has suffered imminent and impending injury arising from the
substantially increased risk of fraud, identity theft, and misuse resulting from his PII
being placed in the hands of unauthorized third parties and possibly criminals.
52. Plaintiff has a continuing interest in ensuring that his PII, which, upon
53. Plaintiff has also suffered injury directly and proximately caused by the
Data Breach, including: (a) theft of Plaintiff’s valuable PII; (b) the imminent and
certain impending injury flowing from fraud and identity theft posed by Plaintiff’s PII
being placed in the hands of cyber criminals; (c) damages to and diminution in value of
Plaintiff’s PII; (d) loss of the benefit of the bargain with Defendant to provide adequate
and reasonable data security—i.e., the difference in value between what Plaintiff
should have received from Defendant and Defendant’s defective and deficient
security and failing to protect Plaintiff’s PII; (e) continued risk to Plaintiff’s PII, which
remains in the possession of Defendant and which is subject to further breaches so long
as Defendant fails to undertake appropriate and adequate measures to protect the PII
Plaintiff and the Proposed Class Face Significant Risk of Continued Identity Theft
54. Plaintiff and members of the proposed Class have suffered injury from
and the proposed Class have suffered and will continue to suffer damages, including
monetary losses, lost time, anxiety, and emotional distress. They have suffered or are at
e. Lost opportunity costs and lost wages associated with the time and effort
consequences of the Data Breach, including, but not limited to, efforts
56. Stolen PII is one of the most valuable commodities on the criminal
57. The value of Plaintiff’s and the Class’s PII on the black market is
considerable. Stolen PII trades on the black market for years, and criminals frequently
post stolen PII openly and directly on various “dark web” internet websites, making the
58. It can take victims years to spot identity theft, giving criminals plenty of
59. One such example of criminals using PII for profit is the development of
“Fullz” packages.
61. The development of “Fullz” packages means that stolen PII from the
Data Breach can easily be used to link and identify it to Plaintiff and the proposed
Class’s phone numbers, email addresses, and other unregulated sources and identifiers.
In other words, even if certain information such as emails, phone numbers, or credit
card numbers may not be included in the PII stolen by the cyber-criminals in the Data
Breach, criminals can easily create a Fullz package and sell it at a higher price to
unscrupulous operators and criminals (such as illegal and scam telemarketers) over and
over. That is exactly what is happening to Plaintiff and members of the proposed Class,
and it is reasonable for any trier of fact, including this Court or a jury, to find that
Plaintiff’s and the Class’s stolen PII is being misused, and that such misuse is fairly
62. Defendant disclosed the PII of Plaintiff and the Class for criminals to use
in the conduct of criminal activity. Specifically, Defendant opened up, disclosed, and
exposed the PII of Plaintiff and the Class to people engaged in disruptive and unlawful
business practices and tactics, including online account hacking, unauthorized use of
63. Defendant’s failure to properly notify Plaintiff and members of the Class
of the Data Breach exacerbated Plaintiff’s and the Class’s injury by depriving them of
the earliest ability to take appropriate measures to protect their PII and take other
64. According to the Federal Trade Commission (“FTC”), the need for data
security should be factored into all business decision-making. To that end, the FTC has
issued numerous guidelines identifying best data security practices that businesses,
such as Defendant, should employ to protect against the unlawful exposure of PII.
65. In 2016, the FTC updated its publication, Protecting PII: A Guide for
Business, which established guidelines for fundamental data security principles and
66. The guidelines also recommend that businesses watch for large amounts
of data being transmitted from the system and have a response plan ready in the event
of a breach.
67. The FTC recommends that companies not maintain information longer
than is needed for authorization of a transaction; limit access to sensitive data; require
monitor for suspicious activity on the network; and verify that third-party service
68. The FTC has brought enforcement actions against businesses for failing
to adequately and reasonably protect consumer data, treating the failure to employ
Federal Trade Commission Act (“FTCA”), 15 U.S.C. § 45. Orders resulting from these
actions further clarify the measures businesses must take to meet their data security
obligations.
