Elvey v. TD Ameritrade, Inc.

Filing 9

AMENDED COMPLAINT against all defendants. Filed byGadgetwiz.com, Inc., Matthew Elvey. (Himmelfarb, Alan) (Filed on 6/28/2007)

Download PDF
Elvey v. TD Ameritrade, Inc. Doc. 9 Case 3:07-cv-02852-MJJ Document 9 Filed 06/28/2007 Page 1 of 22 1 Alan Himmelfarb LAW OFFICES OF ALAN HIMMELFARB 2 2757 Leonis Blvd Los Angeles, CA 90058 3 Telephone: (323) 585-8696 Fax: (323) 585-8198 4 consumerlaw1@earthlink.net 5 Scott A. Kamber Ethan Preston 6 KAMBER & ASSOCIATES, LLC 11 Broadway, 22d Floor 7 New York, NY 10004 Telephone: (212) 920-3072 8 Fax: (212) 202-6364 skamber@kolaw.com 9 epreston@kolaw.com 10 11 12 13 Counsel for Plaintiffs IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF CALIFORNIA SAN FRANCISCO DIVISION No. C 07 2852 MJJ Judge Martin J. Jenkins CLASS ACTION COMPLAINT MATTHEW ELVEY, an individual, and 14 GADGETWIZ, INC., an Arizona corporation, on their own behalf and on behalf of all others 15 similarly situated, 16 17 v. Plaintiffs 18 TD AMERITRADE, INC., a New York corporation, and DOES 1 to 100, 19 Defendants. 20 21 22 FIRST AMENDED COMPLAINT Matthew Elvey ("Elvey") and Gadgetwiz, Inc. ("Gadgetwiz") (collectively "Plaintiffs"), 23 for their complaint, allege as follows upon information and belief, based upon, inter alia, 24 investigation conducted by and through their attorneys, except as to those allegations pertaining to 25 Plaintiffs and their counsel personally, which are alleged upon knowledge: 26 27 1. 28 Nature of the Claim This case is about TD AMERITRADE, Inc.'s ("Ameritrade") disclosure of its accountholder's private email addresses to spammers, which continue to send unsolicited First Amended Complaint 1 No. C 07 2852 MJJ Dockets.Justia.com Case 3:07-cv-02852-MJJ Document 9 Filed 06/28/2007 Page 2 of 22 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 6. 5. 4. 3. 2. commercial email promoting certain stocks ("stock spam"). Ameritrade's disclosure of these email addresses is tortious and may indicate still more systematic torts by the company. This is a national class action brought on behalf of two classes: 1) Ameritrade accountholders residing in California ("California Resident Class"), and 2) Internet access services which received spam sen to the email addresses of Ameritrade accountholders, t which spam is traceable to Ameritrade's disclosure of those email addresses ("CAN SPAM Class"). Ameritrade's disclosure of its accountholders' email addresses not only facilitated the transmission of spam to its accountholders, it violated its fiduciary duties and the provisions of its privacy policy. On behalf of the California Resident Class, Elvey seeks damages and injunctive relief under California's Consumer Legal Remedies Act ("CLRA") (Cal. Civ. Code § 1782(a)), equitable relief under California's Unfair Competition Law ("UCL") (Cal. Bus. & Prof. Code § 17203), damages and equitable relief for breach of fiduciary duty, and equitable relief and damages under the Computer Fraud and Abuse Act (18 U.S.C. § 1030). The stock spam which is the subject of this complaint originated with, and would not have occurred but for, Ameritrade's disclosure of its accountholders' email addresses. Ameritrade thus initiated the transmission of the spam which is the subject of this complaint, in violation of the CAN SPAM Act of 2003. On behalf of the CAN SPAM Class, Plaintiffs seek statutory damages and injunctive relief under 15 U.S.C. § 7706(g). Parties Plaintiff Matthew Elvey: Matthew Elvey is a resident of San Francisco, California. Elvey is an accountholder at Ameritrade. Elvey maintains a domain name, and provides that domain name with email and web (http) services. Elvey also provides users of his domain name with email service (including separate email accoun s, forwarding, filtering, t technical support services, and disposable email accounts). Plaintiff Gadgetwiz.com, Inc.: Gadgetwiz.com, Inc. is an Arizona corporation, 2 No. C 07 2852 MJJ First Amended Complaint Case 3:07-cv-02852-MJJ Document 9 Filed 06/28/2007 Page 3 of 22 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 11. 10. 9. 8. 7. headquartered in Arizona. Gadgetwiz maintains a domain name, and provides that domain name with email and web (http) services. Gadgetwiz provides users of its domain name with email services (including email forwarding and technical support services). One of Gadgetwiz's users is an accountholder at Ameritrade. Defendant TD AMERITRADE, Inc.: TD AMERITRADE, Inc. is a New York corporation which maintains its headquarters at 4211 South 102d Street, Omaha, Nebraska 68127. Ameritrade provides securities brokerage services, with retail brokerage representing the vast majority of its business. Ameritrade was established in 1971 as a local investment banking firm and began operations as a retail discount securities brokerage firm in 1975. As of September 2006, Ameritrade had an estimated 6,191,000 accountholders. Defendants Does: Plaintiffs are currently ignorant of the true names and capacities, whether individual, corporate, associate, or otherwise, of the defendants sued herein under the fictitious names Does 1 through 100, inclusive, and therefore, sue such defendants by such fictitious names. Plaintiffs allege on information and belief that Doe defendants were at all relevant times acting as Ameritrade's agents, ostensible agents, partners and/or joint venturers and employees, and that all acts alleged herein occurred within the course and scope of said agency, employment, partnership, and joint venture, or enterprise; however, each of these allegations are deemed "alternative" theories whenever not doing so would result in a contraction with the other allegations. Jurisdiction and Venue Elvey and Gadgetwiz assert claims under CFAA and the CAN SPAM Act for damages and injunctive remedies on behalf of themseves and all others similarly situated. This Court l has federal subject matter jurisdiction over this case under 28 U.S.C. § 1331. Ameritrade is a New York corporation headquartered in Nebraska. Ameritrade can only be a citizen in New York and Nebraska. The members of the California Resident Class (and the California CAN SPAM Class) are diverse from Ameritrade. The CAN SPAM Class is First Amended Complaint 3 No. C 07 2852 MJJ Case 3:07-cv-02852-MJJ Document 9 Filed 06/28/2007 Page 4 of 22 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 17. 