Jane Doe V Avid Life Media (Dba Ashley Madison)
Plaintiffs,
vs.
AVID LIFE MEDIA, INC.
a corporation,
Defendant.
Case Number:
JURY TRIAL DEMANDED
Plaintiffs bring this class action as a result of a breach of the security system of
Defendant AVID LIFE MEDIA INC. (ALM) governing electronic transactions, resulting in
compromised security of Plaintiffs' and Class Members' personal financial information. Upon
information and belief such personal information included, but upon information and belief was
not limited to, the putative Class Members' (hereafter Class Members) names, addresses,
credit or debit card number, the card's expiration date, and/or the card's CVV (a three-digit
security code) (Personal Information).
2.
On or about July 15 of this year, and at times prior, ALM's databases were
compromised, with the result that Personal Information of Plaintiff and Class Members Personal
Information was used or is at risk of use in fraudulent transactions around the world, as well as
other invidious exposure. Upon information and belief, Defendant maintains or maintained
Upon information and belief, the security breach and theft of Personal
Information was caused by Defendant's violations of its obligations to abide by the best practices
and industry standards concerning the security of its payment processing systems and the
computers associated therewith as set forth, for example, in Payment Card Industry Security
Standards Council Data Security Standards (PCI DSS) and the decisions of the Federal Trade
Commission (FTC) concerning protection of consumer financial information.
4.
After learning of the security breach, Defendant failed to notify Plaintiff and the
putative Classes in a timely manner and failed to take other reasonable steps to inform them of
the nature and extent of the breach. As a result, Defendant prevented Plaintiffs and the putative
Class Members from protecting themselves from the breach and caused Plaintiffs and Class
Members to suffer financial loss.
5.
Plaintiff, on behalf of herself and all others similarly situated, asserts the
following claims: Violations of the Stored Communications Act (SCA), 18 U.S.C. 2702;
negligence; breach of implied contract; violations of the Missouri Merchandising Practices Act
(MMPA), Mo. Rev. Stat. 407.020, and the substantially similar statutes of the other states in
which Defendant conducts business.
JURISDICTION AND VENUE
6.
This Court has subject matter jurisdiction pursuant to 28 U.S.C. 1331, which
confers upon the Court original jurisdiction over all civil actions arising under the laws of the
United States, and pursuant to 18 U.S.C. 2707. This Court has supplemental jurisdiction over
Plaintiffs' and Class Members' state law claims under 28 U.S.C. 1367.
7.
1332(d)(2)(A) because this case is a class action where the aggregate claims of all Members of
the putative Classes are in excess of $5,000,000.00, exclusive of interest and costs, and many of
the Members of the putative Classes are citizens of different states than Defendant. This Court
has subject matter jurisdiction pursuant to 28 U.S.C. 1332(d).
8.
Defendant transacts business within this judicial district. Likewise, a substantial part of the
events giving rise to the claim occurred within this judicial district.
PARTIES
9.
Heights, Missouri and is a citizen of Missouri. Jane Doe provided her Personal Information to
Defendant in order to effectuate a paid-delete of any of her personal information in
Defendant's possession, including her Personal Information, as promised by Defendant. On
information and belief Doe's Personal Information was compromised as a result of Defendant's
security failures. As a result of such compromise, Doe suffered losses and damages in an
amount yet to be completely determinable as such losses and damages are ongoing.
10.
law with its headquarters and principal place of business in Toronto, Canada.
FACTUAL BACKGROUND
11.
12.
Upon information and belief, Defendant's data breach has impacted hundreds of
processes, stores, or utilizes information regarding ALM transactions, with account numbers,
expiration dates, card holder names and/or other information, on information and belief.
14.
Defendant broke such promise to Plaintiff and the Class Members, who also
sought a paid-delete.
16.
Upon information and belief, the Defendant accepts customer payments for
services through credit and debit cards issued by members of the payment card industry (PCI)
such as Visa or MasterCard.
17.
In 2006, the PCI members established a Security Standards Council (PCI SSC)
as a forum to develop PCI Data Security Standards (PCI DSS) for increased security of
payment processing systems.
18.
The PCI DSS provides, "If you are a merchant that accepts payment cards, you
are required to be compliant with the PCI Data Security Standard." Defendant, of course, is a
merchant that accepts payment cards.
19.
a.
processes for payment card processing, and analyze them for vulnerabilities that could expose
cardholder data.
b.
c.
needed.
applicable) and submit compliance reports to the acquiring bank and card brands with which a
merchant does business.
20.
