Morrison v. Verizon Communications Inc. et al

Filing 1

COMPLAINT against Cellco Partnership, Verizon Communications Inc. ( Filing fee $ 400 receipt number 0416-7988180.), filed by Michelle Morrison. (Attachments: #1 Civil Cover Sheet, #2 Summons Verizon Communications, #3 Summons Cellco Partnership, #4 Exhibit A, #5 Exhibit B, #6 Exhibit C, #7 Exhibit D, #8 Exhibit E)(Zajdel, Cory)

Download PDF
Case 1:19-cv-01298-JKB Document 1 Filed 05/02/19 Page 1 of 13 IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF MARYLAND MICHELLE MORRISON 4217 SKYVIEW BALTIMORE, MD 21211 JURY TRIAL DEMANDED on her own behalf and on behalf of all others similarly situated, Plaintiffs, CASE NO. __________________ v. VERIZON COMMUNICATIONS INC. 1095 Avenue of the Americas, New York City, New York 10036 Serve on: State Dept. of Assessments and Taxation 301 W. Preston Street Room 801 Baltimore, MD 21201 CELLCO PARTNERSHIP d/b/a VERIZON WIRELESS 1 Verizon Way, Basking Ridge, NJ 07920 Serve on: State Dept. of Assessments and Taxation 301 W. Preston Street Room 801 Baltimore, MD 21201 Defendants. CLASS ACTION COMPLAINT Plaintiff Michelle Morrison (“Plaintiff” or “Named Plaintiff”), on her own behalf and on behalf of all others similarly situated, through her attorneys, Cory L. Zajdel, Esq., Jeffrey C. 1 Case 1:19-cv-01298-JKB Document 1 Filed 05/02/19 Page 2 of 13 Toppe, Esq., and David M. Trojanowski, Esq., and Z LAW, LLC, hereby submit this Class Action Complaint against Defendants Cellco Partnership d/b/a Verizon Wireless and Verizon Communications Inc. (together “Verizon” or “Defendants”) and for support states as follows: I. PRELIMINARY STATEMENT 1. Plaintiff, both individually and on behalf of those similarly situated persons (hereafter “Class Members”), brings this Class Action to secure redress against Verizon for its reckless and negligent violations of customer privacy rights. 2. Plaintiff and Class Members are Verizon customers. 3. This action arises out of Defendants’ collection of geolocation data and the unauthorized dissemination to third-parties of the geolocation data collected from its users’ cell phones. 4. Verizon admittedly sold customer geolocation data to third-parties, including but not limited to data aggregators, who in turn, were able to use or resell the geolocation data with little or no oversight by Verizon. 5. This is an action seeking damages for Verizon’s gross failure to safeguard highly personal and private consumer geolocation data in violation of federal law. II. JURISDICTION 6. This Court has original federal subject-matter jurisdiction over this class action pursuant to 28 U.S.C. § 1331 as the sole cause of action pled in this case arises under federal law. 7. This Court has personal jurisdiction over the parties because Plaintiff is a citizen of Maryland and because Verizon transacts substantial business within the State of Maryland. 8. Venue in this judicial district is proper pursuant to 28 U.S.C. § 1391(a) because Verizon conducts substantial business in, and may be found in, this district, and 2 Case 1:19-cv-01298-JKB Document 1 Filed 05/02/19 Page 3 of 13 Plaintiff and members of the proposed class had their geolocation data collected within the State of Maryland. III. PARTIES 9. Plaintiff Morrison is a natural person currently residing in Baltimore City. 10. Verizon Communications Inc. is a Delaware corporation with its principal place of business in New York, New York. This Defendant does business in the state of Maryland and in the city of Baltimore. 11. Cellco Partnership d/b/a Verizon Wireless is a Delaware general partnership with its principal place of business in Baskin Ridge, New Jersey. This Defendant does business in the state of Maryland in in the city of Baltimore. IV. FACTUAL ALLEGATIONS Verizon’s Statutory Obligation to Protect Customers’ Personal Network Information Under the Federal Communications Act 12. As a common carrier, Verizon is obligated to protect the confidential personal information of its customers under the Federal Communications Act (“FCA”), 47 U.S.C. § 222. 13. FCA § 222(a) provides that “[e]very telecommunications carrier has a duty to protect the confidentiality of proprietary information of, and relating to . . . customers . . . .” The “confidential proprietary information” referred to in FCA § 222(a) is abbreviated herein as “CPI.” 14. FCA § 222(c) additionally provides that “[e]xcept as required by law or with the approval of the customer, a telecommunications carrier that receives or obtains customer proprietary network information by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to individually identifiable customer proprietary network information in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications 3 Case 1:19-cv-01298-JKB Document 1 Filed 05/02/19 Page 4 of 13 service, including the publishing of directories.” The “customer proprietary network information” referred to in FCA § 222(c) is abbreviated herein as “CPNI.” 15. FCA § 222(h)(1) (emphasis added) defines CPNI as “(A) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and (B) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier, except that term does not include subscriber list information.” 