Granot et al v. Yahoo Inc.

Filing 1

COMPLAINT for Damages against Yahoo Inc. (Filing fee $ 400, receipt number 0971-11049437.). Filed by Anna Naupa, Yaniv Rivlin, Hovahannes Avetisyan, Bekim Mehmetaj, Mali Granot, Mahesh Khemlani, Amiram Tapiro, Decontee King-Sackie. (Attachments: # 1 Civil Cover Sheet)(Zaveri, Deval) (Filed on 1/4/2017)

David S. Casey, Jr., SBN 060768
dcasey@cglaw.com
Gayle M. Blatt, SBN 122048
gmb@cglaw.com
Wendy M. Behan, SBN 199214
wbehan@cglaw.com
Angela Jae Chun, SBN 248571
ajc@cglaw.com
Casey Gerry Schenk Francavilla Blatt & Penfield, LLP
110 Laurel Street
San Diego, CA 92101
Tel: (619) 238-1811; Fax: (619) 544-9232

Deval R. Zaveri, SBN 213501
dev@zaveritabb.com
James A. Tabb, SBN 208188
jimmy@zaveritabb.com
Zaveri Tabb, APC
402 W. Broadway, Ste. 1950
San Diego, CA 92101
Tel: (619) 831-6988; Fax: (619) 239-7800

Attorneys for Plaintiffs and the class

United States District Court
Northern District of California
San Jose Division

Mali Granot, Yaniv Rivlin, Amiram Tapiro, Decontee King-Sackie, Anna Naupa, Hovahannes Avetisyan, Mahesh Khemlani, and Bekim Mehmetaj on behalf of themselves and all others similarly situated,
Plaintiffs,
v.
Yahoo! Inc., a Delaware corporation,
Defendant.

CASE NO.

Class Action Complaint for Damages and Equitable Relief

Jury Trial Demanded

Class Action Complaint

COME NOW Plaintiffs Mali Granot, Yaniv Rivlin, Amiram Tapiro, Decontee King-Sackie, Anna Naupa, Hovahannes Avetisyan, Mahesh Khemlani, and Bekim Mehmetaj (“Plaintiffs”), on behalf of themselves and all others similarly situated, and for causes of action against the Defendant, complain and allege as follows:

NATURE OF THE ACTION

1. This action is brought to seek redress for damages sustained by Plaintiffs and other members of the class as a result of the failure of Defendant Yahoo! Inc. (“Yahoo” or “Defendant”) to securely store and maintain the personal information of Plaintiffs and the class.

2. On September 22, 2016, Yahoo announced that account information from roughly 500 million Yahoo user accounts was stolen by online hackers approximately two years prior.
The information included names, email addresses, telephone numbers, birth dates, passwords, and security questions (referred to as “Personal Information” or “PI”) of Yahoo account holders. At the time it was announced, it was believed to be the largest data breach in history.

3. On December 14, 2016, Yahoo announced that in a separate incident in August 2013, over 1 billion Yahoo users’ account information had been stolen by online hackers. The information included names, email addresses, telephone numbers, birth dates, passwords, and security questions and answers of Yahoo account holders. This is the largest known data breach in history.

4. The passwords stolen in August 2013 were encrypted with MD5, a severely compromised encryption algorithm. Yahoo has admitted that, “[a]t the time of the August 2013 incident, we used MD5 to hash passwords. We began upgrading our password protection to bcrypt in the summer of 2013.”

5. Security researcher, Brian Krebs said, “[f]or years I have been urging friends and family to migrate off of Yahoo email, mainly because I watched for years as the company appeared to fall behind its peers in blocking spam and other email-based attacks.”

6. Matt Blaze, a cyber security expert and director of the Distributed Systems Lab at the University of Pennsylvania likened the breach announced in September to an “ecological disaster.”

Parties

INTRADISTRICT ASSIGNMENT

7. A substantial part of the events or conduct that give rise to the claims in this action occurred in the county of Santa Clara, and as such this action is properly assigned to the San Jose Division of this Court.

PARTIES

8. Plaintiff Mali Granot is an individual who resides in Raanana, Israel. Plaintiff was a Yahoo account holder during the time of the data breach. Ms. Granot suffered actual damages as a result of Yahoo’s conduct. Ms.
Granot has had her identity compromised and her account set up to receive live chat messages without her authorization, and she has received many such unauthorized messages.

9. Plaintiff Yaniv Rivlin is an individual who resides in Tel Aviv, Israel. Mr. Rivlin was a Yahoo account holder during the time of the data breach. He suffered actual damages as a result of Yahoo’s conduct. He paid Yahoo for account forwarding services and hence, shared his financial information with Yahoo.

10. Plaintiff Amiram Tapiro is an individual who resides in Tel Aviv, Israel. Mr. Tapiro was a Yahoo and Yahoo Sports account holder during the time of the data breach. He suffered actual damages as a result of Yahoo’s conduct.

11. Plaintiff Decontee King-Sackie is an individual who resides in Monrovia, Liberia. Ms. King-Sackie was a Yahoo account holder during the time of the data breach. She suffered actual damages as a result of Yahoo’s conduct. Her U.S. based debit card information is sent to her email account and since 2013 she had unauthorized bank withdrawals from that account.

