Rebecca A. King, Et. Al., v. Facebook Inc.

Download as pdf or txt
Download as pdf or txt
You are on page 1of 43

Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 1 of 43

1 FRANKLIN D. AZAR & ASSOCIATES


Ivy Ngo, California SBN 249860
2
[email protected]
3 14426 East Evans Ave
Aurora, CO 80014
4 Telephone: 303-757-3300
Facsimile: 720-213-5131
5

6 UNITED STATES DISTRICT COURT


7
NORTHERN DISTRICT OF CALIFORNIA

8 REBECCA A. KING, AN INDIVIDUAL AND Case No.: Number


9
CALIFORNIA RESIDENT, DOMINIQUE
MARTIN, AN INDIVIDUAL AND NEW
10 JERSEY RESIDENT, RUBIN K. JOHNSON, CLASS ACTION COMPLAINT
AN INDIVIDUAL AND COLORADO
11 RESIDENT, AND ROBERT E. NEWBORN, JURY TRIAL DEMANDED
12 AN INDIVIDUAL AND COLORADO
RESIDENT,
13
(1) UCL – Unlawful Business Practice
Plaintiffs,
14 (2) UCL – Unfair Business Practice
vs (3) UCL – Fraudulent/Deceptive Business
15 Practice
16 (4) Deceit by Concealment
FACEBOOK, INC., (5) Negligence
17 (6) Breach of Implied Contract
Defendant
18
(7) Violation of Colorado Consumer
Protection Act
19 (8) Violation of Colorado Security Breach
Notification Act
20 (9) Violation of California Customer
21 Records Act
(10) Violation of New Jersey
22 Customer Security Breach Disclosure Act
(11) Violation of New Jersey
23
Consumer Fraud Act
24

25

26

27

28

CLASS ACTION COMPLAINT - 1


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 2 of 43

1
TABLE OF CONTENTS
2
SUMMARY OF CASE ................................................................................................................ 4
3
JURISDICTION AND VENUE .................................................................................................. 6
4
PARTIES ...................................................................................................................................... 6
5
A. Plaintiffs ................................................................................................................................ 6
6
B. Defendant .............................................................................................................................. 7
7
FACTUAL BACKGROUND ...................................................................................................... 7
8
A. Facebook Collects and Stores PII for its Own Financial Gain........................................ 7
9
B. PII is Very Valuable on the Black Market ...................................................................... 14
10
C. Facebook’s Inadequate Data Security Allows the Massive Breach of 50 Million User
11
Accounts ............................................................................................................................. 15
12
CLASS ACTION ALLEGATIONS ......................................................................................... 16
13
CLAIMS ALLEGED ON BEHALF OF ALL CLASSES....................................................... 21
14
First Claim for Relief (Violation of California’s Unfair Competition Law (“UCL”) –
15
Unlawful Business Practice Cal. – Cal. Bus. & Prof. Code § 17200, et seq.) ..................... 21
16
Second Claim for Relief (Violation of California’s Unfair Competition Law (“UCL”) –
17
Unfair Business Practice – Cal. Bus. & Prof. Code § 17200, et seq.) ................................ 22
18
Third Claim for Relief (Violation of California’s Unfair Competition Law (“UCL”) –
19
Fraudulent/Deceptive Business Practice – Cal. Bus. & Prof. Code § 17200, et seq.) ....... 25
20
Fourth Claim for Relief (Deceit by Concealment – Cal. Civil Code §§ 1709, 1710) ........ 27
21
Fifth Claim for Relief (Negligence) ....................................................................................... 29
22
Sixth Claim for Relief (Breach of Implied Contract).......................................................... 31
23
ADDITIONAL CLAIMS ALLEGED ON BEHALF OF COLORADO SUB-CLASS
24
ONLY ...................................................................................................................................... 31
25
Seventh Claim for Relief (Violation of Colorado Consumer Protection Act) ..................... 31
26
Eighth Claim for Relief (Violation of Colorado Security Breach Notification Act) ........ 34
27
ADDITIONAL CLAIMS ALLEGED ON BEHALF OF CALIFORNIA SUB-CLASS
28
ONLY ..................................................................................................................................... 35

CLASS ACTION COMPLAINT - 2


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 3 of 43

1
Ninth Claim for Relief (Violation of California Customer Records Act – Cal. Civil Code §
2
1798.80 et seq.) ......................................................................................................................... 35
3
ADDITIONAL CLAIMS ALLEGED ON BEHALF OF NEW JERSEY SUB-CLASS
4
ONLY ..................................................................................................................................... 38
5
Tenth Claim for Relief (Violation of New Jersey Customer Security Breach Disclosure
6
Act – N.J. Stat. Ann. §§ 56:8-163, et seq.) ............................................................................... 38
7
Eleventh Claim for Relief (Violation of New Jersey Consumer Fraud Act – N.J. Stat. Ann.
8
§§ 56:8-1, et seq.)...................................................................................................................... 39
9
PRAYER FOR RELIEF............................................................................................................ 41
10
JURY TRIAL DEMANDED .................................................................................................... 42
11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

CLASS ACTION COMPLAINT - 3


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 4 of 43

1
For their Class Action Complaint, Plaintiffs Rebecca A. King, Dominique Martin,
2
Rubin K. Johnson, and Robert E. Newborn, (“Plaintiffs”), on behalf of themselves and all
3
others similarly situated, allege the following against Defendant Facebook, Inc. (“Defendant”
4
or “Facebook”), based on personal knowledge as to Plaintiffs, and Plaintiffs’ own acts and on
5
information and belief as to all other matters based upon, inter alia, the investigation conducted
6
by and through Plaintiffs’ undersigned counsel:
7
SUMMARY OF CASE
8
1. This case involves a data breach Facebook announced on September 28, 2018,
9
wherein the PII of 50 million of its Users was exposed due to a flaw in Facebook’s code that
10
allowed hackers and other nefarious users to take over User accounts and siphon off personal
11
information for unsavory and illegal purposes (“September 2018 Data Breach”).
12
2. Facebook operates a social networking website that allows people to
13
communicate with their family, friends, coworkers, and acquaintances. Facebook also
14
develops technologies that facilitate the sharing of information, photographs, website links,
15
and videos. Facebook purports to allow its users (“Facebook Users” or “Users”) the ability to
16
share and restrict information based on their own specific criteria. By the end of 2017,
17
Facebook had more than 2.2 billion active Users.
18
3. As part of the sign-up process and as a consequence of interacting with
19
their social network, Facebook Users create, maintain, and update profiles containing
20
significant amounts of personal information, including their names, birthdates, hometowns,
21
addresses, locations, interests, relationships, email addresses, photos, and videos, amongst
22
others, referred to herein as “PII.”
23
4. In an ongoing investigation, Facebook recently revealed that its Users’ personal
24
information was subject to a massive data security breach in September 2018, affecting
25
approximately 50 million Facebook Users’ PII. Facebook publicly exposed details of the
26
September 2018 Data Breach for the first time in a statement on September 28, 2018. According
27
to the statement and subsequent press call, Defendant learned of the breach as early as September
28

CLASS ACTION COMPLAINT - 4


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 5 of 43

1
16, 2018,1 but has not yet directly informed or notified Facebook Users that their PII may be
2
compromised as a result of the breach. Rather, Facebook states that it began “logging users out”
3
on the evening of September 27, 2018, but did not provide Users with any reason for being
4
logged out. The statement further admitted that “attackers exploited a vulnerability in
5
Facebook’s code that impacted “View As” a feature that lets people see what their own profile
6
looks like to someone else. This allowed them to steal Facebook access tokens which they
7
could then use to take over people’s accounts. Access tokens are the equivalent of digital keys
8
that keep people logged in to Facebook so they don’t need to re-enter their password every
9
time they use the app.”2 The vulnerability in Facebook’s code was introduced in July 2017,
10
and Facebook is currently unaware of how long hackers have had access since that time.3
11
5. As a result of Defendant’s failure to maintain adequate security measures and
12
timely security breach notifications, Facebook Users’ personal and private information has been
13
compromised and remains vulnerable. In fact, according to Facebook, they “have yet to
14
determine whether those accounts were misused or any information accessed.” 4 Further,
15
Facebook Users have suffered an ascertainable loss in that they must undertake additional
16
security measures, some at their own expense, to minimize the risk of future data breaches
17
including, without limitation, canceling credit cards associated with their Facebook accounts and
18
changing passwords to Facebook, Instagram, and other linked accounts. However, due to
19
Facebook’s ongoing and incomplete investigation, Facebook Users have no guarantee that the
20
above security measures will in fact adequately protect their personal information. As such,
21
Plaintiffs and other Class Members have an ongoing interest in ensuring that their personal
22
information is protected from past and future cybersecurity threats.
23
6. This Class Action Complaint is filed on behalf of all persons in the United
24
States described more fully in the following sections, whose PII was compromised in the
25
1
“Afternoon Press Call,” Facebook Newsroom, Sept 28, 2018, transcript available at
26
https://fbnewsroomus.files.wordpress.com/2018/09/9-28-afternoon-press-call.pdf (last visited Oct 1, 2018).
2
“Security Update,” Facebook Newsroom, available athttps://newsroom.fb.com/news/2018/09/security-
27
update/ (last visited Oct. 1, 2018)
3
See https://techcrunch.com/2018/09/28/everything-you-need-to-know-aboutfacebooks-data-breach-affecting-50m-
28 users/ (last visited Oct. 1, 2018)
4
Id.