16. The Federal Communication Commissions (“FCC”) has promulgated rules to implement FCA § 222 “to ensure that telecommunications carriers establish effective safeguards to protect against unauthorized use or disclosure of CPNI.” See 47 CFR § 64.2001, et seq. (“CPNI Rules”); CPNI Order, 13 FCC Rcd. at 8195 ¶ 193. 17. The CPNI Rules limit disclosure and use of CPNI without customer approval to certain limited circumstances (such as cooperation with law enforcement), none of which are applicable to the facts here. CPNI Rules § 64.2005. 18. The CPNI Rules §§ 64.2009(b), (d), and (e) require carriers to implement safeguards to protect customers’ CPNI. 19. These safeguards include: (i) training personnel “as to when they are and are not authorized to use CPNI[;]” (ii) establishing “a supervisory review process regarding carrier compliance with the rules[;]” and (iii) filing annual compliance certificates with the FCC. 20. The CPNI Rules § 64.2010 further require carriers to implement measures to prevent the disclosure of CPNI to unauthorized individuals. For example, “carriers must take 4 Case 1:19-cv-01298-JKB Document 1 Filed 05/02/19 Page 5 of 13 reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI.” CPNI Rules § 64.2010(a). 21. As further alleged below, Verizon violated FCA § 222 and the CPNI Rules when it disclosed CPNI and CPI to third-parties without Plaintiff’s authorization or permission. Verizon’s Stated Privacy and Security Commitments to Customers in its Privacy Policy and Code of Business Conduct 22. In its Privacy Policy (“Privacy Policy”) and Code of Business Conduct (“COBC”), Verizon acknowledges its responsibilities to protect customers’ “Personal Information” under the FCA, the CPNI Rules, and other regulations. 23. A true and correct copy of the Privacy Policy in effect in April 2019 available at https://www.verizon.com/about/privacy/full-privacy-policy is attached hereto as Exhibit A. 24. A true and correct copy of the COBC in effect in April 2019 available at https://www.verizon.com/about/sites/default/files/Verizon-Code-of-Conduct.pdf is attached hereto as Exhibit B. 25. In its Privacy Policy and COBC, Verizon makes binding promises and commitments to Plaintiff, as its customers, that it will protect and secure their personal information. 26. In the Privacy Policy, Verizon promises that it “does not sell, license or share information that individually identifies our customers . . . outside the Verizon family of companies that are not performing work on Verizon’s behalf without the consent of the person whose information will be shared.” 27. Nowhere in its Privacy Policy does Verizon disclose that it would sell access to customers’ location data to LocationSmart or Zumigo, which, as discussed below, it did. 5 Case 1:19-cv-01298-JKB Document 1 Filed 05/02/19 Page 6 of 13 28. Verizon’s COBC also makes binding commitments to Plaintiff and all Class Members, as Verizon customers, that it will protect their Personal Information and that it will adhere to all of its legal obligations. Those legal obligations include FCA § 222, the CPNI Rules, and other legal obligations that govern protection of confidential and private information. 29. For example, Verizon’s COBC instructs employees not to “access, view, use, modify, share or distribute customer information without a proper business reason.” The COBC goes on to say that “Verizon contractors and vendors must also protect customer information.” Exhibit B, at 25. 30. As alleged below, Verizon flagrantly and repeatedly violated its commitments made to Plaintiff and Class Members in its Privacy Policy and COBC, as well as its legal obligations under the FCA and the CPNI Rules by willingly disclosing Plaintiff and Class Members’ CPNI to unauthorized third-parties. The Unauthorized Disclosure of CPNI 31. On May 8, 2018, Senator Ron Wyden sent a letter (“the Wyden Letter”) to Verizon Chairman and CEO Lowell C. McAdam. The Wyden Letter is attached hereto as Exhibit C. In the Letter, Senator Wyden expressed, in very clear terms, great concern with Verizon’s handling of consumer information. It had come to Senator Wyden’s attention that a company called Securus Technologies, a major provider of correctional-facility telephone services, purchased real-time location information from major wireless carriers, and provided that information, via a self-service web portal, to the government “for nothing more than the legal equivalent of a pinky promise.” 