Morrison v. Verizon Communications Inc. et al
Filing
1
COMPLAINT against Cellco Partnership, Verizon Communications Inc. ( Filing fee $ 400 receipt number 0416-7988180.), filed by Michelle Morrison. (Attachments: #1 Civil Cover Sheet, #2 Summons Verizon Communications, #3 Summons Cellco Partnership, #4 Exhibit A, #5 Exhibit B, #6 Exhibit C, #7 Exhibit D, #8 Exhibit E)(Zajdel, Cory)
Case 1:19-cv-01298-JKB Document 1 Filed 05/02/19 Page 1 of 13
IN THE UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF MARYLAND
MICHELLE MORRISON
4217 SKYVIEW
BALTIMORE, MD 21211
JURY TRIAL DEMANDED
on her own behalf and on behalf of
all others similarly situated,
Plaintiffs,
CASE NO. __________________
v.
VERIZON COMMUNICATIONS INC.
1095 Avenue of the Americas,
New York City, New York 10036
Serve on: State Dept. of Assessments
and Taxation
301 W. Preston Street
Room 801
Baltimore, MD 21201
CELLCO PARTNERSHIP
d/b/a VERIZON WIRELESS
1 Verizon Way,
Basking Ridge, NJ 07920
Serve on: State Dept. of Assessments
and Taxation
301 W. Preston Street
Room 801
Baltimore, MD 21201
Defendants.
CLASS ACTION COMPLAINT
Plaintiff Michelle Morrison (“Plaintiff” or “Named Plaintiff”), on her own behalf and on
behalf of all others similarly situated, through her attorneys, Cory L. Zajdel, Esq., Jeffrey C.
1
Case 1:19-cv-01298-JKB Document 1 Filed 05/02/19 Page 2 of 13
Toppe, Esq., and David M. Trojanowski, Esq., and Z LAW, LLC, hereby submit this Class Action
Complaint against Defendants Cellco Partnership d/b/a Verizon Wireless and Verizon
Communications Inc. (together “Verizon” or “Defendants”) and for support states as follows:
I.
PRELIMINARY STATEMENT
1.
Plaintiff, both individually and on behalf of those similarly situated persons
(hereafter “Class Members”), brings this Class Action to secure redress against Verizon for its
reckless and negligent violations of customer privacy rights.
2.
Plaintiff and Class Members are Verizon customers.
3.
This action arises out of Defendants’ collection of geolocation data and the
unauthorized dissemination to third-parties of the geolocation data collected from its users’ cell
phones.
4.
Verizon admittedly sold customer geolocation data to third-parties, including but
not limited to data aggregators, who in turn, were able to use or resell the geolocation data with
little or no oversight by Verizon.
5.
This is an action seeking damages for Verizon’s gross failure to safeguard highly
personal and private consumer geolocation data in violation of federal law.
II.
JURISDICTION
6.
This Court has original federal subject-matter jurisdiction over this class action
pursuant to 28 U.S.C. § 1331 as the sole cause of action pled in this case arises under federal law.
7.
This Court has personal jurisdiction over the parties because Plaintiff is a citizen of
Maryland and because Verizon transacts substantial business within the State of Maryland.
8.
Venue in this judicial district is proper pursuant to 28 U.S.C. §
1391(a) because Verizon conducts substantial business in, and may be found in, this district, and
2
Case 1:19-cv-01298-JKB Document 1 Filed 05/02/19 Page 3 of 13
Plaintiff and members of the proposed class had their geolocation data collected within the State
of Maryland.
III.
PARTIES
9.
Plaintiff Morrison is a natural person currently residing in Baltimore City.
10.
Verizon Communications Inc. is a Delaware corporation with its principal place of
business in New York, New York. This Defendant does business in the state of Maryland and in
the city of Baltimore.
11.