12. Plaintiff Anna Naupa is an individual who resides in Suva, Fiji. Ms. Naupa was a Yahoo account holder during the time of the data breach. She suffered actual damages as a result of Yahoo’s conduct. Ms. Naupa had her bank and credit card information mailed to her Yahoo email account. In 2016, she had several unauthorized charges to her credit card account. Ms. Naupa has also suffered from having embarrassing spam emailed out from her account and has had to handle unauthorized spam.

13. Plaintiff Hovhannes Avetisyan is an individual who resides in Yerevan, Armenia. Mr. Avetisyan was a Yahoo account holder during the time of the data breach. He suffered actual damages as a result of Yahoo’s conduct.
He stores financial information in his account and repeatedly suffered from having to handle unauthorized amounts of spam.

14. Plaintiff Mahesh Khemlani is an individual who resides in Panama Oeste, Panama. He suffered actual damages as a result of Yahoo’s conduct. Mr. Khemlani was a Yahoo account holder and during the time of the data breach and repeatedly suffered from having to handle unauthorized spam.

15. Plaintiff Bekim Mehmetaj is an individual who resides in Prishtina, Kosovo. Mr. Mehmetaj opened his account in Kosovo and was an account holder during the time of the data breach. Mr. Mehmetaj suffered actual damages as a result of Yahoo’s conduct.

16. Defendant Yahoo! Inc. is a Delaware corporation registered with the California Secretary of State and is headquartered in Sunnyvale, California.

JURISDICTION AND VENUE

17. Jurisdiction is proper in this Court under 28 U.S.C. § 1332(d) in that the matter in controversy exceeds $5,000,000, there are more than 100 class members, and members of the class are citizens of foreign and domestic states different than Yahoo which is a citizen of California.

18. In addition, Plaintiffs bring a claim under the Federal Stored Communications Act, 18 U.S.C. § 2702, which provides for jurisdiction under 28 U.S.C. § 1331.

19. This Court has personal jurisdiction over Plaintiffs because Plaintiffs submit to the Court’s jurisdiction. This Court has personal jurisdiction over Yahoo because it maintains its principal headquarters in California, regularly conducts business in California, and has sufficient minimum contacts in California. In addition, Plaintiffs’ claims arise out of Defendant’s conducting and transacting business in California, and many of the actions giving rise to the Complaint took place in this District.

20. Venue is proper in this District pursuant to 28 U.S.C.
§1391(c) because Yahoo is a resident of this District and is subject to this Court’s personal jurisdiction. Yahoo is registered to conduct business throughout California, regularly conducts business in this District, and maintains an office in this District. In addition, the causes of action arose, in substantial part, in this District.

21. Venue and jurisdiction for the Middle East and North African Plaintiffs is also proper is this District because Yahoo’s Terms of Service state that “If you are using either Maktoob (xe or xa) or Israeli (il) Services, you are contracting with Yahoo! Inc., 701 First Avenue, Sunnyvale. CA 94089 to provide you with the Services and the substantive law of the State of California governs the interpretation of this ATOS [] and applies to all claims related to it, regardless of conflict of laws principles. You and Yahoo! Inc. irrevocably consent to the exclusive jurisdiction and venue of the state courts located in Santa Clara County, California, or in the Federal Courts located in the North District of California, USA for all disputes arising out of or relating to this ATOS or arising out of or relating to the relationship between you and Yahoo regardless of the type of claim.”

FACTUAL ALLEGATIONS

22. Yahoo was founded in 1994 as a directory of websites, but developed into a source for searches, email, shopping, and news. Currently, its services attract approximately one billion visitors per month. Yahoo sister sites include, among others, Flickr, Yahoo Finance, and Yahoo Fantasy Sports.

23. Yahoo Mail is one of the oldest free email services, and many users have built their digital identities around it, from their bank and stock trading accounts to photo albums and even medical information.
Moreover, not only are email addresses used for private communications, but they serve as recovery and log-in credentialing points for accounts on many other websites. Yahoo allows anyone who is over the age of 12 to open a Yahoo account.

24. Yahoo is central to many other online services, including ones that require entry of credit card and other financial information, such as the popular Yahoo fantasy sports leagues.

25. The Yahoo Fantasy Sports leagues use what Yahoo calls “Yahoo Wallet,” in which users can enter a variety of credit card, debit card, and other account information.

26. Plaintiffs and class members signed up for online Yahoo accounts that required them to provide many different sorts of personal information, including, in some cases, debit and credit card information.

27. The “Privacy Center” or “Privacy Centre” portion of Yahoo’s website explains the type of personal information it collects directly from its account holders:

https://policies.yahoo.com/us/en/yahoo/privacy/index.htm

https://policies.yahoo.com/xa/en/yahoo/privacy/index.htm

28. Yahoo also informs its account holders that it does not share personal information:

https://policies.yahoo.com/us/en/yahoo/privacy/index.htm

https://policies.yahoo.com/xa/en/yahoo/privacy/index.htm

29. Yahoo represented to Plaintiffs and the other class members that its PI databases were secure and that customers’ PI would remain private. In particular, Yahoo represented that “protecting our systems and our users’ information is paramount to ensuring Yahoo users enjoy a secure user experience and maintaining our users’ trust.” <https://policies.yahoo.com/us/en/yahoo/privacy/topics/security/index.htm>.

30.
Yahoo further assured users that “We have physical, electronic, and procedural safeguards that comply with federal regulations to protect personal information about you.”

