Baron v. Sprint Corporation
Filing
1
COMPLAINT against Sprint Corporation ( Filing fee $ 400 receipt number 0416-7981263.), filed by Paul Baron. (Attachments: #1 Civil Cover Sheet, #2 Summons, #3 Exhibit A, #4 Exhibit B, #5 Exhibit C, #6 Exhibit D, #7 Exhibit E, #8 Exhibit F, #9 Exhibit G, #10 Exhibit H)(Zajdel, Cory)
Case 1:19-cv-01255-JKB Document 1 Filed 04/29/19 Page 1 of 15
IN THE UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF MARYLAND
PAUL BARON
238 TEAL CIRCLE
BERLIN, MD 21811
JURY TRIAL DEMANDED
on their own behalf and on behalf of
all others similarly situated,
Plaintiffs,
v.
SPRINT CORPORATION
6200 SPRINT PARKWAY
OVERLAND PARK, KS 66251
CASE NO. __________________
Serve on: Department of Assessment and
Taxation
Corporate Charter Division
301 W. Preston Street
Room 801
Baltimore, MD 21201
Defendant
CLASS ACTION COMPLAINT
Plaintiff Paul Baron (“Plaintiff” or “Named Plaintiff”), on his own behalf and on behalf of
all others similarly situated, through his attorneys, Cory L. Zajdel, Esq., Jeffrey C. Toppe, Esq.,
and David M. Trojanowski, Esq., and Z LAW, LLC, hereby submits this Class Action Complaint
against Defendant Sprint Corporation (hereinafter “Sprint” or “Defendant”) and for support states
as follows:
I.
PRELIMINARY STATEMENT
1.
Plaintiff, both individually and on behalf of those similarly situated persons
(hereafter “Class Members”), brings this Class Action to secure redress against Sprint for its
reckless and negligent violations of customer privacy rights.
2.
Plaintiff and Class Members are Sprint customers.
3.
This action arises out of Defendant’s collection of geolocation data and the
unauthorized dissemination to third-parties of the geolocation data collected from its users’ cell
phones.
4.
Sprint admittedly sells customer geolocation data to third-parties, including but not
limited to data aggregators, who in turn, are able to use or resell the geolocation data with little or
no oversight by Sprint.
5.
This is an action seeking damages for Sprint’s gross failure to safeguard highly
personal and private consumer geolocation data in violation of federal law.
II.
JURISDICTION
6.
This Court has original federal subject-matter jurisdiction over this class action
pursuant to 28 U.S.C. § 1331 as the sole cause of action pled in this case arises under federal law.
7.
This Court has personal jurisdiction over the parties because Plaintiff is a citizen of
Maryland and because Sprint transacts substantial business within the State of Maryland.
8.
Venue in this judicial district is proper pursuant to 28 U.S.C. §
1391(a) because Sprint conducts substantial business in, and may be found in, this district, and
Plaintiff and members of the proposed class had their geolocation data collected within the State
of Maryland.
III.
PARTIES
9.
Plaintiff Baron is a natural person currently residing in Worcester County,
Maryland.
10.
Defendant Sprint Corporation is a Delaware corporation with its principal place of
business in Overland Park, Kansas.
IV.
FACTUAL ALLEGATIONS
Sprint’s Statutory Obligation to Protect
Customers’ Personal Network Information Under the Federal Communications Act
11.
As a common carrier, Sprint is obligated to protect the confidential personal
information of its customers under the Federal Communications Act (“FCA”), 47 U.S.C. § 222.
12.
FCA § 222(a) provides that “[e]very telecommunications carrier has a duty to
protect the confidentiality of proprietary information of, and relating to . . . customers . . . .” The
“confidential proprietary information” referred to in FCA § 222(a) is abbreviated herein as “CPI.”
13.
FCA § 222(c) additionally provides that “[e]xcept as required by law or with the
approval of the customer, a telecommunications carrier that receives or obtains customer
proprietary network information by virtue of its provision of a telecommunications service shall
only use, disclose, or permit access to individually identifiable customer proprietary network
information in its provision of (A) the telecommunications service from which such information
is derived, or (B) services necessary to, or used in, the provision of such telecommunications
service, including the publishing of directories.” The “customer proprietary network information”
referred to in FCA § 222(c) is abbreviated herein as “CPNI.”