CLASS ACTION COMPLAINT - 5


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 6 of 43

1
September 2018 Data Breach.
2
JURISDICTION AND VENUE
3
7. This Court has jurisdiction over this action pursuant to the Class Action
4
Fairness Act (“CAFA”), 28 U.S.C. § 1332(d), because the aggregate amount in controversy
5
exceeds $5,000,000, exclusive of interests and costs, there are more than 100 class members,
6
and at least one class member is a citizen of a state different from Defendant and is a citizen of
7
a foreign state. The Court also has supplemental jurisdiction over the state law claims pursuant
8
to 28 U.S.C. § 1367.
9
8. Venue is proper under 28 U.S.C. § 1391(c) because Defendant is a corporation
10
that does business in and is subject to personal jurisdiction in this District. Venue is also proper
11
because a substantial part of the events or omissions giving rise to the claims in this action
12
occurred in or emanated from this District, including the decisions made by Facebook’s
13
governance and management personnel that led to the breach. Further, Facebook’s terms of
14
service governing users in the United States provides for California venue for all claims arising
15
out of Plaintiffs’ relationship with Facebook.
16
PARTIES
17
A. Plaintiffs
18
9. Plaintiff Rebecca A. King (“King”) is a resident and citizen of California. Plaintiff
19
King opened a Facebook account and used it for at least nine years, entrusting Facebook with and
20
aggregating PII for this time period. On or about September 28, 2018, Plaintiff King received a
21
notice from Facebook informing her that her account and PII may have been compromised in the
22
September 2018 Data Breach. In addition to the damages detailed herein, the September 2018
23
Data Breach has caused Plaintiff King to be at substantial risk for further identity theft.
24
10. Plaintiff Dominique Martin (“Martin”) is a resident and citizen of New Jersey.
25
Plaintiff Martin opened a Facebook account and used it for at least ten years, entrusting Facebook
26
with and aggregating PII for this time period. On or about September 28, 2018, Plaintiff
27
Newborn received a notice from Facebook informing her that her account and PII may have
28
been compromised in the September 2018 Data Breach. In addition to the damages detailed

CLASS ACTION COMPLAINT - 6


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 7 of 43

1
herein, the September 2018 Data Breach has caused Plaintiff Martin to be at substantial risk for
2
further identity theft.
3
11. Plaintiff Rubin K. Johnson (“Johnson”) is a resident and citizen of Colorado.
4
Plaintiff Johnson opened a Facebook account and used it for at least seven years, entrusting
5
Facebook with and aggregating PII for this time period. On or about September 28, 2018,
6
Plaintiff Johnson received a notice from Facebook informing him that his account and PII may
7
have been compromised in the September 2018 Data Breach. In addition to the damages detailed
8
herein, the September 2018 Data Breach has caused Plaintiff Johnson to be at substantial risk for
9
further identity theft.
10
12. Plaintiff Robert E. Newborn (“Newborn”) is a resident and citizen of Colorado.
11
Plaintiff Newborn opened a Facebook account and used it for at least seven years, entrusting
12
Facebook with and aggregating PII for this time period. On or about September 28, 2018,
13
Plaintiff Newborn received a notice from Facebook informing him that his account and PII may
14
have been compromised in the September 2018 Data Breach. In addition to the damages
15
detailed herein, the September 2018 Data Breach has caused Plaintiff Newborn to be at
16
substantial risk for further identity theft.
17
B. Defendant
18
13. Defendant Facebook, Inc. is a Delaware corporation with its principal executive
19
offices located at 1601 Willow Road, Menlo Park, California 94025. Facebook’s securities trade
20
on the NASDAQ under the ticker symbol “FB.”
21
14. At all relevant times, Defendant was and is engaged in the business of operating
22
a social networking website and mobile application in San Mateo County and throughout the
23
United States of America.
24
FACTUAL BACKGROUND
25
A. Facebook Collects and Stores PII for its Own Financial Gain
26
15. Most of Facebook’s revenue comes from the sale of targeted advertising services.
27
For example, during 2017, Facebook generated $40.65 billion in revenue, of which $39.94 billion
28

CLASS ACTION COMPLAINT - 7


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 8 of 43

1
was advertising revenue.5
2
16. Facebook offers advertising services to its customers (advertisers) that include
3
or have included at various points in time, among other things, assisting customers in
4
developing and creating advertisements and advertising strategies, obtaining information about
5
Facebook Users from Facebook’s website and third-party sources, compiling user data and
6
maintaining databases of information about Facebook Users, developing a marketing and
7
advertising strategy to target and exclude certain groups of Facebook Users from receiving
8
advertisements, tracking and evaluating the effectiveness of advertisements and Facebook User
9
targeting strategies, implementing advertising campaigns, and delivering advertisements to
10
Facebook Users, including via News Feed.
11
17. Facebook’s customers can use Facebook’s advertising services to target its
12
Users with specific attributes. Facebook applies its own algorithm to categorize Users and to
13
determine which Users and groups of Users will be targeted to receive advertisements via its
14
advertising platform. As stated on Facebook’s website: “With our powerful audience selection
15
tools, you can target people who are right for your business. Using what you know about your
16
customers—like demographics, interests and behaviors—you can connect with people similar
17
to them.”
18
18. Facebook also provides detailed analytical data to advertisers on how their ad
19
campaigns are performing, including among certain groups of Facebook Users with specified
20
attributes and characteristics that the advertiser seeks to target. By monitoring this data and
21
providing this information to its customers on an ongoing basis, Facebook captures consumer
22
behavior, profile, preferences, lifestyle, and other attributes which allow Facebook to run
23
targeted ads. This enables advertisers to specify the groups of users that will be targeted to
24
receive the advertisements.
25
19. Targeting advertising of this nature requires Facebook to compile an enormous
26
amount of Personal Information from its users, including PII. This data Facebook has about its
27

28 5
Facebook, Form 10-K, for the fiscal year ended December 31, 2017, at 34.

CLASS ACTION COMPLAINT - 8


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 9 of 43

1
Users is highly valuable. The average cost per click for an online Facebook ad was $1.72 in
2
2017,6 and the average U.S. Facebook User is reportedly worth about $200 a year. 7
3
20. Despite the fact that substantially all of Facebook’s revenue comes directly from
4
its collection of PII, on information and belief, Defendant failed, and continues to fail, to
5
provide adequate protection of its Users’ personal and confidential information and has
6
egregiously failed to provide sufficient and timely notice or warning of potential and actual
7
cybersecurity breaches to its Users.
8
21. At all relevant times, Facebook has made several assurances to its Users that
9
their privacy and security is of utmost importance to Facebook, and its Users have relied on
10
those assurances in providing Facebook with their PII. In fact, Facebook’s Data Policy
11
represents to its Users that Facebook “Promote[s] safety, integrity, and security” by “us[ing]
12
the information we have to verify accounts and activity, combat harmful conduct, detect and
13
prevent spam and other bad experiences, maintain the integrity of our Products, and promote
14
safety and security on and off of Facebook Products.” 8 Facebook has failed to provide the
15
security consistently promised to its Users prior to the September 2018 Data Breach, including
16
that it was “putting stronger protections in place to prevent future abuse of our platform.”9
17
22. Despite these assurances, Facebook publicly revealed on September 28, 2018
18
that its Users’ personal information was subject to a massive data security breach. According to
19
Facebook’s statement publicly exposing details of the September 2018 Data Breach for the first
20
time and subsequent press call, Defendant learned of the breach as early as September 16,
21
2018,10 but has not yet directly informed or notified Facebook Users that their PII may be
22
compromised as a result of the breach. Rather, Facebook stated that it began “logging users
23
6
24 Mark Irvine, Facebook Ad Benchmarks for YOUR Industry [New Data] available at
https://www.wordstream.com/blog/ws/2017/02/28/facebook-advertising-benchmarks (last visited Oct. 10, 2018).
25 7 Sam Harnett, Here’s How Much You Are Worth To Facebook In Dollars and Cents, available at
https://www.kqed.org/news/11661387/heres-how-much-you-are-worth-to-facebook-in-dollars-andcents (last
26 visited Oct. 10, 2018).
8
Facebook, Data Policy, https://www.facebook.com/privacy/explanation (last visited Oct. 1, 2018).
9
27 Facebook Help, How is Facebook working to keep its community safe?, available at
https://www.facebook.com/help/208040513126776?helpref=popular_topics (last visited Oct. 1, 2018).
28 10
https://fbnewsroomus.files.wordpress.com/2018/09/9-28-afternoon-press-call.pdf (last visited Oct. 1,
2018)

CLASS ACTION COMPLAINT - 9


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 10 of 43

1
out” the evening of September 27, 2018, without providing Users with any reason for being
2
logged out. The statement further admitted that “attackers exploited a vulnerability in
3
Facebook’s code that impacted “View As” a feature that lets people see what their own
4
profile looks like to someone else. This allowed them to steal Facebook access tokens which
5
they could then use to take over people’s accounts. Access tokens are the equivalent of digital
6
keys that keep people logged in to Facebook so they don’t need to reenter their password
7
every time they use the app.11 The vulnerability in Facebook’s code was introduced in July
8
2017, and Facebook is currently unaware of how long hackers have had access since that
9
time.12
10
23. As a result of Defendant’s failure to maintain adequate security measures and
11
timely security breach notifications, Facebook Users’ personal and private information has
12
been compromised and remains vulnerable. In fact, according to Facebook, it has “yet to
13
determine whether those accounts were misused or any information accessed.” 13 Further,
14
Facebook Users have suffered an ascertainable loss in that they must undertake additional
15
security measures, some at their own expense, to minimize the risk of future data breaches
16
including, without limitation, canceling credit cards associated with their Facebook accounts
17
and changing passwords to Facebook, Instagram, and other linked accounts. However, due to
18
Facebook’s ongoing and incomplete investigation, Facebook Users have no guarantee that
19
such security measures will in fact adequately protect their personal information.
20
Accordingly, Plaintiffs and other Class Members have an ongoing interest in ensuring that
21
their personal information is protected from past and future cybersecurity threats.
22
24. The insufficient security policies and procedures implemented by Defendant is
23
a material fact that a reasonable consumer would consider when deciding whether to create a
24
Facebook account and provide Defendant with personal and confidential information. Had
25
Plaintiffs and other Class Members known that Defendant failed to employ necessary and
26
11
“Security Update,” Facebook Newsroom, available at https://newsroom.fb.com/news/2018/09/security-
27 update/ (last visited Oct. 1, 2018).
12
See https://techcrunch.com/2018/09/28/everything-you-need-to-know-about¬facebooks-data-breach-
28 affecting-50m-users/ (last visited Oct. 1, 2018).
13
Id.

CLASS ACTION COMPLAINT - 10


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 11 of 43

1
adequate protection of their personal information, they would not have created a Facebook
2
account, or they would have limited the PII they shared with Facebook. Plaintiffs and other
3
Class Members should have been able to rely upon Facebook’s “Privacy Principles” ensuring
4
that “We work around the clock to help protect people’s accounts, and we build security into
5
every Facebook product. Our security systems run millions of times per second to help catch
6
threats automatically and remove them before they ever reach you.”14
7
25. This case involves the continuing and absolute disregard with which Defendant
8
has chosen to treat the PII of account holders who utilize Facebook’s social media platform.
9
While this information was supposed to be protected, Facebook – without authorization –
10
exposed that information to third parties through lax and non-existent data safety and security
11
policies and protocols.
12
26. Facebook’s Terms of Service state that the Facebook user is the owner of all
13
of his or her data. Facebook’s representation to Plaintiffs and Class Members that “Protecting
14
people’s information is at the heart of everything we do” was, in fact, a misrepresentation15 and
15
one which Plaintiffs and Class Members relied upon.
16
27. In addition, Facebook made the following representations to its Users:
17
• “you have control over who sees what you share on Facebook.”16
18
• “We have top-rate security measures in place to help protect you and your data
19
when you use Facebook.”17
20
• “Your activity (ex: posting a status or sending a message) is encrypted, which
21 means it’s turned into code so people can’t access it without your permission.”18
22 • “When it comes to your personal information, we don’t share it without your
23

24
14
https://www.facebook.com/about/bascis/privacy-principles
15
25 Matthew Rosenberg, Nicholas Confessore, and Carole Cadwalladr, How Trump Consultants Exploited
the Facebook Data of Millions, THE NEW YORK TIMES (March 17, 2018)
26 https://www.nytimes.com/2018/03/17/us/politics/cambridge-analytica-trump-campaign.html (last visited August
30, 2018).
27 16
Facebook, Privacy Basics, https://www.facebook.com/about/basics (last visited August 30, 2018)
17
Facebook, How You’re Protected, https://www.facebook.com/about/basics/stay-safe-and-secure/how-
28 youre-protected (last visited August 30, 2018).
18
Id.