<https://policies.yahoo.com/us.en/yahoo/privacy/index.htm>

https://policies.yahoo.com/xa/en/yahoo/privacy/index.htm

31. But, on or about September 22, 2016, Yahoo informed its users that they were victims of a massive data breach, dating back to 2014. Yahoo said in a statement that 500 million user accounts were breached and that “the account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.”

32. Yahoo also stated that it believed a “state-sponsored actor” was behind the 2014 data breach. However, that was quickly determined not to have been the case.

33. On or about December 14, 2016, Yahoo informed its users of a separate breach, that “an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts” and that “this incident is likely distinct from the incident the company disclosed on September 22, 2016.”

34. The data stolen in 2013 included names, email addresses, telephone numbers, dates of birth and passwords. According to Yahoo, it only learned of the 2013 breach in November 2016, though this information was not shared with its account holders, including Plaintiffs, until on or about December 14, 2016. Around December 20, Plaintiff Rivlin for example, received an email notifying him of the acquisition of his personal information from Yahoo:

35.
As reported on CNBC, “Due to the scale of the [2014] Yahoo breach, and because users often recycle passwords and security answers across multiple services, cyber security experts warned the impact of the hack could reverberate throughout the internet.” http://www.cnbc.com/2016/09/23/after-yahoo-data-breach-some-angryusers-close-accounts.html.

36. Neither the 2013 nor the 2014 data breaches were the first threatening Yahoo account holders’ personal information. In 2012, Yahoo admitted that more than 450,000 user accounts were compromised. This should have served as a “wake up call” to Yahoo that its protections for users’ personal information were inadequate, but Yahoo did not fix the known holes in its security. Instead, Yahoo waited until the summer of 2013 to begin to upgrade its password protection from MD5 to bcrypt. https://help.yahoo.com/kb/account/SLN27925.html?impressions=true.

37. In its September 22, 2016, statement Yahoo claimed it did not uncover that breach until two years after it happened. But Yahoo has been less than forthcoming, as illuminated in a September 23, 2016, Financial Times report that stated that “Yahoo CEO Marissa Mayer has known that Yahoo was investigating a serious data breach since July, but withheld the information from investors, regulators and acquirer Verizon until this week…” http://www.cnbc.com/2016/09/23/yahoo-ceo-mayer-knew-about-data-breach-in-july-report.html.

38. Indeed, an article posted on the technology website Motherboard, dated August 1, 2016, stated that “A notorious cybercriminal is advertising 200 million of alleged Yahoo user credentials on the dark web, and the company has said it is ‘aware’ of the hacker’s claims, but has not confirmed nor denied the legitimacy of the data.” http://motherboard.vice.com/read/yahoo-supposed-data-breach-200-million-credentials-dark-web.

39. Yahoo had reason to keep any breach under wraps.
It struggled for years to compete with more successful technology giants and is now in the midst of a sale of its core business to Verizon for billions of dollars.

40. By failing to either discover or disclose the 2013 or 2014 breaches in a timely manner, Yahoo misled consumers into continuing to sign up for Yahoo services and products, thus providing Yahoo a continuing income stream. This, in turn allowed Yahoo to prop up its stock price and maximize profits to Yahoo shareholders (including Yahoo officers) in the sale to Verizon.

41. Yahoo’s lack of timeliness caught the attention of several United States senators. On September 27, 2016, following Yahoo’s belated disclosure of the breach, six senators sent Yahoo CEO Marissa Mayer a letter outlining several concerns.

42. Senator Mark Warner, a co-founder of Nextel, has further called on the Securities and Exchange Commission to investigate whether Yahoo properly notified the public of the massive breach.

43. The type of information compromised in this data breach is highly valuable to perpetrators of identity theft. Names, email addresses, telephone numbers, dates of birth, passwords and security question answers, as well as, obviously, credit and debit card information, can all be used to gain access to a variety of existing accounts and websites. Indeed, named plaintiffs and unnamed class members have suffered a variety of consequences from the breach, including forged credit applications, fake IRS tax returns being filed under the user’s name, fraudulent bank charges, email hacks, and numerous other identity theft-related damages.

44. In addition to compromising existing accounts, the class members’ PI can be used by identity thieves to open new financial accounts, incur charges in the name of class members, take out loans, clone credit and debit cards, and other unauthorized activities.

45.
Identity thieves can also use the PI to harm the class members through embarrassment, blackmail or harassment in person or online, or to commit other types of fraud including obtaining ID cards or driver’s licenses, fraudulently obtaining tax returns and refunds, and obtaining government benefits. A Presidential Report on identity theft from 2008 states that:

In addition to the losses that result when identity thieves fraudulently open accounts or misuse existing accounts, . . . individual victims often suffer indirect financial costs, including the costs incurred in both civil litigation initiated by creditors and in overcoming the many obstacles they face in obtaining or retaining credit. Victims of non-financial identity theft, for example, health-related or criminal record fraud, face other types of harm and frustration.

In addition to out-of-pocket expenses that can reach thousands of dollars for the victims of new account identity theft, and the emotional toll identity theft can take, some victims have to spend what can be a considerable amount of time to repair the damage caused by the identity thieves. Victims of new account identity theft, for example, must correct fraudulent information in their credit reports and monitor their reports for future inaccuracies, close existing bank accounts and open new ones, and dispute charges with individual creditors.

The President’s Identity Theft Task Force, Combating Identity Theft: A Strategic Plan, at p.11 (April 2007), available at <http://www.ftc.gov/sites/default/files/documents/reports/combating-identity-theftstrategic-plan/strategicplan.pdf>.