16. 15. 13. 12. a national class whose members are scattered throughout the fifty states (including the 48 states besides New York and Nebraska) and the U.S. territories: there is minimal diversity of citizenship between the proposed CAN SPAM Class members and Ameritrade. The aggregate of claims asserted in both classes exceed the sum or value of $5,000,000. This Court has subject matter jurisdiction over this case under 28 U.S.C. § 1332(d)(2). This Court has personal jurisdiction over the Defendant under Cal. Code Civ. Proc. § 410.10 because some of the acts alleged herein were committed, and Elvey incurred his injury, in California (and, specifically, the Northern District of California). Venue is also proper before this Court under 28 U.S.C. § 1391(b)(1) ,(2), (c). Intradistrict Assignment 14. A substantial part of the events which give rise to the claim occurred in the place of Elvey's business and residence, San Francisco, in San Francisco County, California. Under Local Rule 3-2(e), this civil action should be assigned to the San Francisco division of the Northern District of California. Factual Background Email Anatomy: The domain name portion of an email address follows the @ symbol. (Thus, the domain name portion for "webmaster@cand.uscour s.gov" is t "cand.uscourts.gov".) Email systems use domain names to direct email to the correct email server, which in turn provide users with email accounts with the relevant domain name access to the messages sent to their address. The CAN SPAM Act defines "domain name" as "any alphanumeric designation which is registered with or assigned by any domain name registrar, domain name registry, or other domain name registration authority as part of an electronic address on the Internet." 15 U.S.C. § 7702(4). The CAN SPAM Act defines "header information" as "the source, destination, and routing information attached to an electronic mail message, including the originating domain name and originating electronic mail address, and any other information that appears in the line identifying, or purporting to identify, a person initiating the message." 15 U.S.C. § First Amended Complaint 4 No. C 07 2852 MJJ Case 3:07-cv-02852-MJJ Document 9 Filed 06/28/2007 Page 5 of 22 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 21. 20. 19. 18. 7702(8). Stock Spam: Stock spam is a technique for manipulating stock prices ­ essentially a contemporary version of a classic pump-and-dump scheme. The scheme typically involves purchasing stock in a small, thinly-traded company (whose pr ces can be driven up easily), i transmitting a massive volume of email touting the company's stock and urging recipients to buy, and then selling the stock after its price rises on the purchases of spam recipients. See Laura Frieder & Jonathan Zittrain, Spam Works: Evidence from Stock Touts and Corresponding Market Activity, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=92055 3 (Mar. 14, 2007); Rainer Böhme & Thorsten Holz, The Effect of Stock Spam on Financial Markets, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=897431 (Apr. 2006). Stock spam correlates with significant short-term increases in the touted stock prices (and a corresponding collapse soon thereafter). Frieder & Zittrain, Spam Works, at 40 (fig. 2); Spam Stock Tracker, http://www.spamstocktracker.com/ (updated Apr. 20, 2007). Stock spam's primary purpose is the advertisement and promotion of the touted stock. Stock spam constitutes a commercial electronic mail message under the definition in 15 U.S.C. § 7702(2)(A). Ameritrade's Privacy Statement: At all times relevant to this complaint, Ameritrade published a Privacy Statement which indicated that Ameritrade would not disclose personal information to third parties. The relevant portion of the Privacy Statement has been reproduced below: Do we share the information collected with any other third parties? The cornerstone of our Privacy Statemen is the commitment to keep our clients' t personal information confidential. Ameritrade does not sell, license, lease or otherwise disclose your personal information to any third party for any reason, except as noted earlier and as described below: · To help us improve our services to you, we may engage another business to help us to carry out certain internal functions such as account processing, fulfillment, client service, client satisfaction surveys or other data collection activities relevant to our business. We may also provide a party with client information from our database to help us to analyze and identify client needs and notify clients of product and service offerings. Use of the information shared is strictly limited to the performance of the task we request and for no other purpose. 5 No. C 07 2852 MJJ First Amended Complaint Case 3:07-cv-02852-MJJ Document 9 Filed 06/28/2007 Page 6 of 22 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 23. 22. · Periodically, we may invite you to participate in advertisements, promotions and special offers offered by Ameritrade or by other sponsoring organizations. These could include retailers, airlines and Internet service providers. Your participation may require us to gather and share your personal information or may require you to supply personal information to the promotion sponsor. For example, a referral program may require that we provide your name as a reference to a prospective client. It is always your choice whether or not to participate. All third parties with which we share personal information are required to protect personal information in a manner similar to the way we protect personal information. Examples of information shared are identifying information such as name, mailing address, e-mail address, telephone number, and information on account activity. If at any time you choose to purchase a product or service offered by another company, any personal information you share with that company will no longer be controlled under our Privacy Statement. Ameritrade also reserves the right to disclose your personal information to third parties where permitted by law or where required by law to regulatory, law enforcement or other government authorities. We may also disclose your information as necessary to credit reporting or collection agencies, or