CLASS ACTION COMPLAINT - 11


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 12 of 43

1 permission (unless required by law).”19


2
• “Facebook gives people control over what they share, who they share it with, the
3 content they see and experience, and who can contact them.” 20

4
28. At all relevant times, Facebook has maintained a Data Use Policy on its website

5
which advised Facebook users, in part:

6 Granting us permission to use your information not only allows us to provide


Facebook as it exists today, but it also allows us to provide you with innovative
7 features and services we develop in the future that use the information we receive
about you in new ways. While you are allowing us to use the information we
8
receive about you, you always own all of your information. Your trust is
9 important to us, which is why we don’t share information we receive about you
with others unless we have:
10 received your permission
given you notice, such as by telling you about it in this policy; or
11
removed your name and any other personally identifying information from it.
12
(Emphases Added). 21
13
29. Even before Facebook’s Chief Executive Mark Zuckerberg made statements (and
14
before Facebook provided a series of written responses) to Congress, he declared that “Every
15
piece of content that you share on Facebook you own. . . . You have complete control over who
16
sees it and how you share it”.22 Facebook users, including Plaintiffs and the Class Members,
17
reasonably relied on Defendant’s representations for the security of their PII in using Facebook
18
and posting PII on Facebook.
19
30. On June 29, 2018, Facebook provided written responses to seven hundred
20
questions the United States House of Representatives Commerce and Energy Committee had
21
submitted to Facebook in April 2018. (“June 2018 Responses”). 23
22
31. In the June 2018 Responses, Facebook identified the types of data it collects
23
19
Id.
24 20
Facebook, Safety, https://www.facebook.com/safety (last visited August 30, 2018).
21
Facebook, Data Use Policy, https://www.facebook.com/full_data_use_policy (last visited August 30,
25 2018)
22
Gabriel Dance, Nicholas Confessore, and Michael LaForgia, Facebook Gave Device Makers Deep
26 Access to Data on Users and Friends, THE NEW YORK TIMES (June 3, 2018)
https://www.nytimes.com/interactive/2018/06/03/technology/facebook-device-partners-users-friends¬data.html
27 (last visited August 30, 2018)
23
Facebook, Letter to House Commerce and Energy Committee, June 29, 2018, available at
28 https://docs.house.gov/meetings/IF/IF00/20180411/108090/HHRG-115-IF00-Wstate-ZuckerbergM-20180411-
SD003.pdf (hereinafter, “Letter to House”).

CLASS ACTION COMPLAINT - 12


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 13 of 43

1
from users:
2 • Device attributes: information such as the operating system, hardware and
software versions, battery level, signal strength, available storage space, browser
3
type, app and file names and types, and plugins.
4
• Device operations: information about operations and behaviors performed on the
5 device, such as whether a window is foregrounded or backgrounded, or mouse
6
movements (which can help distinguish humans from bots).

7 • Identifiers: unique identifiers, device IDs, and other identifiers, such as from
games, apps or accounts people use, and Family Device IDs (or other identifiers
8 unique to Facebook Company Products associated with the same device or
9 account).

10 • Device signals: Bluetooth signals, and information about nearby Wi-Fi access
points, beacons, and cell towers.
11

12 • Data from device settings: information users allow us to receive through device
settings people turn on, such as access to their GPS location, camera, or photos.
13
• Network and connections: information such as the name of users’ mobile
14
operator or ISP, language, time zone, mobile phone number, IP address,
15 connection speed and, in some cases, information about other devices that are
nearby or on users’ network, so we can do things like help people stream a video.
16

17
• Cookie data: data from cookies stored on a user’s device, including cookie IDs
and settings.24
18
32. Despite Facebook’s tumultuous 2018—including the Cambridge Analytica
19
revelations, reading and collecting the contents of messages on Android Devices, and the
20
device partnerships Facebook secretly entered into to share PII with other, unauthorized
21
entities—Facebook’s lax approach to data security resulted in the September 2018 Data Breach
22
affecting 50 million users.
23
33. On March 19, 2018, Bloomberg published an article entitled “FTC Probing
24
Facebook For Use of Personal Data, Source Says,” disclosing that the U.S. Federal Trade
25

26

27

28
24
Letter to House, at p. 112.

CLASS ACTION COMPLAINT - 13


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 14 of 43

1
Commission (“FTC”) was investigating whether Facebook violated the terms of a 2011 FTC
2
consent decree regarding its handling of user data. 25
3
34. Under the 2011 settlement with the FTC, Facebook “agreed to get user consent
4
for certain changes to privacy settings” as part of a settlement of federal charges that it deceived
5
Users and forced them to share more Personal Information than they had intended.26
6
B. PII is Very Valuable on the Black Market
7
35. The types of information compromised in the September 2018 Data Breach are
8
highly valuable to identity thieves. The names, email addresses, recovery email accounts,
9
telephone numbers, dates of birth, passwords, security question answers, and other valuable PII
10
can all be used to gain access to a variety of existing accounts and websites.
11
36. Identity thieves can also use the PII to harm Plaintiffs and Class members
12
through embarrassment, blackmail, or harassment in person or online, or to commit other types
13
of fraud including obtaining ID cards or driver’s licenses, fraudulently obtaining tax returns and
14
refunds, and obtaining government benefits. A Presidential Report on identity theft from 2008
15
states that:
16
In addition to the losses that result when identity thieves fraudulently open accounts or
17 misuse existing accounts, . . . individual victims often suffer indirect financial costs,
18 including the costs incurred in both civil litigation initiated by creditors and in
overcoming the many obstacles they face in obtaining or retaining credit. Victims of
19 non-financial identity theft, for example, health-related or criminal record fraud, face
other types of harm and frustration.
20
In addition to out-of-pocket expenses that can reach thousands of dollars for the victims
21
of new account identity theft, and the emotional toll identity theft can take, some
22 victims have to spend what can be a considerable amount of time to repair the damage
caused by the identity thieves. Victims of new account identity theft, for example, must
23 correct fraudulent information in their credit reports and monitor their reports for future
inaccuracies, close existing bank accounts and open new ones, and dispute charges with
24
individual creditors.27
25
25
Bloomberg Markets, FTC Said to Probe Facebook on Personal Data Use, Bloomberg (March 19, 2018)
26 https://www.bloomberg.com/news/videos/2018-03-20/facebook-said-to-face-ftc-probe-on-use-of-personal-data-
video (last visited August 30, 2018)
27 26
Id.
27
The President’s Identity Theft Task Force, Combating Identity Theft: A Strategic Plan, Federal Trade
28 Commission, 11 (April 2007), http://www.ftc.gov/sites/default/files/documents/reports/combating-identity-theft-
strategic-plan/strategicplan.pdf.

CLASS ACTION COMPLAINT - 14


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 15 of 43

1
37. To put it into context, as demonstrated in the chart below, the 2013 Norton
2
report, based on one of the largest consumer cybercrime studies ever conducted, estimated that
3
the global price tag of cybercrime was around $113 billion at that time, with the average cost
4
per victim being $298 dollars. That number will no doubt increase exponentially after the PII of
5
over 50 million users was leaked in the September 2018 Data Breach.
6
38. The problems associated with identity theft are exacerbated by the fact that
7
many identity thieves will wait years before attempting to use the PII they have obtained.
8
Indeed, in order to protect themselves, Class members will need to remain vigilant against
9
unauthorized data use for years and decades to come.
10
39. Once stolen, PII can be used in a number of different ways. One of the most
11
common is that it is offered for sale on the “dark web,” a heavily encrypted part of the Internet
12
that makes it difficult for authorities to detect the location or owners of a website. The dark web
13
is not indexed by normal search engines such as Google and is only accessible using a Tor
14
browser (or similar tool), which aims to conceal users’ identities and online activity. The dark
15
web is notorious for hosting marketplaces selling illegal items such as weapons, drugs, and PII.28
16
Websites appear and disappear quickly, making it a very dynamic environment.
17
40. Once someone buys PII, it is then used to gain access to different areas of the
18
victim’s digital life, including bank accounts, social media, and credit card details. During that
19
process, other sensitive data may be harvested from the victim’s accounts, as well as from those
20
belonging to family, friends, and colleagues.
21
41. In addition to PII, a hacked Facebook account can be very valuable to
22
cybercriminals. Since Facebook accounts are linked to a myriad of accounts, a hacked Facebook
23
account could open up a number of other accounts to an attacker.
24
C. Facebook’s Inadequate Data Security Allowed the Massive Breach of 50
25 Million User Accounts
26 42. On September 28, 2018, Facebook announced the “previously unreported attack
27

28 28Brian Hamrick, The dark web: A trip into the underbelly of the internet, WLWT News (Feb. 9, 2017
8:51 PM), http://www.wlwt.com/article/the-dark-web-a-trip-into-theunderbelly-of-the-internet/8698419.

CLASS ACTION COMPLAINT - 15


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 16 of 43

1
on its network,” exposing the PII of “nearly 50 million users.”29
2
43. Facebook claimed it discovered the vulnerability “earlier this week,” that it
3
entirely fixed the vulnerability, and law enforcement was notified. 30
4
44. However, Facebook did not know the origin or identity of the hackers. In fact,
5
Facebook had not fully assessed the scope of the attack, despite its representations that the
6
vulnerability was fixed. 31
7
45. The vulnerability Facebook disclosed was a bug in its site’s “view as” feature,
8
which permits users to view their profiles posing as someone else, which, ironically, was built
9
in to give users more control over their privacy. 32
10
46. Guy Rosen, a vice president of product management at Facebook, admitted
11
during the September 28, 2018 conference call that the September 2018 Data Breach was
12
“complex” and “leveraged three separate bugs in Facebook’s code that, once compounded,
13
provided widespread access to user accounts.”33
14
47. As Senator Mark Warner, a Democrat from Virginia, stated “This is another
15
sobering indicator that Congress needs to step up and take action to protect the privacy and
16
security of social media users,” underscoring the lack of protections Facebook and other
17
companies have when storing and securing the PII of millions of United States citizens. 34
18
48. Unfortunately, despite numerous lapses in its approach to data security,
19
Facebook still lacks the safeguards and protections for Users’ PII, and that information remains
20
at risk today and into the future, until Facebook is compelled to secure the PII stored on
21
millions of United States citizens who are its Users.
22
CLASS ACTION ALLEGATIONS
23
49. Pursuant to Rule 23(b)(2), (b)(3) and (c)(4) of the Federal Rules of Civil
24
29
Chris Mills, Facebook Says New Hack Leaded Data of 50 Million Users, BGR (Sept. 28, 2018)
25 https://bgr.com/2018/09/28/facebook-data-breach-2018-yep-another-one
30
Mike Issac and Sheera Frenkel, Facebook Network is Breached, Putting 50 Million Users’
26 Data at Risk, NY Times (Sept. 28, 2018) https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-
breach.html
27 31
Id.
32
Id.
28 33
Id.
34
Id.