70. Plaintiff sues on behalf of himself and the proposed nationwide class
(“Class”) defined as follows, pursuant to Federal Rule of Civil Procedure 23(b)(2) and
(b)(3):
Excluded from the Class is Defendant, its agents, affiliates, parents, subsidiaries,
any entity in which Defendant has a controlling interest, any of Defendant’s officers or
directors, any successors, and any Judge who adjudicates this case, including their staff
and control;
arises from the same Data Breach, the same alleged violations
vii. Whether the Data Breach caused Plaintiff’s and the Class’s
injuries;
ix. Whether Plaintiff and the Class are entitled to damages, treble
73. Further, common questions of law and fact predominate over any
other available method to fairly and efficiently adjudicate the controversy. The damages
economically feasible.
COUNT I
Negligence
74. Plaintiff realleges all previous paragraphs as if fully set forth below.
75. Plaintiff and members of the Class’s PII was entrusted to Defendant.
Defendant owed to Plaintiff and the Class a duty to exercise reasonable care in
handling and using the PII in its care and custody, including implementing industry-
standard security procedures sufficient to reasonably protect the information from the
Data Breach, theft, and unauthorized use that came to pass, and to promptly detect
76. Defendant owed a duty of care to Plaintiff and members of the Class
because it was foreseeable that Defendant’s failure to adequately safeguard their PII in
result in the compromise of that PII—just like the Data Breach that ultimately came to
pass. Defendant acted with wanton and reckless disregard for the security and
confidentiality of Plaintiff’s and the Class’s PII by disclosing and providing access to
this information to unauthorized third parties and by failing to properly supervise both
the way the PII was stored, used, and exchanged, and those in its employ who were
77. Defendant owed to Plaintiff and members of the Class a duty to notify
them within a reasonable timeframe of any breach to the security of their PII.
Defendant also owed a duty to timely and accurately disclose to Plaintiff and members
of the Class the scope, nature, and occurrence of the Data Breach. This duty is required
and necessary for Plaintiff and the Class to take appropriate measures to protect their
PII, to be vigilant in the face of an increased risk of harm, and to take other necessary
78. Defendant owed these duties to Plaintiff and members of the Class
individuals whom Defendant knew or should have known would suffer injury-in-fact
79. The risk that unauthorized persons would attempt to gain access to the
PII and misuse it was foreseeable. Given that Defendant held vast amounts of PII, it
80. PII is highly valuable, and Defendant knew, or should have known, the
risk in obtaining, using, handling, emailing, and storing the PII of Plaintiff and the
Class and the importance of exercising reasonable care in handling it. Especially with
protecting the PII of Plaintiff and the Class, supervising and monitoring its employees,
agents, contractors, vendors, and suppliers, and in handling and securing the PII of
Plaintiff and the Class which actually and proximately caused the Data Breach and
Plaintiff’s and the Class’s injury. Defendant further breached its duties by failing to
provide reasonably timely notice of the Data Breach to Plaintiff and members of the
Class, which actually and proximately caused and exacerbated the harm from the
Data Breach and Plaintiff’s and members of the Class’s injuries-in-fact. As a direct
and the Class have suffered or will suffer damages, including monetary damages,
distress.
care and their failures and negligence actually and proximately caused Plaintiff and
members of the Class actual, tangible, injury-in-fact and damages, including, without
limitation, the theft of their PII by criminals, improper disclosure of their PII, lost
benefit of their bargain, lost value of their PII, and lost time and money incurred to
mitigate and remediate the effects of the Data Breach that resulted from and were
