Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 1 of 62

IN THE UNITED STATES DISTRICT COURT

WESTERN DISTRICT OF TEXAS
SAN ANTONIO DIVISION

MAURICE FITZPATRICK, on behalf of Case No. 5:24-cv-01096

himself and all others similarly situated,

Plaintiff,

v.

UNITED SERVICES AUTOMOBILE

ASSOCIATION d/b/a USAA,
DEMAND FOR A JURY TRIAL
Defendant.

CLASS ACTION COMPLAINT

Plaintiff Maurice Fitzpatrick (“Plaintiff”) brings this Class Action Complaint

(“Complaint”) against United Services Automobile Association d/b/a USAA ("Defendant") as an

individual and on behalf of all others similarly situated, and alleges, upon personal knowledge as

to his own actions and his counsels’ investigation, and upon information and belief as to all other

matters, as follows:

SUMMARY OF ACTION

1. Plaintiff brings this class action against Defendant for its failure to properly secure

and safeguard sensitive information of its customers.

2. Defendant is a financial services company that offers products and services to its

customers, who are military veterans and family members.

3. Plaintiff’s and Class Members’ sensitive personal information—which they

entrusted to Defendant on the mutual understanding that Defendant would protect it against

disclosure—was targeted, compromised and unlawfully accessed due to the Data Breach.

1
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 2 of 62

4. Defendant collected and maintained certain personally identifiable information and

protected health information of Plaintiff and the putative Class Members (defined below), who are

(or were) customers at Defendant.

5. The PII compromised in the Data Breach included Plaintiff’s and Class Members’

full names, addresses, email addresses, dates of birth, driver’s license numbers, passport numbers,

vehicle identification numbers, loan numbers, property and causality insurance policy information,

and Social Security numbers (“personally identifiable information” or “PII”) and medical

information, which is protected health information (“PHI”, and collectively with PII, “Private

Information”) as defined by the Health Insurance Portability and Accountability Act of 1996

(“HIPAA”).

6. The Private Information compromised in the Data Breach was exfiltrated by cyber-

criminals and remains in the hands of those cyber-criminals who target Private Information for its

value to identity thieves.

7. As a result of the Data Breach, Plaintiff and approximately 32,000 Class Members, 1

suffered concrete injuries in fact including, but not limited to: (i) invasion of privacy; (ii) theft of

their Private Information; (iii) lost or diminished value of Private Information; (iv) uncompensated

lost time and opportunity costs associated with attempting to mitigate the actual consequences of

the Data Breach; (v) loss of benefit of the bargain; (vi) lost opportunity costs associated with

attempting to mitigate the actual consequences of the Data Breach; (vii) actual misuse of the

compromised data consisting of an increase in spam calls, texts, and/or emails; (viii) Plaintiff’s

Private Information being disseminated on the dark web, according to Capitol One and Credit

Karma; (ix) Plaintiff experiencing fraudulent charges to his American Express card, for

1
https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-
a1252b4f8318/225913a2-7f23-4a54-9ce8-40dbfce9f0be.html

2
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 3 of 62

approximately $950. in or about August 2024; (x) nominal damages; and (xi) the continued and

certainly increased risk to their Private Information, which: (a) remains unencrypted and available

for unauthorized third parties to access and abuse; and (b) remains backed up in Defendant’s

possession and is subject to further unauthorized disclosures so long as Defendant fails to

undertake appropriate and adequate measures to protect the Private Information.

8. The Data Breach was a direct result of Defendant’s failure to implement adequate

and reasonable cyber-security procedures and protocols necessary to protect consumers’ Private

Information from a foreseeable and preventable cyber-attack.

9. Moreover, upon information and belief, Defendant was targeted for a cyber-attack

due to its status as a financial services company that collects and maintains highly valuable Private

Information on its systems.

10. Defendant maintained, used, and shared the Private Information in a reckless

manner. In particular, the Private Information was used and transmitted by Defendant in a

condition vulnerable to cyberattacks. Upon information and belief, the mechanism of the

cyberattack and potential for improper disclosure of Plaintiff’s and Class Members’ Private

Information was a known risk to Defendant, and thus, Defendant was on notice that failing to take

steps necessary to secure the Private Information from those risks left that property in a dangerous

condition.

11. Defendant disregarded the rights of Plaintiff and Class Members by, inter alia,

intentionally, willfully, recklessly, or negligently failing to take adequate and reasonable measures

to ensure its data systems were protected against unauthorized intrusions; failing to take standard

and reasonably available steps to prevent the Data Breach; and failing to provide Plaintiff and

Class Members prompt and accurate notice of the Data Breach.

3
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 4 of 62

12. Plaintiff’s and Class Members’ identities are now at risk because of Defendant’s

negligent conduct because the Private Information that Defendant collected and maintained has

been accessed and acquired by data thieves.

13. Armed with the Private Information accessed in the Data Breach, data thieves have

already engaged in identity theft and fraud and can in the future commit a variety of crimes

including, e.g., opening new financial accounts in Class Members’ names, taking out loans in Class

Members’ names, using Class Members’ information to obtain government benefits, filing

fraudulent tax returns using Class Members’ information, obtaining driver’s licenses in Class

Members’ names but with another person’s photograph, and giving false information to police

during an arrest.

14. As a result of the Data Breach, Plaintiff and Class Members have been exposed to

a heightened and imminent risk of fraud and identity theft. Plaintiff and Class Members must now

and in the future closely monitor their financial accounts to guard against identity theft.

15. Plaintiff and Class Members may also incur out of pocket costs, e.g., for purchasing

credit monitoring services, credit freezes, credit reports, or other protective measures to deter and

detect identity theft.

16. Plaintiff brings this class action lawsuit on behalf all those similarly situated to

address Defendant’s inadequate safeguarding of Class Members’ Private Information that it

collected and maintained, and for failing to provide timely and adequate notice to Plaintiff and

other Class Members that their information had been subject to the unauthorized access by an

unknown third party and precisely what specific type of information was accessed.

4
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 5 of 62

17. Through this Complaint, Plaintiff seeks to remedy these harms on behalf of himself

and all similarly situated individuals whose Private Information was accessed during the Data

Breach.

18. Plaintiff and Class Members have a continuing interest in ensuring that their

information is and remains safe, and they should be entitled to injunctive and other equitable relief.

JURISDICTION AND VENUE

19. This Court has subject matter jurisdiction over this action under the Class Action

Fairness Act, 28 U.S.C. § 1332(d)(2). There are at least 100 putative Class Members, the

aggregated claims of the individual Class Members exceed the sum or value of $5,000,000

exclusive of interest and costs, and members of the proposed Class are citizens of states different

from Defendant. 2

20. This Court has jurisdiction over Defendant through its business operations in this

District, the specific nature of which occurs in this District. Defendant’s principal place of business

is located in the San Antonio Division of the Western District of Texas. Defendant intentionally

avails itself of the markets within this District to render the exercise of jurisdiction by this Court

just and proper. Defendant is a citizen of Texas.

21. Venue is proper in this Court pursuant to 28 U.S.C. § 1391(a)(1) because

Defendant’s principal place of business is located in the San Antonio Division of the Western

District of Texas and a substantial part of the events and omissions giving rise to this action

occurred in this District.

2
According to the breach report submitted to the Office of the Maine Attorney General, 156
Maine residents were impacted in the Data Breach. See
https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-
a1252b4f8318/225913a2-7f23-4a54-9ce8-40dbfce9f0be.html

5
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 6 of 62

PARTIES

22. Plaintiff Maurice Fitzpatrick is a resident and citizen of Belton, Texas.

23. Defendant United Services Automobile Association d/b/a USAA is a company with

its principal place of business located at 9800 Fredericksburg Road, San Antonio, TX 78288.

FACTUAL ALLEGATIONS

Defendant's Business

24. Defendant is a financial services company that offers products and services to its

customers, who are military veterans and family members.

25. Plaintiff and Class Members are current and former customers at Defendant.

26. In the course of their relationship, customers, including Plaintiff and Class

Members, provided Defendant with at least the following: names, dates of birth, contact

information, Social Security numbers, and other sensitive information.

27. Upon information and belief, in the course of collecting Private Information from

customers, including Plaintiff, Defendant promised to provide confidentiality and adequate

security for the data it collected from customers through its applicable privacy policy and through

other disclosures in compliance with statutory privacy requirements.

28. Indeed, Defendant provides on its website that: "[w]e use administrative,

operational and technical security processes to protect your personal information. Our Site uses

the https protocol, which means that any personal information you send to us is protected by

encryption. Our member logon pages require unique credentials and authentication to limit

access." 3

3
https://www.usaa.com/privacy/online-practices/

6
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 7 of 62

29. Plaintiff and the Class Members, as customers at Defendant, relied on these

promises and on this sophisticated business entity to keep their sensitive Private Information

confidential and securely maintained, to use this information for business purposes only, and to

make only authorized disclosures of this information. Consumers, in general, demand security to

safeguard their Private Information, especially when their Social Security numbers and other

sensitive Private Information is involved.

The Data Breach

30. On or about August 27, 2024, Defendant began sending Plaintiff and other Data

Breach victims a Notice of Data Incident letter (the "Notice Letter"), informing them that:

What Happened
On April 30, 2024, we became aware of a system error that occurred during a routine
update to our document delivery system. As a result of the error, some documents for
members with property and casualty insurance products through USAA were
inadvertently posted to another member’s online account. Upon learning of the error,
USAA promptly took corrective steps to remove the inadvertently posted documents and
commenced an investigation of the incident. Based on our investigation, which concluded
on July 31, 2024, we determined that some of your personal information may have been
inadvertently disclosed to another USAA member.

Although we have no indication of any fraud or identity theft resulting from this incident,
we are sending you this notice to provide you with information about the incident, what
we are doing and steps you can take to help protect your personal information.

What Information Was Involved

The personal information inadvertently disclosed varied by individual, but may have
included the following: name, address, email address, date of birth, Social Security
number, driver’s license number, passport number, vehicle identification number, loan
numbers, health information, and property and casualty insurance policy information. 4

31. Omitted from the Notice Letter were the identity of the cybercriminals who

perpetrated this Data Breach, the date(s) of the Data Breach, the details of the root cause of the

4
The “Notice Letter”. A sample copy is available at
https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-
a1252b4f8318/225913a2-7f23-4a54-9ce8-40dbfce9f0be.html

7
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 8 of 62

Data Breach, the vulnerabilities exploited, and the remedial measures undertaken to ensure such a

breach does not occur again. To date, these omitted details have not been explained or clarified to

Plaintiff and Class Members, who retain a vested interest in ensuring that their Private Information

remains protected.

32. This “disclosure” amounts to no real disclosure at all, as it fails to inform, with any

degree of specificity, Plaintiff and Class Members of the Data Breach’s critical facts. Without

these details, Plaintiff’s and Class Members’ ability to mitigate the harms resulting from the Data

Breach is severely diminished.

33. Despite Defendant’s intentional opacity about the root cause of this incident,

several facts may be gleaned from the Notice Letter, including: a) that this Data Breach was the

work of cybercriminals; b) that the cybercriminals first infiltrated Defendant’s networks and

systems, and downloaded data from the networks and systems (aka exfiltrated data, or in

layperson’s terms “stole” data; and c) that once inside Defendant’s networks and systems, the

cybercriminals targeted information including Plaintiff’s and Class Members’ Social Security

numbers for download and theft.

34. In the context of notice of data breach letters of this type, Defendant’s use of the

phrase “may have included” is misleading lawyer language. Companies only send notice letters

because data breach notification laws require them to do so. And such letters are only sent to those

persons who Defendant itself has a reasonable belief that such personal information was accessed

or acquired by an unauthorized individual or entity. Defendant cannot hide behind legalese – by

sending a notice of data breach letter to Plaintiff and Class Members, it admits that Defendant

itself has a reasonable belief that Plaintiff’s and Class Members’ names, Social Security numbers,

8
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 9 of 62

PHI, and other sensitive information was accessed or acquired by an unknown actor – aka

cybercriminals.