CLASS ACTION COMPLAINT - 16


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 17 of 43

1
Procedure, Plaintiffs, individually and on behalf of all others similarly situated, bring this
2
lawsuit on behalf of themselves and as a class action on behalf of the following Class and Sub-
3
Class:
4
Nationwide Class: All persons who registered for Facebook
5 accounts in the United States and whose PII was accessed,
6 compromised, or stolen from Facebook in the September 2018 Data
Breach.
7
Colorado Sub-Class: All persons in Colorado who registered for
8 Facebook accounts and whose PII was accessed, compromised, or
9 stolen from Facebook in the September 2018 Data Breach.

10 California Sub-Class: All persons in California who registered for


Facebook accounts and whose PII was accessed, compromised, or
11 stolen from Facebook in the September 2018 Data Breach.
12
New Jersey Sub-Class: All persons in New Jersey who registered
13 for Facebook accounts and whose PII was accessed, compromised, or
stolen from Facebook in the September 2018 Data Breach.
14
50. Excluded from the Class are Defendant and any entities in which Defendant or
15
its subsidiaries or affiliates have a controlling interest, and Defendant’s officers, agents, and
16
employees. Also excluded from the Class are the judge assigned to this action, members of the
17
judge’s staff, and any member of the judge’s immediate family. Plaintiffs reserve the right to
18
amend the Class and Sub-Class definition if discovery and further investigation reveal that the
19
Class should be expanded or otherwise modified.
20
51. Numerosity: The members of each Class are so numerous that joinder of all
21
members of any Class would be impracticable. Plaintiffs reasonably believe that Class
22
members number hundreds of millions of people or more in the aggregate and well over 1,000
23
in the smallest of the classes. The names and addresses of Class members are identifiable
24
through documents maintained by Defendant.
25
52. Commonality and Predominance: This action involves common questions of
26
law or fact, which predominate over any questions affecting individual Class members,
27
including:
28

CLASS ACTION COMPLAINT - 17


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 18 of 43

1 a. Whether Defendant represented to the Class that it would safeguard Class


members’ PII;
2

3 b. Whether Defendant owed a legal duty to Plaintiffs and the Class to exercise due
care in collecting, storing, and safeguarding their PII;
4
c. Whether Defendant breached a legal duty to Plaintiffs and the Class to exercise
5 due care in collecting, storing, and safeguarding their PII;
6
d. Whether Class members’ PII was accessed, compromised, or stolen in the
7 September 2018 Data Breach;

8 e. Whether Defendant knew about the September 2018 Data Breach before it was
announced to the public and failed to timely notify the public of the September
9 2018 Data Breach;
10
f. Whether Defendant’s conduct violated Cal. Civ. Code § 1750, et seq;
11
g. Whether Defendant’s conduct was an unlawful or unfair business practice under
12 Cal. Bus. & Prof. Code § 17200, et seq.;
13 h. Whether Defendant’s conduct violated the Consumer Records Act, Cal. Civ.
Code § 1798.80 et seq.;
14

15 i. Whether Defendant’s conduct violated the Online Privacy Protection Act, Cal.
Bus. & Prof. Code § 22575, et seq.;
16
j. Whether Defendant’s conduct violated § 5 of the FTC Act, 15 U.S.C. § 45, et
17 seq.;
18
k. Whether Plaintiffs and the Class are entitled to equitable relief, including,
19 but not limited to, injunctive relief and restitution; and

20 l. Whether Plaintiffs and the other Class members are entitled to actual,
statutory, or other forms of damages, and other monetary relief.
21

22 53. As further indication of the common questions of law, Facebook’s terms of

23 service provides that “[f]or any claim, cause of action, or dispute you have against us that arise

24 out of or relates to these Terms or the Facebook Products (“claim”)…the laws of the State of

25 California will govern these Terms of any claim.”

26 54. Similar or identical statutory and common law violations, business

27 practices, and injuries are involved. Individual questions, if any, pale by comparison, in

28 both quantity and quality, to the numerous common questions that dominate this action.

CLASS ACTION COMPLAINT - 18


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 19 of 43

1
55. Typicality: Plaintiffs’ claims are typical of the claims of the other members
2
of their respective classes because, among other things, Plaintiffs and the other Class
3
members were injured through the substantially uniform misconduct by Defendant.
4
Plaintiffs are advancing the same claims and legal theories on behalf of themselves and
5
all other Class members, and there are no defenses that are unique to Plaintiffs. The
6
claims of Plaintiffs and those of other Class members arise from the same operative facts
7
and are based on the same legal theories.
8
56. Adequacy of Representation: Plaintiffs are adequate representatives of the
9
classes because their interests do not conflict with the interests of the other Class
10
members they seek to represent; they have retained counsel competent and experienced in
11
complex class action litigation and Plaintiffs will prosecute this action vigorously. The
12
Class members’ interests will be fairly and adequately protected by Plaintiffs and their
13
counsel.
14
57. Superiority: A class action is superior to any other available means for the fair
15
and efficient adjudication of this controversy, and no unusual difficulties are likely to be
16
encountered in the management of this matter as a class action. The damages, harm, or other
17
financial detriment suffered individually by Plaintiffs and the other members of their respective
18
classes are relatively small compared to the burden and expose the would be required to litigate
19
their claims on an individual basis against Defendant, making it impracticable for Class
20
members to individually seek redress for Defendant’s wrongful conduct. Even if Class
21
members could afford individual litigation, the court system could not. Individualized litigation
22
would create a potential for inconsistent or contradictory judgments, and increase the delay and
23
expense to all parties and the court system. By contrast, the class action device presents far
24
fewer management difficulties and provides the benefits of single adjudication, economies of
25
scale, and comprehensive supervision by a single court.
26
58. Further, Defendant has acted or refused to act on grounds generally applicable
27
to the Class and, accordingly, final injunctive or corresponding declaratory relief with regard to
28
the members of the Class as a whole is appropriate under Rule 23(b)(2) of the Federal Rules of

CLASS ACTION COMPLAINT - 19


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 20 of 43

1
Civil Procedure.
2
59. Likewise, particular issues under Rule 23(c)(4) are appropriate for certification
3
because such claims present only particular, common issues, the resolution of which would
4
advance the disposition of this matter and the parties’ interests therein. Such particular issues
5
include, but are not limited to:
6
a. Whether Class members’ PII was accessed, compromised, or stolen in the
7 September 2018 Data Breach;
8
b. Whether (and when) Defendant knew about any security vulnerabilities that led
9 to the September 2018 Data Breach before they were announced to the public and
whether Defendant failed to timely notify the public of those vulnerabilities and
10 the September 2018 Data Breach;
11
c. Whether Defendant’s conduct was an unlawful or unfair business practice under
12 Cal. Bus. & Prof. Code § 17200, et seq.;

13 d. Whether Defendant’s representations that it would secure and protect the PII of
Plaintiffs and members of the classes were facts that reasonable persons could be
14 expected to rely upon when deciding whether to use Defendant’s services;
15
e. Whether Defendant misrepresented the safety of its many systems and services,
16 specifically the security thereof, and its ability to safely store Plaintiffs’ and
Class members’ PII;
17
f. Whether Defendant concealed crucial information about its inadequate data
18 security measures from Plaintiffs and the Class;
19
g. Whether Defendant failed to comply with its own policies and applicable laws,
20 regulations, and industry standards relating to data security;

21 h. Whether Defendant knew or should have known that it did not employ
reasonable measures to keep Plaintiffs’ and Class members’ PII secure and
22
prevent the loss or misuse of that information;
23
i. Whether Defendant failed to “implement and maintain reasonable security
24 procedures and practices” for Plaintiffs’ and Class members’ PII in violation of
California Civil Code § 1798.81.5, subdivision (b) and § 5 of the FTC Act;
25
j. Whether Defendant failed to provide timely notice of the September 2018 Data
26
Breach in violation of California Civil Code § 1798.82;
27
k. Whether Defendant’s conduct violated Cal. Bus. & Prof. Code § 22575, et seq.;
28
l. Whether Defendant owed a duty to Plaintiffs and the Classes to safeguard their

CLASS ACTION COMPLAINT - 20


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 21 of 43

1 PII and to implement adequate data security measures;


2 m. Whether Defendant breached that duty;
3
n. Whether Defendant failed to adhere to its posted privacy policy concerning
4 the care it would take to safeguard Plaintiffs’ and Class members’ PII in
violation of California Business and Professions Code § 22576;
5
o. Whether Defendant negligently and materially failed to adhere to its posted
6
privacy policy with respect to the extent of its disclosure of users’ data, in
7 violation of California Business and Professions Code § 22576;

8 p. Whether such representations were false with regard to storing and


safeguarding Class members’ PII; and
9
q. Whether such representations were material with regard to storing and
10
safeguarding Class members’ PII.
11
CLAIMS ALLEGED ON BEHALF OF ALL CLASSES
12

13 First Claim for Relief

14 Violation of California’s Unfair Competition Law (“UCL”) – Unlawful Business Practice


(Cal. Bus. & Prof. Code § 17200, et seq.)
15

16 60. Plaintiffs hereby repeat, reallege, and incorporate by reference each and every
17 allegation contained above as though the same were fully set forth herein.
18 61. Facebook’s terms of service provide that “[f]or any claim, cause of action, or
19 dispute you have against us that arises out of or relates to these Terms or the Facebook
20 Products (“claim”)… the laws of the State of California will govern these Terms and any claim.”
21 62. By reason of the conduct alleged herein, Defendant engaged in unlawful
22 practices within the meaning of the UCL. The conduct alleged herein is a “business practice”
23 within the meaning of the UCL.
24 63. Facebook represented that it would not disclose Users’ PII without consent
25 and/or notice. Facebook further represented that it would utilize sufficient data security
26 protocols and mechanisms to protect Users’ PII.
27 64. Defendant stored the PII of Plaintiffs and members of their respective Classes in
28 Defendant’s electronic and consumer information databases. Defendant falsely represented to

CLASS ACTION COMPLAINT - 21


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 22 of 43

1
Plaintiffs and members of the Classes that the PII databases were secure and that class members’
2
PII would remain private. Defendant knew or should have known it did not employ reasonable,
3
industry standard, and appropriate security measures that complied “with federal regulations”
4
and that would have kept Plaintiffs’ and the other Class members’ PII secure and prevented the
5
loss or misuse of Plaintiffs’ and the other class members’ PII.
6
65. Even without these misrepresentations, Plaintiffs and Class members were
7
entitled to assume and did assume, that Defendant would take appropriate measures to keep
8
their PII safe. At no time did Defendant disclose that Plaintiffs’ PII was vulnerable to hackers
9
because Defendant’s data security measures were inadequate. Such material information was
10
only in the possession of Defendant, which it had a duty to disclose. Defendant violated the
11
UCL by misrepresenting – by affirmative conduct and by omission – the safety of its many
12
systems and services, specifically the security thereof, and its ability to safely store Plaintiff’s
13
and Class members’ PII. Defendant also violated the UCL by failing to implement reasonable
14
and appropriate security measures or follow industry standards for data security – and failing to
15
comply with its own posted privacy policies. If Defendant had complied with these legal
16
requirements, Plaintiffs and the other Class members would not have suffered the damages
17
described herein.
18
66. Defendant’s acts, omissions, and misrepresentations as alleged herein were
19
unlawful and in violation of, inter alia, Cal. Civ. Code § 1798.81.5(b), § 5(a) of the FTC Act,
20
15 U.S.C. § 45(a), Cal. Bus. & Prof. Code § 22576 (as a result of Facebook failing to comply
21
with its own posted privacy policies).
22
67. Plaintiffs and the other Class members suffered injury in fact and lost money or
23
property as the result of Defendant’s unlawful business practices. Plaintiffs recognize that this
24
Court has ruled that out-of-pocket expenses and the risk of future harm are not sufficient to
25
confer standing under the UCL. However, Plaintiffs’ and Class members’ PII was taken and is
26
in the hands of those who will use it for their own advantage, or is being sold for value (making
27
it clear that information is of tangible value), as a result of the September 2018 Data Breach.
28
68. 2 As a result of Defendant’s unlawful business practices, violations of the UCL,
2
8