Cellco Partnership d/b/a Verizon Wireless is a Delaware general partnership with
its principal place of business in Baskin Ridge, New Jersey. This Defendant does business in the
state of Maryland in in the city of Baltimore.
IV.
FACTUAL ALLEGATIONS
Verizon’s Statutory Obligation to Protect
Customers’ Personal Network Information Under the Federal Communications Act
12.
As a common carrier, Verizon is obligated to protect the confidential personal
information of its customers under the Federal Communications Act (“FCA”), 47 U.S.C. § 222.
13.
FCA § 222(a) provides that “[e]very telecommunications carrier has a duty to
protect the confidentiality of proprietary information of, and relating to . . . customers . . . .” The
“confidential proprietary information” referred to in FCA § 222(a) is abbreviated herein as “CPI.”
14.
FCA § 222(c) additionally provides that “[e]xcept as required by law or with the
approval of the customer, a telecommunications carrier that receives or obtains customer
proprietary network information by virtue of its provision of a telecommunications service shall
only use, disclose, or permit access to individually identifiable customer proprietary network
information in its provision of (A) the telecommunications service from which such information
is derived, or (B) services necessary to, or used in, the provision of such telecommunications
3
Case 1:19-cv-01298-JKB Document 1 Filed 05/02/19 Page 4 of 13
service, including the publishing of directories.” The “customer proprietary network information”
referred to in FCA § 222(c) is abbreviated herein as “CPNI.”
15.
FCA § 222(h)(1) (emphasis added) defines CPNI as “(A) information that relates
to the quantity, technical configuration, type, destination, location, and amount of use of a
telecommunications service subscribed to by any customer of a telecommunications carrier, and
that is made available to the carrier by the customer solely by virtue of the carrier-customer
relationship; and (B) information contained in the bills pertaining to telephone exchange service
or telephone toll service received by a customer of a carrier, except that term does not include
subscriber list information.”
16.
The Federal Communication Commissions (“FCC”) has promulgated rules to
implement FCA § 222 “to ensure that telecommunications carriers establish effective safeguards
to protect against unauthorized use or disclosure of CPNI.” See 47 CFR § 64.2001, et seq. (“CPNI
Rules”); CPNI Order, 13 FCC Rcd. at 8195 ¶ 193.
17.
The CPNI Rules limit disclosure and use of CPNI without customer approval to
certain limited circumstances (such as cooperation with law enforcement), none of which are
applicable to the facts here. CPNI Rules § 64.2005.
18.
The CPNI Rules §§ 64.2009(b), (d), and (e) require carriers to implement
safeguards to protect customers’ CPNI.
19.
These safeguards include: (i) training personnel “as to when they are and are not
authorized to use CPNI[;]” (ii) establishing “a supervisory review process regarding carrier
compliance with the rules[;]” and (iii) filing annual compliance certificates with the FCC.
20.
The CPNI Rules § 64.2010 further require carriers to implement measures to
prevent the disclosure of CPNI to unauthorized individuals. For example, “carriers must take
4
Case 1:19-cv-01298-JKB Document 1 Filed 05/02/19 Page 5 of 13
reasonable measures to discover and protect against attempts to gain unauthorized access to
CPNI.” CPNI Rules § 64.2010(a).
21.
As further alleged below, Verizon violated FCA § 222 and the CPNI Rules when it
disclosed CPNI and CPI to third-parties without Plaintiff’s authorization or permission.
Verizon’s Stated Privacy and Security Commitments
to Customers in its Privacy Policy and Code of Business Conduct
22.
In its Privacy Policy (“Privacy Policy”) and Code of Business Conduct (“COBC”),
Verizon acknowledges its responsibilities to protect customers’ “Personal Information” under the
FCA, the CPNI Rules, and other regulations.
23.
A true and correct copy of the Privacy Policy in effect in April 2019 available at
https://www.verizon.com/about/privacy/full-privacy-policy is attached hereto as Exhibit A.
24.