32. In the Wyden Letter, Senator Wyden detailed how Securus confirmed to him that the web portal enabled surveillance of customers of “every major U.S. wireless carrier,” which, in 6 Case 1:19-cv-01298-JKB Document 1 Filed 05/02/19 Page 7 of 13 Senator Wyden’s words, “needlessly exposes millions of Americans to potential abuse and unchecked surveillance by the government.” 33. Senator Wyden also explained how wireless carriers “are prohibited from sharing certain customer information, including location data, unless the carrier either has the customer’s consent or sharing is otherwise required by law.” He ultimately concluded that, “the fact that Securus provide[d] this service at all suggests that Verizon does not sufficiently control access to [its] customers’ private information.” 34. The process by which Securus obtained access to the customers’ information in the first place is part of the problem. It purchased real-time location information on Verizon’s customers “through a third party location aggregator that has a commercial relationship with the major wireless carriers . . . .” 35. Verizon had no active oversight or direction in Securus’ use of Verizon customer location data. 36. In the Wyden Letter, Senator Wyden demanded that Verizon “undertake a comprehensive audit of each third party” with whom Verizon shared its customers’ personal information, and “terminate [its] data-sharing relationships with all third parties that have misrepresented customer consent or abused their access to sensitive customer data.” 37. On June 15, 2018, Verizon sent a reply letter (“the First Verizon Letter”) to Senator Wyden (hereinafter “the Verizon Letter”) (attached hereto as Exhibit D). In the Verizon Letter, after representing that it “takes the privacy and security of customers’ information seriously,” Verizon stated that as soon as it found out that Securus was “accessing location information for unauthorized purposes, [Verizon] immediately blocked Securus’s access to customer location information through [Verizon’s] vendor LocationSmart.” 7 Case 1:19-cv-01298-JKB Document 1 Filed 05/02/19 Page 8 of 13 38. Verizon went on to detail how it shares its customers’ data: it contracted with two location aggregators: LocationSmart and Zumigo. It explained that consent by its customers is the “cornerstone” of its data sharing policy. 39. In the Verizon Letter, Verizon contended that “customer[s] must provide affirmative consent before the location aggregator may access that customer’s location.” Evidently, Securus—and others—were not obtaining such consent or providing such notice. 40. As alleged herein, Verizon was not properly obtaining consent from its customers prior to sharing their location data. 41. As a result of receiving the Wyden Letter, Verizon pledged to end its data sharing relationship with LocationSmart and Zumigo. 42. Almost a year later, on March 13, 2019, Senator Wyden sent another letter to Verizon, and the other telecommunications carriers (hereinafter “the Second Wyden Letter”) (attached hereto as Exhibit E) seeking additional information regarding Verizon’s “repeated sale and improper disclosure of customer location data” to third-parties. In the Second Wyden Letter, Senator Wyden said it was “now abundantly clear that [Verizon has] failed to be [a] good steward[] of [its] customers’ private location information.” 43. The Second Wyden Letter also chastised the telecommunications carriers for their failures to comply with a federal law that requires wireless carriers “to protect Customer Proprietary Network Information (CPNI), which includes location data.” Wyden also noted that wireless carriers are “required to report breaches of CPNI to federal law enforcement agencies.” 44. On March 26, 2019, the FTC issued an order to Verizon, among others, seeking information the agency will use to examine how it collects, retains, uses, and discloses information about consumers and their devices. 8 Case 1:19-cv-01298-JKB Document 1 Filed 05/02/19 Page 9 of 13 V. CLASS ACTION ALLEGATIONS 45. Plaintiff brings this action on behalf of a Class which consists of: All Verizon customers located in any of the United States, including the District of Columbia, between May 3, 2015 and February 15, 2019. Excluded from the Class are those individuals who now are or have ever been executives of the Defendant and the spouses, parents, siblings, and children of all such individuals. 46. The Class, as defined above, is identifiable. Plaintiff is a member of the Class. 47. The Class consists, at a minimum, of one hundred million (100,000,000) individuals and is thus so numerous that joinder of all members is clearly impracticable. 48. There are questions of law and fact which are not only common to the Class but which predominate over any questions affecting only individual Class members. 