CLASS ACTION COMPLAINT - 22


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 23 of 43

1
Plaintiffs and the Class members are entitled to restitution, disgorgement of wrongfully
2
obtained profits, and injunctive relief.
3
Second Claim for Relief
4
Violation of California’s Unfair Competition Law (“UCL”) – Unfair Business Practice
5 (Cal. Bus. & Prof. Code § 17200, et seq.)
6
69. Plaintiffs hereby repeat, reallege, and incorporate by reference each and every
7
allegation contained above as though the same were fully set forth herein.
8
70. Facebook’s terms of service provide that “[f]or any claim, cause of action, or
9
dispute you have against us that arises out of or relates to these Terms or the Facebook
10
Products (“claim”)… the laws of the State of California will govern these Terms and any claim.”
11
71. By reason of the conduct alleged herein, Defendant engaged in unfair “business
12
practices” within the meaning of the UCL.
13
72. Defendant stored the PII of Plaintiffs and members of their respective Classes in
14
their electronic and consumer information databases. Defendant represented to Plaintiffs and
15
members of the classes that its PII databases were secure and that class members’ PII would
16
remain private. Defendant engaged in unfair acts and business practices by representing that it
17
had safeguards which complied with federal regulations to protect PII.
18
73. Even without these misrepresentations, Plaintiffs and Class members were
19
entitled to, and did, assume that Defendant would take appropriate measures to keep their PII
20
safe. Defendant did not disclose at any time that Plaintiffs’ PII was vulnerable to hackers
21
because Defendant’s data security measures were inadequate and outdated. Defendant was the
22
only one in possession of that material information, which it had a duty to disclose.
23
74. Defendant knew or should have known it did not employ reasonable
24
measures to keep Plaintiffs’ and the other Class members’ PII secure and to prevent the
25
loss or misuse of Plaintiffs’ and the other Class members’ PII.
26
75. Defendant violated the UCL by misrepresenting – by affirmative conduct
27
and by omission – the security of its many systems and services and its ability to safely
28
store Plaintiffs’ and Class members’ PII. Defendant also violated the UCL by failing to

CLASS ACTION COMPLAINT - 23


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 24 of 43

1
implement and maintain reasonable security procedures and practices appropriate to
2
protect all class members’ PII. If Defendant followed the industry standards and legal
3
requirements, Plaintiffs and the Class would not have suffered the damages alleged
4
herein.
5
76. Defendant also violated its commitment to maintain the confidentiality and
6
security of the PII of Plaintiffs and their respective Classes and failed to comply with its own
7
policies and applicable laws, regulations, and industry standards relating to data security.
8
77. Defendant engaged in unfair business practices under the “balancing test.” The
9
harm caused by Defendant’s actions and omissions, as described in detail above, greatly
10
outweigh any perceived utility. Indeed, Defendant’s failure to follow basic data security protocols
11
and misrepresentations to consumers about Defendant’s data security cannot be said to have had
12
any utility at all.
13
78. Defendant engaged in unfair business practices under the “tethering test.”
14
Defendant’s actions and omissions, as described in detail above, violated fundamental public
15
policies expressed by the California Legislature. See, e.g., Cal. Civ. Code § 1798.1 (“The
16
Legislature declares that . . . all individuals have a right of privacy in information pertaining to
17
them . . . The increasing use of computers . . . has greatly magnified the potential risk to
18
individual privacy that can occur from the maintenance of personal information.”); Cal. Civ.
19
Code § 1798.81.5(5) (“It is the intent of the Legislature to ensure that personal information
20
about California residents is protected.”); Cal. Bus. & Prof. Code § 22578 (“It is the intent of the
21
Legislature that this chapter [including the Online Privacy Protection Act] is a matter of
22
statewide concern.”) Defendant’s acts and omissions, and the injuries caused by them are thus
23
“comparable to or the same as a violation of the law ...” Cel-Tech Communications, Inc. v. Los
24
Angeles Cellular Telephone Co. (1999) 20 Cal.4th 163, 187.
25
79. Defendant engaged in unfair business practices under the “FTC test.” The harm
26
caused by Defendant’s actions and omissions, as described in detail above, is substantial in that it
27
affects approximately 50 million Class members and has caused those persons to suffer actual
28
harms. Such harms include a substantial risk of identity theft, disclosure of Class members’ PII to

CLASS ACTION COMPLAINT - 24


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 25 of 43

1
third parties without their consent, diminution in value of their PII, consequential out-of-pocket
2
losses for procuring credit freeze or protection services, identity theft monitoring, and other
3
expenses relating to identity theft losses or protective measures. This harm continues given the
4
fact that Class members’ PII remains in Defendant’s possession, without adequate protection, and
5
is also in the hands of those who obtained it without their consent. Defendant’s actions and
6
omissions violated, inter alia, § 5(a) of the FTC Act, 15 U.S.C. § 45. See, e.g., F.T.C. v.
7
Wyndham Worldwide Corp., 10 F. Supp. 3d 602, 613 (D.N.J. 2014), aff’d, 799 F.3d 236 (3d Cir.
8
2015); In re LabMD, Inc., FTC Docket No. 9357, FTC File No. 102-3099 (July 28, 2016) (failure
9
to employ reasonable and appropriate measures to secure personal information collected violated
10
§ 5(a) of FTC Act); In re BJ’s Wholesale Club, Inc., FTC Docket No. C-4148, FTC File No. 042-
11
3160 (Sept. 20, 2005) (same); In re CardSystems Solutions, Inc., FTC Docket No. C-4168, FTC
12
File No. 052- 3148 (Sept. 5, 2006) (same); see also United States v. ChoicePoint, Inc., Civil
13
Action No. 1:06-cv-0198-JTC (N.D. Ga. Oct. 14, 2009) (“failure to establish and implement, and
14
thereafter maintain, a comprehensive information security program that is reasonably designed to
15
protect the security, confidentiality, and integrity of personal information collected from or
16
about consumers” violates § 5(a) of FTC Act); 15 U.S.C. § 45(n) (defining “unfair acts or
17
practices” as those that “cause[] or [are] likely to cause substantial injury to consumers which
18
[are] not reasonably avoidable by consumers themselves and not outweighed by countervailing
19
benefits to consumers or to competition.”).
20
80. Plaintiffs and the other Class members suffered injury in fact and lost money or
21
property as the result of Defendant’s unfair business practices. In particular, Plaintiffs and the
22
other Class members have suffered from hacked Facebook accounts and any accounts linked to
23
their Facebook accounts, and other similar harm, all as a result of the September 2018 Data
24
Breach. In addition, their PII was taken and is in the hands of those who will use it for their
25
own advantage or is being sold for value – making it clear that the hacked information is of
26
tangible value. Plaintiffs and Class members have also suffered consequential out-of-pocket
27
losses for procuring credit freeze or protection services, identity theft monitoring, and other
28
expenses relating to identity theft losses or protective measures.

CLASS ACTION COMPLAINT - 25


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 26 of 43

1
81. As a result of Defendant’s unfair business practices and violations of the UCL,
2
Plaintiffs and the other Class members are entitled to restitution, disgorgement of wrongfully
3
obtained profits, and injunctive relief.
4
Third Claim for Relief
5 Violation of California’s Unfair Competition Law (“UCL”) – Fraudulent/Deceptive
6 Business Practice (Cal. Bus. & Prof. Code § 17200, et seq.)

7 82. Plaintiffs hereby repeat, reallege, and incorporate by reference each and every
8 allegation contained above as though the same were fully set forth herein.
9 83. Facebook engaged in fraudulent and deceptive acts and practices with regard to
10 the services it provided to the Class by representing and advertising that (1) it would maintain
11 adequate data privacy and security practices and procedures to safeguard Class Members’ PII
12 from unauthorized disclosure, release, data breaches, and theft and that (2) it did and would
13 comply with the requirements of relevant federal and state laws pertaining to the privacy and
14 security of Class Members’ PII. These representations were likely to deceive members of the
15 public, including Plaintiff and the Class Members, into believing their PII was securely stored –
16 when it was not – and that Facebook was complying with relevant law – when it was not.
17 84. Facebook engaged in fraudulent and deceptive acts and practices with regard to
18 the services provided to the Class by omitting, suppressing, and concealing the material fact
19 that the privacy and security protections for Class Members’ PII was woefully inadequate. At
20 the time that Class members were using Facebook’s services, Facebook failed to disclose to
21 Class Members that its data security systems failed to meet legal and industry standards for the
22 protection of their PII. These representations likely deceived members of the public, including
23 Plaintiffs and the Class, into believing that their PII was securely stored – when it was not –
24 and that Facebook was complying with relevant law and industry standards – when it was not.
25 85. As a direct and proximate result of Facebook’s deceptive practices and acts,
26 Plaintiffs and the Class were injured and lost money or property, including but not limited to
27 the loss of their legally protected interest in the confidentiality and privacy of their PII, and
28 additional losses described above.

CLASS ACTION COMPLAINT - 26


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 27 of 43

1
86. Facebook knew or should have known that its computer systems and data
2
security practices were inadequately safeguarding Class Members’ PII and that the risk of a
3
data breach or theft was very high.
4
87. Facebook’s actions in engaging in the above-named unlawful practices and acts
5
were negligent, knowing and willful, and/or wanton and reckless with respect to the rights of
6
members of the Class.
7
88. Class Members seek relief under Cal. Bus. & Prof. Code § 17200, et. seq.,
8
including, but not limited to, restitution to Plaintiffs and the Class of money or property that
9
Facebook may have acquired by means of its fraudulent and deceptive business practices,
10
restitutionary disgorgement of all profits accruing to Facebook because of its fraudulent and
11
deceptive business practices, declaratory relief, attorney’s fees and costs (pursuant to Cal. Code
12
Civ. Proc. § 1021.5), and injunctive or other equitable relief.
13
Fourth Claim for Relief
14 Deceit by Concealment (Cal. Civil Code §§ 1709, 1710)
15
89. Plaintiffs hereby repeat, reallege, and incorporate by reference each and every
16
allegation contained above as though the same were fully set forth herein.
17
90. As alleged above, Defendant knew its data security measures were grossly
18
inadequate by, at the absolute latest, March 2018 when the Cambridge Analytica matter came to
19
light, exposing Facebook’s lax and inadequate approach to data security. At that time, Facebook
20
was on notice that its systems were extremely vulnerable to attack – facts that Defendant
21
should have already known given its previous exposures and security problems.
22
91. In response to all of these facts, Defendant chose to do nothing to protect
23
Plaintiffs and the Class or warn them about the security problems. Instead, Defendant openly
24
represented to Congress and foreign governments that Facebook was dedicated to the highest
25
and most advanced security practices and protocols.
26
92. Defendant had an obligation to disclose to all class members that their Facebook
27
accounts and PII were an easy target for hackers and Defendant was not implementing measures to
28
protect them.