COUNT II
Negligence Per Se
83. Plaintiff realleges all previous paragraphs as if fully set forth below.
84. Pursuant to the FTC Act, 15 U.S.C. § 45, Defendant had a duty to provide
fair and adequate computer systems and data security practices to safeguard Plaintiff’s
commerce,” including, as interpreted and enforced by the FTC, the unfair act or practice
customers or, in this case, employees’ PII. The FTC publications and orders
promulgated pursuant to the FTC Act also form part of the basis of Defendant’s duty to
86. Defendant breached its respective duties to Plaintiff and Class Members
under the FTC Act by failing to provide fair, reasonable, or adequate computer systems
arose not only as a result of the statutes and regulations described above, but also
88. Defendant violated its duty under Section 5 of the FTC Act by failing to
use reasonable measures to protect Plaintiff’s and the Class’s PII and not complying
was particularly unreasonable given the nature and amount of PII Defendant collected
and stored and the foreseeable consequences of a data breach, including, specifically,
the immense damages that would result to individuals in the event of a breach, which
89. The harm that has occurred is the type of harm the FTC Act is intended
to guard against. Indeed, the FTC has pursued numerous enforcement actions against
businesses that, because of their failure to employ reasonable data security measures and
avoid unfair and deceptive practices, caused the same harm as that suffered by Plaintiff
90. But for Defendant’s wrongful and negligent breach of the duties owed to
Plaintiff and members of the Class, Plaintiff and members of the Class would not have
been injured.
91. The injury and harm suffered by Plaintiff and members of the Class were
the reasonably foreseeable result of Defendant’s breach of its duties. Defendant knew
or should have known that it was failing to meet its duties and that its breach would
cause Plaintiff and members of the Class to suffer the foreseeable harms associated
92. Had Plaintiff and the Class known that Defendant did not adequately
protect their PII, Plaintiff and members of the Class would not have allowed Defendant
93. Defendant’s various violations and their failure to comply with applicable
Plaintiff and the Class have suffered harm, including loss of time and money resolving
fraudulent charges; loss of time and money obtaining protections against future identity
theft; lost control over the value of PII; harm resulting from damaged credit scores and
information; and other harm resulting from the unauthorized use or threat of
trial.
per se, Plaintiff and Class members have suffered and will suffer the continued risks of
exposure of their PII, which remain in Defendant’s possession and is subject to further
COUNT III
Unjust Enrichment
96. Plaintiff realleges all previous paragraphs as if fully set forth below.
97. This claim is pleaded in the alternative to the breach of contract claim(s).
98. Plaintiff and members of the Class conferred a benefit upon Defendant in
by Plaintiff and the Class. Defendant also benefited from the receipt of Plaintiff’s and the
Class’s PII, as this was used to facilitate the services it sold to businesses.
100. Under principles of equity and good conscience, Defendant should not be
permitted to retain the full value of the benefit because Defendant failed to adequately
protect their PII. Plaintiff and the proposed Class would not have provided their PII to
Defendant had they known Defendant would not adequately protect their PII.
101. Defendant should be compelled to disgorge into a common fund for the
benefit of Plaintiff and members of the Class all unlawful or inequitable proceeds
COUNT IV
Invasion of Privacy
102. Plaintiff realleges all previous paragraphs as if fully set forth below.
regarding their PII and were accordingly entitled to the protection of this information
104. Defendant owed a duty to Plaintiff and Class Members to keep their PII
confidential.
party of Plaintiff’s and Class Members’ PII is highly offensive to a reasonable person.
107. Defendant’s reckless and negligent failure to protect Plaintiff’s and Class
Members’ PII constitutes an intentional interference with Plaintiff’s and the Class
108. Defendant’s failure to protect Plaintiff’s and Class Members’ PII acted
with a knowing state of mind when it permitted the Data Breach because it knew its
109. Defendant knowingly did not notify Plaintiff and Class Members in a
Members’ PII, Defendant had notice and knew that its inadequate cybersecurity
the Class Members’ private and sensitive PII was stolen by a third party and is now
available for disclosure and redisclosure without authorization, causing Plaintiff and
irreparable injury to Plaintiff and the Class since their PII are still maintained by
113. Plaintiff and Class Members have no adequate remedy at law for the
records. A judgment for monetary damages will not end Defendant’s inability to
114. Plaintiff, on behalf of himself and Class Members, seeks injunctive relief
to enjoin Defendant from further intruding into the privacy and confidentiality of
damages for Defendant’s invasion of privacy, which includes the value of the privacy
interest invaded by Defendant, the costs of future monitoring of their credit history for
COUNT V
Violations of the Illinois Consumer Fraud and
Deceptive Business Practices Act (“CFA”), 815 Ill. Comp. Stat. §§ 505/1, et seq.