A true and correct copy of the COBC in effect in April 2019 available at
https://www.verizon.com/about/sites/default/files/Verizon-Code-of-Conduct.pdf
is
attached
hereto as Exhibit B.
25.
In its Privacy Policy and COBC, Verizon makes binding promises and
commitments to Plaintiff, as its customers, that it will protect and secure their personal
information.
26.
In the Privacy Policy, Verizon promises that it “does not sell, license or share
information that individually identifies our customers . . . outside the Verizon family of companies
that are not performing work on Verizon’s behalf without the consent of the person whose
information will be shared.”
27.
Nowhere in its Privacy Policy does Verizon disclose that it would sell access to
customers’ location data to LocationSmart or Zumigo, which, as discussed below, it did.
5
Case 1:19-cv-01298-JKB Document 1 Filed 05/02/19 Page 6 of 13
28.
Verizon’s COBC also makes binding commitments to Plaintiff and all Class
Members, as Verizon customers, that it will protect their Personal Information and that it will
adhere to all of its legal obligations. Those legal obligations include FCA § 222, the CPNI Rules,
and other legal obligations that govern protection of confidential and private information.
29.
For example, Verizon’s COBC instructs employees not to “access, view, use,
modify, share or distribute customer information without a proper business reason.” The COBC
goes on to say that “Verizon contractors and vendors must also protect customer information.”
Exhibit B, at 25.
30.
As alleged below, Verizon flagrantly and repeatedly violated its commitments
made to Plaintiff and Class Members in its Privacy Policy and COBC, as well as its legal
obligations under the FCA and the CPNI Rules by willingly disclosing Plaintiff and Class
Members’ CPNI to unauthorized third-parties.
The Unauthorized Disclosure of CPNI
31.
On May 8, 2018, Senator Ron Wyden sent a letter (“the Wyden Letter”) to Verizon
Chairman and CEO Lowell C. McAdam. The Wyden Letter is attached hereto as Exhibit C. In
the Letter, Senator Wyden expressed, in very clear terms, great concern with Verizon’s handling
of consumer information. It had come to Senator Wyden’s attention that a company called Securus
Technologies, a major provider of correctional-facility telephone services, purchased real-time
location information from major wireless carriers, and provided that information, via a self-service
web portal, to the government “for nothing more than the legal equivalent of a pinky promise.”
32.
In the Wyden Letter, Senator Wyden detailed how Securus confirmed to him that
the web portal enabled surveillance of customers of “every major U.S. wireless carrier,” which, in
6
Case 1:19-cv-01298-JKB Document 1 Filed 05/02/19 Page 7 of 13
Senator Wyden’s words, “needlessly exposes millions of Americans to potential abuse and
unchecked surveillance by the government.”
33.
Senator Wyden also explained how wireless carriers “are prohibited from sharing
certain customer information, including location data, unless the carrier either has the customer’s
consent or sharing is otherwise required by law.” He ultimately concluded that, “the fact that
Securus provide[d] this service at all suggests that Verizon does not sufficiently control access to
[its] customers’ private information.”
34.
The process by which Securus obtained access to the customers’ information in the
first place is part of the problem. It purchased real-time location information on Verizon’s
customers “through a third party location aggregator that has a commercial relationship with the
major wireless carriers . . . .”
35.
Verizon had no active oversight or direction in Securus’ use of Verizon customer
location data.
36.
In the Wyden Letter, Senator Wyden demanded that Verizon “undertake a
comprehensive audit of each third party” with whom Verizon shared its customers’ personal
information, and “terminate [its] data-sharing relationships with all third parties that have
misrepresented customer consent or abused their access to sensitive customer data.”
37.