35. Moreover, in its Notice Letter, Defendant failed to specify whether it undertook

any efforts to contact the approximate 32,000 Class Members whose data was accessed and

acquired in the Data Breach to inquire whether any of the Class Members suffered misuse of their

data, whether Class Members should report their misuse to Defendant, and whether Defendant set

up any mechanism for Class Members to report any misuse of their data.

36. Defendant had obligations created by the FTC Act, Gramm-Leach-Bliley Act,

contract, common law, and industry standards to keep Plaintiff’s and Class Members’ Private

Information confidential and to protect it from unauthorized access and disclosure.

37. Defendant did not use reasonable security procedures and practices appropriate to

the nature of the sensitive information they were maintaining for Plaintiff and Class Members,

causing the exposure of Private Information, such as encrypting the information or deleting it when

it is no longer needed.

38. The attacker accessed and acquired files containing unencrypted Private

Information of Plaintiff and Class Members. Plaintiff’s and Class Members’ Private Information

was accessed and stolen in the Data Breach.

39. Plaintiff has been informed by Capitol One and Credit Karma that his Private

Information has been disseminated on the dark web, and Plaintiff further believes that the Private

Information of Class Members was subsequently sold on the dark web following the Data Breach,

as that is the modus operandi of cybercriminals that commit cyber-attacks of this type.

Data Breaches Are Preventable

9
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 10 of 62

40. Defendant did not use reasonable security procedures and practices appropriate to

the nature of the sensitive information they were maintaining for Plaintiff and Class Members,

causing the exposure of Private Information, such as encrypting the information or deleting it when

it is no longer needed.

41. Defendant could have prevented this Data Breach by, among other things, properly

encrypting or otherwise protecting their equipment and computer files containing Private

Information.

42. As explained by the Federal Bureau of Investigation, “[p]revention is the most

effective defense against ransomware and it is critical to take precautions for protection.” 5

43. To prevent and detect cyber-attacks and/or ransomware attacks, Defendant could

and should have implemented, as recommended by the United States Government, the following

measures:

• Implement an awareness and training program. Because end users are targets,
employees and individuals should be aware of the threat of ransomware and how it is
delivered.

• Enable strong spam filters to prevent phishing emails from reaching the end users and
authenticate inbound email using technologies like Sender Policy Framework (SPF),
Domain Message Authentication Reporting and Conformance (DMARC), and
DomainKeys Identified Mail (DKIM) to prevent email spoofing.

• Scan all incoming and outgoing emails to detect threats and filter executable files from
reaching end users.

• Configure firewalls to block access to known malicious IP addresses.

• Patch operating systems, software, and firmware on devices. Consider using a

centralized patch management system.

• Set anti-virus and anti-malware programs to conduct regular scans automatically.

• Manage the use of privileged accounts based on the principle of least privilege: no users

5
How to Protect Your Networks from RANSOMWARE, at 3, available at:
https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view

10
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 11 of 62

should be assigned administrative access unless absolutely needed; and those with a
need for administrator accounts should only use them when necessary.

• Configure access controls—including file, directory, and network share permissions—

with least privilege in mind. If a user only needs to read specific files, the user should
not have write access to those files, directories, or shares.

• Disable macro scripts from office files transmitted via email. Consider using Office
Viewer software to open Microsoft Office files transmitted via email instead of full
office suite applications.

• Implement Software Restriction Policies (SRP) or other controls to prevent programs

from executing from common ransomware locations, such as temporary folders
supporting popular Internet browsers or compression/decompression programs,
including the AppData/LocalAppData folder.

• Consider disabling Remote Desktop protocol (RDP) if it is not being used.

• Use application whitelisting, which only allows systems to execute programs known
and permitted by security policy.

• Execute operating system environments or specific programs in a virtualized

environment.

• Categorize data based on organizational value and implement physical and logical
separation of networks and data for different organizational units. 6

44. To prevent and detect cyber-attacks or ransomware attacks, Defendant could and

should have implemented, as recommended by the Microsoft Threat Protection Intelligence Team,

the following measures:

Secure internet-facing assets

- Apply latest security updates

- Use threat and vulnerability management
- Perform regular audit; remove privileged credentials;

Thoroughly investigate and remediate alerts

- Prioritize and treat commodity malware infections as potential full

compromise;

6
Id. at 3-4.

11
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 12 of 62

Include IT Pros in security discussions

- Ensure collaboration among [security operations], [security admins], and

[information technology] admins to configure servers and other endpoints
securely;

Build credential hygiene

- Use [multifactor authentication] or [network level authentication] and use

strong, randomized, just-in-time local admin passwords;

Apply principle of least-privilege

- Monitor for adversarial activities

- Hunt for brute force attempts
- Monitor for cleanup of Event Logs
- Analyze logon events;

Harden infrastructure

- Use Windows Defender Firewall

- Enable tamper protection
- Enable cloud-delivered protection
- Turn on attack surface reduction rules and [Antimalware Scan Interface]
for Office [Visual Basic for Applications]. 7

45. Given that Defendant was storing the Private Information of its current and former

customers, Defendant could and should have implemented all of the above measures to prevent

and detect cyberattacks.

46. The occurrence of the Data Breach indicates that Defendant failed to adequately

implement one or more of the above measures to prevent cyberattacks, resulting in the Data Breach

and data thieves acquiring and accessing the Private Information of more than thirty thousand

individuals, including that of Plaintiff and Class Members.

Defendant Acquires, Collects, And Stores Its Customers’ Private Information

7
See Human-operated ransomware attacks: A preventable disaster (Mar 5, 2020), available at:
https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-
preventable-disaster/

12
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 13 of 62

47. Defendant acquires, collects, and stores a massive amount of Private Information

on its current and former customers.

48. As a condition of obtaining services at Defendant, Defendant requires that

customers and other personnel entrust it with highly sensitive personal information.

49. By obtaining, collecting, and using Plaintiff’s and Class Members’ Private

Information, Defendant assumed legal and equitable duties and knew or should have known that

it was responsible for protecting Plaintiff’s and Class Members’ Private Information from

disclosure.

50. Plaintiff and the Class Members have taken reasonable steps to maintain the

confidentiality of their Private Information and would not have entrusted it to Defendant absent a

promise to safeguard that information.

51. Upon information and belief, in the course of collecting Private Information from

customers, including Plaintiff, Defendant promised to provide confidentiality and adequate

security for their data through its applicable privacy policy and through other disclosures in

compliance with statutory privacy requirements.

52. Plaintiff and the Class Members relied on Defendant to keep their Private

Information confidential and securely maintained, to use this information for business purposes

only, and to make only authorized disclosures of this information.

Defendant Knew, Or Should Have Known, of the Risk Because Financial Services
Companies In Possession Of Private Information Are Particularly Susceptible To
Cyber Attacks

53. Defendant’s data security obligations were particularly important given the

substantial increase in cyber-attacks and/or data breaches targeting financial services companies

that collect and store Private Information, like Defendant, preceding the date of the breach.

13
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 14 of 62

54. Data breaches, including those perpetrated against financial services companies

that store Private Information in their systems, have become widespread.

55. In 2023, an all-time high for data compromises occurred, with 3,205 compromises

affecting 353,027,892 total victims. Of the 3,205 recorded data compromises, 809 of them, or

25.2% were in the medical or healthcare industry. The estimated number of organizations

impacted by data compromises has increased by +2,600 percentage points since 2018, and the

estimated number of victims has increased by +1400 percentage points. The 2023 compromises

represent a 78 percentage point increase over the previous year and a 72 percentage point hike

from the previous all-time high number of compromises (1,860) set in 2021.

56. In light of recent high profile data breaches at other industry leading companies,

including T-Mobile, USA (37 million records, February-March 2023), 23andMe, Inc. (20 million

records, October 2023), Wilton Reassurance Company (1.4 million records, June 2023), NCB

Management Services, Inc. (1 million records, February 2023), Defendant knew or should have

known that the Private Information that they collected and maintained would be targeted by

cybercriminals.

57. Indeed, cyber-attacks, such as the one experienced by Defendant, have become so

notorious that the Federal Bureau of Investigation (“FBI”) and U.S. Secret Service have issued a

warning to potential targets so they are aware of, and prepared for, a potential attack. As one report

explained, smaller entities that store Private Information are “attractive to ransomware

criminals…because they often have lesser IT defenses and a high incentive to regain access to

their data quickly.” 8

8
https://www.law360.com/consumerprotection/articles/1220974/fbi-secret-service-warn-of-
targeted-ransomware?nl_pk=3ed44a08-fcc2-4b6c-89f0-
aa0155a8bb51&utm_source=newsletter&utm_medium=email&utm_campaign=consumerprotect
ion

14
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 15 of 62

58. Additionally, as companies became more dependent on computer systems to run

their business, 9 e.g., working remotely as a result of the Covid-19 pandemic, and the Internet of

Things (“IoT”), the danger posed by cybercriminals is magnified, thereby highlighting the need

for adequate administrative, physical, and technical safeguards. 10

59. Defendant knew and understood unprotected or exposed Private Information in the

custody of insurance companies, like Defendant, is valuable and highly sought after by nefarious

third parties seeking to illegally monetize that Private Information through unauthorized access.

60. At all relevant times, Defendant knew, or reasonably should have known, of the

importance of safeguarding the Private Information of Plaintiff and Class Members and of the

foreseeable consequences that would occur if Defendant’s data security system was breached,

including, specifically, the significant costs that would be imposed on Plaintiff and Class Members

as a result of a breach.

61. Plaintiff and Class Members now face years of constant surveillance of their

financial and personal records, monitoring, and loss of rights. The Class is incurring and will

continue to incur such damages in addition to any fraudulent use of their Private Information.

62. The injuries to Plaintiff and Class Members were directly and proximately caused

by Defendant’s failure to implement or maintain adequate data security measures for the Private

Information of Plaintiff and Class Members.

63. The ramifications of Defendant’s failure to keep secure the Private Information of

Plaintiff and Class Members are long lasting and severe. Once Private Information is stolen––

9
https://www.federalreserve.gov/econres/notes/feds-notes/implications-of-cyber-risk-for-
financial-stability-20220512.html
10
https://www.picussecurity.com/key-threats-and-cyber-risks-facing-financial-services-and-
banking-firms-in-2022

15
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 16 of 62

particularly Social Security numbers and PHI––fraudulent use of that information and damage to

victims may continue for years.

64. In the Notice Letter, Defendant makes an offer of 24 months of identity monitoring

services. This is wholly inadequate to compensate Plaintiff and Class Members as it fails to provide

for the fact victims of data breaches and other unauthorized disclosures commonly face multiple

years of ongoing identity theft, financial fraud, and it entirely fails to provide sufficient

compensation for the unauthorized release and disclosure of Plaintiff’s and Class Members’

Private Information.

65. Defendant's offer of credit and identity monitoring establishes that Plaintiff’s and

Class Members’ sensitive Private Information was in fact affected, accessed, compromised, and

exfiltrated from Defendant's computer systems.

66. As a financial services company in custody of the Private Information of its

customers, Defendant knew, or should have known, the importance of safeguarding Private

Information entrusted to it by Plaintiff and Class Members, and of the foreseeable consequences

if its data security systems were breached. This includes the significant costs imposed on Plaintiff

and Class Members as a result of a breach. Defendant failed, however, to take adequate

cybersecurity measures to prevent the Data Breach.

Value Of Personally Identifying Information

67. The Federal Trade Commission (“FTC”) defines identity theft as “a fraud

committed or attempted using the identifying information of another person without authority.” 11

The FTC describes “identifying information” as “any name or number that may be used, alone or

in conjunction with any other information, to identify a specific person,” including, among other

11
17 C.F.R. § 248.201 (2013).