CLASS ACTION COMPLAINT - 27


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 28 of 43

1
93. Defendant did not do these things. Instead, Defendant willfully deceived
2
Plaintiffs and the Class by concealing the true facts concerning its poor data security, which
3
Defendant were obligated to, and had a duty to, disclose. Additionally, Facebook made
4
numerous representations following the prior exposures to assure Users that their PII and other
5
data was safe and that Facebook was dedicated to maintaining the security of their data.
6
94. Had Defendant disclosed the true facts about its poor data security, Plaintiffs
7
and the Class would have taken measures to protect themselves. Plaintiffs and the Class
8
justifiably relied on Defendant to provide accurate and complete information about Defendant’s
9
data security, which Defendant failed to do.
10
95. Alternatively, given the security holes in Defendant’s services and Defendant’s
11
refusal to take measures to detect those holes, much less fix them, Defendant simply should have
12
shut down their current service. Independent of any representations made by Defendant, Plaintiffs
13
and the Class justifiably relied on Defendant to provide a service with at least minimally adequate
14
security measures and to disclose facts undermining that reliance.
15
96. Rather than cease offering a clearly unsafe and defective service or disclosing
16
to Plaintiffs and the Class that its services were unsafe and Users’ PII was exposed to theft on a
17
grand scale, Defendant continued on, concealing information relating to the inadequacy of its
18
security measures.
19
97. These actions are “deceit” under Cal. Civil Code § 1710 in that they are the
20
suppression of a fact, by one who is bound to disclose it, or who gives information of other
21
facts which are likely to mislead for want of communication of that fact.
22
98. As a result of this deceit by Defendant, it is liable under Cal. Civil Code § 1709
23
for “any damage which [Plaintiffs and the Class] thereby suffer[].”
24
99. As a result of this deceit by Defendant, the PII of Plaintiffs and the Class was
25
compromised, placing them at a greater risk of identity theft or subjecting them to identity theft,
26
and their PII was disclosed to third parties without their consent. Plaintiffs and the other Class
27
members also suffered diminution in value of their PII in that it now has become easily available
28
to hackers on the Dark Web. Plaintiffs and the Class have also suffered consequential out-of-

CLASS ACTION COMPLAINT - 28


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 29 of 43

1
pocket losses for procuring credit freeze or protection services, identity theft monitoring, and
2
other expenses relating to identity theft losses or protective measures.
3
100. Defendant’s deceit as alleged herein is fraud under Civil Code § 3294(c)(3) in
4
that it was a deceit or concealment of a material fact known to the Defendant conducted with
5
the intent on the part of Defendant of depriving Plaintiffs and the Class of “legal rights or
6
otherwise causing injury.” As a result, Plaintiffs and the Class are entitled to punitive damages
7
against Defendant under Civil Code § 3294(a).
8
Fifth Claim for Relief
9 Negligence
10
101. Plaintiffs hereby repeat, reallege, and incorporate by reference each and every
11
allegation contained above as though the same were fully set forth herein.
12
102. Defendant owed a duty to Plaintiffs and the Class to exercise reasonable
13
care in safeguarding and protecting their PII and keeping it from being compromised, lost,
14
stolen, misused, and or/disclosed to unauthorized parties. This duty included, inter alia,
15
designing, maintaining, and testing Defendant’s security systems to ensure that the PII of
16
Plaintiffs’ and the Class was adequately secured and protected, including using
17
encryption technologies. Defendant further had a duty to implement processes that would
18
detect a breach of its security system in a timely manner.
19
103. Defendant knew that the PII of Plaintiffs and the Class was personal and
20
sensitive information that is valuable to identity thieves and other criminals. Defendant
21
also knew of the serious harms that could happen if the PII of Plaintiffs and the Class was
22
wrongfully disclosed, that disclosure was not fixed, or Plaintiffs and the Class were not
23
told about the disclosure in a timely manner.
24
104. By entrusting Defendant to safeguard their PII, Plaintiffs and the Class had a
25
special relationship with Defendant. Plaintiffs and the Class signed up for Defendant’s services
26
and agreed to provide their PII with the understanding that Defendant would take appropriate
27
measures to protect it, and would inform Plaintiffs and the Class of any breaches or other security
28
concerns that might call for action by Plaintiffs and the Class. But Defendant did not. Defendant

CLASS ACTION COMPLAINT - 29


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 30 of 43

1
not only knew its data security was inadequate, Defendant also knew it didn’t have the tools to
2
detect and document intrusions or exfiltration of PII. Defendant is morally culpable, given its
3
repeated security breaches, wholly inadequate safeguards, and refusal to notify Plaintiffs and the
4
Class of breaches or security vulnerabilities.
5
105. Defendant breached its duty to exercise reasonable care in safeguarding and
6
protecting Plaintiffs’ and the Class members’ PII by failing to adopt, implement, and maintain
7
adequate security measures to safeguard that information, despite repeated failures and
8
intrusions, and allowing unauthorized access to Plaintiffs’ and the other Class members’ PII.
9
106. Defendant’s failure to comply with industry and federal regulations further
10
evidences Defendant’s negligence in failing to exercise reasonable care in safeguarding and
11
protecting Plaintiffs’ and the Class members’ PII.
12
107. Defendant’s breaches of these duties were not merely isolated incidents or small
13
mishaps. Rather, the breaches of the duties set forth above resulted from a long-term company-
14
wide refusal by Defendant to acknowledge and correct serious and ongoing data security
15
problems.
16
108. But for Defendant’s wrongful and negligent breach of its duties owed to
17
Plaintiffs and the Class, their PII would not have been compromised, stolen, and viewed by
18
unauthorized persons. Defendant’s negligence was a direct and legal cause of the theft of the
19
PII of Plaintiffs and the Class and all resulting damages.
20
109. The injury and harm suffered by Plaintiffs and the other Class members was the
21
reasonably foreseeable result of Defendant’s failure to exercise reasonable care in safeguarding
22
and protecting Plaintiffs’ and the other class members’ PII. Defendant knew its systems and
23
technologies for processing and securing the PII of Plaintiffs and the Class had numerous
24
security vulnerabilities.
25
110. As a result of this misconduct by Defendant, the PII of Plaintiffs and the Class
26
were compromised, placing them at a greater risk of identity theft or subjecting them to identity
27
theft, and their PII was disclosed to third parties without their consent. Plaintiffs and Class
28
members also suffered diminution in value of their PII in that it is now easily available to

CLASS ACTION COMPLAINT - 30


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 31 of 43

1
hackers on the Dark Web. Plaintiffs and the Class have also suffered consequential out of
2
pocket losses for procuring credit freeze or protection services, identity theft monitoring, and
3
other expenses relating to identity theft losses or protective measures.
4
111. Defendant’s misconduct as alleged herein is malice or oppression in that it was
5
despicable conduct carried on by Defendant with a willful and conscious disregard of the rights
6
or safety of Plaintiffs and the Class and despicable conduct that has subjected Plaintiffs and the
7
Class to cruel and unjust hardship in conscious disregard of their rights. As a result, Plaintiffs
8
and the Class are entitled to punitive damages against Defendant.
9
Sixth Claim for Relief
10 Breach of Implied Contract
11 112. Plaintiffs hereby repeat, reallege, and incorporate by reference each and every

12 allegation contained above as though the same were fully set forth herein.

13 113. Facebook solicited and invited Plaintiffs and Class Members to use its services.

14 Plaintiffs and Class members accepted Facebook’s offers and created user accounts requiring

15 the provision of PII with Facebook during the period of the September 2018 Data Breach.

16 114. When Plaintiffs and Class Members used Facebook services and products, they

17 provided their PII. In so doing, Plaintiffs and Class Members entered into implied contracts

18 with Facebook pursuant to which Facebook agreed to safeguard and protect such information.

19 115. Each use of a Facebook service or product made by Plaintiffs and Class

20 Members was made pursuant to the mutually agreed-upon implied contract with Facebook

21 under which Facebook agreed to safeguard and protect Plaintiffs and Class Members’ PII.

22 116. Plaintiffs and Class Members would not have provided and entrusted their PII to

23 Facebook in the absence of the implied contract between them and Facebook.

24 117. Plaintiffs and Class Members fully performed their obligations under the

25 implied contracts with Facebook.

26 118. Facebook breached the implied contracts it made with Plaintiffs and Class

27 Members by failing to safeguard and protect the PII of Plaintiffs and Class.

28 119. As a direct and proximate result of Facebook’s breaches of the implied contracts

CLASS ACTION COMPLAINT - 31


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 32 of 43

1
between Facebook and Plaintiffs and Class Members, Plaintiffs and Class Members sustained
2
actual losses and damages as described in detail above.
3
ADDITIONAL CLAIMS ALLEGED ON BEHALF OF THE COLORADO SUB-CLASS
4 ONLY
5
Seventh Claim for Relief
6 Violation of Colorado Consumer Protection Act
(Colo. Rev. Stat 6-1-101, et seq.)
7
120. Plaintiffs Johnson and Newborn (“Colorado Plaintiffs”) hereby repeat, reallege,
8
and incorporate by reference each and every allegation contained above as though the same
9
were fully set forth herein.
10
121. Colorado Plaintiffs bring this claim on behalf of the Colorado Sub-Class who
11
are all residents of Colorado.
12
122. Facebook is a “person” as defined by Colo. Rev. Stat. § 6-1-102(6). Colorado
13
Plaintiffs and Colorado Sub-Class Members are actual or potential consumers of the products
14
and services offered by Facebook.
15
123. Facebook, operating in Colorado, engaged in deceptive, unfair, and unlawful
16
trade acts or practices in the course of its business, vocation or occupation, in violation of Colo.
17
Rev. Stat. § 6-1-105, including but not limited to the following:
18