On June 15, 2018, Verizon sent a reply letter (“the First Verizon Letter”) to Senator
Wyden (hereinafter “the Verizon Letter”) (attached hereto as Exhibit D). In the Verizon Letter,
after representing that it “takes the privacy and security of customers’ information seriously,”
Verizon stated that as soon as it found out that Securus was “accessing location information for
unauthorized purposes, [Verizon] immediately blocked Securus’s access to customer location
information through [Verizon’s] vendor LocationSmart.”
7
Case 1:19-cv-01298-JKB Document 1 Filed 05/02/19 Page 8 of 13
38.
Verizon went on to detail how it shares its customers’ data: it contracted with two
location aggregators: LocationSmart and Zumigo. It explained that consent by its customers is the
“cornerstone” of its data sharing policy.
39.
In the Verizon Letter, Verizon contended that “customer[s] must provide
affirmative consent before the location aggregator may access that customer’s location.”
Evidently, Securus—and others—were not obtaining such consent or providing such notice.
40.
As alleged herein, Verizon was not properly obtaining consent from its customers
prior to sharing their location data.
41.
As a result of receiving the Wyden Letter, Verizon pledged to end its data sharing
relationship with LocationSmart and Zumigo.
42.
Almost a year later, on March 13, 2019, Senator Wyden sent another letter to
Verizon, and the other telecommunications carriers (hereinafter “the Second Wyden Letter”)
(attached hereto as Exhibit E) seeking additional information regarding Verizon’s “repeated sale
and improper disclosure of customer location data” to third-parties. In the Second Wyden Letter,
Senator Wyden said it was “now abundantly clear that [Verizon has] failed to be [a] good steward[]
of [its] customers’ private location information.”
43.
The Second Wyden Letter also chastised the telecommunications carriers for their
failures to comply with a federal law that requires wireless carriers “to protect Customer
Proprietary Network Information (CPNI), which includes location data.” Wyden also noted that
wireless carriers are “required to report breaches of CPNI to federal law enforcement agencies.”
44.
On March 26, 2019, the FTC issued an order to Verizon, among others, seeking
information the agency will use to examine how it collects, retains, uses, and discloses information
about consumers and their devices.
8
Case 1:19-cv-01298-JKB Document 1 Filed 05/02/19 Page 9 of 13
V.
CLASS ACTION ALLEGATIONS
45.
Plaintiff brings this action on behalf of a Class which consists of:
All Verizon customers located in any of the United States, including the District of
Columbia, between May 3, 2015 and February 15, 2019.
Excluded from the Class are those individuals who now are or have ever been executives of the
Defendant and the spouses, parents, siblings, and children of all such individuals.
46.
The Class, as defined above, is identifiable. Plaintiff is a member of the Class.
47.
The Class consists, at a minimum, of one hundred million (100,000,000)
individuals and is thus so numerous that joinder of all members is clearly impracticable.
48.
There are questions of law and fact which are not only common to the Class but
which predominate over any questions affecting only individual Class members.
49.
The common and predominating questions include, but are not limited to:
a) Whether Verizon violated FCA § 222 by its unauthorized disclosure of Plaintiff
and Class Members’ CPNI to third-parties during the class period; and
b) Whether Plaintiff and Class Members’ CPNI was accessible to unauthorized
third-parties during the class period.
50.
Claims of Plaintiff are typical of the claims of the respective Class Members and
are based on and arise out of similar facts constituting the wrongful conduct of Defendant.
51.
Plaintiff will fairly and adequately protect the interests of the Class.
52.
Plaintiff is committed to vigorously litigating this matter.
53.
Further, Plaintiff has secured counsel experienced in handling consumer class
actions and complex consumer litigation.
54.
Neither Plaintiff, nor her counsel, have any interests which might cause them not
to vigorously pursue this claim.
9
Case 1:19-cv-01298-JKB Document 1 Filed 05/02/19 Page 10 of 13
55.
Common questions of law and fact enumerated above predominate over questions
affecting only individual members of the Class.
56.
A class action is the superior method for fair and efficient adjudication of the
controversy.
57.