14.
FCA § 222(h)(1) (emphasis added) defines CPNI as “(A) information that relates
to the quantity, technical configuration, type, destination, location, and amount of use of a
telecommunications service subscribed to by any customer of a telecommunications carrier, and
that is made available to the carrier by the customer solely by virtue of the carrier-customer
relationship; and (B) information contained in the bills pertaining to telephone exchange service
or telephone toll service received by a customer of a carrier, except that term does not include
subscriber list information.”
15.
The Federal Communications Commission (“FCC”) has promulgated rules to
implement FCA § 222 “to ensure that telecommunications carriers establish effective safeguards
to protect against unauthorized use or disclosure of CPNI.” See 47 CFR § 64.2001, et seq. (“CPNI
Rules”); CPNI Order, 13 FCC Rcd. at 8195 ¶ 193.
16.
The CPNI Rules limit disclosure and use of CPNI without customer approval to
certain limited circumstances (such as cooperation with law enforcement), none of which are
applicable to the facts here. CPNI Rules § 64.2005.
17.
The CPNI Rules §§ 64.2009(b), (d), and (e) require carriers to implement
safeguards to protect customers’ CPNI.
18.
These safeguards include: (i) training personnel “as to when they are and are not
authorized to use CPNI[;]” (ii) establishing “a supervisory review process regarding carrier
compliance with the rules[;]” and (iii) filing annual compliance certificates with the FCC.
19.
The CPNI Rules § 64.2010 further require carriers to implement measures to
prevent the disclosure of CPNI to unauthorized individuals. For example, “carriers must take
reasonable measures to discover and protect against attempts to gain unauthorized access to
CPNI.” CPNI Rules § 64.2010(a).
20.
As further alleged below, Sprint violated FCA § 222 and the CPNI Rules when it
disclosed CPNI and CPI to third-parties without Plaintiff or Class Members’ authorization or
permission.
Sprint’s Stated Privacy and Security Commitments
to Customers in its Privacy Policy and Code of Business Conduct
21.
In its Privacy Policy (“Privacy Policy”) and Code of Business Conduct (“COBC”),
Sprint acknowledges its responsibilities to protect customers’ Personal Information under the
FCA, the CPNI Rules, and other regulations.
22.
A true and correct copy of the Privacy Policy in effect in March 2019 (last updated
in March 2017), available at https://www.sprint.com/en/legal/sprint-corporation-privacypolicy.html#infoshare, is attached hereto as Exhibit A.
23.
A true and correct copy of the COBC in effect in April 2019 available at
https://s21.q4cdn.com/487940486/files/doc_downloads/governance_documents/2018/SprintCode-of-Conduct-(External)-Effective-May-25-2018.pdf is attached hereto as Exhibit B.
24.
In its Privacy Policy and COBC, Sprint makes binding promises and commitments
to Plaintiff and Class Members, as its customers, that it will protect and secure the confidentiality
of its customers’ information.
25.
The Privacy Policy defines “Personal Information” as including “information you
give us, such as name, postal address, telephone number, e-mail address, date of birth, social
security number or other government identification number, demographics, activities, location
information, and personal preferences.” Thus, “Personal Information” includes both CPI and CPNI
under FCA § 222 and the CPNI Rules.
26.
In its Privacy Policy, Sprint states the following about how it shares personal
information:
We do not share information that identifies you personally
with third parties other than as follows:
Affiliates. We may share personal and non-personal
information with affiliated entities for approved business
purposes. The data may include credit-related, payment
history and transactional information . . . .
Service Providers. We may share personal information
with third parties who perform services on our behalf . . . .
Other Third Parties with Your Consent. We may share
information with other third parties with your consent. For
example, you may agree to our sharing your information
with other third parties to hear about their products and
services. Use of the information you agree to share will be
subject to those third parties’ separate privacy policies. This
may include sharing information collected in connection
with financial products or services, such as installment
billing . . . .
Disclosures to Third Party Application and Service
Providers. You may choose to use services and products
offered by third parties through our Services or devices, such
as third party applications. When you leave our network you
may also use mobile roaming services provided by third
parties. Your use of such services and applications may
result in these third parties collecting your personal
information and obtaining information from Sprint,
including location information (when applicable). You may
also choose to give personal information directly to third
parties when using our Services. In each case, personal
information you give a third party will be subject to its terms,
conditions, and policies—not this policy. You should review
a third party's privacy policy and terms of service before
providing your information or using the service.