19
a. Knowingly misrepresenting and fraudulently advertising material facts
20 pertaining to its products and services to the Colorado Sub-Class by representing
and advertising that it would maintain adequate data privacy and security
21 practices and procedures to safeguard Colorado Sub-Class Members’ Personal
Information from unauthorized disclosure, release, data breaches, and theft, in
22
violation of Colo. Rev. Stat. §§ 6-1-105(e), (g), (i), and (u);
23 b. Knowingly misrepresenting material facts pertaining to its products and services
24 to the Colorado Sub-Class by representing and advertising that it did and would
comply with the requirements of relevant federal and state laws pertaining to the
25 privacy and security of Colorado Sub-Class Members’ Personal Information, in
violation of Colo. Rev. Stat. §§ 6-1-105(e), (g), (i), and (u);
26
c. Knowingly omitting, suppressing, and concealing the material fact of the
27 inadequacy of the privacy and security protections for Colorado Sub-Class
Members’ Personal Information (intending to induce others to enter into a
28
transaction), in violation of Colo. Rev. Stat. §§ 6-1-105(e), (g), (i), and (u);

CLASS ACTION COMPLAINT - 32


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 33 of 43

1 d. Engaging in deceptive, unfair, and unlawful trade acts or practices, in violation


of Colo. Rev. Stat. § 6-1-105(3), by failing to maintain the privacy and security
2
of Colorado Sub-Class Members’ Personal Information, in violation of duties
3 imposed by and public policies reflected in applicable federal and state laws,
including Colo. Rev. Stat. § 6-1-713.5, resulting in the September 2018 Data
4 Breach.
5 e. Engaging in deceptive, unfair, and unlawful trade acts or practices, in violation
of Colo. Rev. Stat. § 6-1-105(3), by failing to disclose the September 2018
6 Breach to Colorado Sub-Class Members in a timely and accurate manner,
7
contrary to the duties imposed by Colo. Rev. Stat. § 6-1-716(2); and
f. Engaging in deceptive, unfair, and unlawful trade acts or practices, in violation
8 of Colo. Rev. Stat. § 6-1-105(3), by failing to take proper action following the
9 September 2018 Data Breach to enact adequate privacy and security measures
and protect Colorado Sub-Class Members’ Personal Information from further
10 unauthorized disclosure, release, data breaches, and theft.
11 124. Under Colo. Rev. Stat. § 6-1-713.5, Facebook “maintains, owns, or licenses
12 personal identifying information of an individual residing in [Colorado],” and thus is required
13 to “implement and maintain reasonable security procedures and practices that are appropriate to
14 the nature of the personal identifying information and the nature and size of the business and its
15 operations.” Facebook failed to maintain reasonable securities procedures and practices
16 appropriate for the nature and size of the business and its operation.
17 125. Facebook’s representations and omissions were material because they were
18 likely to deceive reasonable consumers about the adequacy of Facebook’s data security and
19 ability to protect the confidentiality of consumers’ Personal Information.
20 126. Facebook intended to mislead Colorado Plaintiffs and Colorado Sub-Class
21 members and induce them to rely on its misrepresentations and omissions.
22 127. Had Colorado Plaintiffs and other Colorado Sub-Class Members known that
23 Defendant failed to employ necessary and adequate protection of their personal information,
24 they would not have created a Facebook account or limited the PII they shared with Facebook.
25 128. Facebook engaged in the above unfair and deceptive acts or practices in the
26 course of its business.
27 129. Facebook engaged in above unfair and deceptive acts or practices with malice
28 and/or willfulness.

CLASS ACTION COMPLAINT - 33


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 34 of 43

1
130. As a direct and proximate result of Facebook’s unfair and deceptive practices,
2
Colorado Sub-Class Members suffered injuries to legally protected interests, including their
3
legally protected interest in the confidentiality and privacy of their personal information.
4
131. The above unfair and deceptive practices and acts by Facebook were immoral,
5
unethical, oppressive, and unscrupulous. These acts caused substantial injury to Colorado
6
Plaintiffs and Colorado Sub-Class Members that they could not reasonably avoid. This
7
substantial injury outweighed any benefits to consumers or to competition.
8
132. Facebook knew or should have known that its computer systems and data
9
security practices were inadequate to safeguard Colorado Sub-Class Members’ Personal
10
Information and that risk of a data breach or theft was high. Facebook’s actions in engaging in
11
the above-named unfair practices and deceptive acts were negligent, knowing and willful,
12
and/or wanton and reckless with respect to the rights of members of the Colorado Sub-Class.
13
133. Colorado Plaintiffs and Colorado Sub-Class Members seek relief under Colo.
14
Rev. Stat. §§ 6-1-101, et seq., including, but not limited to, compensatory damages, statutory
15
damages, restitution, penalties, injunctive relief, and/or attorneys’ fees and costs.
16
Eighth Claim for Relief
17 Violation of Colorado Security Breach Notification Act
(Colo. Rev. Stat 6-1-716, et seq.)
18
134. Colorado Plaintiffs hereby repeats, realleges and incorporates by reference each
19
and every allegation contained above as though the same were fully set forth herein.
20
135. Facebook is a business that owns or licenses computerized data that includes
21
Personal Information as defined by Colo. Rev. Stat. §§ 6-1-716(1) and 6 1-716(2).
22
136. Colorado Plaintiffs and Colorado Sub-Class PII includes Personal Information
23
as covered by Colo. Rev. Stat. §§ 6-1-716(1) and 6-1-716(2).
24
137. Under Colo. Rev. Stat. § 6-1-713.5, Facebook “maintains, owns, or licenses
25
personal identifying information of an individual residing in [Colorado],” and thus is required
26
to “implement and maintain reasonable security procedures and practices that are appropriate to
27
the nature of the personal identifying information and the nature and size of the business and its
28
operations.”

CLASS ACTION COMPLAINT - 34


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 35 of 43

1
138. Defendant is required to accurately notify Colorado Plaintiffs and Colorado Sub-
2
Class members if it becomes aware of a breach of its data security system in the most expedient
3
time possible and without unreasonable delay under Colo. Rev. Stat. § 6-1-716(2).
4
139. Because Facebook was aware of a breach of its security system, it had an
5
obligation to disclose the September 2018 Data Breach in a timely and accurate fashion as
6
mandated by Colo. Rev. Stat. § 6-1-716(2).
7
140. By failing to disclose the September 2018 Data Breach in a timely and accurate
8
manner, Facebook violated Colo. Rev. Stat. § 6-1-716(2).
9
141. As a direct and proximate result of Facebook’s violations of Colo. Rev. Stat. §
10
6-1-716(2), Colorado Plaintiffs and Colorado Sub-Class members suffered damages, as
11
described above.
12
142. Colorado Plaintiffs and Colorado Sub-Class members seek relief under Colo.
13
Rev. Stat. § 6-1-716(4), including actual damages and equitable relief
14
ADDITIONAL CLAIMS ALLEGED ON BEHALF OF THE CALIFORNIA SUB-
15
CLASS ONLY
16
Ninth Claim for Relief
17 Violation of California Customer Records Act
18 (California Civil Code § 1798.80, et seq.)

19 143. Plaintiffs hereby repeat, reallege, and incorporate by reference each and every

20
allegation contained above as though the same were fully set forth herein.

21 144. Plaintiff King (“California Plaintiff”) brings this cause of action on behalf of

22 herself and on behalf of the California Sub-Class who are all California residents.

23
145. The California Legislature enacted Civil Code § 1798.81.5 “to ensure that

24 personal information about California residents is protected.” The statute requires that any

25 business that “owns, licenses, or maintains personal information about a California resident …

26 implement and maintain reasonable security procedures and practices appropriate to the nature

27
of the information, to protect the personal information from unauthorized access, destruction,

28 use, modification, or disclosure.”

CLASS ACTION COMPLAINT - 35


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 36 of 43

1
146. Defendant is a “business” as defined by Civil Code § 1798.80(a).
2
147. California Plaintiff and California Sub-Class Members are “individual[s]” as
3
defined by Civil Code § 1798.80(d).
4
148. The personal information taken in the data breach was “personal information” as
5
defined by Civil Code §§ 1798.80(e) and 1798.81.5(d), which includes “information that
6
identifies, relates to, describes, or is capable of being associated with, a particular individual,
7
including, but not limited to, his or her name, signature, Social Security number, physical
8
characteristics or description, address, telephone number, passport number, driver’s license or
9
state identification card number, insurance policy number, education, employment,
10
employment history, bank account number, credit card number, debit card number, or any other
11
financial information, medical information, or health insurance information.”
12
149. The breach of the personal information of “50 million Facebook users” was a
13
“breach of the security system” of Defendant as defined by Civil Code § 1798.82(g).
14
150. By failing to implement reasonable security measures appropriate to the nature
15
of the personal information of Facebook Users, Defendant violated Civil Code § 1798.81.5.
16
151. In addition, by failing to immediately notify all affected Facebook Users that
17
their personal information had been acquired or may have been acquired by unauthorized
18
persons in the data breach, Defendant violated Civil Code § 1798.82.
19
152. Defendant’s failure to immediately notify Facebook Users of the breach caused
20
California Sub-Class Members to suffer damages because they have lost the opportunity to
21
immediately: (i) buy identity protection, monitoring, and recovery services; (ii) flag asset,
22
credit, and tax accounts for fraud, including reporting the theft of their Social Security numbers
23
to financial institutions, credit agencies, and the Internal Revenue Service; (iii) purchase or
24
otherwise obtain credit reports; (iv) monitor credit, financial, utility, explanation of benefits,
25
and other account statements on a monthly basis for unrecognized credit inquiries, Social
26
Security numbers, home addresses, charges, and/or medical services; (v) place and renew credit
27
fraud alerts on a quarterly basis; (vi) routinely monitor public records, loan data, or criminal
28
records; (vii) contest fraudulent charges and other forms of criminal, financial and medical

CLASS ACTION COMPLAINT - 36


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 37 of 43

1
identity theft, and repair damage to credit and other financial accounts; and (viii) take other
2
steps to protect themselves and recover from identity theft and fraud.
3
153. Because they violated Civil Code §§ 1798.81.5 and 1798.82, Defendant “may be
4
enjoined” under Civil Code § 1798.84(e).
5
154. California Plaintiff requests that the Court enter an injunction requiring
6
Defendant to implement and maintain reasonable security procedures to protect its Users’
7
personal information, including, but not limited to, ordering that Defendants: (a) engage third
8
party security auditors/penetration testers as well as internal security personnel to conduct
9
testing consistent with prudent industry practices, including simulated attacks, penetration tests,
10
and audits on Defendant’s systems on a periodic basis; (b) engage third party security auditors
11
and internal personnel to run automated security monitoring consistent with prudent industry
12
practices; (c) audit, test, and train its security personnel regarding any new or modified
13
procedures; (d) purge, delete and destroy, in a secure manner, Facebook Users data not
14
necessary for its business operations; (e) conduct regular database scanning and securing
15
checks consistent with prudent industry practices; (f) periodically conduct internal training and
16
education to inform internal security personnel how to identify and contain a breach when it
17
occurs and what to do in response to a breach consistent with prudent industry practices; (g)
18
receive periodic compliance audits by a third party regarding the security of the computer
19
systems, cloud-based services, and application software Defendant uses to store the personal
20
information of current and former Facebook Users; (h) meaningfully educate its current and
21
former Facebook Users about the threats they face as a result of the loss of their personal
22
information to third parties, as well as the steps they must take to protect themselves; and (i)
23
provide ongoing identity theft protection, monitoring, and recovery services to California
24
Plaintiff and California Sub-Class Members.
25
155. As a result of Defendant’s violation of Cal. Civ. Code § 1798.81.5, California
26
Plaintiff and California Sub-Class Members have incurred and will incur damages, including
27
but not necessarily limited to: (1) the loss of the opportunity to control how their personal
28
information is used; (2) the diminution in the value and/or use of their personal information