when necessary to protect our rights or property. Ameritrade, Ameritrade Privacy Statement, http://www.tdAmeritrade.com/privacy.html (Feb. 2007) (emphasis added). The Privacy Statement does allow disclosures of accountholder email addresses to partners and alliances (except for California and Vermont residents), but the Privacy Statement requires marketing under such relationships to identify that an offer is being extended because of the relationship with Ameritrade. Further, Ameritrade's Privacy Statement allows for disclosure to third parties for "certain internal functions such as account processing, fulfillment, client service, client satisfaction surveys or other data collection activities relevant to our business." Id. The spam received by Plaintiffs was not consistent with these exceptions. Elvey Receives Spam: In October 2006, Elvey pro ided Ameritrade with an unique email v address ("First Email Address"): Elvey never otherwise published, used, or provided the First Email Address to any other person. Consequently, the only persons who had the First Email Address were Ameritrade and Elvey. Nonetheless, beginning on or about November 15, 2006, Elvey began to receive stock spam, as alleged in more detail below, at the First Email Address. First Amended Complaint 6 No. C 07 2852 MJJ Case 3:07-cv-02852-MJJ Document 9 Filed 06/28/2007 Page 7 of 22 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 24. In February 2007, Elvey provided Ameritrade with another unique email address ("Second Email Address"). To ensure that he was not responsible for leaking the Second Email Address in any way, Elvey set up a separate hard drive with a separate operating system on his computer for the exclusive purpose of logging into Ameritrade's website and checking email from Ameritrade ­ prior to providing Ameritrade with the Second Email Address. Again, Elvey never otherwise published, used, or provided the Second Email Address to any other person, and the only persons who had the Second Email Address were Ameritrade and Elvey Nonetheless, Elvey began to receive stock spam at the Second . Email Address. All told, Elvey received more than 80 spam messages at the First and Second Email Addresses. 25. Elvey never received spam at any other email addresses at his domain name that would indicate that the spam sent to the the First and Second Email Addresses were merely part of a "dictionary" attack. (In a dictionary attack, spammers attempt to send spam to email addresses at a particularly domain name by methodically guessing and/or testing which domain names are valid.) 26. Elvey maintains the domain name for the First and Second Email Addresses. The server which provides email service to Elvey's domain name is maintained, stored, and given Internet connectivity by a third party with whom Elvey contracts. The transmission of stock spam sent to the First and Second Email Addresses consumes Internet connectivity, storage space, and processing capacity on this email server. This server is used in interstate and foreign commerce and communication. 27. Gadgetwiz User Receives Spam Traceable to Ameritrade: One of Gadgetwiz's users supplied to Ameritrade several unique email addresses, similar to Elvey as alleged above, including two email addresses that contained a random string of numbers. These email addresses were never disclosed to anyone besides the Gadgetwiz user and Ameritrade. Nonetheless, Gadgetwiz's user received and continues to receive stock spam at every unique email address the user has provided Ameritrade. 28. Gadgetwiz maintains the domain name for the email addresses its user provided to 7 No. C 07 2852 MJJ First Amended Complaint Case 3:07-cv-02852-MJJ Document 9 Filed 06/28/2007 Page 8 of 22 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 32. 31. 30. 29. Ameritrade. The server which provides email service to Gadgetwiz's domain name is maintained, stored, and given Internet connectivity by a third party with whom Gadget contracts. The transmission of stock spam sent to this server consumes Internet connectivity, storage space, and processing capacity on this email server. This server is used in interstate and foreign commerce and communication. Spam Traceable to Ameritrade: Having eliminated any other possibility, Elvey and his counsel conclude that Ameritrade disclosed the First and Second Email Addresses to third parties, which send the stock spam to those email addresses. Likewise, Gadgetwiz and its counsel have concluded that Ameritrade must have compromised the email addresses of Gadgetwiz's user in a manner similar to how Elvey's email addresses were compromised. Because provided unique email addresses that were not shared with anyone but Ameritrade, Plaintiffs can isolate a collection of spam that is uniquely traceable to Ameritrade's disclosure of these email addresses ("Traced Spam"). Spammers, as a rule, automate the transmission of digitally identical messages to multiple recipients: a statistically sound sampling of CAN SPAM Class members will prove, by a preponderance of evidence, that particular Traced Spam messages sent to the sampled class members were in fact sent to all class members. The Traced Spam is exclusively stock spam: it touts low-priced, speculative stocks of smaller companies traded on exchanges like Pink Sheets and OTCBB, and urges recipients to purchase the touted stock. Thus, Ameritrade's accountholders are not only targeted for spam, but are specifically targeted for stock spam ­ and accountholders naturally have the ability to purchase touted stocks through Ameritrade. Ameritrade benefits from the Traced Spam because its accountholders trade stocks based on tips in the Traced Spam and Ameritrade earns commissions on those trades. Elvey's Correspondence to Ameritrade: Elvey's counsel sent correspondence by certified or registered mail, return receipt requested, dated May 18, 2007, demanding that Ameritrade rectify the breach of its Privacy Statement for all California residents. Ameritrade received this correspondence on May 21, 2007, when the return receipt was First Amended Complaint 8 No. C 07 2852 MJJ Case 3:07-cv-02852-MJJ Document 9 Filed 06/28/2007 Page 9 of 22 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 38. 37. 36. 35. 34. 