27.
Sprint’s legal obligations include complying with FCA § 222, the CPNI Rules, and
other legal obligations that govern protection of confidential and private information.
28.
As alleged below, Sprint flagrantly and repeatedly violated its commitments made
to Plaintiff and Class Members in its Privacy Policy and COBC, as well as its legal obligations
under the FCA and the CPNI Rules by willingly disclosing Plaintiff and Class Members’ CPNI to
unauthorized third-parties.
The First Discovery of Unauthorized Disclosure of CPNI
29.
On May 8, 2018, Senator Ron Wyden sent a letter (“the Wyden Letter”) to Sprint
President and CEO Marcelo Claure (attached hereto as Exhibit C). In the
Letter, Senator Wyden expressed, in very clear terms, great concern with Sprint’s handling of
consumer information. It had come to Senator Wyden’s attention that a company called Securus
Technologies, a major provider of correctional-facility telephone services, purchased real-time
location information from major wireless carriers, and provided that information, via a self-service
web portal, to the government “for nothing more than the legal equivalent of a pinky promise.”
30.
In the Wyden Letter, Senator Wyden detailed how Securus confirmed to him that
the web portal enabled surveillance of customers of “every major U.S. wireless carrier,” which, in
Senator Wyden’s words, “needlessly exposes millions of Americans to potential abuse and
unchecked surveillance by the government.”
31.
Senator Wyden also explained how wireless carriers “are prohibited from sharing
certain customer information, including location data, unless the carrier either has the customer’s
consent or sharing is otherwise required by law.” He ultimately concluded that, “the fact that
Securus provide[d] this service at all suggests that Sprint does not sufficiently control access to
[its] customers’ private information.”
32.
The process by which Securus obtained access to the customers’ information in the
first place is part of the problem. It purchased real-time location information on Sprint’s customers
“through a third party location aggregator that has a commercial relationship with the major
wireless carriers . . . .”
33.
Sprint had no active oversight or direction in Securus’ use of Sprint customer
location data.
34.
In the Wyden Letter, Senator Wyden demanded that Sprint “undertake a
comprehensive audit of each third party” with whom Sprint shared its customers’ personal
information, and “terminate [its] data-sharing relationships with all third parties that have
misrepresented customer consent or abused their access to sensitive customer data.”
35.
On June 15, 2018, Sprint sent a reply letter to Senator Wyden (hereinafter “the First
Sprint Letter”) (attached hereto as Exhibit D). In the First Sprint Letter, Sprint represented that it
“takes its obligations to safeguard [its] customers’ privacy seriously.”
36.
Sprint went on to say that it “may provide location information to vendors,
application developers, and location aggregators, who in turn provide the information to the
ultimate end-user.” Sprint, in the First Sprint Letter, did not specifically identify any of the
location aggregators with whom it had or has a contractual relationship.
The Second Discovery of Unauthorized Disclosure of CPNI
37.
Six months later, on January 8, 2019, Motherboard (a news outlet) ran an
investigative article concerning major telecommunications carriers (including Sprint) selling
access to geolocation data to third-parties (hereinafter “The Article”) (attached hereto as Exhibit
E).
38.
In the Article, the journalist gave a bounty hunter $300 to locate a cell phone. The
bounty hunter did just that using “real-time location data sold to bounty hunters that ultimately
originated from the major [telecommunications carriers].”
39.
The Article revealed that a company called MicroBilt was selling cell phone
geolocation services with little oversight to a spread of different private industries, “ranging from
car salesmen and property managers to bail bondsmen and bounty hunters . . . .” Additionally, this
“spying capability is also being resold to others on the black market who are not licensed by the
company to use it . . . seemingly without MicroBilt’s knowledge.”
40.
Motherboard’s investigation revealed that “a wide variety of companies can access
cell phone location data, and . . . the information trickles down from cell phone providers to a wide
array of smaller players, who don’t necessarily have the correct safeguards in place to protect that
data.”
41.
Motherboard found that some of the location aggregators were so sloppy that
“anyone could geolocate nearly any phone in the United States at a click of a mouse.”