CLASS ACTION COMPLAINT - 37


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 38 of 43

1
entrusted to Defendant for the purpose of deriving services from Defendant and with the
2
understanding that Defendant would safeguard their personal information against theft and not
3
allow access and misuse of their personal information by others; (3) the compromise,
4
publication, and/or theft of their personal information; (4) out-of-pocket costs associated with
5
the prevention, detection, and recovery from identity theft and/or unauthorized use of financial
6
and medical accounts; (5) lost opportunity costs associated with effort expended and the loss of
7
productivity addressing and attempting to mitigate the actual and future consequences of the
8
breach, including but not limited to efforts spent researching how to prevent, detect, contest and
9
recover from identity data misuse; (6) costs associated with the ability to use credit and assets
10
frozen or flagged due to credit misuse, including complete credit denial and/or increased costs
11
to use credit, credit scores, credit reports and assets; (7) unauthorized use of compromised
12
personal information to open new financial and/or health care or medical accounts; (8) tax
13
fraud and/or other unauthorized charges to financial, health care or medical accounts and
14
associated lack of access to funds while proper information is confirmed and corrected; (9) the
15
continued risk to their personal information, which remain in Defendant’s possession and are
16
subject to further breaches so long as Defendant fails to undertake appropriate and adequate
17
measures to protect the personal information in their possession; and (10) future costs in terms
18
of time, effort and money that will be expended, to prevent, detect, contest, and repair the
19
impact of the personal information compromised as a result of the data breach for the
20
remainder of the lives of the California Sub-Class Members.
21
156. California Plaintiff seeks all remedies available under Civil Code § 1798.84,
22
including actual and statutory damages, equitable relief, and reasonable attorneys’ fees.
23
California Plaintiff also seeks reasonable attorneys’ fees and costs under applicable law
24
including California Code of Civil Procedure § 1021.5.
25
ADDITIONAL CLAIMS ALLEGED ON BEHALF OF THE NEW JERSEY
26
SUB-CLASS ONLY
27
Tenth Claim for Relief
28 Violation of New Jersey Customer Security Breach Disclosure Act
(N.J. Stat. Ann. §§ 56:8-163, et seq.)

CLASS ACTION COMPLAINT - 38


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 39 of 43

1
157. Plaintiffs hereby repeat, reallege, and incorporate by reference each and every
2
allegation contained above as though the same were fully set forth herein.
3
158. Plaintiff Martin (“New Jersey Plaintiff”) brings this cause of action on behalf of
4
herself and on behalf of the New Jersey Sub-Class who are all New Jersey residents.
5
159. Facebook is a business that compiles or maintains computerized records that
6
include Personal Information on behalf of another business under N.J. Stat. Ann. § 56:8-163(b).
7
160. New Jersey Plaintiff’s and New Jersey Sub-Class members’ PII includes
8
Personal Information covered under N.J. Stat. Ann. §§ 56:8-163, et seq.
9
161. Under N.J. Stat. Ann. § 56:8-163(b), “[a]ny business . . . that compiles or
10
maintains computerized records that include Personal Information on behalf of another
11
business or public entity shall notify that business or public entity, who shall notify its New
12
Jersey customers . . . of any breach of security of the computerized records immediately
13
following discovery, if the Personal Information was, or is reasonably believed to have been,
14
accessed by an unauthorized person.”
15
162. Because Facebook discovered a breach of its security system in which Personal
16
Information was, or is reasonably believed to have been, acquired by an unauthorized person
17
and the Personal Information was not secured, Facebook had an obligation to disclose the
18
September 2018 Data Breach in a timely and accurate fashion as mandated under N.J. Stat. Ann.
19
§§ 56:8-163, et seq.
20
163. By failing to disclose the September 2018 Data Breach in a timely and accurate
21
manner, Facebook violated N.J. Stat. Ann. § 56:8-163(b).
22
164. As a direct and proximate result of Facebook’s violations of N.J. Stat. Ann. §
23
56:8-163(b), New Jersey Plaintiff and New Jersey Sub-Class members suffered the damages
24
described above.
25
165. New Jersey Plaintiff and New Jersey Sub-Cclass members seek relief under N.J.
26
Stat. Ann. § 56:8-19, including treble damages, attorney’s fees and costs, and injunctive relief.
27
Eleventh Claim for Relief
28
Violation of New Jersey Consumer Fraud Act

CLASS ACTION COMPLAINT - 39


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 40 of 43

1 (N.J. Stat. Ann. §§ 56:8-1, et seq.)


2 166. Plaintiffs hereby repeat, reallege, and incorporate by reference each and every
3 allegation contained above as though the same were fully set forth herein.
4 167. Plaintiff Martin brings this cause of action on behalf of herself and on behalf of
5 the New Jersey Sub-Class who are all New Jersey residents.
6 168. Facebook is a “person,” as defined by N.J. Stat. Ann. § 56:8-1(d).
7 169. Facebook sells “merchandise,” as defined by N.J. Stat. Ann. § 56:8-1(c) & (e).
8 170. The New Jersey Consumer Fraud Act, N.J. Stat. §§ 56:8-1, et seq., prohibits
9 unconscionable commercial practices, deception, fraud, false pretense, false promise,
10 misrepresentation, as well as the knowing concealment, suppression, or omission of any
11 material fact with the intent that others rely on the concealment, omission, or fact, in
12 connection with the sale or advertisement of any merchandise.
13 171. Facebook’s unconscionable and deceptive practices include:
14 a. Failing to implement and maintain reasonable security and privacy measures to
protect New Jersey Plaintiff and New Jersey Sub-Class members PII, which was
15
a direct and proximate cause of the September 2018 Data Breach;
16
b. Failing to identify foreseeable security and privacy risks and remediate
17 identified security and privacy risks, which was a direct and proximate cause of
the September 2018 Data Breach;
18

19
c. Failing to comply with common law and statutory duties pertaining to the
security and privacy of New Jersey Plaintiff and New Jersey Sub-Class
20 members’ PII, which was a direct and proximate cause of the September 2018
Data Breach;
21
d. Misrepresenting that it would protect the privacy and confidentiality of New
22
Jersey Plaintiff and New Jersey Sub-Class members’ PII, including by
23 implementing and maintaining reasonable security measures;

24 e. Misrepresenting that it would comply with common law and statutory duties
pertaining to the security and privacy of New Jersey Plaintiff and New Jersey
25 Sub-Class members’ PII;
26
f. Omitting, suppressing, and concealing the material fact that it did not reasonably
27 or adequately secure New Jersey Plaintiff and New Jersey Sub-Class members’
PII; and
28

CLASS ACTION COMPLAINT - 40


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 41 of 43

1 g. Omitting, suppressing, and concealing the material fact that it did not comply
with common law and statutory duties pertaining to the security and privacy of
2
New Jersey Plaintiff and New Jersey Sub-Class members’ PII.
3
172. Facebook’s representations and omissions were material because they were
4
likely to deceive reasonable consumers about the adequacy of Facebook’s data security and
5
ability to protect the confidentiality of consumers’ PII.
6
173. Facebook intended to mislead New Jersey Plaintiff and New Jersey Sub-Class
7
members and induce them to rely on its misrepresentations and omissions.
8
174. Facebook acted intentionally, knowingly, and maliciously to violate New
9
Jersey’s Consumer Fraud Act, and recklessly disregarded New Jersey Plaintiff and New Jersey
10
Sub-Class members’ rights. Facebook’s past data breaches put it on notice that its security and
11
privacy protections were inadequate. Facebook knew its data security measures were grossly
12
inadequate by, at the absolute latest, March 2018 when the Cambridge Analytica matter came
13
to light, exposing Facebook’s lax and inadequate approach to data security. At that time
14
Facebook was on notice that its systems were extremely vulnerable to attack – facts that
15
Facebook should have already known given its previous exposures and security problems.
16
175. As a direct and proximate result of Facebook’s unconscionable and deceptive
17
practices, New Jersey Plaintiff and New Jersey Sub-Class members have suffered and will
18
continue to suffer injury, ascertainable losses of money or property, and monetary and non-
19
monetary damages, including from fraud and identity theft; time and expenses related to
20
monitoring their financial accounts for fraudulent activity; an increased, imminent risk of fraud
21
and identity theft; and loss of value of their PII.
22
176. New Jersey Plaintiff and New Jersey Sub-Class members seek all monetary and
23
non-monetary relief allowed by law, including injunctive relief, other equitable relief, actual
24
damages, treble damages, restitution, and attorneys’ fees, filing fees, and costs.
25
PRAYER FOR RELIEF
26
WHEREFORE, Plaintiffs, individually and on behalf of the other Class and Sub-Class
27
members, respectfully request that this Court enter an Order:
28

CLASS ACTION COMPLAINT - 41


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 42 of 43

1 a. Certifying the United States Class and the Colorado, New Jersey, and California
Sub-Classes, and appointing Plaintiffs as Class and Sub-Class Representatives;
2

3 b. Finding that Defendant’s conduct was negligent, deceptive, unfair, and unlawful
as alleged herein;
4
c. Enjoining Defendant from engaging in further negligent, deceptive, unfair, and
5 unlawful business practices alleged herein;
6
d. Awarding Plaintiffs and Class and Sub-Class members actual, compensatory,
7 and consequential damages;

8 e. Awarding Plaintiffs and Class and Sub-Class members statutory damages and
penalties, as allowed by law;
9
f. Awarding Plaintiffs and Class and Sub-Class members restitution and
10
disgorgement;
11
g. Requiring Defendant to provide appropriate credit monitoring services to
12 Plaintiffs and the other Class and Sub-Class members;
13 h. Awarding Plaintiffs and Class and Sub-Class members punitive damages;
14
i. Awarding Plaintiffs and Class and Sub-Class members pre-judgment and
15 post-judgment interest;

16 j. Awarding Plaintiffs and Class and Sub-Class members reasonable


attorneys’ fees costs and expenses, and;
17
k. Granting such other relief as the Court deems just and proper.
18

19 JURY TRIAL DEMANDED


20 Plaintiffs demand a trial by jury of all claims in this Class Action Complaint so
21 triable.
22

23 DATED: October 11, 2018 Respectfully submitted,


24
/s/ Ivy T. Ngo
25

26

27

28

CLASS ACTION COMPLAINT - 42


Case 3:18-cv-06246 Document 1 Filed 10/11/18 Page 43 of 43

1 Ivy T. Ngo (249860)


2 Franklin D. Azar & Associates, P.C.
14426 E. Evans Avenue
3 Aurora, CO 80014
4 Telephone: 303-757-3300
Facsimile: 720-213-5131
5
Email: [email protected]
6

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

CLASS ACTION COMPLAINT - 43

You might also like