33. signed by one Amie Hermanson. Ameritrade's Communications to Class Members: On May 30, 2007, Elvey and hi s counsel learned that his situation was far from unique and, indeed, very widespread, through a story on Slashdot (a prominent online forum for technology and technology policy news). See Slashdot, Who's Trading Your E-mail Addresses?, at http://yro.slashdot.org/yro/07/05/30/1444236.shtml (May 30, 2007) ("Slashdot Story"). The story further disclosed that Ameritrade's response to customer inquiries has been to either 1) deny any breach of the Privacy Statement and atribute the spam to dictionary t attacks or 2) indicate it is investigating the situation, but decline to provide further details. Ameritrade's Spoliation of Evidence: The Slashdot Story indicates that Ameritrade's current response to accountholders who inquire about spam traced to Ameritrade is that the accountholders should "delete any spam you might receive, then empty your e-mail's trash so that it's no longer kept there, either." It appears that, although Ameritrade was aware of potential class claims no later than May 21, 2007, it still urges potential class members to destroy this evidence. Since the filing of the Complaint, Plaintiffs' counsel has inquired orally and in writing whether Ameritrade has ceased and desisted from telling accountholders to spoliate evidence. As of June 28, 2007, Plaintiffs' counsel has not received any definitive response. Potential Ongoing Security Breach at Ameritrade: The spam received by Plaintiffs is indelible proof that Ameritrade has disclosed accountholders' email addresses to spammers, either inadvertently or intentionally. Ameritrade has denied that there is an intentional disclosure. The Slashdot Story indicates that Ameritrade's disclosure of accountholders' email addresses continues to the present day. If Ameritrade's exposure of accountholders' email addresses is not intentional, as it appears from taking Ameritrade's statements at face value, whatever security breach led to the exposure is ongoing and has not yet been remedied. In the context of an ongoing security breach, the following portion of Ameritrade's 9 No. C 07 2852 MJJ First Amended Complaint Case 3:07-cv-02852-MJJ Document 9 Filed 06/28/2007 Page 10 of 22 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 42. 41. 40. 39. Privacy Statement would be misleading: "TD Ameritrade does not . . . disclose [accountholders'] personal information to any third party for any reason . . ." Likewise, the portion of the Privacy Statement below is also misleading: We have made a significant investment in leading-edge security software, systems, and procedures to offer you a safe and secure trading environment and protect your personal, financial and trading information. While no security system is absolutely impenetrable, we are constantly reviewing, refining and upgrading our security technology, as new tools become available. Ameritrade Privacy Statement. To the extent Ameritrade knew that there was a security breach and knew that it was disclosing accountholders' email addresses, Ameritrade must have also known these statements were false. An ongoing security breach at Ameritrade's would be problematic on several levels. First, if Ameritrade cannot secure its information system, accountholders cannot be sure that the funds and securities in their account are safe from diversion. If spammers can steal email addresses from Ameritrade, they may also be able to divert funds. Second, inasmuch as Ameritrade knows there is an ongoing security breach, the Privacy Statement's representations are rendered knowingly and intentionally misleading. In this light, Ameritrade would continue to entice new accountholders to provide personal information under the representation that such information is secure from third parties, when it knows (or should know) that representation is false. Third, Ameritrade is generally privy to a wealth of sensitive financial information regarding its accountholders ­ without any information about the scope of the security breach, accountholders must presume this information is unacceptably vulnerable and that they are exposed to identity theft. Indeed, someone used Elvey's name and social security number to open a cellular phone account and incurred $2,500 in charges in 2006. At least with respect to California residents, Ameritrade is obligated to disclose suspected security breaches to its accountholders under Cal. Civ. Code § 1798.82. If there is a security breach, Ameritrade may have violated is statutory duties to disclose the same to California residents. While the disclosure of emails alone does not trigger Cal. Civ. 1798.82, it is improbable that Ameritrade's information security protected accountholders' First Amended Complaint 10 No. C 07 2852 MJJ Case 3:07-cv-02852-MJJ Document 9 Filed 06/28/2007 Page 11 of 22 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 49. 48. 47. 45. 44. 43. personal information (as defined under Cal Civ. Code 1782(d)) but failed to protect accountholders' email addresses. Finally, Ameritrade would have an pernicious incentive to allow the security breach to continue, because accountholders would trade stocks based on tips in the Traced Spam and Ameritrade would earn commissions on those trades. Alternatively, Disclosure of Email Addresses Was Intentional: Plaintiffs allege, on information and belief, that Ameritrade's disclosure of its accountholders' email addresses was unintentional and the result of a security breach. In the alternative, Plaintiffs allege that Ameritrade's disclosure of its accountholders' email addresses was intentional. Class Certification Allegations Plaintiffs seek certification of a California Resident Class and a CAN SPAM Class under both Rule 23(b)(2) and Rule 23(b)(3). 