16
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 17 of 62

things, “[n]ame, Social Security number, date of birth, official State or government issued driver’s

license or identification number, alien registration number, government passport number,

employer or taxpayer identification number.” 12

68. The PII of individuals remains of high value to criminals, as evidenced by the prices

they will pay through the dark web. Numerous sources cite dark web pricing for stolen identity

credentials. 13

69. For example, Personal Information can be sold at a price ranging from $40 to

$200. 14 Criminals can also purchase access to entire company data breaches from $900 to $4,500.15

70. Of course, a stolen Social Security number – standing alone – can be used to wreak

untold havoc upon a victim’s personal and financial life. The popular person privacy and credit

monitoring service LifeLock by Norton notes “Five Malicious Ways a Thief Can Use Your Social

Security Number,” including 1) Financial Identity Theft that includes “false applications for loans,

credit cards or bank accounts in your name or withdraw money from your accounts, and which

can encompass credit card fraud, bank fraud, computer fraud, wire fraud, mail fraud and

employment fraud; 2) Government Identity Theft, including tax refund fraud; 3) Criminal Identity

Theft, which involves using someone’s stolen Social Security number as a “get out of jail free

card;” 4) Medical Identity Theft, and 5) Utility Fraud.

12
Id.
13
Your personal data is for sale on the dark web. Here’s how much it costs, Digital Trends, Oct.
16, 2019, available at: https://www.digitaltrends.com/computing/personal-data-sold-on-the-dark-
web-how-much-it-costs/
14
Here’s How Much Your Personal Information Is Selling for on the Dark Web, Experian, Dec. 6,
2017, available at: https://www.experian.com/blogs/ask-experian/heres-how-much-your-
personal-information-is-selling-for-on-the-dark-web/
15
In the Dark, VPNOverview, 2019, available at: https://vpnoverview.com/privacy/anonymous-
browsing/in-the-dark/

17
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 18 of 62

71. It is little wonder that courts have dubbed a stolen Social Security number as the

“gold standard” for identity theft and fraud. Social Security numbers are among the worst kind of

Private Information to have stolen because they may be put to a variety of fraudulent uses and are

difficult for an individual to change.

72. According to the Social Security Administration, each time an individual’s Social

Security number is compromised, “the potential for a thief to illegitimately gain access to bank

accounts, credit cards, driving records, tax and employment histories and other private information
16
increases.” Moreover, “[b]ecause many organizations still use SSNs as the primary identifier,

exposure to identity theft and fraud remains.” 17

73. The Social Security Administration stresses that the loss of an individual’s Social

Security number, as experienced by Plaintiff and some Class Members, can lead to identity theft

and extensive financial fraud:

A dishonest person who has your Social Security number can use it to get other
personal information about you. Identity thieves can use your number and your
good credit to apply for more credit in your name. Then, they use the credit cards
and don’t pay the bills, it damages your credit. You may not find out that someone
is using your number until you’re turned down for credit, or you begin to get calls
from unknown creditors demanding payment for items you never bought. Someone
illegally using your Social Security number and assuming your identity can cause
a lot of problems. 18

16
See
https://www.ssa.gov/phila/ProtectingSSNs.htm#:~:text=An%20organization's%20collection%20
and%20use,and%20other%20private%20information%20increases.
17
Id.
18
Social Security Administration, Identity Theft and Your Social Security Number, available at:
https://www.ssa.gov/pubs/EN-05-10064.pdf

18
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 19 of 62

74. In fact, “[a] stolen Social Security number is one of the leading causes of identity

theft and can threaten your financial health.” 19 “Someone who has your SSN can use it to

impersonate you, obtain credit and open bank accounts, apply for jobs, steal your tax refunds, get

medical treatment, and steal your government benefits.” 20

75. What’s more, it is no easy task to change or cancel a stolen Social Security number.

An individual cannot obtain a new Social Security number without significant paperwork and

evidence of actual misuse. In other words, preventive action to defend against the possibility of

misuse of a Social Security number is not permitted; an individual must show evidence of actual,

ongoing fraud activity to obtain a new number.

76. Even then, a new Social Security number may not be effective. According to Julie

Ferguson of the Identity Theft Resource Center, “[t]he credit bureaus and banks are able to link

the new number very quickly to the old number, so all of that old bad information is quickly

inherited into the new Social Security number.” 21

77. For these reasons, some courts have referred to Social Security numbers as the

“gold standard” for identity theft. Portier v. NEO Tech. Sols., No. 3:17-CV-30111, 2019 WL

7946103, at *12 (D. Mass. Dec. 31, 2019) (“Because Social Security numbers are the gold standard

for identity theft, their theft is significant . . . . Access to Social Security numbers causes long-

lasting jeopardy because the Social Security Administration does not normally replace Social

Security numbers.”), report and recommendation adopted, No. 3:17-CV-30111, 2020 WL 877035

(D. Mass. Jan. 30, 2020); see also McFarlane v. Altice USA, Inc., 2021 WL 860584, at *4 (citations

19
See https://www.equifax.com/personal/education/identity-theft/articles/-/learn/social-security-
number-identity-theft/
20
See https://www.investopedia.com/terms/s/ssn.asp
21
Bryan Naylor, Victims of Social Security Number Theft Find It’s Hard to Bounce Back, NPR
(Feb. 9, 2015), available at: http://www.npr.org/2015/02/09/384875839/data-stolen-by-anthem-s-
hackers-has-millionsworrying-about-identity-theft

19
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 20 of 62

omitted) (S.D.N.Y. Mar. 8, 2021) (the court noted that Plaintiff’s Social Security numbers are:

arguably “the most dangerous type of personal information in the hands of identity thieves”

because it is immutable and can be used to “impersonat[e] [the victim] to get medical services,

government benefits, ... tax refunds, [and] employment.” . . . Unlike a credit card number, which

can be changed to eliminate the risk of harm following a data breach, “[a] social security number

derives its value in that it is immutable,” and when it is stolen it can “forever be wielded to identify

[the victim] and target his in fraudulent schemes and identity theft attacks.”)

78. Similarly, the California state government warns consumers that: “[o]riginally,

your Social Security number (SSN) was a way for the government to track your earnings and pay

you retirement benefits. But over the years, it has become much more than that. It is the key to a

lot of your personal information. With your name and SSN, an identity thief could open new credit

and bank accounts, rent an apartment, or even get a job.” 22

79. Theft of PHI is also gravely serious: “[a] thief may use your name or health

insurance numbers to see a doctor, get prescription drugs, file claims with your insurance provider,

or get other care. If the thief’s health information is mixed with yours, your treatment, insurance

and payment records, and credit report may be affected.” 23

80. The greater efficiency of electronic health records brings the risk of privacy

breaches. These electronic health records contain a lot of sensitive information (e.g., patient data,

patient diagnosis, lab results, medications, prescriptions, treatment plans, etc.) that is valuable to

cybercriminals. One patient’s complete record can be sold for hundreds of dollars on the dark web.

As such, PHI/PII is a valuable commodity for which a “cyber black market” exists where criminals

22
See https://oag.ca.gov/idtheft/facts/your-ssn
23
Medical I.D. Theft, EFraudPrevention
https://efraudprevention.net/home/education/?a=187#:~:text=A%20thief%20may%20use%20yo
ur,credit%20report%20may%20be%20affected. (last visited Nov. 6, 2023).

20
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 21 of 62

openly post stolen payment card numbers, Social Security numbers, and other personal

information on several underground internet websites. Unsurprisingly, the pharmaceutical industry

is at high risk and is acutely affected by cyberattacks, like the Data Breach here.

81. Between 2005 and 2019, at least 249 million people were affected by healthcare

data breaches. 24 Indeed, during 2019 alone, over 41 million healthcare records were exposed,

stolen, or unlawfully disclosed in 505 data breaches. 25 In short, these sorts of data breaches are

increasingly common, especially among healthcare systems, which account for 30.03 percent of

overall health data breaches, according to cybersecurity firm Tenable. 26

82. According to account monitoring company LogDog, medical data sells for $50 and

up on the Dark Web. 27

83. “Medical identity theft is a growing and dangerous crime that leaves its victims

with little to no recourse for recovery,” reported Pam Dixon, executive director of World Privacy

Forum. “Victims often experience financial repercussions and worse yet, they frequently discover

erroneous information has been added to their personal medical files due to the thief’s activities.” 28

84. A study by Experian found that the average cost of medical identity theft is “about

$20,000” per incident and that most victims of medical identity theft were forced to pay out-of-

24
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7349636/#B5-healthcare-08-00133/ (last
accessed July 24, 2023).
25
https://www.hipaajournal.com/december-2019-healthcare-data-breach-report/ (last accessed
July 24, 2023).
26
https://www.tenable.com/blog/healthcare-security-ransomware-plays-a-prominent-role-
incovid-19-era-breaches/ (last accessed July 24, 2023).
27
Lisa Vaas, Ransomware Attacks Paralyze, and Sometimes Crush, Hospitals, Naked Security
(Oct. 3, 2019), https://nakedsecurity.sophos.com/2019/10/03/ransomware-attacks-paralyze-and-
sometimes-crush-hospitals/#content (last accessed July 20, 2021)
28
Michael Ollove, “The Rise of Medical Identity Theft in Healthcare,” Kaiser Health News, Feb.
7, 2014, https://khn.org/news/rise-of-indentity-theft/ (last accessed July 24, 2023).

21
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 22 of 62

pocket costs for healthcare they did not receive to restore coverage. 29 Almost half of medical

identity theft victims lose their healthcare coverage as a result of the incident, while nearly one-

third of medical identity theft victims saw their insurance premiums rise, and 40 percent were

never able to resolve their identity theft at all. 30

85. Based on the foregoing, the information compromised in the Data Breach is

significantly more valuable than the loss of, for example, credit card information in a retailer data

breach because, there, victims can cancel or close credit and debit card accounts. The information

compromised in this Data Breach is impossible to “close” and difficult, if not impossible, to

change—Social Security numbers, PHI, dates of birth, and names.

86. This data demands a much higher price on the black market. Martin Walter, senior

director at cybersecurity firm RedSeal, explained, “Compared to credit card information,

personally identifiable information and Social Security numbers are worth more than 10x on the

black market.” 31

87. Among other forms of fraud, identity thieves may obtain driver’s licenses,

government benefits, medical services, and housing or even give false information to police.

88. The fraudulent activity resulting from the Data Breach may not come to light for

years. There may be a time lag between when harm occurs versus when it is discovered, and also

29
See Elinor Mills, “Study: Medical Identity Theft is Costly for Victims,” CNET (Mar, 3, 2010),
https://www.cnet.com/news/study-medical-identity-theft-is-costly-for-victims/ (last accessed July
24, 2023).
30
Id.; see also Healthcare Data Breach: What to Know About them and What to Do After One,
EXPERIAN, https://www.experian.com/blogs/ask-experian/healthcare-data-breach-what-
toknow-about-them-and-what-to-do-after-one/ (last accessed July 24, 2023).
31
Tim Greene, Anthem Hack: Personal Data Stolen Sells for 10x Price of Stolen Credit Card
Numbers, IT World, (Feb. 6, 2015), available at:
https://www.networkworld.com/article/2880366/anthem-hack-personal-data-stolen-sells-for-10x-
price-of-stolen-credit-card-numbers.html

22
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 23 of 62

between when Private Information is stolen and when it is used. According to the U.S. Government

Accountability Office (“GAO”), which conducted a study regarding data breaches:

[L]aw enforcement officials told us that in some cases, stolen data may be held for
up to a year or more before being used to commit identity theft. Further, once stolen
data have been sold or posted on the Web, fraudulent use of that information may
continue for years. As a result, studies that attempt to measure the harm resulting
from data breaches cannot necessarily rule out all future harm. 32

89. Plaintiff and Class Members now face years of constant surveillance of their

financial and personal records, monitoring, and loss of rights. The Class is incurring and will

continue to incur such damages in addition to any fraudulent use of their Private Information.