46.
To put it into context, the 2013 Norton Report, based on one of the largest consumer cybercrime studies ever conducted, estimated that the global price tag of cybercrime is around $113 billion, with the average cost per victim being $298 dollars:

47. These problems are exacerbated by the fact that many identity thieves will wait years before attempting to use the personal information they have obtained. A Government Accountability Office (“GAO”) study found that “stolen data may be held for up to a year or more before being used to commit identity theft.” In order to protect themselves, class members will need to remain vigilant against unauthorized data use for years and decades to come. GAO, Report to Congressional Requesters, at p. 33 (June 2007), available at <www.gao.gov/new.items/d07737.pdf>

48. In fact, according to a December 15, 2016, New York Times report, hackers were offering data stolen from Yahoo accounts in the 2013 breach, for sale on the dark web in August 2015. http://www.nytimes.com/2016/12/15/technology/hacked-yahoo-data-for-sale-dark-web.html?_r=0

49. Plaintiffs and class members are at risk for identity theft in its myriad forms, potentially for the remainder of their lives.

50. Yahoo users whose PI has been unlawfully accessed or stolen can—and should—sign up for credit protection services immediately. Such services cost money, however. Yahoo has yet to offer to reimburse such costs for the millions of users affected by the breach.

CLASS ACTION ALLEGATIONS

51. Plaintiffs bring this lawsuit on behalf of themselves and as a class action on behalf of a proposed Israeli Class, defined as:

All Yahoo users in Israel whose personal information was accessed following the data breach that Yahoo announced in a press release on September 22, 2016, and/or the data breach that Yahoo announced in a press release on December 14, 2016.

52.
Plaintiffs bring this lawsuit on behalf of themselves and as a class action on behalf of a proposed Liberian Class, defined as:

All Yahoo users in Liberia whose personal information was accessed following the data breach that Yahoo announced in a press release on September 22, 2016, and/or the data breach that Yahoo announced in a press release on December 14, 2016.

53. Plaintiffs bring this lawsuit on behalf of themselves and as a class action on behalf of a proposed Fijian Class, defined as:

All Yahoo users in Fiji whose personal information was accessed following the data breach that Yahoo announced in a press release on September 22, 2016, and/or the data breach that Yahoo announced in a press release on December 14, 2016.

54. Plaintiffs bring this lawsuit on behalf of themselves and as a class action on behalf of a proposed Panamanian Class:

All Yahoo users in Panama whose personal information was accessed following the data breach that Yahoo announced in a press release on September 22, 2016, and/or the data breach that Yahoo announced in a press release on December 14, 2016.

55. Plaintiffs bring this lawsuit on behalf of themselves and as a class action on behalf of a proposed Armenian Class:

All Yahoo users in Armenia whose personal information was accessed following the data breach that Yahoo announced in a press release on September 22, 2016, and/or the data breach that Yahoo announced in a press release on December 14, 2016.

56. Plaintiffs also bring this lawsuit on behalf of themselves and as a class action on behalf of a proposed Kosovar Class:

All Yahoo users in Kosovo whose personal information was accessed following the data breach that Yahoo announced in a press release on September 22, 2016, and/or the data breach that Yahoo announced in a press release on December 14, 2016.

57.
Collectively, the Israeli, Liberian, Fijian, Panamanian, Armenian, and Kosovar Classes will be referred to as “the Class.”

58. Excluded from the Class are Defendants and any entities in which Defendant or their subsidiaries or affiliates have a controlling interest; Defendant’s officers, agents, and employees; attorneys for Plaintiffs and the Class; the judicial officer to whom this action is assigned and any member of the Court’s staff and immediate families; as well as claims for personal injury, wrongful death, and emotional distress.

59. Numerosity: The members of the Class are so numerous that joinder of all members would be impracticable. Plaintiffs reasonably believe that class members number millions of people. As such, class members are so numerous that joinder of all members is impractical. The names and addresses of class members are identifiable through documents maintained by Yahoo.

60. Commonality and Predominance: This action involves common questions of law or fact, which predominate over any questions affecting individual class members, including:

61. Whether Defendant engaged in the wrongful conduct alleged herein;

a. Whether Defendant owed a legal duty to Plaintiffs and the other class members to exercise due care in collecting, storing, and safeguarding their Personal Information;

b. Whether Defendant negligently or recklessly breached legal duties owed to Plaintiffs and the other class members to exercise due care in collecting, storing, and safeguarding their Personal Information and financial information;

c. Whether Defendant’s conduct violated Cal. Civ. Code § 1750 et seq.

d. Whether Defendant’s conduct violated Cal. Bus. & Prof. Code § 17200 et seq.;

e. Whether Defendant’s conduct violated Cal. Civ. Code § 1798.80 et seq.;

f. Whether Defendant violated the Stored Communications Act;

g.
Whether Plaintiffs and the other class members are entitled to actual, statutory, or other forms of damages, and other monetary relief; and

h. Whether Plaintiffs and the other class members are entitled to equitable relief, including, but not limited to, injunctive relief and restitution.

62. Defendant engaged in a common course of conduct giving rise to the legal rights sought to be enforced by Plaintiffs individually and on behalf of the other class members. Similar or identical statutory and common law violations, business practices, and injuries are involved. Individual questions, if any, pale by comparison, in both quantity and quality, to the numerous questions that dominate this action.