46. The California Class asserts claims for breach of fiduciary duty, and for violations of California's CLRA (Cal. Civ. Code §§ 1750-84), UCL (Cal. Bus. & Prof. Code §§ 1720010), and CFAA (18 U.S.C. § 1030) on behalf of all Ameritrade accountholders residing in California. The CAN SPAM Class asserts claims for violations of the CAN SPAM Act of 2003 (15 U.S.C. §§ 7701-13) on behalf of all persons and entities who qualify as Internet access services under 15 U.S.C. § 7702(11) who received spam at the email addresses of Ameritrade's accountholders which is traceable to Ameritrade. Adequate Representation: Plaintiffs will fairly and adequately represent and protect the interests of the members of both Classes, and have retained counsel competent and experienced in complex class actions. Plaintiffs have no interest antagonistic to those of either Class, and Defendants have no defenses unique to Plaintiffs. Predominance and Superiority: This class action is appropriate for certification because class proceedings are superior to all other available methods for the fair and efficient adjudication of this controversy, since joinder of all members is impracticable. The damages suffered by each individual member of either Class will likely be relatively First Amended Complaint 11 No. C 07 2852 MJJ Case 3:07-cv-02852-MJJ Document 9 Filed 06/28/2007 Page 12 of 22 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 52. 51. 50. small, especially given the burden and expense of in ividual prosecution of the complex d litigation necessitated by the actions of Defendants. It wou d be virtually impossible for l the members of either Class individually to obtain effective relief from the misconduct of Defendants. Even if members of either Class themselves could sustain such individual litigation, it would still not be preferable to a class action, because individual litigation would increase the delay and expense to all parties due to the complex legal and factual controversies presented in this Complaint. By contrast, a class action presents far fewer management difficulties and provides the benefits of single adjudication, economy of scale, and comprehensive supervision by a single Court. Economies of time, effort, and expense will be fostered and uniformity of decisions will be ensured. Policies Generally Applicable to the Class: This class action is also appropriate for certification because Defendants have acted or refused to act on grou ds generally n applicable to the class, thereby making appropriate final injunctive relief or corresponding declaratory relief with respect to either Class as a whole. The policies of the Defendants challenged herein apply and affect members of both Class uniformly, and Plaintiffs' challenge of these policies hinges on Defendants' conduct, not on facts or law applicable only to Plaintiffs. Allegations to Certification of California Resident Class Definition of the California Resident Class: Pursuant to Federal Rule of Civil Procedure 23, Elvey brings this Complaint against Ameritrade on behalf of himself and all persons who are accountholders of Ameritrade who reside in California. Excluded from the California Resident Class are 1) any Judge or Magistrate presiding over this action and members of their families; 2) Defendants, Defendants' subsidiaries, parents, successors, predecessors, and any entity in which the Defendants or their parents have a controlling interest and their current or former employees, officers and directors; and 3) persons who properly execute and file a timely request for exclusion from the class and 4) the legal representatives, successors or assigns of any such excluded persons. California Resident Class Numerosity: The exact number of California Resident Class 12 No. C 07 2852 MJJ First Amended Complaint Case 3:07-cv-02852-MJJ Document 9 Filed 06/28/2007 Page 13 of 22 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 53. members is unknown and is not available to Elvey, but it is clear that individual joinder of all Class members is impracticable. In SEC filings, Ameritrade estimated it had 6,191,000 accountholders as of September 2006. According to recent U.S. Census estimates, approximately 12% of the US population resides in California. Assuming that Ameritrade's accountholders are distributed evenly across the US population, there are approximately 740,000 Ameritrade accountholders residing in California. California Resident Class members can be easily identified through Ameritrade's records. California Resident Class Commonality: Common questions of fact and law exist as to all California Resident Class members and predominate over the questions affecting only individual California Resident Class members. These common questions include: (a) (b) (c) (d) Whether Ameritrade exposed or provided email addresses of the California Resident Class members to spammers; Whether such exposure violated Ameritrade's Privacy Statement; Whether such exposure was intentional or unintentional on Ameritrade's part; Whether Ameritrade's Privacy Statement represented that Ameritrade's services have characteristics, uses, and benefits, or quantities which they do not have, in violation of Cal. Civ. Code § 1770(a)(5); Whether Ameritrade's Privacy Statement represen ed that Ameritrade's t services confer or involves rights, remedies, or obligations which they do confer not or involve, in violation of Cal. Civ. Code § 1770(a)(14); Whether, in light of the exposure and provision of California Resident Class members' email addresses to spammers, Ameritrade's Privacy Statement was deceptive under Cal. Bus. & Prof. Code § 17200; Whether Ameritrade owed the California Class members a fiduciary duty as their broker; Whether Ameritrade owed the California Class members a fiduciary duty by dint of its collection of personal information under the Privacy Statement; Whether Ameritrade breached such fiduciary duties through the violation of its Privacy Statement; Whether Ameritrade failed to fully and accurately disclose the exposure and provision of California Resident Class members' email addresses to spammers. and any underlying security breach; Whether, in light of Cal. Civ. Code § 1798.82, Ameritrade's failure to 13 No. C 07 2852 MJJ (e) (f) (g) (h) (i) (j) (k) First Amended Complaint Case 3:07-cv-02852-MJJ Document 9 Filed 06/28/2007 Page 14 of 22 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 55. 