Defendant Fails To Comply With FTC Guidelines

90. The Federal Trade Commission (“FTC”) has promulgated numerous guides for

businesses which highlight the importance of implementing reasonable data security practices.

According to the FTC, the need for data security should be factored into all business decision-

making.

91. In 2016, the FTC updated its publication, Protecting Personal Information: A Guide

for Business, which established cyber-security guidelines for businesses. These guidelines note

that businesses should protect the personal consumer information that they keep; properly dispose

of personal information that is no longer needed; encrypt information stored on computer

networks; understand their network’s vulnerabilities; and implement policies to correct any

security problems. 33

32
Report to Congressional Requesters, GAO, at 29 (June 2007), available at:
https://www.gao.gov/assets/gao-07-737.pdf
33
Protecting Personal Information: A Guide for Business, Federal Trade Commission (2016).
Available at https://www.ftc.gov/system/files/documents/plain-language/pdf-0136_proteting-
personal-information.pdf

23
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 24 of 62

92. The guidelines also recommend that businesses use an intrusion detection system

to expose a breach as soon as it occurs; monitor all incoming traffic for activity indicating someone

is attempting to hack the system; watch for large amounts of data being transmitted from the

system; and have a response plan ready in the event of a breach. 34

93. The FTC further recommends that companies not maintain Private Information

longer than is needed for authorization of a transaction; limit access to sensitive data; require

complex passwords to be used on networks; use industry-tested methods for security; monitor for

suspicious activity on the network; and verify that third-party service providers have implemented

reasonable security measures.

94. The FTC has brought enforcement actions against businesses for failing to

adequately and reasonably protect consumer data, treating the failure to employ reasonable and

appropriate measures to protect against unauthorized access to confidential consumer data as an

unfair act or practice prohibited by Section 5 of the Federal Trade Commission Act (“FTCA”), 15

U.S.C. § 45. Orders resulting from these actions further clarify the measures businesses must take

to meet their data security obligations.

95. These FTC enforcement actions include actions against financial services

companies, like Defendant.

96. Section 5 of the FTC Act, 15 U.S.C. § 45, prohibits “unfair . . . practices in or

affecting commerce,” including, as interpreted and enforced by the FTC, the unfair act or practice

by businesses, such as Defendant, of failing to use reasonable measures to protect Private

Information. The FTC publications and orders described above also form part of the basis of

Defendant's duty in this regard.

34
Id.

24
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 25 of 62

97. Defendant failed to properly implement basic data security practices.

98. Defendant's failure to employ reasonable and appropriate measures to protect

against unauthorized access to the Private Information of its customers or to comply with

applicable industry standards constitutes an unfair act or practice prohibited by Section 5 of the

FTC Act, 15 U.S.C. § 45.

99. Upon information and belief, Defendant was at all times fully aware of its

obligation to protect the Private Information of its customers, Defendant was also aware of the

significant repercussions that would result from its failure to do so. Accordingly, Defendant's

conduct was particularly unreasonable given the nature and amount of Private Information it

obtained and stored and the foreseeable consequences of the immense damages that would result

to Plaintiff and the Class.

Defendant Failed to Comply with the Gramm-Leach-Bliley Act

100. Defendant is a financial institution, as that term is defined by Section 509(3)(A) of

the Gramm-Leach-Bliley Act (“GLBA”), 15 U.S.C. § 6809(3)(A), and thus is subject to the

GLBA.

101. The GLBA defines a financial institution as “any institution the business of which

is engaging in financial activities as described in Section 1843(k) of Title 12 [The Bank Holding

Company Act of 1956].” 15 U.S.C. § 6809(3)(A).

102. Defendant collects nonpublic personal information, as defined by 15 U.S.C. §

6809(4)(A), 16 C.F.R. § 313.3(n) and 12 C.F.R. § 1016.3(p)(1). Accordingly, during the relevant

time period Defendant were subject to the requirements of the GLBA, 15 U.S.C. §§ 6801.1, et

seq., and is subject to numerous rules and regulations promulgated on the GLBA statutes.

25
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 26 of 62

103. The GLBA Privacy Rule became effective on July 1, 2001. See 16 C.F.R. Part 313.

Since the enactment of the Dodd-Frank Act on July 21, 2010, the CFPB became responsible for

implementing the Privacy Rule. In December 2011, the CFPB restated the implementing

regulations in an interim final rule that established the Privacy of Consumer Financial Information,

Regulation P, 12 C.F.R. § 1016 (“Regulation P”), with the final version becoming effective on

October 28, 2014.

104. Accordingly, Defendant's conduct is governed by the Privacy Rule prior to

December 30, 2011 and by Regulation P after that date.

105. Both the Privacy Rule and Regulation P require financial institutions to provide

customers with an initial and annual privacy notice. These privacy notices must be “clear and

conspicuous.” 16 C.F.R. §§ 313.4 and 313.5; 12 C.F.R. §§ 1016.4 and 1016.5. “Clear and

conspicuous means that a notice is reasonably understandable and designed to call attention to the

nature and significance of the information in the notice.” 16 C.F.R. § 313.3(b)(1); 12 C.F.R. §

1016.3(b)(1). These privacy notices must “accurately reflect[] [the financial institution’s] privacy

policies and practices.” 16 C.F.R. § 313.4 and 313.5; 12 C.F.R. §§ 1016.4 and 1016.5. They must

include specified elements, including the categories of nonpublic personal information the

financial institution collects and discloses, the categories of third parties to whom the financial

institution discloses the information, and the financial institution’s security and confidentiality

policies and practices for nonpublic personal information. 16 C.F.R. § 313.6; 12 C.F.R. § 1016.6.

These privacy notices must be provided “so that each consumer can reasonably be expected to

receive actual notice.” 16 C.F.R. § 313.9; 12 C.F.R. § 1016.9. As alleged herein, Defendant

violated the Privacy Rule and Regulation P.

26
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 27 of 62

106. Upon information and belief, Defendant failed to provide annual privacy notices to

customers after the customer relationship ended, despite retaining these customers’ PII and storing

that PII on Defendant's network systems.

107. Defendant failed to adequately inform their customers that they were storing and/or

sharing, or would store and/or share, the customers’ PII on an insecure platform, accessible to

unauthorized parties from the internet, and would do so after the customer relationship ended.

108. The Safeguards Rule, which implements Section 501(b) of the GLBA, 15 U.S.C. §

6801(b), requires financial institutions to protect the security, confidentiality, and integrity of

customer information by developing a comprehensive written information security program that

contains reasonable administrative, technical, and physical safeguards, including: (1) designating

one or more employees to coordinate the information security program; (2) identifying reasonably

foreseeable internal and external risks to the security, confidentiality, and integrity of customer

information, and assessing the sufficiency of any safeguards in place to control those risks; (3)

designing and implementing information safeguards to control the risks identified through risk

assessment, and regularly testing or otherwise monitoring the effectiveness of the safeguards’ key

controls, systems, and procedures; (4) overseeing service providers and requiring them by contract

to protect the security and confidentiality of customer information; and (5) evaluating and

adjusting the information security program in light of the results of testing and monitoring, changes

to the business operation, and other relevant circumstances. 16 C.F.R. §§ 314.3 and 314.4.

109. As alleged herein, Defendant violated the Safeguard Rule.

110. Defendant failed to assess reasonably foreseeable risks to the security,

confidentiality, and integrity of customer information and failed to monitor the systems of its IT

partners or verify the integrity of those systems.

27
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 28 of 62

111. Defendant violated the GLBA and its own policies and procedures by sharing the

PII of Plaintiff and Class Members with a non-affiliated third party without providing Plaintiff and

Class Members (a) an opt-out notice and (b) a reasonable opportunity to opt out of such disclosure.

Defendant Fails To Comply With Industry Standards

112. As noted above, experts studying cyber security routinely identify financial

services companies in possession of Private Information as being particularly vulnerable to

cyberattacks because of the value of the Private Information which they collect and maintain.

113. Several best practices have been identified that, at a minimum, should be

implemented by financial services companies in possession of Private Information, like Defendant,

including but not limited to: educating all employees; strong passwords; multi-layer security,

including firewalls, anti-virus, and anti-malware software; encryption, making data unreadable

without a key; multi-factor authentication; backup data and limiting which employees can access

sensitive data. Defendant failed to follow these industry best practices, including a failure to

implement multi-factor authentication.

114. Other best cybersecurity practices that are standard for financial services companies

include installing appropriate malware detection software; monitoring and limiting the network

ports; protecting web browsers and email management systems; setting up network systems such

as firewalls, switches and routers; monitoring and protection of physical security systems;

protection against any possible communication system; training staff regarding critical points.

Defendant failed to follow these cybersecurity best practices, including failure to train staff.

115. Upon information and belief Defendant failed to meet the minimum standards of

one or more of the following frameworks: the NIST Cybersecurity Framework Version 2.0

(including without limitation PR.AA-01, PR.AA.-02, PR.AA-03, PR.AA-04, PR.AA-05, PR.AT-

28
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 29 of 62

01, PR.DS-01, PR-DS-02, PR.DS-10, PR.PS-01, PR.PS-02, PR.PS-05, PR.IR-01, DE.CM-01,

DE.CM-03, DE.CM-06, DE.CM-09, and RS.CO-04), and the Center for Internet Security’s

Critical Security Controls (CIS CSC), which are all established standards in reasonable

cybersecurity readiness.

116. These foregoing frameworks are existing and applicable industry standards for

financial services companies, and upon information and belief, Defendant failed to comply with

at least one––or all––of these accepted standards, thereby opening the door to the threat actor and

causing the Data Breach.

Common Injuries & Damages

117. As a result of Defendant's ineffective and inadequate data security practices, the

Data Breach, and the foreseeable consequences of Private Information ending up in the possession

of criminals, the risk of identity theft to the Plaintiff and Class Members has materialized and is

imminent, and Plaintiff and Class Members have all sustained actual injuries and damages,

including: (i) invasion of privacy; (ii) theft of their Private Information; (iii) lost or diminished

value of Private Information; (iv) uncompensated lost time and opportunity costs associated with

attempting to mitigate the actual consequences of the Data Breach; (v) loss of benefit of the

bargain; (vi) lost opportunity costs associated with attempting to mitigate the actual consequences

of the Data Breach; (vii) nominal damages; and (viii) the continued and certainly increased risk to

their Private Information, which: (a) remains unencrypted and available for unauthorized third

parties to access and abuse; and (b) remains backed up in Defendant’s possession and is subject to

further unauthorized disclosures so long as Defendant fails to undertake appropriate and adequate

measures to protect the Private Information.

Data Breaches Increase Victims' Risk Of Identity Theft

29
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 30 of 62

118. The unencrypted Private Information of Class Members will end up for sale on the

dark web as that is the modus operandi of hackers.

119. Unencrypted Private Information may also fall into the hands of companies that

will use the detailed Private Information for targeted marketing without the approval of Plaintiff

and Class Members. Simply put, unauthorized individuals can easily access the Private

Information of Plaintiff and Class Members.

120. The link between a data breach and the risk of identity theft is simple and well

established. Criminals acquire and steal Private Information to monetize the information.

Criminals monetize the data by selling the stolen information on the black market to other

criminals who then utilize the information to commit a variety of identity theft related crimes

discussed below.

121. Plaintiff’s and Class Members’ Private Information is of great value to hackers and

cyber criminals, and the data stolen in the Data Breach has been used and will continue to be used

in a variety of sordid ways for criminals to exploit Plaintiff and Class Members and to profit off

their misfortune.