49. The common and predominating questions include, but are not limited to: a) Whether Verizon violated FCA § 222 by its unauthorized disclosure of Plaintiff and Class Members’ CPNI to third-parties during the class period; and b) Whether Plaintiff and Class Members’ CPNI was accessible to unauthorized third-parties during the class period. 50. Claims of Plaintiff are typical of the claims of the respective Class Members and are based on and arise out of similar facts constituting the wrongful conduct of Defendant. 51. Plaintiff will fairly and adequately protect the interests of the Class. 52. Plaintiff is committed to vigorously litigating this matter. 53. Further, Plaintiff has secured counsel experienced in handling consumer class actions and complex consumer litigation. 54. Neither Plaintiff, nor her counsel, have any interests which might cause them not to vigorously pursue this claim. 9 Case 1:19-cv-01298-JKB Document 1 Filed 05/02/19 Page 10 of 13 55. Common questions of law and fact enumerated above predominate over questions affecting only individual members of the Class. 56. A class action is the superior method for fair and efficient adjudication of the controversy. 57. The likelihood that individual members of the Class will prosecute separate actions in court is remote due to the time and expense necessary to conduct such litigation. 58. Counsel for Plaintiff and the Class are experienced in class actions and foresee little difficulty in the management of this case as a class action. VI. CAUSE OF ACTION COUNT ONE (Unauthorized Disclosure of CPNI in Violation of 47 U.S.C. § 222) 59. Plaintiff incorporates by reference all of the allegations herein as if each and every allegation is set forth fully herein. 60. Verizon is a telecommunications common carrier engaged in interstate commerce by wire regulated by the FCA and subject to the requirements, inter alia, of §§ 206 and 222 of the FCA. 61. Under FCA § 206, “[i]n case any common carriers shall do, or cause or permit it to be done, any act, matter, or thing in this chapter prohibited or declared to be unlawful, or shall omit to do any act, matter, or thing in this chapter required to be done, such common carrier shall be liable to the person or persons injured thereby for the full amount of damages sustained in consequence of any such violation of the provisions of this chapter, together with a reasonable counsel or attorney’s fee, to be fixed by the court in every case of recovery, which attorney’s fee shall be taxed and collected as part of the costs in the case.” 10 Case 1:19-cv-01298-JKB Document 1 Filed 05/02/19 Page 11 of 13 62. FCA § 222(a) requires every telecommunications carrier to protect, among other things, its customers’ CPI. 63. FCA § 222(c) further requires every telecommunications carrier to protect, among other things, its customers’ CPNI. 64. The information disclosed by Verizon to third-parties, including but not limited to data aggregators, without Plaintiff or Class Members’ consent was CPI and CPNI under FCA § 222. 65. Verizon failed to protect the confidentiality of Plaintiff and Class Members’ CPI and CPNI, including their wireless telephone numbers, account information, private communications, and location, by divulging that information to third-parties, including but not limited to data aggregators. 66. Through its negligent and deliberate acts, including inexplicable failures to follow its own Privacy Policy, Verizon permitted access to Plaintiff and Class Members’ CPI and CPNI. 67. Verizon profited from the sale and unauthorized dissemination of Plaintiff and Class Members’ CPI and CPNI. 68. As a direct consequence of Verizon’s violations of the FCA, Plaintiff and Class Members have been damaged, in an amount to be proven at trial. 69. As a direct consequence of Verizon’s violations of the FCA, Verizon were unjustly enriched in an amount to be proven at trial. 70. Plaintiff and Class Members are also entitled to attorney’s fees under the FCA. 11 Case 1:19-cv-01298-JKB Document 1 Filed 05/02/19 Page 12 of 13 VII. PRAYER FOR RELIEF WHEREFORE, Plaintiff respectfully prays that this Court: A. Assume jurisdiction of this case; B. Enter an order certifying the Class under FED. R. CIV. P. 23(b)(3); C. Award damages in accordance with FCA § 206; and D. Award reasonable attorney’s fees in accordance with FCA § 206. Respectfully submitted, Z LAW, LLC Dated: May 2, 2019 ________/s/ 28191_______________ Cory L. Zajdel (Fed. Bar #28191) Jeffrey C. Toppe (Fed. Bar #20804) David M. Trojanowski (Fed. Bar #19808) 2345 York Road, Ste. B-13 Timonium, MD 21093 (443) 213-1977 clz@zlawmaryland.com jct@zlawmaryland.com dmt@zlawmaryland.com Attorneys for Plaintiff 12 Case 1:19-cv-01298-JKB Document 1 Filed 05/02/19 Page 13 of 13 DEMAND FOR JURY TRIAL Plaintiff requests a jury trial for any and all Count for which a trial by jury is permitted by law. ________/s/ 28191_______________ Cory L. Zajdel, Esquire 13

Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.


Why Is My Information Online?