54. (l) disclose any security breach was unlawful under Cal. Bus. & Prof. Code § 17200; Whether, in light of its fiduciary duties, Ameritrade's failure to disclose any security breach violated its fiduciary duties to the California Resident Class members; Whether the Does obtained the email addresses to send the California Resident Class members the Traced Spam or to have confederates send such Traced Spam by accessing Ameritrade's computer systems; Whether the Does' access of Ameritrade's computer systems was without authorization or in excess of authorization. because it was in violation of the Privacy Statement; Whether the Does' access of Ameritrade's computer systems caused the California Resident Class members to suffer over $5,000 in losses, as the term is defined in 18 U.S.C. § 1030(e)(11); Whether Ameritrade violated the CLRA; Whether Ameritrade violated the UCL; Whether the Does violated the CFAA; Whether Ameritrade is liable for the Does' violation of the CFAA under the doctrine of respondeat superior; Whether Elvey and the California Resident Class are entitled to relief, and the nature of such relief. (m) (n) (o) (p) (q) (r) (s) (t) California Resident Class Typicality: Elvey's claims are typical of the claims of other California Resident Class members, as Elvey and other California Resident Class members sustained damages arising out of the wrongful conduct of Defendant, based upon the same transactions which were made uniformly to Elvey and the public. Allegations to Certification of CAN SPAM Class Definition of the CAN SPAM Class: Pursuant to Federal Rule of Civil Procedure 23, Plaintiffs bring this Complaint against Ameritrade on behalf of themselves and all persons and entities 1) who maintain domain names and email server which provide email service s to those domain names for Ameritrade, 2) which received Traced Spam through computers located in the United States. Excluded from the CAN SPAM Class are 1) any Judge or Magistrate presiding over this action and members of their families; 2) Defendants, Defendants' subsidiaries, parents, successors, predecessors, and any entity in which the Defendants or their parents have a controlling interest and their current or former First Amended Complaint 14 No. C 07 2852 MJJ Case 3:07-cv-02852-MJJ Document 9 Filed 06/28/2007 Page 15 of 22 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 58. 57. 56. employees, officers and directors; and 3) persons who properly execute and file a timely request for exclusion from the class and 4) the legal representatives, successors or assigns of any such excluded persons. CAN SPAM Class Numerosity: The exact number of CAN SPAM Class members is unknown and is not available to Plaintiff, but it is clear that individual joinder of all Class members is impracticable. As Ameritrade is an online brokerage service, it stands to reason that some or all of its estimated 6,191,000 accountholders provided it with email addresses. Potential CAN SPAM Class members can be identified by the email addresses contained in Ameritrade's records; membership in the class can be confirmed either by actual production of Traced Spam or can be inferred from the proof of the Traced Spam. CAN SPAM Class Commonality: Common questions of fact and law exist as to all CAN SPAM Class members and predominate over the questions affecting only individual CAN SPAM Class members. In addition to the questions which predominate the California Resident Class, these common questions include: (a) (b) (c) (d) Whether the CAN SPAM Class members are "Internet access services" under the meaning of 15 U.S.C. § 7702(11); Whether Traced Spam constitutes "commercial electronic mail message" under the meaning of 15 U.S.C. § 7702(11); Whether Traced Spam's header information was "materially false or materially misleading" under the meaning of 15 U.S.C. § 7704(a)(1); Whether Ameritrade's involvement in the provision of its accountholder's email addresses to spammers is such that it "initiate[d] the transmission" of the Traced Spam under the meaning of 15 U.S.C. § 7704(a)(1); Whether Ameritrade violated 15 U.S.C. § 7704(a)(1); Whether Plaintiffs and the CAN SPAM Class are entitled to relief, and the nature of such relief. (e) (f) CAN SPAM Class Typicality: Plaintiffs' claims are typical of the claims of other CAN SPAM Class members, as the Plaintiffs and other CAN SPAM Class members sustained damages arising out of the wrongful conduct of Defendants, based upon the same transactions which were made uniformly to the Plaintiffs and the public. First Amended Complaint 15 No. C 07 2852 MJJ Case 3:07-cv-02852-MJJ Document 9 Filed 06/28/2007 Page 16 of 22 1 2 59. 3 60. 4 5 6 7 8 9 10 11 12 61. 13 14 15 62. 16 17 18 19 20 21 22 23 24 25 63. 26 27 28 Count I: Violation of the CLRA, Cal. Civ. Code § 1770 Plaintiffs incorporate the above allegations by reference. Ameritrade's Privacy Statement represented that Ameritrade's services have characteristics, uses, and benefits, or quantities which they do not have, in violation of Cal. Civ. Code § 1770(a)(5), and that Ameritrade's services have confer or involves rights, remedies, or obligations which they do confer not or involve, in violation of Cal. Civ. Code § 1770(a)(14). The Privacy Statement stated that Ameritrade would not disclose accountholders' personal information to third parties, and that it provided a secure trading environment and protected accountholders' personal, financial and trading information. The Privacy Statement i also misleading inasmuch as it not disclose any ongoing security s breach, to the extent such a breach exists. Ameritrade's failure to disclose to California Resident Class members who trade in stock touted in the Traced Spam that the stock is being touted by the Traced Spam and its value is very likely being manipulated, also violates the CLRA. Ameritrade's CLRA violations have damaged Elvey and the other California Resident Class members, and threaten additional injury if the violations continue. This damage includes the loss of the benefit of bargain on Ameritrade's brokerage fees, which were premised, in part, on Ameritrade's compliance with the privacy statement and full disclosure of facts relevant to the security of accountholders' information. The damage from the Traced Spam includes California Resident Class members' lost time required to sort, read, discard and attempt to prevent future Traced Spam, and lost storage space, Internet connectivity, and computing resources on the personal computers on which they received the Traced Spam. Further, California Resident Class members are subject to a identity theft to the extent Ameritrade's security has been breached. Elvey, on his own behalf and behalf of the ot er California Resident Class members, seeks h damages, an order enjoining Ameritrade's CLRA violations alleged herein, restitution of property gained by the CLRA violations (including commissions on trades while actionable failure to disclose information was ongoing), and court costs and attorney's fees First Amended Complaint 16 No. C 07 2852 MJJ Case 3:07-cv-02852-MJJ Document 9 Filed 06/28/2007 Page 17 of 22 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 69. 