63. Typicality: Plaintiffs’ claims are typical of the claims of the other class members because, among other things, Plaintiffs and the other class members were injured through the substantially uniform misconduct by Yahoo. Plaintiffs are advancing the same claims and legal theories on behalf of themselves and all other class members, and there are no defenses that are unique to Plaintiffs.

64. Adequacy of Representation: Plaintiffs are adequate representatives of the class because their interests do not conflict with the interests of the other class members they seek to represent; they have retained counsel competent and experienced in complex class action litigation and Plaintiffs will prosecute this action vigorously. The class’ interests will be fairly and adequately protected by Plaintiffs and their counsel.

65. Superiority: A class action is superior to any other available means for the fair and efficient adjudication of this controversy, and no unusual difficulties are likely to be encountered in the management of this matter as a class action.
The damages, harm, or other financial detriment suffered individually by Plaintiffs and the other class members are relatively small compared to the burden and expense that would be required to litigate their claims on an individual basis against Defendant, making it impracticable for class members to individually seek redress for Defendant’s wrongful conduct. Even if class members could afford individual litigation, the court system could not. Individualized litigation would create a potential for inconsistent or contradictory judgments, and increase the delay and expense to all parties and the court system. By contrast, the class action device presents far fewer management difficulties and provides the benefits of single adjudication, economies of scale, and comprehensive supervision by a single court.

66. Application of California law – Because Yahoo is headquartered in California and all of its key decisions and operations emanate from California, California law can and should apply to claims relating to the data breach, even those made by persons who reside outside of California. Additionally, Yahoo’s Terms of Service, to the extent applicable, contain a choice of law provision specifying Yahoo’s understanding that it may be held accountable under California law regardless of the location of the user.

CLAIMS FOR RELIEF

First Claim for Relief

Violation of California’s Unfair Competition Law (“UCL”)
(Cal. Bus. & Prof. Code § 17200 et seq.)

67. Plaintiffs repeat, reallege, and incorporate by reference the allegations contained in each and every paragraph above, as though fully stated herein.

68. Defendant Yahoo engaged in unfair, unlawful, and fraudulent business practices in violation of the UCL.

69. By reason of the conduct alleged herein, Yahoo engaged in unlawful, unfair, and deceptive practices within the meaning of the UCL.
The conduct alleged herein is a “business practice” within the meaning of the UCL.

70. Defendant stored Plaintiffs’ and the other class members’ PI in their electronic and consumer information databases. Yahoo represented to Plaintiffs and the other class members that its PI databases were secure and that customers’ PI would remain private. Yahoo engaged in deceptive acts and business practices by providing in its website that “protecting our systems and our users’ information is paramount to ensuring Yahoo users enjoy a secure user experience and maintaining our users’ trust” and by representing that it has “physical, electronic, and procedural safeguards that comply with federal regulations to protect personal information about you.” (https://policies.yahoo.com/us/en/yahoo/privacy/topics/security/index.htm); (https://policies.yahoo.com/us/en/yahoo/privacy/index.htm).

71. Yahoo knew or should have known that it did not employ reasonable measures that would have kept Plaintiffs’ and the other class members’ PI and financial information secure and prevented the loss or misuse of Plaintiffs’ and the other class members’ PI and financial information.

72. Yahoo’s representations that it would secure and protect Plaintiffs’ and the other class members’ PI and financial information in its possession were facts that reasonable persons could be expected to rely upon when deciding whether to use Yahoo’s services.

73. Defendant violated the UCL by misrepresenting the safety of their many systems and services, specifically the security thereof, and their ability to safely store Plaintiffs’ and Class Members’ PI. Yahoo also violated the UCL by failing to immediately notify Plaintiffs and the other Class members of the data breach. If Plaintiffs and the other Class members had been notified in an appropriate fashion, they could have taken precautions to safeguard their PI.

74.
Defendant’s acts, omissions, and misrepresentations as alleged herein were unlawful and in violation of, inter alia, Cal. Civ. Code § 1750 et seq., Cal. Civ. Code § 1798.80 et seq., and 18 U.S.C. § 2702, and also Cal. Bus. & Prof. Code § 22576 (as a result of Yahoo failing to comply with its own posted privacy policy).

75. Plaintiffs and the other Class members suffered injury in fact and lost money or property as the result of Defendant’s failure to secure Plaintiffs’ and the other Class members’ PI contained in Defendant’s servers or databases. In particular, Plaintiffs and class members have suffered from forged credit applications and tax returns; improper or fraudulent charges to their credit/debit card accounts; hacked emails; and other similar harm, all as a result of the data breach.

76. As a result of Yahoo’s violations of the UCL, Plaintiffs and the other class members are entitled to restitution and injunctive relief.

Second Claim for Relief

Violation of California’s Consumer Legal Remedies Act (“CLRA”)
(Cal. Civ. Code § 1750 et seq.)

77. Plaintiffs repeat, reallege, and incorporate by reference the allegations contained in each and every paragraph above, as though fully stated herein.

78. The CLRA was enacted to protect consumers against unfair and deceptive business practices. It extends to transactions that are intended to result, or which have resulted, in the sale of goods or services to consumers. Yahoo’s acts, omissions, representations and practices as described herein fall within the CLRA.