122. Due to the risk of one’s Social Security number being exposed, state legislatures

have passed laws in recognition of the risk: “[t]he social security number can be used as a tool to

perpetuate fraud against a person and to acquire sensitive personal, financial, medical, and familial

information, the release of which could cause great financial or personal harm to an individual.

While the social security number was intended to be used solely for the administration of the

federal Social Security System, over time this unique numeric identifier has been used extensively

for identity verification purposes[.]” 35

35
See N.C. Gen. Stat. § 132-1.10(1).

30
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 31 of 62

123. Moreover, “SSNs have been central to the American identity infrastructure for

years, being used as a key identifier[.] . . . U.S. banking processes have also had SSNs baked into

their identification process for years. In fact, SSNs have been the gold standard for identifying and

verifying the credit history of prospective customers.” 36

124. “Despite the risk of fraud associated with the theft of Social Security numbers, just

five of the nation’s largest 25 banks have stopped using the numbers to verify a customer’s identity

after the initial account setup[.]” 37 Accordingly, since Social Security numbers are frequently used

to verify an individual’s identity after logging onto an account or attempting a transaction,

“[h]aving access to your Social Security number may be enough to help a thief steal money from

your bank account” 38

125. One such example of criminals piecing together bits and pieces of compromised

Private Information for profit is the development of “Fullz” packages. 39

36
See https://www.americanbanker.com/opinion/banks-need-to-stop-relying-on-social-security-
numbers
37
See https://archive.nytimes.com/bucks.blogs.nytimes.com/2013/03/20/just-5-banks-prohibit-
use-of-social-security-numbers/
38
See https://www.credit.com/blog/5-things-an-identity-thief-can-do-with-your-social-security-
number-108597/
39
“Fullz” is fraudster speak for data that includes the information of the victim, including, but not
limited to, the name, address, credit card information, social security number, date of birth, and
more. As a rule of thumb, the more information you have on a victim, the more money that can be
made off of those credentials. Fullz are usually pricier than standard credit card credentials,
commanding up to $100 per record (or more) on the dark web. Fullz can be cashed out (turning
credentials into money) in various ways, including performing bank transactions over the phone
with the required authentication details in-hand. Even “dead Fullz,” which are Fullz credentials
associated with credit cards that are no longer valid, can still be used for numerous purposes,
including tax refund scams, ordering credit cards on behalf of the victim, or opening a “mule
account” (an account that will accept a fraudulent money transfer from a compromised account)
without the victim’s knowledge. See, e.g., Brian Krebs, Medical Records for Sale in Underground
Stolen From Texas Life Insurance Firm, Krebs on Security (Sep. 18, 2014),
https://krebsonsecuritv.eom/2014/09/medical-records-for-sale-in-underground-stolen-from-texas-
life-insurance-](https://krebsonsecuritv.eom/2014/09/medical-records-for-sale-in-underground-
stolen-from-texas-life-insurance-finn/

31
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 32 of 62

126. With “Fullz” packages, cyber-criminals can cross-reference two sources of Private

Information to marry unregulated data available elsewhere to criminally stolen data with an

astonishingly complete scope and degree of accuracy in order to assemble complete dossiers on

individuals.

127. The development of “Fullz” packages means here that the stolen Private

Information from the Data Breach can easily be used to link and identify it to Plaintiff’s and Class

Members’ phone numbers, email addresses, and other unregulated sources and identifiers. In other

words, even if certain information such as emails, phone numbers, or credit card numbers may not

be included in the Private Information that was exfiltrated in the Data Breach, criminals may still

easily create a Fullz package and sell it at a higher price to unscrupulous operators and criminals

(such as illegal and scam telemarketers) over and over.

128. The existence and prevalence of “Fullz” packages means that the Private

Information stolen from the data breach can easily be linked to the unregulated data (like contact

information) of Plaintiff and the other Class Members.

129. Thus, even if certain information (such as contact information) was not stolen in

the data breach, criminals can still easily create a comprehensive “Fullz” package.

130. Then, this comprehensive dossier can be sold—and then resold in perpetuity—to

crooked operators and other criminals (like illegal and scam telemarketers).

Loss Of Time To Mitigate Risk Of Identity Theft & Fraud

131. As a result of the recognized risk of identity theft, when a Data Breach occurs, and

an individual is notified by a company that their Private Information was compromised, as in this

Data Breach, the reasonable person is expected to take steps and spend time to address the

dangerous situation, learn about the breach, and otherwise mitigate the risk of becoming a victim

32
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 33 of 62

of identity theft of fraud. Failure to spend time taking steps to review accounts or credit reports

could expose the individual to greater financial harm – yet, the resource and asset of time has been

lost.

132. Thus, due to the actual and imminent risk of identity theft, Defendant, in its Notice

Letter instructs Plaintiff and Class Members to take the following measures to protect themselves:

“remain vigilant, including over the next 12-24 months, for signs of fraud or identity theft, and

consider taking one or more of the below steps to protect your personal information.” 40

133. In addition, Defendant’s Notice letter includes a full two pages devoted to “Steps

To Take To Protect Your Personal Information” that recommend Plaintiff and Class Members to

partake in activities such as placing security freezes on their accounts, placing fraud alerts on their

accounts, and contacting consumer reporting bureaus. 41

134. Defendant’s extensive suggestion of steps that Plaintiff and Class Members must

take in order to protect themselves from identity theft and/or fraud demonstrates the significant

time that Plaintiff and Class Members must undertake in response to the Data Breach. Plaintiff’s

and Class Members’ time is highly valuable and irreplaceable, and accordingly, Plaintiff and Class

Members suffered actual injury and damages in the form of lost time that they spent on mitigation

activities in response to the Data Breach and at the direction of Defendant’s Notice Letter.

135. Plaintiff and Class Members have spent, and will spend additional time in the

future, on a variety of prudent actions, such as researching and verifying the legitimacy of the Data

Breach, disputing fraudulent charges on their accounts, replacing impacted cards, and monitoring

their financial accounts for unusual activity. Accordingly, the Data Breach has caused Plaintiff and

40
Notice Letter.
41
Id.

33
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 34 of 62

Class Members to suffer actual injury in the form of lost time—which cannot be recaptured—

spent on mitigation activities.

136. Plaintiff’s mitigation efforts are consistent with the U.S. Government

Accountability Office that released a report in 2007 regarding data breaches (“GAO Report”) in

which it noted that victims of identity theft will face “substantial costs and time to repair the

damage to their good name and credit record.” 42

137. Plaintiff’s mitigation efforts are also consistent with the steps that FTC

recommends that data breach victims take several steps to protect their personal and financial

information after a data breach, including: contacting one of the credit bureaus to place a fraud

alert (consider an extended fraud alert that lasts for seven years if someone steals their identity),

reviewing their credit reports, contacting companies to remove fraudulent charges from their

accounts, placing a credit freeze on their credit, and correcting their credit reports. 43

138. And for those Class Members who experience actual identity theft and fraud, the

United States Government Accountability Office released a report in 2007 regarding data breaches

(“GAO Report”) in which it noted that victims of identity theft will face “substantial costs and

time to repair the damage to their good name and credit record.”[4]

Diminution of Value of Private Information

139. Private Information is a valuable property right. 44 Its value is axiomatic,

considering the value of Big Data in corporate America and the consequences of cyber thefts

42
See United States Government Accountability Office, GAO-07-737, Personal Information: Data
Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full
Extent Is Unknown (June 2007), https://www.gao.gov/new.items/d07737.pdf.
43
See Federal Trade Commission, Identity Theft.gov, https://www.identitytheft.gov/Steps
44
See “Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited;
However, the Full Extent Is Unknown,” p. 2, U.S. Government Accountability Office, June 2007,
https://www.gao.gov/new.items/d07737.pdf (“GAO Report”).

34
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 35 of 62

include heavy prison sentences. Even this obvious risk to reward analysis illustrates beyond doubt

that Private Information has considerable market value.

140. Sensitive Private Information can sell for as much as $363 per record according to

the Infosec Institute. 45

141. An active and robust legitimate marketplace for Private Information also exists. In

2019, the data brokering industry was worth roughly $200 billion.46

142. In fact, the data marketplace is so sophisticated that consumers can actually sell

their non-public information directly to a data broker who in turn aggregates the information and

provides it to marketers or app developers. 47,48

143. Consumers who agree to provide their web browsing history to the Nielsen

Corporation can receive up to $50.00 a year. 49

144. As a result of the Data Breach, Plaintiff’s and Class Members’ Private Information,

which has an inherent market value in both legitimate and dark markets, has been damaged and

diminished by its compromise and unauthorized release. However, this transfer of value occurred

without any consideration paid to Plaintiff or Class Members for their property, resulting in an

economic loss. Moreover, the Private Information is now readily available, and the rarity of the

Data has been lost, thereby causing additional loss of value.

45
See, e.g., John T. Soma, et al, Corporate Privacy Trend: The “Value” of Personally Identifiable
Information (“Private Information”) Equals the “Value" of Financial Assets, 15 Rich. J.L. & Tech.
11, at *3-4 (2009) (“Private Information, which companies obtain at little cost, has quantifiable
value that is rapidly reaching a level comparable to the value of traditional financial assets.”)
(citations omitted).
46
See Ashiq Ja, Hackers Selling Healthcare Data in the Black Market, InfoSec (July 27, 2015),
https://resources.infosecinstitute.com/topic/hackers-selling-healthcare-data-in-the-black-market/
47
https://www.latimes.com/business/story/2019-11-05/column-data-brokers
48
https://datacoup.com/
49
https://digi.me/what-is-digime/

35
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 36 of 62

145. At all relevant times, Defendant knew, or reasonably should have known, of the

importance of safeguarding the Private Information of Plaintiff and Class Members, and of the

foreseeable consequences that would occur if Defendant's data security system was breached,

including, specifically, the significant costs that would be imposed on Plaintiff and Class Members

as a result of a breach.

146. The fraudulent activity resulting from the Data Breach may not come to light for

years.

147. Plaintiff and Class Members now face years of constant surveillance of their

financial and personal records, monitoring, and loss of rights. The Class is incurring and will

continue to incur such damages in addition to any fraudulent use of their Private Information.

148. Defendant was, or should have been, fully aware of the unique type and the

significant volume of data on Defendant's network, amounting to more than thirty thousand

individuals’ detailed personal information and, thus, the significant number of individuals who

would be harmed by the exposure of the unencrypted data.

149. The injuries to Plaintiff and Class Members were directly and proximately caused

by Defendant's failure to implement or maintain adequate data security measures for the Private

Information of Plaintiff and Class Members.

Future Cost of Credit and Identity Theft Monitoring is Reasonable and Necessary

150. Given the type of targeted attack in this case, sophisticated criminal activity, the

type of Private Information involved, and Plaintiff’s Private Information already being

disseminated on the dark web, there is a strong probability that entire batches of stolen information

have been placed, or will be placed, on the black market/dark web for sale and purchase by

criminals intending to utilize the Private Information for identity theft crimes –e.g., opening bank

36
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 37 of 62

accounts in the victims’ names to make purchases or to launder money; file false tax returns; take

out loans or lines of credit; or file false unemployment claims.

151. Such fraud may go undetected until debt collection calls commence months, or even

years, later. An individual may not know that his or her Private Information was used to file for

unemployment benefits until law enforcement notifies the individual’s employer of the suspected

fraud. Fraudulent tax returns are typically discovered only when an individual’s authentic tax

return is rejected.

152. Consequently, Plaintiff and Class Members are at an increased risk of fraud and

identity theft for many years into the future.

153. The retail cost of credit monitoring and identity theft monitoring can cost around

$200 a year per Class Member. This is reasonable and necessary cost to monitor to protect Class

Members from the risk of identity theft that arose from Defendant's Data Breach.