70. 68. 66. 64. 65. under the CLRA (Cal. Civ. Code § 1780(d)). Count II: Violation of California's UCL, Cal. Bus. & Prof. Code § 17200 Plaintiffs incorporate the above allegations by reference. Ameritrade's Privacy Statement was deceptive. Ameritrade's failure to disclose to California Resident Class members who trade in stock touted in the Traced Spam that the stock is being touted by the Traced Spam and its value is very likely being manipulated, is also deceptive. The acts alleged above are unlawful, unfair or fraudulent business acts or practices and constitute unfair competition under Cal. Bus. & Prof. Code § 17200. 67. Ameritrade's unfair competition has damaged Elvey and the other California Resident Class members, and threatens additional injury in the future. This damage includes the loss of the benefit of bargain on Ameritrade's brokerage fees, which were premised, in part, on Ameritrade's compliance with the privacy statement and full disclosure of facts relevant to the security of accountholders' information. The damage from the Traced Spam includes California Resident Class members' lost time required to sort, read, discard and attempt to prevent future Traced Spam, and lost storage space, Internet connectivity, and computing resources on the personal computers on which they received the Traced Spam. Further, California Resident Class members are subject to a identity theft to the extent Ameritrade's security has been breached. Elvey, on his own behalf and behalf of the ot er California Resident Class members, seeks h an order enjoining Ameritrade's unfair competition alleged herein, and restitution of property gained by such unfair competition under the UCL (Cal. Bus. & Prof. Code § 17203), as well as interest and attorney's fees and costs pursuant to, in part, Cal. Code Civ. Proc. § 1021.5. Count III: Breach of Fiduciary Duty Plaintiffs incorporate the above allegations by reference. As their stock broker, Ameritrade and the Does owed all California Resident Class members a fiduciary duty. First Amended Complaint 17 No. C 07 2852 MJJ Case 3:07-cv-02852-MJJ Document 9 Filed 06/28/2007 Page 18 of 22 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 71. Ameritrade breached its fiduciary duty of confidentiality by allowing the disclosure of its accountholder's email addresses to spammers. 72. Ameritrade owed a fiduciary duty to disclose all material facts within its knowledge relating to its transaction with the California Resident Class members. The security of personal information given to Ameritrade was a material fact, because exposure of accountholders' personal information subjects the accountholders to spam and increased risk of identity theft. 73. Ameritrade breached its fiduciary duty by 1) its continued failure to correct the decept on i created by the Privacy Statemen, and 2) its failure to the extent Ameritrade fails to t disclose the events that led to the disclosure of its accountholders' email addresses to spammers, and 3) instructed accountholders to destroy Traced Spam. 74. Ameritrade also breached its fiduciary duty by failing to disclose to California Resident Class members who trade in s ock touted in the Traced Spam that the stock is being touted t by the Traced Spam and its value is very likely being manipulated. 75. Ameritrade's breach of its fiduciary duties has caused damage to Elvey and the other California Resident Class members and threaten additional damage in the future. This damage includes the loss of the benefit of bargain on Ameritrade's brokerage fees, which were premised, in part, on Ameritrade's compliance with the privacy statement and full disclosure of facts relevant to the security of accountholders' information. The damage from the Traced Spam includes California Resident Class members' lost time required to sort, read, discard and attempt to prevent future Traced Spam, and lost storage space, Internet connectivity, and computing resources on the personal computers on which they received the Traced Spam. Further, California Resident Class members are subject to a identity theft to the extent Ameritrade's security has been breached. 76. Elvey, on his own behalf and behalf of the ot er California Resident Class members, seeks h damages in an amount to be determined at trial and equitable relief (including an accounting, and disgorgement of profits obtained while the breach of fiduciary duty was ongoing, such as commissions on trades), for Ameritrade's breach of its fiduciary duties, First Amended Complaint 18 No. C 07 2852 MJJ Case 3:07-cv-02852-MJJ Document 9 Filed 06/28/2007 Page 19 of 22 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 84. 85. 79. 77. 78. as well as interest and attorney's fees and costs pursuant to, in part, Cal. Code Civ. Proc. § 1021.5. Count IV: Violation of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 Plaintiffs incorporate the above allegations by reference. Plaintiffs allege on information and belief that the Does are Ameritrade's agents, ostensible agents, partners and/or joint venturers and employees, that Ameritrade has given the Does access to its computer systems, and that the Does are either sending stock spam to these email addresses as alleged above, or are deliberately providing the email addresses to confederates who are sending the stock spam. The Does obtained the California Resident Class members' email addresses by intentionally accessing Ameritrade's computer systems. 80. The Does obtained the email addresses to send the California Resident Class members the Traced Spam or to have confederates send such Traced Spam. 81. The Does' access of Ameritrade's computer systems was without authorization or in excess of authorization. because it was in violation of the Privacy Statemen . t 82. The Does' access of Ameritrade's computer systems impaired the integrity of those systems. 