42.
In response to a request for comment, Sprint told Motherboard that “protecting our
customers’ privacy and security is a top priority, and we are transparent about that in our Privacy
Policy . . . Sprint does not have a direct relationship with MicroBilt. If we determine that any of
our customers do and have violated the terms of our contract, we will take appropriate action based
on those findings.” Sprint would not clarify the contours of its relationship with MicroBilt.
43.
The telecommunications carriers are the beginning of a dizzying chain of data
selling, where data goes from company to company, and ultimately ends up in the hands of literally
anybody who is looking.
44.
The information a person could obtain included the name and address of an
individual, and the geolocation of that individual’s cell phone.
45.
One of the data aggregators with whom Sprint contracted is called Zumigo. Zumigo
contracted with MicroBilt. MicroBilt was engaged in the process of selling consumer data to
literally anybody who would pay for it, including the name and address of an individual, and the
geolocation of that individual’s cell phone. Some of the sectors that utilized MicroBilt’s services
were landlords, car salesmen, and others conducting credit checks.
46.
In essence, Sprint was relying on the end user of the location data not to abuse the
data, or not to obtain the data under false pretenses. In practice, the end users exercised no oversight
over the process whatsoever.
47.
Three weeks after Motherboard published its story, on January 24, 2019, Senator
Wyden, along with fourteen other United States Senators, sent a letter to the FCC and Federal
Trade Commission (hereinafter “Second Wyden Letter”) (attached hereto as Exhibit F), urging
the chairmen of the respective Commissions to “broadly investigate the sale of Americans’
location data by wireless carriers, location aggregators, and other third parties.”
48.
The Commissions are currently investigating each of the major wireless carriers,
including Sprint.
The Second Correspondence between Sprint and Senator Wyden
49.
On February 15, 2019, Sprint sent Senator Wyden another letter (hereinafter
“Second Sprint Letter”) (attached hereto as Exhibit G) explaining that it had shared data with two
location aggregators over the past five years: LocationSmart and Zumigo. Ironically, Sprint noted
that “Questions regarding LocationSmart’s and Zumigo’s sub-aggregators and customers are best
directed to LocationSmart and Zumigo in light of contractual provisions in our agreements
regarding aggregators’ confidential information.”
50.
On March 13, 2019, Senator Wyden responded in a letter to Sprint, and the other
telecommunications carriers (hereinafter “the Third Wyden Letter”) (attached hereto as Exhibit
H) seeking additional information regarding Sprint’s “repeated sale and improper disclosure of
customer location data” to third-parties. In the Third Wyden Letter, Senator Wyden said it was
“now abundantly clear that [Sprint has] failed to be [a] good steward[] of [its] customers’ private
location information.”
51.
The Third Wyden Letter also chastised the telecommunications carriers for their
failures to comply with a federal law that requires wireless carriers “to protect Customer
Proprietary Network Information (CPNI), which includes location data.” Wyden also noted that
wireless carriers are “required to report breaches of CPNI to federal law enforcement agencies.”
52.
On March 26, 2019, the FTC issued an order to Sprint, among others, seeking
information the agency will use to examine how it collects, retains, uses, and discloses information
about consumers and their devices.
V.
CLASS ACTION ALLEGATIONS
53.
Plaintiff brings this action on behalf of a Class which consists of:
All Sprint customers located in any of the United States, including the District of
Columbia, between April 30, 2015 and February 15, 2019.
Excluded from the Class are those individuals who now are or have ever been executives of the
Defendant and the spouses, parents, siblings, and children of all such individuals.
54.
The Class, as defined above, is identifiable. Plaintiff is a member of the Class.
55.
The Class consists, at a minimum, of fifty million (50,000,000) individuals and is
thus so numerous that joinder of all members is clearly impracticable.
56.
There are questions of law and fact which are not only common to the Class but
which predominate over any questions affecting only individual Class members.
57.
The common and predominating questions include, but are not limited to:
a) Whether Sprint violated FCA § 222 by its unauthorized disclosure of Plaintiff
and Class Members’ CPNI to third-parties during the class period; and
b) Whether Plaintiff and Class Members’ CPNI was accessible to unauthorized
third parties during the class period.
58.