Loss Of Benefit Of The Bargain

154. Furthermore, Defendant’s poor data security practices deprived Plaintiff and Class

Members of the benefit of their bargain. When agreeing to pay Defendant and/or its agents for

financial services, Plaintiff and other reasonable consumers understood and expected that they

were, in part, paying for the product and/or service and necessary data security to protect the

Private Information, when in fact, Defendant did not provide the expected data security.

Accordingly, Plaintiff and Class Members received services that were of a lesser value than what

they reasonably expected to receive under the bargains they struck with Defendant.

Plaintiff Maurice Fitzpatrick’s Experience

155. Plaintiff Maurice Fitzpatrick is a customer of Defendant’s.

37
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 38 of 62

156. As a condition of obtaining financial services at Defendant, he was required to

provide his Private Information to Defendant, including his name, date of birth, contact

information, Social Security number, and other sensitive information.

157. Upon information and belief, at the time of the Data Breach, Defendant maintained

Plaintiff’s Private Information in its system.

158. Plaintiff Fitzpatrick is very careful about sharing his sensitive Private Information.

Plaintiff stores any documents containing his Private Information in a safe and secure location. he

has never knowingly transmitted unencrypted sensitive Private Information over the internet or

any other unsecured source. Plaintiff would not have entrusted his Private Information to

Defendant had he known of Defendant’s lax data security policies.

159. Plaintiff Maurice Fitzpatrick received the Notice Letter, by U.S. mail, directly from

Defendant, dated August 27, 2024. According to the Notice Letter, Plaintiff’s Private Information

was improperly accessed and obtained by unauthorized third parties, including his name, address,

email address, date of birth, driver’s license number, passport number, vehicle identification

number, loan number, property and causality insurance policy information, health information,

and Social Security number.

160. As a result of the Data Breach, and at the direction of Defendant’s Notice Letter,

which instructs Plaintiff to “remain vigilant, including over the next 12-24 months, for signs of

fraud or identity theft, and consider taking one or more of the below steps to protect your personal

information[,]” 50 Plaintiff made reasonable efforts to mitigate the impact of the Data Breach,

including researching and verifying the legitimacy of the Data Breach, disputing fraudulent

charges on his accounts, replacing impacted cards, and monitoring his financial accounts for

50
Notice Letter.

38
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 39 of 62

unusual activity. Plaintiff has spent significant time dealing with the Data Breach₋₋valuable time

Plaintiff otherwise would have spent on other activities, including but not limited to work and/or

recreation. This time has been lost forever and cannot be recaptured.

161. Plaintiff suffered actual injury from having his Private Information compromised

as a result of the Data Breach including, but not limited to: (i) invasion of privacy; (ii) theft of his

Private Information; (iii) lost or diminished value of Private Information; (iv) uncompensated lost

time and opportunity costs associated with attempting to mitigate the actual consequences of the

Data Breach; (v) loss of benefit of the bargain; (vi) lost opportunity costs associated with

attempting to mitigate the actual consequences of the Data Breach; (vii) nominal damages; and

(viii) the continued and certainly increased risk to his Private Information, which: (a) remains

unencrypted and available for unauthorized third parties to access and abuse; and (b) remains

backed up in Defendant’s possession and is subject to further unauthorized disclosures so long as

Defendant fails to undertake appropriate and adequate measures to protect the Private Information.

162. Plaintiff additionally suffered actual injury in the form of experiencing a fraudulent

charge, for approximately $950. to his American Express card, in or about August 2024, which,

upon information and belief, was caused by the Data Breach.

163. Plaintiff also suffered actual injury in the form of his Private Information being

disseminated on the dark web, according to Credit Karma and Capitol One, which, upon

information and belief, was caused by the Data Breach.

164. Plaintiff additionally suffered actual injury in the form of experiencing an increase

in spam calls, texts, and/or emails, which, upon information and belief, was caused by the Data

Breach. This misuse of his Private Information was caused, upon information and belief, by the

fact that cybercriminals are able to easily use the information compromised in the Data Breach to

39
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 40 of 62

find more information about an individual, such as their phone number or email address, from

publicly available sources, including websites that aggregate and associate personal information

with the owner of such information. Criminals often target data breach victims with spam emails,

calls, and texts to gain access to their devices with phishing attacks or elicit further personal

information for use in committing identity theft or fraud.

165. The Data Breach has caused Plaintiff to suffer fear, anxiety, and stress, which has

been compounded by the fact that Defendant has still not fully informed him of key details about

the Data Breach’s occurrence.

166. As a result of the Data Breach, Plaintiff anticipates spending considerable time and

money on an ongoing basis to try to mitigate and address harms caused by the Data Breach.

167. As a result of the Data Breach, Plaintiff is at a present risk and will continue to be

at increased risk of identity theft and fraud for years to come.

168. Plaintiff Maurice Fitzpatrick has a continuing interest in ensuring that his Private

Information, which, upon information and belief, remains backed up in Defendant’s possession, is

protected and safeguarded from future breaches.

CLASS ALLEGATIONS

169. Plaintiff brings this nationwide class action on behalf of himself and on behalf of

all others similarly situated, pursuant to Fed. R. Civ. P. 23(a), 23(b)(1), 23(b)(2), 23(b)(3), 23(c)(4)

and/or 23(c)(5).

170. The Class that Plaintiff seeks to represent is defined as follows:

Nationwide Class
All individuals residing in the United States whose Private Information was
accessed and/or acquired by an unauthorized party as a result of the data breach
reported by Defendant in August 2024 (the “Class”).

40
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 41 of 62

171. Excluded from the Class are the following individuals and/or entities: Defendant

and Defendant's parents, subsidiaries, affiliates, officers and directors, and any entity in which

Defendant have a controlling interest; all individuals who make a timely election to be excluded

from this proceeding using the correct protocol for opting out; and all judges assigned to hear any

aspect of this litigation, as well as their immediate family members.

172. Plaintiff reserves the right to amend the definitions of the Class or add a Class or

Subclass if further information and discovery indicate that the definitions of the Class should be

narrowed, expanded, or otherwise modified.

173. Numerosity: The members of the Class are so numerous that joinder of all members

is impracticable, if not completely impossible. According to the breach report submitted to the

Office of the Maine Attorney General, at least 32,000 Class Members were impacted in the Data

Breach. 51 The Class is apparently identifiable within Defendant's records, and Defendant has

already identified these individuals (as evidenced by sending them breach notification letters).

174. Common questions of law and fact exist as to all members of the Class and

predominate over any questions affecting solely individual members of the Class. Among the

questions of law and fact common to the Class that predominate over questions which may affect

individual Class members, including the following:

a. Whether and to what extent Defendant had a duty to protect the Private Information

of Plaintiff and Class Members;

b. Whether Defendant had respective duties not to disclose the Private Information of

Plaintiff and Class Members to unauthorized third parties;

51
See https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-
a1252b4f8318/225913a2-7f23-4a54-9ce8-40dbfce9f0be.html

41
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 42 of 62

c. Whether Defendant had respective duties not to use the Private Information of

Plaintiff and Class Members for non-business purposes;

d. Whether Defendant failed to adequately safeguard the Private Information of

Plaintiff and Class Members;

e. Whether and when Defendant actually learned of the Data Breach;

f. Whether Defendant adequately, promptly, and accurately informed Plaintiff and

Class Members that their Private Information had been compromised;

g. Whether Defendant violated the law by failing to promptly notify Plaintiff and

Class Members that their Private Information had been compromised;

h. Whether Defendant failed to implement and maintain reasonable security

procedures and practices appropriate to the nature and scope of the information

compromised in the Data Breach;

i. Whether Defendant adequately addressed and fixed the vulnerabilities which

permitted the Data Breach to occur;

j. Whether Plaintiff and Class Members are entitled to actual damages and/or nominal

damages as a result of Defendant's wrongful conduct;

k. Whether Plaintiff and Class Members are entitled to injunctive relief to redress the

imminent and currently ongoing harm faced as a result of the Data Breach.

175. Typicality: Plaintiff’s claims are typical of those of the other members of the Class

because Plaintiff, like every other Class Member, was exposed to virtually identical conduct and

now suffers from the same violations of the law as each other member of the Class.

176. Policies Generally Applicable to the Class: This class action is also appropriate for

certification because Defendant acted or refused to act on grounds generally applicable to the

42
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 43 of 62

Class, thereby requiring the Court’s imposition of uniform relief to ensure compatible standards

of conduct toward the Class Members and making final injunctive relief appropriate with respect

to the Class as a whole. Defendant's policies challenged herein apply to and affect Class Members

uniformly and Plaintiff’s challenges of these policies hinges on Defendant's conduct with respect

to the Class as a whole, not on facts or law applicable only to Plaintiff.

177. Adequacy: Plaintiff will fairly and adequately represent and protect the interests of

the Class Members in that he has no disabling conflicts of interest that would be antagonistic to

those of the other Class Members. Plaintiff seeks no relief that is antagonistic or adverse to the

Class Members and the infringement of the rights and the damages he has suffered are typical of

other Class Members. Plaintiff has retained counsel experienced in complex class action and data

breach litigation, and Plaintiff intend to prosecute this action vigorously.

178. Superiority and Manageability: The class litigation is an appropriate method for fair

and efficient adjudication of the claims involved. Class action treatment is superior to all other

available methods for the fair and efficient adjudication of the controversy alleged herein; it will

permit a large number of Class Members to prosecute their common claims in a single forum

simultaneously, efficiently, and without the unnecessary duplication of evidence, effort, and

expense that hundreds of individual actions would require. Class action treatment will permit the

adjudication of relatively modest claims by certain Class Members, who could not individually

afford to litigate a complex claim against large corporations, like Defendant. Further, even for

those Class Members who could afford to litigate such a claim, it would still be economically

impractical and impose a burden on the courts.

179. The nature of this action and the nature of laws available to Plaintiff and Class

Members make the use of the class action device a particularly efficient and appropriate procedure

43
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 44 of 62

to afford relief to Plaintiff and Class Members for the wrongs alleged because Defendant would

necessarily gain an unconscionable advantage since they would be able to exploit and overwhelm

the limited resources of each individual Class Member with superior financial and legal resources;

the costs of individual suits could unreasonably consume the amounts that would be recovered;

proof of a common course of conduct to which Plaintiff was exposed is representative of that

experienced by the Class and will establish the right of each Class Member to recover on the cause

of action alleged; and individual actions would create a risk of inconsistent results and would be

unnecessary and duplicative of this litigation.

180. The litigation of the claims brought herein is manageable. Defendant's uniform

conduct, the consistent provisions of the relevant laws, and the ascertainable identities of Class

Members demonstrates that there would be no significant manageability problems with

prosecuting this lawsuit as a class action.

181. Adequate notice can be given to Class Members directly using information

maintained in Defendant's records.

182. Unless a Class-wide injunction is issued, Defendant may continue in its failure to

properly secure the Private Information of Class Members, Defendant may continue to refuse to

provide proper notification to Class Members regarding the Data Breach, and Defendant may

continue to act unlawfully as set forth in this Complaint.

183. Further, Defendant has acted on grounds that apply generally to the Class as a

whole, so that class certification, injunctive relief, and corresponding declaratory relief are

appropriate on a class- wide basis.

44
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 45 of 62

184. Likewise, particular issues are appropriate for certification because such claims

present only particular, common issues, the resolution of which would advance the disposition of

this matter and the parties’ interests therein. Such particular issues include, but are not limited to:

a. Whether Defendant failed to timely notify the Plaintiff and the class of the Data

Breach;

b. Whether Defendant owed a legal duty to Plaintiff and the Class to exercise due care

in collecting, storing, and safeguarding their Private Information;

c. Whether Defendant's security measures to protect their data systems were

reasonable in light of best practices recommended by data security experts;

d. Whether Defendant's failure to institute adequate protective security measures

amounted to negligence;

e. Whether Defendant failed to take commercially reasonable steps to safeguard

consumer Private Information; and Whether adherence to FTC data security

recommendations, and measures recommended by data security experts would have

reasonably prevented the Data Breach.