83. The Does' access of Ameritrade's computer systems caused the California Resident Class members to lose time required to sort, read, discard and attempt to prevent future Traced Spam, and lost storage space, Internet connectivity, and computing resources on the personal computers on which they received the Traced Spam. This loss exceeded $5,000 in damages in the last year. The Does have violated the CFAA (18 U.S.C. § 1030(a)(5)). The Does' use of their access to the Ameritrade's computer systems was in the scope of their employment. The Does were in a position to access Ameritrade's computer systems because of their agency relationship with Ameritrade, and their access to those systems was an outgrowth of that relationship. As it was here, the risk of the Does abusing their employer's proprietary information was inherent in the workplace, or typical of or broadly First Amended Complaint 19 No. C 07 2852 MJJ Case 3:07-cv-02852-MJJ Document 9 Filed 06/28/2007 Page 20 of 22 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 90. 91. 86. 87. incidental to the Ameritrade's business. The Does' violation of the CFAA was reasonably foreseeable by Ameritrade. Ameritrade benefited from (in the form of commissions on trades prompted by the Traced Spam) the Does' violation of the CFAA. In the alternative, Ameritrade directed and encouraged the Does' violation of the CFAA. Ameritrade is liable for the Does' violation of the CFAA under the doctrine of respondeat superior. 88. As alleged above, the Does' CFAA violation has damaged Elvey and the o her California t Resident Class members, and threatens additional damage in the future. 89. Elvey, on his own behalf and behalf of the ot er California Resident Class members, seeks h compensatory damages in an amount t be determined at trial and injunctive relief or other o equitable relief (including an accounting, and disgorgement of profits obtained while the CFAA violations were ongoing, such as commissions on trades), for Ameritrade's vicarious liability under the CFAA. Count V: Violation of CAN SPAM Act, 15 U.S.C. § 7704(a)(1) Plaintiffs incorporate the above allegations by reference. Plaintiffs and the other CAN SPAM Class members are "Internet access services" under the meaning of 15 U.S.C. § 7702(11). 92. On information and belief, the Traced Spam alleged above uniformly contains false and inaccurate header information. Although the originating email addresses contains a real domain name, the name transmitted with the email address and the originating email address itself were false. Initial investigations indicate that the originating emails are invalid, because the mail servers responsible for the domain names contained in these email addresses returned email to a sampling of these originating email addresses and indicated that the email addresses did not exist. Further, other elements of header information were frequently incorrect: for example, one spam message might include a "To:" header field that inaccurately indicated the recipient's email address, and the "Subject:" and "Received:" header fields were generally forged and inaccurate. The initiation of the Traced Spam violated 15 U.S.C. § 7704(a)(1). First Amended Complaint 20 No. C 07 2852 MJJ Case 3:07-cv-02852-MJJ Document 9 Filed 06/28/2007 Page 21 of 22 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 93. But for Ameritrade's disclosure of the email addresses of Elvey and Gadgetw z's user, the i Traced Spam would not have been sent to those email addresses. Hence, Ameritrade originated the Traced Spam and/or was the origin of the Traced Spam. Further, the transmission of spam to those email addresses was a reasonably foreseeable consequence of Ameritrade's disclosure. Because Ameritrade was the origin of the Traced Spam, it initiated the Traced Spam under the definition of 15 U.S.C. § 7702(9). As Ameritrade initiated the Traced Spam under 15 U.S.C. § 7702(9), it was a sender of the Traced Spam under the definition of 15 U.S.C. § 7702(16)(A) and thus violated 15 U.S.C. § 7704(a)(1). 94. Plaintiffs the other CAN SPAM Class members have sustained injuries from Ameritrade's violation of 15 U.S.C. § 7704(a)(1) and will suffer additional injury if the unfair competition continues. 95. Elvey, on his own behalf and behalf of the ot er CAN SPAM Class members, seeks an h order enjoining Ameritrade's violations of 15 U.S.C. § 7704(a)(1), statutory damages for each Traced Spam to each CAN SPAM Class member, and reasonable costs, including reasonable attorneys' fees under the CAN SPAM Act (15 U.S.C. § 7706(g)). WHEREFORE, Plaintiff prays that the Court enter judgment and orders in their favor and against Defendant as follows: (a) Certifying the action as a class action and designating Plaintiffs and their counsel as representatives of the California Resident Class (as to Elvey only), and the CAN SPAM Class; With respect to Counts I, II, III, and IV equitable relief for the California Resident Class, including an order for accounting, an order enjoining the misconduct alleged herein, restitution of property gained by this misconduct and disgorgement of profits obtained while the breach of fiduciary duty was ongoing, such as commissions on trades; With respect to Counts I, III and IV damages in an amount to be , determined at trial for the California Resident Class; With respect to Count V, an injunction against further violations of CAN SPAM, statutory damages for each Traced Spam to each CAN SPAM Class member, and reasonable costs, including reasonable attorneys' fees under the CAN SPAM Act, for the CAN SPAM Class; Awarding pre- and post-judgment interest; and Granting such other and further relief as the Court may deem just and 21 No. C 07 2852 MJJ (b) (c) (d) (e) (f) First Amended Complaint Case 3:07-cv-02852-MJJ Document 9 Filed 06/28/2007 Page 22 of 22 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 First Amended Complaint proper. Dated: June 28, 2007 By:/s/Alan Himmelfarb Alan Himmelfarb LAW OFFICES OF ALAN HIMMELFARB 2757 Leonis Blvd Los Angeles, CA 90058 Telephone: (323) 585-8696 Fax: (323) 585-8198 consumerlaw1@earthlink.net Scott A. Kamber Ethan Preston KAMBER & ASSOCIATES, LLC 11 Broadway, 22d Floor New York, NY 10004 Telephone: (212) 920-3072 Fax: (212) 202-6364 skamber@kolaw.com epreston@kolaw.com 22 No. C 07 2852 MJJ

Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.


Why Is My Information Online?