Claims of Plaintiff are typical of the claims of the respective Class Members and
are based on and arise out of similar facts constituting the wrongful conduct of Defendant.
59.
Plaintiff will fairly and adequately protect the interests of the Class.
60.
Plaintiff is committed to vigorously litigating this matter.
61.
Further, Plaintiff has secured counsel experienced in handling consumer class
actions and complex consumer litigation.
62.
Neither Plaintiff, nor his counsel, have any interests which might cause them not to
vigorously pursue this claim.
63.
Common questions of law and fact enumerated above predominate over questions
affecting only individual members of the Class.
64.
A class action is the superior method for fair and efficient adjudication of the
controversy.
65.
The likelihood that individual members of the Class will prosecute separate actions
in court is remote due to the time and expense necessary to conduct such litigation.
66.
Counsel for Plaintiff and the Class are experienced in class actions and foresee little
difficulty in the management of this case as a class action.
VI.
CAUSE OF ACTION
COUNT ONE
(Unauthorized Disclosure of Customer Confidential
Proprietary Network Information in Violation of 47 U.S.C. § 222)
67.
Plaintiff incorporates by reference all of the allegations herein as if each and every
allegation is set forth fully herein.
68.
Sprint is a telecommunications common carrier engaged in interstate commerce by
wire regulated by the FCA and subject to the requirements, inter alia, of §§ 206 and 222 of the
FCA.
69.
Under FCA § 206, “[i]n case any common carriers shall do, or cause or permit it to
be done, any act, matter, or thing in this chapter prohibited or declared to be unlawful, or shall
omit to do any act, matter, or thing in this chapter required to be done, such common carrier shall
be liable to the person or persons injured thereby for the full amount of damages sustained in
consequence of any such violation of the provisions of this chapter, together with a reasonable
counsel or attorney’s fee, to be fixed by the court in every case of recovery, which attorney’s fee
shall be taxed and collected as part of the costs in the case.”
70.
FCA § 222(a) requires every telecommunications carrier to protect, among other
things, its customers’ CPI.
71.
FCA § 222(c) further requires every telecommunications carrier to protect, among
other things, its customers’ CPNI.
72.
The information disclosed by Sprint to third-parties, including but not limited to
data aggregators, without Plaintiff or Class Members’ consent was CPI and CPNI under FCA §
222.
73.
Sprint failed to protect the confidentiality of Plaintiff and Class Members’ CPI and
CPNI, including their wireless telephone numbers, account information, private communications,
and location, by divulging that information to third-parties, including but not limited to data
aggregators.
74.
Through its negligent and deliberate acts, including inexplicable failures to follow
its own Privacy Policy, Sprint permitted access to Plaintiff and Class Members’ CPI and CPNI.
75.
Sprint profited from the sale and unauthorized dissemination of Plaintiff and Class
Members’ CPI and CPNI.
76.
As a direct consequence of Sprint’s violations of the FCA, Plaintiff and Class
Members have been damaged, in an amount to be proven at trial.
77.
As a direct consequence of Sprint’s violations of the FCA, Sprint was unjustly
enriched in an amount to be proven at trial.
78.
Plaintiff and Class Members are also entitled to attorney’s fees under the FCA.
VII.
PRAYER FOR RELIEF
WHEREFORE, Plaintiff respectfully prays that this Court:
A. Assume jurisdiction of this case;
B. Enter an order certifying the Class under FED. R. CIV. P. 23(b)(3);
C. Award damages in accordance with FCA § 206; and
D. Award reasonable attorneys’ fees in accordance with FCA § 206.
Respectfully submitted,
Z LAW, LLC
Dated: April 29, 2019
________/s/ 28191_______________
Cory L. Zajdel (Fed. Bar #28191)
Jeffrey C. Toppe (Fed. Bar #20804)
David M. Trojanowski (Fed. Bar #19808)
2345 York Road, Ste. B-13
Timonium, MD 21093
(443) 213-1977
clz@zlawmaryland.com
jct@zlawmaryland.com
dmt@zlawmaryland.com
Attorneys for Plaintiffs
DEMAND FOR JURY TRIAL
Plaintiff requests a jury trial for any and all Counts for which a trial by jury is permitted
by law.
________/s/ 28191_______________
Cory L. Zajdel, Esquire