CAUSES OF ACTION

COUNT I
Negligence
(On Behalf of Plaintiff and the Class)

185. Plaintiff re-alleges and incorporates by reference all preceding allegations, as if

fully set forth herein.

186. Defendant requires its customers, including Plaintiff and Class Members, to submit

non-public Private Information in the ordinary course of providing its financial services.

45
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 46 of 62

187. Defendant gathered and stored the Private Information of Plaintiff and Class

Members as part of its business of soliciting its services to its customers, which solicitations and

services affect commerce.

188. Plaintiff and Class Members entrusted Defendant with their Private Information

with the understanding that Defendant would safeguard their information.

189. Defendant had full knowledge of the sensitivity of the Private Information and the

types of harm that Plaintiff and Class Members could and would suffer if the Private Information

were wrongfully disclosed.

190. By voluntarily undertaking and assuming the responsibility to collect and store this

data, and in fact doing so, and sharing it and using it for commercial gain, Defendant had a duty

of care to use reasonable means to secure and safeguard their computer property—and Class

Members’ Private Information held within it—to prevent disclosure of the information, and to

safeguard the information from theft. Defendant’s duty included a responsibility to implement

processes by which they could detect a breach of its security systems in a reasonably expeditious

period of time and to give prompt notice to those affected in the case of a data breach.

191. Defendant had a duty to employ reasonable security measures under Section 5 of

the Federal Trade Commission Act, 15 U.S.C. § 45, which prohibits “unfair . . . practices in or

affecting commerce,” including, as interpreted and enforced by the FTC, the unfair practice of

failing to use reasonable measures to protect confidential data.

192. Defendant's duty to use reasonable security measures also arose under the GLBA,

under which they were required to protect the security, confidentiality, and integrity of customer

information by developing a comprehensive written information security program that contains

reasonable administrative, technical, and physical safeguards.

46
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 47 of 62

193. Defendant owed a duty of care to Plaintiff and Class Members to provide data

security consistent with industry standards and other requirements discussed herein, and to ensure

that its systems and networks adequately protected the Private Information.

194. Defendant's duty of care to use reasonable security measures arose as a result of the

special relationship that existed between Defendant and Plaintiff and Class Members. That special

relationship arose because Plaintiff and the Class entrusted Defendant with their confidential

Private Information, a necessary part of being customers at Defendant.

195. Defendant’s duty to use reasonable care in protecting confidential data arose not

only as a result of the statutes and regulations described above, but also because Defendant is

bound by industry standards to protect confidential Private Information.

196. Defendant was subject to an “independent duty,” untethered to any contract

between Defendant and Plaintiff or the Class.

197. Defendant also had a duty to exercise appropriate clearinghouse practices to remove

former customers’ Private Information it was no longer required to retain pursuant to regulations.

198. Moreover, Defendant had a duty to promptly and adequately notify Plaintiff and

the Class of the Data Breach.

199. Defendant had and continues to have a duty to adequately disclose that the Private

Information of Plaintiff and the Class within Defendant’s possession might have been

compromised, how it was compromised, and precisely the types of data that were compromised

and when. Such notice was necessary to allow Plaintiff and the Class to take steps to prevent,

mitigate, and repair any identity theft and the fraudulent use of their Private Information by third

parties.

47
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 48 of 62

200. Defendant breached its duties, pursuant to the FTC Act and other applicable

standards, and thus was negligent, by failing to use reasonable measures to protect Class Members’

Private Information. The specific negligent acts and omissions committed by Defendant include,

but are not limited to, the following:

a. Failing to adopt, implement, and maintain adequate security measures to safeguard

Class Members’ Private Information;

b. Failing to adequately monitor the security of their networks and systems;

c. Allowing unauthorized access to Class Members’ Private Information;

d. Failing to detect in a timely manner that Class Members’ Private Information had

been compromised;

e. Failing to remove former customers’ Private Information it was no longer required

to retain pursuant to regulations, and

f. Failing to timely and adequately notify Class Members about the Data Breach’s

occurrence and scope, so that they could take appropriate steps to mitigate the

potential for identity theft and other damages.

201. Defendant violated Section 5 of the FTC Act and GLBA by failing to use

reasonable measures to protect Private Information and not complying with applicable industry

standards, as described in detail herein. Defendant’s conduct was particularly unreasonable given

the nature and amount of Private Information it obtained and stored and the foreseeable

consequences of the immense damages that would result to Plaintiff and the Class.

202. Plaintiff and Class Members were within the class of persons the Federal Trade

Commission Act and GLBA were intended to protect and the type of harm that resulted from the

Data Breach was the type of harm that the statutes were intended to guard against.

48
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 49 of 62

203. Defendant’s violation of Section 5 of the FTC Act and GLBA constitutes

negligence.

204. The FTC has pursued enforcement actions against businesses, which, as a result of

their failure to employ reasonable data security measures and avoid unfair and deceptive practices,

caused the same harm as that suffered by Plaintiff and the Class.

205. A breach of security, unauthorized access, and resulting injury to Plaintiff and the

Class was reasonably foreseeable, particularly in light of Defendant’s inadequate security

practices.

206. It was foreseeable that Defendant’s failure to use reasonable measures to protect

Class Members’ Private Information would result in injury to Class Members. Further, the breach

of security was reasonably foreseeable given the known high frequency of cyberattacks and data

breaches in the financial services industry.

207. Defendant has full knowledge of the sensitivity of the Private Information and the

types of harm that Plaintiff and the Class could and would suffer if the Private Information were

wrongfully disclosed.

208. Plaintiff and the Class were the foreseeable and probable victims of any inadequate

security practices and procedures. Defendant knew or should have known of the inherent risks in

collecting and storing the Private Information of Plaintiff and the Class, the critical importance of

providing adequate security of that Private Information, and the necessity for encrypting Private

Information stored on Defendant’s systems or transmitted through third party systems.

209. It was therefore foreseeable that the failure to adequately safeguard Class Members’

Private Information would result in one or more types of injuries to Class Members.

49
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 50 of 62

210. Plaintiff and the Class had no ability to protect their Private Information that was

in, and possibly remains in, Defendant’s possession.

211. Defendant was in a position to protect against the harm suffered by Plaintiff and

the Class as a result of the Data Breach.

212. Defendant’s duty extended to protecting Plaintiff and the Class from the risk of

foreseeable criminal conduct of third parties, which has been recognized in situations where the

actor’s own conduct or misconduct exposes another to the risk or defeats protections put in place

to guard against the risk, or where the parties are in a special relationship. See Restatement

(Second) of Torts § 302B. Numerous courts and legislatures have also recognized the existence of

a specific duty to reasonably safeguard personal information.

213. Defendant has admitted that the Private Information of Plaintiff and the Class was

wrongfully lost and disclosed to unauthorized third persons as a result of the Data Breach.

214. But for Defendant’s wrongful and negligent breach of duties owed to Plaintiff and

the Class, the Private Information of Plaintiff and the Class would not have been compromised.

215. There is a close causal connection between Defendant’s failure to implement

security measures to protect the Private Information of Plaintiff and the Class and the harm, or risk

of imminent harm, suffered by Plaintiff and the Class. The Private Information of Plaintiff and the

Class was lost and accessed as the proximate result of Defendant’s failure to exercise reasonable

care in safeguarding such Private Information by adopting, implementing, and maintaining

appropriate security measures.

216. As a direct and proximate result of Defendant’s negligence, Plaintiff and the Class

have suffered and will suffer injury, including but not limited to: (i) invasion of privacy; (ii) theft

of their Private Information; (iii) lost or diminished value of Private Information; (iv)

50
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 51 of 62

uncompensated lost time and opportunity costs associated with attempting to mitigate the actual

consequences of the Data Breach; (v) loss of benefit of the bargain; (vi) lost opportunity costs

associated with attempting to mitigate the actual consequences of the Data Breach; (vii) actual

misuse of the compromised data consisting of an increase in spam calls, texts, and/or emails; (viii)

Plaintiff’s Private Information being disseminated on the dark web, according to Capitol One and

Credit Karma; (ix) Plaintiff experiencing fraudulent charges to his American Express card, for

approximately $950. in or about August 2024; (x) nominal damages; and (xi) the continued and

certainly increased risk to their Private Information, which: (a) remains unencrypted and available

for unauthorized third parties to access and abuse; and (b) remains backed up in Defendant’s

possession and is subject to further unauthorized disclosures so long as Defendant fails to

undertake appropriate and adequate measures to protect the Private Information.

217. Additionally, as a direct and proximate result of Defendant’s negligence, Plaintiff

and the Class have suffered and will suffer the continued risks of exposure of their Private

Information, which remain in Defendant’s possession and is subject to further unauthorized

disclosures so long as Defendant fails to undertake appropriate and adequate measures to protect

the Private Information in its continued possession.

218. Plaintiff and Class Members are entitled to compensatory and consequential

damages suffered as a result of the Data Breach.

219. Plaintiff and Class Members are also entitled to injunctive relief requiring

Defendant to (i) strengthen its data security systems and monitoring procedures; (ii) submit to

future annual audits of those systems and monitoring procedures; and (iii) continue to provide

adequate credit monitoring to all Class Members.

COUNT II
Breach Of Implied Contract

51
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 52 of 62

(On Behalf of Plaintiff and the Class)

220. Plaintiff re-alleges and incorporates by reference all preceding allegations, as if

fully set forth herein.

221. Plaintiff and Class Members were required deliver their Private Information to

Defendant as part of the process of obtaining financial services provided by Defendant. Plaintiff

and Class Members paid money, or money was paid on their behalf, to Defendant in exchange for

services.

222. Defendant solicited, offered, and invited Class Members to provide their Private

Information as part of Defendant’s regular business practices. Plaintiff and Class Members

accepted Defendant’s offers and provided their Private Information to Defendant.

223. Defendant accepted possession of Plaintiff’s and Class Members’ Private

Information for the purpose of providing services to Plaintiff and Class Members.

224. Plaintiff and the Class entrusted their Private Information to Defendant. In so doing,

Plaintiff and the Class entered into implied contracts with Defendant by which Defendant agreed

to safeguard and protect such information, to keep such information secure and confidential, and

to timely and accurately notify Plaintiff and the Class if their data had been breached and

compromised or stolen.

225. In entering into such implied contracts, Plaintiff and Class Members reasonably

believed and expected that Defendant’s data security practices complied with relevant laws and

regulations (including FTC guidelines on data security) and were consistent with industry

standards.

226. Implicit in the agreement between Plaintiff and Class Members and the Defendant

to provide Private Information, was the latter’s obligation to: (a) use such Private Information for

52
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 53 of 62

business purposes only, (b) take reasonable steps to safeguard that Private Information, (c) prevent

unauthorized disclosures of the Private Information, (d) provide Plaintiff and Class Members with

prompt and sufficient notice of any and all unauthorized access and/or theft of their Private

Information, (e) reasonably safeguard and protect the Private Information of Plaintiff and Class

Members from unauthorized disclosure or uses, (f) retain the Private Information only under

conditions that kept such information secure and confidential.

227. The mutual understanding and intent of Plaintiff and Class Members on the one

hand, and Defendant, on the other, is demonstrated by their conduct and course of dealing.

228. On information and belief, at all relevant times Defendant promulgated, adopted,

and implemented written privacy policies whereby it expressly promised Plaintiff and Class

Members that it would only disclose Private Information under certain circumstances, none of

which relate to the Data Breach.

229. On information and belief, Defendant further promised to comply with industry

standards and to make sure that Plaintiff’s and Class Members’ Private Information would remain

protected.

230. Plaintiff and Class Members paid money to Defendant with the reasonable belief

and expectation that Defendant would use part of its earnings to obtain adequate data security.