79. Plaintiffs and the other class members are consumers within the meaning of Cal. Civ. Code §1761(d).

80. Yahoo’s acts, omissions, misrepresentations, and practices were and are likely to deceive consumers. By misrepresenting the safety and security of their electronic, health, and customer information databases, Yahoo violated the CLRA.
15 Yahoo had exclusive knowledge of undisclosed material facts, namely, that their 16 consumer databases were defective and/or unsecure, and withheld that knowledge 17 from Plaintiffs and the other class members. 18 81. Yahoo’s acts, omissions, misrepresentations, and practices alleged herein 19 violated the following provisions of the CLRA, Civil Code § 1770, which provides, in 20 relevant part, that: 21 22 23 24 25 26 27 28 (a) The following unfair methods of competition and unfair or deceptive acts or practices undertaken by any person in a transaction intended to result or which results in the sale or lease of goods or services to any consumer are unlawful: (5) Representing that goods or services have sponsorship, approval, characteristics, ingredients, uses, benefits, or quantities which they do not have . . . (7) Representing that goods or services are of a particular standard, quality, or grade . . . if they are of another. 21 Class Action Complaint 1 (14) Representing that a transaction confers or involves rights, remedies, or obligations which it does not have or involve, or which are prohibited by law. 2 3 (16) Representing that the subject of a transaction has been supplied in accordance with a previous representation when it has not. 4 5 6 82. Defendant stored Plaintiffs’ and the other class members’ PI in its 7 electronic and consumer information databases. Defendant represented to Plaintiffs 8 and the other class members that their PI databases were secure and that customers’ PI 9 would remain private. 
Yahoo engaged in deceptive acts and business practices by 10 providing in its website that “protecting our systems and our users’ information is 11 paramount to ensuring Yahoo users enjoy a secure user experience and maintaining 12 our users’ trust” and by representing that it has “physical, electronic, and procedural 13 safeguards that comply with federal regulations to protect personal information about 14 you.” (https://policies.yahoo.com/us/en/yahoo/privacy/topics/security/index.htm); 15 (https://policies .yahoo.com/us/en/yahoo/privacy/index.htm). 16 83. Defendant knew or should have known that it did not employ reasonable 17 measures to keep Plaintiffs’ and the other class members’ Personal Information or 18 financial information secure and prevented the loss or misuse of that information. 19 84. Defendant’s deceptive acts and business practices induced Plaintiffs and 20 the other class members to use Yahoo’s online services, and to provide their PI and 21 financial information. But for these deceptive acts and business practices, Plaintiffs 22 and the other class members would not have provided that information to Defendant. 23 85. Plaintiffs and the other class members were harmed as the result of 24 Defendant’s violations of the CLRA, because their PI and financial information were 25 compromised, placing them at a greater risk of identity theft and their PI and financial 26 information disclosed to third parties without their consent. 27 28 22 Class Action Complaint 1 86. Plaintiffs and the other class members suffered injury in fact and lost 2 money or property as the result of Defendant’s failure to secure Plaintiffs’ and the 3 other class members’ PI and financial information. 4 87. 
As the result of Defendant’s violation of the CLRA, Plaintiffs and the 5 other class members are, or will be, entitled to compensatory and exemplary damages, 6 an order enjoining Defendant from continuing the unlawful practices described herein, 7 a declaration that Defendant’s conduct violated the CLRA, attorneys’ fees, and the 8 costs of litigation. 9 88. Pursuant to Civil Code § 1782, concurrent with the filing of this 10 Complaint, Plaintiffs will notify Defendant in writing by certified mail of the alleged 11 violations of section 1770 and demand that the same be corrected. Concurrent with 12 the filing of this Complaint, Plaintiffs will provide further notification to Defendant in 13 writing by certified mail pursuant to Section 1782, and again demand that Defendant’s 14 Section 1770 violations be corrected. If Defendant fails to rectify or agree to rectify 15 the problems associated with the action detailed above within 30 days of the date of 16 written notice pursuant to Civil Code § 1782, Plaintiffs will amend this Complaint to 17 add claims for actual, punitive and statutory damages, as appropriate in accordance 18 with Civil Code § 1782(a) & (d). 19 Third Claim for Relief 20 Violation of Cal. Civ. Code § 1798.80 et seq. 21 22 23 24 25 26 27 28 89. Plaintiffs repeat, reallege, and incorporate by reference the allegations contained in each and every paragraph above, as though fully stated herein. 90. Section 1798.82 of the California Civil Code provides, in pertinent part: (a) Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. 
The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law 23 Class Action Complaint 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. (b) Any person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. (c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation. (d) Any person or business that is required to issue a security breach notification pursuant to this section shall meet all of the following requirements: (1) The security breach notification shall be written in plain language. (2) The security breach notification shall include, at a minimum, the following information: (A) The name and contact information of the reporting person or business subject to this section. (B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach. (C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice. 