116. Plaintiff realleges all previous paragraphs as if fully set forth below.
117. Plaintiff and the Class are “consumers” as defined in 815 Ill. Comp. Stat.
§ 505/1(e). Plaintiff, the Class, and Defendant are “persons” as defined in 815 Ill.
services, as defined under 815 Ill. Comp. Stat. § 505/1(f). Defendant engages in the
with the sale and advertisement of their services in violation of the CFA, including: (i)
failing to maintain adequate data security to keep Plaintiff’s and the Class Members’
sensitive PII from being stolen by cybercriminals and failing to comply with applicable
state and federal laws and industry standards pertaining to data security, including the
FTC Act; (ii) failing to disclose or omitting material facts to Plaintiff and the Class
regarding their lack of adequate data security and inability or unwillingness to properly
secure and protect the PII of Plaintiff and the Class; (iii) failing to disclose or omitting
material facts to Plaintiff and the Class about Defendant’s failure to comply with the
requirements of relevant federal and state laws pertaining to the privacy and security of
the PII of Plaintiff and the Class; and (iv) failing to take proper action following the
Data Breach to enact adequate privacy and security measures and protect Plaintiff’s
and the Class’s PII and other PII from further unauthorized disclosure, release, data
120. These actions also constitute deceptive and unfair acts or practices
because Defendant knew the facts about their inadequate data security and failure to
comply with applicable state and federal laws and industry standards would be
unknown to and not easily discoverable by Plaintiff and the Class and defeat their
121. Defendant intended that Plaintiff and the Class rely on its deceptive and
unfair acts and practices and the concealment and omission of material facts in
122. Defendant’s wrongful practices were and are injurious to the public
because those practices were part of Defendant’s generalized course of conduct that
applied to the Class. Plaintiff and the Class have been adversely affected by
Defendant’s conduct and the public was and is at risk as a result thereof.
123. Defendant also violated 815 ILCS 505/2 by failing to immediately notify
Plaintiff and the Class of the nature and extent of the Data Breach pursuant to the
124. As a result of Defendant’s wrongful conduct, Plaintiff and the Class were
injured in that they never would have provided their PII to Defendant, or purchased
Defendant’s services, had they known or been told that Defendant failed to maintain
sufficient security to keep their PII from being hacked and taken and misused by
others.
Plaintiff and the Class have suffered harm: (i) actual identity theft; (ii) the loss of the
opportunity how their PII is used; (iii) the compromise, publication, and/or theft of
their PII; (iv) out-of-pocket expenses associated with the prevention, detection, and
recovery from identity theft, and/or unauthorized use of their PII; (v) lost opportunity
costs associated with effort expended and the loss of productivity addressing and
attempting to mitigate the actual and future consequences of the Data Breach, including
but not limited to efforts spent researching how to prevent, detect, contest, and recover
from identity theft; (vi) the continued risk to their PII, which remain in Defendant’s
possession; and (vii) future costs in terms of time, effort, and money that will be
expended to prevent, detect, contest, and repair the impact of the PII compromised as a
result of the Data Breach for the remainder of the lives of Plaintiff and Class Members.
126. Pursuant to 815 Ill. Comp. Stat. § 505/10a(a), Plaintiff and the Class seek
actual and compensatory damages, injunctive relief, and court costs and attorneys’ fees
untrue statements about the Data Breach and the stolen PII;
allowed by law;
M. Anderson Berry
(pro hac vice application forthcoming)
CLAYEO C. ARNOLD,
A PROFESSIONAL CORP.
865 Howe Avenue
Sacramento, CA 95825
Telephone: (916) 239-4778
Facsimile: (916) 924-1829