The likelihood that individual members of the Class will prosecute separate actions
in court is remote due to the time and expense necessary to conduct such litigation.
58.
Counsel for Plaintiff and the Class are experienced in class actions and foresee little
difficulty in the management of this case as a class action.
VI.
CAUSE OF ACTION
COUNT ONE
(Unauthorized Disclosure of CPNI in Violation of 47 U.S.C. § 222)
59.
Plaintiff incorporates by reference all of the allegations herein as if each and every
allegation is set forth fully herein.
60.
Verizon is a telecommunications common carrier engaged in interstate commerce
by wire regulated by the FCA and subject to the requirements, inter alia, of §§ 206 and 222 of the
FCA.
61.
Under FCA § 206, “[i]n case any common carriers shall do, or cause or permit it to
be done, any act, matter, or thing in this chapter prohibited or declared to be unlawful, or shall
omit to do any act, matter, or thing in this chapter required to be done, such common carrier shall
be liable to the person or persons injured thereby for the full amount of damages sustained in
consequence of any such violation of the provisions of this chapter, together with a reasonable
counsel or attorney’s fee, to be fixed by the court in every case of recovery, which attorney’s fee
shall be taxed and collected as part of the costs in the case.”
10
Case 1:19-cv-01298-JKB Document 1 Filed 05/02/19 Page 11 of 13
62.
FCA § 222(a) requires every telecommunications carrier to protect, among other
things, its customers’ CPI.
63.
FCA § 222(c) further requires every telecommunications carrier to protect, among
other things, its customers’ CPNI.
64.
The information disclosed by Verizon to third-parties, including but not limited to
data aggregators, without Plaintiff or Class Members’ consent was CPI and CPNI under FCA §
222.
65.
Verizon failed to protect the confidentiality of Plaintiff and Class Members’ CPI
and CPNI, including their wireless telephone numbers, account information, private
communications, and location, by divulging that information to third-parties, including but not
limited to data aggregators.
66.
Through its negligent and deliberate acts, including inexplicable failures to follow
its own Privacy Policy, Verizon permitted access to Plaintiff and Class Members’ CPI and CPNI.
67.
Verizon profited from the sale and unauthorized dissemination of Plaintiff and
Class Members’ CPI and CPNI.
68.
As a direct consequence of Verizon’s violations of the FCA, Plaintiff and Class
Members have been damaged, in an amount to be proven at trial.
69.
As a direct consequence of Verizon’s violations of the FCA, Verizon were unjustly
enriched in an amount to be proven at trial.
70.
Plaintiff and Class Members are also entitled to attorney’s fees under the FCA.
11
Case 1:19-cv-01298-JKB Document 1 Filed 05/02/19 Page 12 of 13
VII.
PRAYER FOR RELIEF
WHEREFORE, Plaintiff respectfully prays that this Court:
A. Assume jurisdiction of this case;
B. Enter an order certifying the Class under FED. R. CIV. P. 23(b)(3);
C. Award damages in accordance with FCA § 206; and
D. Award reasonable attorney’s fees in accordance with FCA § 206.
Respectfully submitted,
Z LAW, LLC
Dated: May 2, 2019
________/s/ 28191_______________
Cory L. Zajdel (Fed. Bar #28191)
Jeffrey C. Toppe (Fed. Bar #20804)
David M. Trojanowski (Fed. Bar #19808)
2345 York Road, Ste. B-13
Timonium, MD 21093
(443) 213-1977
clz@zlawmaryland.com
jct@zlawmaryland.com
dmt@zlawmaryland.com
Attorneys for Plaintiff
12
Case 1:19-cv-01298-JKB Document 1 Filed 05/02/19 Page 13 of 13
DEMAND FOR JURY TRIAL
Plaintiff requests a jury trial for any and all Count for which a trial by jury is permitted
by law.
________/s/ 28191_______________
Cory L. Zajdel, Esquire
13
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?