(D) Whether notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided. (E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided. 24 Class Action Complaint (F) The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license or California identification card number. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 ******* (f) Any person or business that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code. (g) For purposes of this section, “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure. 15 16 17 18 19 20 21 22 23 24 25 26 27 28 91. The breach described previously in this Complaint constituted a “breach of the security system” of Yahoo. 92. As alleged above, Yahoo unreasonably delayed informing anyone about the breach of security of Plaintiffs’ and other class members’ confidential and nonpublic PI and financial information after Defendant knew the breach had occurred. 93. 
Yahoo failed to disclose to Plaintiffs and other class members, without unreasonable delay, and in the most expedient time possible, the breach of security of their unencrypted, or not properly and securely encrypted, PI and financial information when they knew or reasonably believed such information had been compromised. 94. Yahoo’s ongoing business interests, and in particular its impending sale to Verizon, gave Yahoo incentive to want to conceal the breach from the public to ensure continued revenue and a high stock price for the sale. 25 Class Action Complaint 1 95. Upon information and belief, no law enforcement agency instructed 2 Yahoo that notification to Plaintiffs or other class members would impede its 3 investigation. 4 96. Pursuant to Section 1798.84 of the California Civil Code: 5 (a) Any waiver of a provision of this title is contrary to public policy and is void and unenforceable. 6 7 (b) Any customer injured by a violation of this title may institute a civil action to recover damages. 8 9 (c) In addition, for a willful, intentional, or reckless violation of Section 1798.83, a customer may recover a civil penalty not to exceed three thousand dollars ($3,000) per violation; otherwise, the customer may recover a civil penalty of up to five hundred dollars ($500) per violation for a violation of Section 1798.83. 10 11 12 ******* (e) Any business that violates, proposes to violate, or has violated this title may be enjoined. 13 14 15 16 17 18 19 20 21 22 23 24 25 26 97. As a result of Defendant’s violation of Cal. Civ. Code § 1798.82, Plaintiffs and the other class members incurred economic damages relating to expenses for credit monitoring, loss of use and value of their debit and/or credit cards, and loss of rewards on their debit and/or credit cards. 98. Plaintiffs, on behalf of themselves and the class, seeks all remedies available under Cal. Civ. 
Code § 1798.84, including, but not limited to: (a) damages suffered by Plaintiffs and the other class members as alleged above; (b) statutory penalties of up to $3,000 per violation for damages for Defendant’s willful, intentional, and/or reckless violations of Cal. Civ. Code § 1798.83 (or, at a minimum, up to $500 per violation); and (c) equitable relief. 99. Plaintiffs and the Class also seeks reasonable attorneys’ fees and costs under Cal. Civ. Code §1798.84(g). 27 28 26 Class Action Complaint 1 Fourth Claim for Relief 2 Negligence 3 4 100. Plaintiffs repeat, reallege, and incorporate by reference the allegations contained in each and every paragraph above, as though fully stated herein. 5 101. Yahoo owed a duty to Plaintiffs and the other class members to exercise 6 reasonable care in safeguarding and protecting their PI and financial information that 7 was in its possession from being compromised, lost, stolen, misused, and or/disclosed 8 to unauthorized parties. This duty included, among other things, designing, 9 maintaining, and testing Defendant’s security systems to ensure that Plaintiffs’ and the 10 other class members’ PI and financial information was adequately secured and 11 protected. Defendant further had a duty to implement processes that would detect a 12 breach of their security system in a timely manner. 13 102. Yahoo also had a duty to timely disclose to Plaintiffs and the other class 14 members that their PI and financial information had been or was reasonably believed 15 to have been compromised. Timely disclosure was appropriate so that, among other 16 things, Plaintiffs and the other class members could take appropriate measures to 17 cancel or change usernames, pin numbers, and passwords on compromised accounts, 18 to begin monitoring their accounts for unauthorized access, to contact the credit 19 bureaus to request freezes or place alerts, and take any and all other appropriate 20 precautions. 21 103. 
Yahoo breached is duty to exercise reasonable care in safeguarding and 22 protecting Plaintiffs’ and the other class members’ PI and financial information by 23 failing to adopt, implement, and maintain adequate security measures to safeguard that 24 information; allowing unauthorized access to Plaintiffs’ and the other class members’ 25 PI and financial information stored by Defendant; and failing to recognize in a timely 26 manner the breach. 27 28 27 Class Action Complaint 1 104. Yahoo breached its duty to timely disclose that Plaintiffs’ and the other 2 class members’ PI and financial information had been, or was reasonably believed to 3 have been, stolen or compromised. 4 105. Yahoo’s failure to comply with industry regulations and the delay 5 between the date of intrusion and the date Yahoo informed customers of the data 6 breach further evidence Yahoo’s negligence in failing to exercise reasonable care in 7 safeguarding and protecting Plaintiffs’ and the other class members’ PI and financial 8 information. 9 106. But for Defendant’s wrongful and negligent breach of its duties owed to 10 Plaintiffs and the other class members, their PI and financial information would not 11 have been compromised, stolen, and viewed by unauthorized persons. 12 107. The injury and harm suffered by Plaintiffs and the other class members 13 was the reasonably foreseeable result of Defendant’s failure to exercise reasonable 14 care in safeguarding and protecting Plaintiffs’ and the other class members’ PI and 15 financial information. Defendant knew or should have known that their systems and 16 technologies for processing and securing Plaintiffs’ and the other Class members’ PI 17 and financial information had security vulnerabilities. 18 108. 