Defendant failed to do so.

231. Plaintiff and Class Members would not have entrusted their Private Information to

Defendant in the absence of the implied contract between them and Defendant to keep their

information reasonably secure.

53
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 54 of 62

232. Plaintiff and Class Members would not have entrusted their Private Information to

Defendant in the absence of their implied promise to monitor their computer systems and networks

to ensure that it adopted reasonable data security measures.

233. Every contract in this State has an implied covenant of good faith and fair dealing,

which is an independent duty and may be breached even when there is no breach of a contract’s

actual and/or express terms.

234. Plaintiff and Class Members fully and adequately performed their obligations under

the implied contracts with Defendant.

235. Defendant breached the implied contracts it made with Plaintiff and the Class by

failing to safeguard and protect their personal information, by failing to delete the information of

Plaintiff and the Class once the relationship ended, and by failing to provide accurate notice to

them that personal information was compromised as a result of the Data Breach.

236. Defendant breached the implied covenant of good faith and fair dealing by failing

to maintain adequate computer systems and data security practices to safeguard Private

Information, failing to timely and accurately disclose the Data Breach to Plaintiff and Class

Members and continued acceptance of Private Information and storage of other personal

information after Defendant knew, or should have known, of the security vulnerabilities of the

systems that were exploited in the Data Breach.

237. As a direct and proximate result of Defendant’s breach of the implied contracts,

Plaintiff and Class Members sustained damages, including, but not limited to: (i) invasion of

privacy; (ii) theft of their Private Information; (iii) lost or diminished value of Private Information;

(iv) uncompensated lost time and opportunity costs associated with attempting to mitigate the

actual consequences of the Data Breach; (v) loss of benefit of the bargain; (vi) lost opportunity

54
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 55 of 62

costs associated with attempting to mitigate the actual consequences of the Data Breach; (vii)

actual misuse of the compromised data consisting of an increase in spam calls, texts, and/or emails;

(viii) Plaintiff’s Private Information being disseminated on the dark web, according to Capitol One

and Credit Karma; (ix) Plaintiff experiencing fraudulent charges to his American Express card, for

approximately $950. in or about August 2024; (x) nominal damages; and (xi) the continued and

certainly increased risk to their Private Information, which: (a) remains unencrypted and available

for unauthorized third parties to access and abuse; and (b) remains backed up in Defendant’s

possession and is subject to further unauthorized disclosures so long as Defendant fails to

undertake appropriate and adequate measures to protect the Private Information.

238. Plaintiff and Class Members are entitled to compensatory, consequential, and

nominal damages suffered as a result of the Data Breach.

239. Plaintiff and Class Members are also entitled to injunctive relief requiring

Defendant to, e.g., (i) strengthen its data security systems and monitoring procedures; (ii) submit

to future annual audits of those systems and monitoring procedures; and (iii) immediately provide

adequate credit monitoring to all Class Members.

COUNT III
Unjust Enrichment
(On Behalf of Plaintiff and the Class)

240. Plaintiff re-alleges and incorporates by reference all preceding allegations, as if

fully set forth herein.

241. Plaintiff brings this Count in the alternative to the breach of implied contract count

above.

242. Plaintiff and Class Members conferred a monetary benefit on Defendant.

Specifically, they paid Defendant and/or its agents for financial services and in so doing also

55
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 56 of 62

provided Defendant with their Private Information. In exchange, Plaintiff and Class Members

should have received from Defendant the services that were the subject of the transaction and

should have had their Private Information protected with adequate data security.

243. Defendant knew that Plaintiff and Class Members conferred a benefit upon it and

has accepted and retained that benefit by accepting and retaining the Private Information entrusted

to it. Defendant profited from Plaintiff’s retained data and used Plaintiff’s and Class Members’

Private Information for business purposes.

244. Defendant failed to secure Plaintiff’s and Class Members’ Private Information and,

therefore, did not fully compensate Plaintiff or Class Members for the value that their Private

Information provided.

245. Defendant acquired the Private Information through inequitable record retention as

it failed to investigate and/or disclose the inadequate data security practices previously alleged.

246. If Plaintiff and Class Members had known that Defendant would not use adequate

data security practices, procedures, and protocols to adequately monitor, supervise, and secure

their Private Information, they would have entrusted their Private Information at Defendant or

obtained services at Defendant.

247. Plaintiff and Class Members have no adequate remedy at law.

248. Defendant enriched itself by saving the costs it reasonably should have expended

on data security measures to secure Plaintiff’s and Class Members’ Personal Information. Instead

of providing a reasonable level of security that would have prevented the hacking incident,

Defendant instead calculated to increase its own profit at the expense of Plaintiff and Class

Members by utilizing cheaper, ineffective security measures and diverting those funds to its own

profit. Plaintiff and Class Members, on the other hand, suffered as a direct and proximate result of

56
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 57 of 62

Defendant’s decision to prioritize its own profits over the requisite security and the safety of their

Private Information.

249. Under the circumstances, it would be unjust for Defendant to be permitted to retain

any of the benefits that Plaintiff and Class Members conferred upon it.

250. As a direct and proximate result of Defendant’s conduct, Plaintiff and Class

Members have suffered and will suffer injury, including but not limited to: (i) invasion of privacy;

(ii) theft of their Private Information; (iii) lost or diminished value of Private Information; (iv)

uncompensated lost time and opportunity costs associated with attempting to mitigate the actual

consequences of the Data Breach; (v) loss of benefit of the bargain; (vi) lost opportunity costs

associated with attempting to mitigate the actual consequences of the Data Breach; (vii) actual

misuse of the compromised data consisting of an increase in spam calls, texts, and/or emails; (viii)

Plaintiff’s Private Information being disseminated on the dark web, according to Capitol One and

Credit Karma; (ix) Plaintiff experiencing fraudulent charges to his American Express card, for

approximately $950. in or about August 2024; (x) nominal damages; and (xi) the continued and

certainly increased risk to their Private Information, which: (a) remains unencrypted and available

for unauthorized third parties to access and abuse; and (b) remains backed up in Defendant’s

possession and is subject to further unauthorized disclosures so long as Defendant fails to

undertake appropriate and adequate measures to protect the Private Information.

251. Plaintiff and Class Members are entitled to full refunds, restitution, and/or damages

from Defendant and/or an order proportionally disgorging all profits, benefits, and other

compensation obtained by Defendant from its wrongful conduct. This can be accomplished by

establishing a constructive trust from which the Plaintiff and Class Members may seek restitution

or compensation.

57
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 58 of 62

252. Plaintiff and Class Members may not have an adequate remedy at law against

Defendant, and accordingly, they plead this claim for unjust enrichment in addition to, or in the

alternative to, other claims pleaded herein.

PRAYER FOR RELIEF

WHEREFORE, Plaintiff, on behalf of himself and Class Members, requests judgment

against Defendant and that the Court grants the following:

A. For an Order certifying the Class, and appointing Plaintiff and his Counsel to

represent the Class;

B. For equitable relief enjoining Defendant from engaging in the wrongful conduct

complained of herein pertaining to the misuse and/or disclosure of the Private

Information of Plaintiff and Class Members;

C. For injunctive relief requested by Plaintiff, including but not limited to, injunctive

and other equitable relief as is necessary to protect the interests of Plaintiff and

Class Members, including but not limited to an order:

i. prohibiting Defendant from engaging in the wrongful and unlawful acts

described herein;

ii. requiring Defendant to protect, including through encryption, all data

collected through the course of its business in accordance with all applicable

regulations, industry standards, and federal, state or local laws;

iii. requiring Defendant to delete, destroy, and purge the personal identifying

information of Plaintiff and Class Members unless Defendant can provide to

the Court reasonable justification for the retention and use of such information

when weighed against the privacy interests of Plaintiff and Class Members;

58
Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 59 of 62

iv. requiring Defendant to provide out-of-pocket expenses associated with the

prevention, detection, and recovery from identity theft, tax fraud, and/or

unauthorized use of their Private Information for Plaintiff’s and Class

Members’ respective lifetimes;

v. requiring Defendant to implement and maintain a comprehensive Information

Security Program designed to protect the confidentiality and integrity of the

Private Information of Plaintiff and Class Members;

vi. prohibiting Defendant from maintaining the Private Information of Plaintiff

and Class Members on a cloud-based database;

vii. requiring Defendant to engage independent third-party security

auditors/penetration testers as well as internal security personnel to conduct

testing, including simulated attacks, penetration tests, and audits on

Defendant’s systems on a periodic basis, and ordering Defendant to promptly

correct any problems or issues detected by such third-party security auditors;

viii. requiring Defendant to engage independent third-party security auditors and

internal personnel to run automated security monitoring;

ix. requiring Defendant to audit, test, and train its security personnel regarding

any new or modified procedures;

x. requiring Defendant to segment data by, among other things, creating

firewalls and controls so that if one area of Defendant’s network is

compromised, hackers cannot gain access to portions of Defendant’s systems;

xi. requiring Defendant to conduct regular database scanning and securing

checks;

59
Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 60 of 62

xii. requiring Defendant to establish an information security training program that

includes at least annual information security training for all employees, with

additional training to be provided as appropriate based upon the employees’

respective responsibilities with handling personal identifying information, as

well as protecting the personal identifying information of Plaintiff and Class

Members;

xiii. requiring Defendant to routinely and continually conduct internal training and

education, and on an annual basis to inform internal security personnel how to

identify and contain a breach when it occurs and what to do in response to a

breach;

xiv. requiring Defendant to implement a system of tests to assess its respective

employees’ knowledge of the education programs discussed in the preceding

subparagraphs, as well as randomly and periodically testing employees’

compliance with Defendant’s policies, programs, and systems for protecting

personal identifying information;

xv. requiring Defendant to implement, maintain, regularly review, and revise as

necessary a threat management program designed to appropriately monitor

Defendant’s information networks for threats, both internal and external, and

assess whether monitoring tools are appropriately configured, tested, and

updated;

xvi. requiring Defendant to meaningfully educate all Class Members about the

threats that they face as a result of the loss of their confidential personal

identifying information to third parties, as well as the steps affected

60
 Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 61 of 62

individuals must take to protect himself;

xvii. requiring Defendant to implement logging and monitoring programs sufficient

to track traffic to and from Defendant’s servers; and

xviii. for a period of 10 years, appointing a qualified and independent third party

assessor to conduct a SOC 2 Type 2 attestation on an annual basis to evaluate

Defendant’s compliance with the terms of the Court’s final judgment, to

provide such report to the Court and to counsel for the class, and to report any

deficiencies with compliance of the Court’s final judgment;

D. For an award of damages, including actual, nominal, consequential, and punitive

damages, as allowed by law in an amount to be determined;

E. For an award of attorneys’ fees, costs, and litigation expenses, as allowed by law;

F. For prejudgment interest on all amounts awarded; and

G. Such other and further relief as this Court may deem just and proper.

JURY TRIAL DEMANDED

Plaintiff hereby demands a trial by jury on all claims so triable.

Dated: September 27, 2024 Respectfully Submitted,

By: /s/_Joe Kendall _

JOE KENDALL
Texas Bar No. 11260700
KENDALL LAW GROUP, PLLC
3811 Turtle Creek Blvd., Suite 825
Dallas, Texas 75219
214-744-3000
214-744-3015 (Facsimile)
jkendall@kendalllawgroup.com

John J. Nelson*
MILBERG COLEMAN BRYSON
PHILLIPS GROSSMAN, PLLC
402 W Broadway, Suite 1760

61
Case 5:24-cv-01096 Document 1 Filed 09/27/24 Page 62 of 62

San Diego, CA 92101

Tel.: (858) 209-6941
Email: jnelson@milberg.com

Attorney for Plaintiff and

The Proposed Class

*Pro Hac Vice application forthcoming

62