As a result of Defendant’s negligence, Plaintiffs and the other class 19 members incurred economic damages, including expenses for credit monitoring, 20 fraudulent charges on credit card or bank accounts, forged IRS returns, loss of use and 21 value of their debit and/or credit cards, and/or other identity theft-related damages. 22 Fifth Claim for Relief 23 Violation of Stored Communications Act, 18 U.S.C. § 2702 24 25 26 109. Plaintiffs repeat, reallege, and incorporate by reference the allegations contained in each and every paragraph above, as though fully stated herein. 110. The Federal Stored Communications Act (“SCA”) contains provisions 27 that provide consumers with redress if a company mishandles their electronically 28 stored information. The SCA was designed, in relevant part, “to protect individuals’ 28 Class Action Complaint 1 privacy interests in personal and proprietary information.” S. Rep. No. 99-541, at 3 2 (1986), reprinted in 1986 U.S.C.C.A.N. 3555 at 3557. 3 111. Section 2702(a)(1) of the SCA provides that “a person or entity providing 4 an electronic communication service to the public shall not knowingly divulge to any 5 person or entity the contents of a communication while in electronic storage by that 6 service.” 18 U.S.C. § 2702(a)(1). 7 112. The SCA defines “electronic communication service” as “any service 8 which provides to users thereof the ability to send or receive wire or electronic 9 communications.” Id. at § 2510(15). 10 113. Through its equipment, Defendant provides an “electronic 11 communication service to the public” within the meaning of the SCA because it 12 provides consumers at large with mechanisms that enable them to send or receive wire 13 or electronic communications concerning their private financial information to 14 transaction managers, card companies, or banks. 15 114. 
By failing to take commercially reasonable steps to safeguard sensitive 16 private financial information, even after Defendant was aware that customers’ PI and 17 financial information had been compromised, Defendant knowingly divulged 18 customers’ private financial information that was communicated to financial 19 institutions solely for customers’ payment verification purposes, while in electronic 20 storage in Defendant’s payment system. 21 115. Section 2702(a)(2)(A) of the SCA provides that “a person or entity 22 providing remote computing service to the public shall not knowingly divulge to any 23 person or entity the contents of any communication which is carried or maintained on 24 that service on behalf of, and received by means of electronic transmission from (or 25 created by means of computer processing of communications received by means of 26 electronic transmission from), a subscriber or customer of such service.” 18 U.S.C. § 27 2702(a)(2)(A). 28 29 Class Action Complaint 1 116. The SCA defines “remote computing service” as “the provision to the 2 public of computer storage or processing services by means of an electronic 3 communication system.” 18 U.S.C. § 2711(2). 4 117. An “electronic communications systems” is defined by the SCA as “any 5 wire, radio, electromagnetic, photo-optical or photo-electronic facilities for the 6 transmission of wire or electronic communications, and any computer facilities or 7 related electronic equipment for the electronic storage of such communications.” 18 8 U.S.C. § 2510(4). 9 118. 
Defendant provides remote computing services to the public by virtue of 10 its computer processing services for consumer credit and debit card payments, which 11 are used by customers and carried out by means of an electronic communications 12 system, namely the use of wire, electromagnetic, photo-optical or photo-electric 13 facilities for the transmission of wire or electronic communications received from, and 14 on behalf of, the customer concerning customer private financial information. 15 119. By failing to take commercially reasonable steps to safeguard sensitive 16 private financial information, even after Defendant was aware that customers’ PI and 17 financial information had been compromised, Defendant has knowingly divulged 18 customers’ private financial information that was carried and maintained on 19 Defendant’s remote computing service solely for the customer’s payment verification 20 purposes. 21 120. As a result of Defendant’s conduct described herein and their violations 22 of Section 2702(a)(1) and (2)(A), Plaintiffs and the class members have suffered 23 injuries, including lost money and the costs associated with the need for vigilant credit 24 monitoring to protect against additional identity theft. Plaintiffs, on their own behalf 25 and on behalf of the putative class, seeks an order awarding themselves and the class 26 the maximum statutory damages available under 18 U.S.C. § 2707 in addition to the 27 cost for 3 years of credit monitoring services. 
28 30 Class Action Complaint PRAYER FOR RELIEF 1 2 3 4 5 6 7 8 9 10 11 WHEREFORE, Plaintiffs, individually and on behalf of the other Class members, respectfully requests that this Court enter an Order: (a) Certifying the Class and the Subclass, appointing Plaintiffs as Class Representatives, and appointing their undersigned counsel as Class Counsel; (b) Finding that Defendant’s conduct was negligent, deceptive, unfair, and unlawful as alleged herein; (c) Enjoining Defendant from engaging in the negligent, deceptive, unfair, and unlawful business practices alleged herein; (d) Awarding Plaintiffs and the other class members actual, compensatory, and consequential damages; 12 (e) 13 Awarding Plaintiffs and the other class members statutory damages and penalties; 14 (f) 15 disgorgement; 16 17 18 19 (g) Awarding Plaintiffs and the other class members restitution and Requiring Defendant to provide appropriate credit monitoring services to Plaintiffs and the other class members; (h) Awarding Plaintiffs and the other class members pre-judgment and post- judgment interest; 20 (i) Awarding Plaintiffs and the other class members reasonable attorneys’ 21 fees and costs, including expert witness fees; and 22 (i) Granting such other relief as the Court deems just and proper. 23 24 25 26 27 28 31 Class Action Complaint 1 JURY TRIAL DEMANDED 2 3 4 Plaintiffs demand a trial by jury of all claims in this Class Action Complaint so triable. 5 6 7 Dated: January 4, 2017 Respectfully submitted, CASEY GERRY SCHENK FRANCAVILLA BLATT & PENFIELD, LLP 8 9 ZAVERI TABB, APC 10 11 12 /s/ Deval R. Zaveri 13 Attorneys for Plaintiffs 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 32 Class Action Complaint

Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.