Additionally, since 1995, the FTC has been studying the manner in which online
entities collect and use personal information and safeguards to assure that online data collection
practice is fair and provides adequate information privacy protection. The result of this study is
the FTC Fair Information Practice Principles. The core principles are:
a.
information practices before any personal information is collected from them. This requires that
companies explicitly notify of some or all of the following:
b.
sense means giving consumers options to control how their data is used with respect to
secondary uses of information beyond the immediate needs of the information collector to
complete the consumer's transaction.
c.
Principles includes not only a consumer's ability to view the data collected, but also to verify and
contest its accuracy. This access must be inexpensive and timely in order to be useful to the
consumer.
d.
referencing it with only reputable databases and by providing access for the consumer to verify
it. Information collectors should keep their data secure by protecting against both internal and
external security threats. They should limit access within their company to only necessary
employees to protect against internal threats, and they should use encryption and other computer-based security systems to stop outside threats.
e.
Information Practice Principles, there must be enforcement measures. The FTC identifies three
types of enforcement measures: self-regulation by the information collectors or an appointed
regulatory body; private remedies that give civil causes of action for individuals whose
information has been misused to sue violators; and government enforcement, which can include
civil and criminal penalties levied by the government.
21.
systems for vulnerabilities that could expose cardholder data. Defendant further failed to fix the
vulnerabilities in its computer systems which allowed Plaintiffs' and Class Members' Personal
Information to become compromised.
22.
financial data for marketing purposes beyond the needs of specific transactions, in order to
accrue financial benefit at the risk and likelihood of compromising consumers' Personal
Information.
23.
consumers' credit cards and debit cards, including credit cards and debit cards of Plaintiff and
Class Members, to become compromised for a period prior to July 15 of this year.
24.
Plaintiff and Class Members are subject to continuing damage from having their
25.
Plaintiff brings this action on her own behalf and, pursuant to Rule 23 of the
Federal Rules of Civil Procedure, on behalf of the following three (3) multi-state classes:
All persons in the United States who paid Defendant for paid-delete services
which were improperly performed.
All persons in the United States whose Personal Information was subject to Defendant's
security failures and who suffered damages in the amount of fraudulent charges /
The Members of the Classes are so numerous that joinder of all Members is
The rights of each member of the proposed Classes were violated in a similar
The following questions of law and fact are common to each proposed Class
Member and predominate over questions that may affect individual Class Members:
a.
reasonable methods to secure and safeguard its customers' private financial information;
b.
was unreasonable;
e.
breach and its description of the breach and potential exposure to damages as a result of the same
was unreasonable;
f.
18 U.S.C. 2702;
g.
h.
Practices Act, Mo. Rev. Stat. 407.020, and the substantively similar statutes of the other states
where Defendant conducts business; and
i.
compensation, monetary damages, equitable relief and injunctive relief, and, if so, the nature and
amount of such relief.
29.
Plaintiffs' claims are typical of the claim of absent Class Members. If brought
individually, the claim of each Class Member would necessarily require proof of the same
material and substantive facts, and seek the same remedies.
30.
The Plaintiffs are willing and prepared to serve the Court and the proposed
Classes in a representative capacity. The Plaintiffs will fairly and adequately protect the interest
of the Classes and have no interests adverse to, or which directly and irrevocably conflict with,
the interests of other Members of the Classes.
proposed Classes, thereby making appropriate equitable relief with respect to the Classes.
32.
A class action is superior to other available methods for the fair and efficient
adjudication of this controversy because individual claims by the Class Members are impractical,
as the costs of prosecution may exceed what any Class Member has at stake.
33.
inconsistent or varying adjudications that would establish incomparable standards of conduct for
Defendant. Moreover, adjudications with respect to individual Class Members would, as a
practical matter, be dispositive of the interests of other Class Members.
CAUSES OF ACTION
COUNT I VIOLATION OF THE FEDERAL STORED
COMMUNICATIONS ACT, 18 U.S.C. 2702
35.
consumers with redress if a company mishandles their electronically stored information. The
SCA was designed, in relevant part, to protect individuals' privacy interests in personal and
proprietary information. S. Rep. No. 99-541, at 3 (1986), reprinted in 1986 U.S.C.C.A.N. 3555
at 3557.
37.
electronic communication service to the public shall not knowingly divulge to any person or
entity the contents of a communication while in electronic storage by that service. 18 U.S.C.
2702(a)(1).
38.
provides to users thereof the ability to send or receive wire or electronic communications. Id. at
2510(15).
39.
communication service to the public within the meaning of the SCA because it provides
consumers at large with credit and debit card payment processing capability that enables them to
send or receive wire or electronic communications concerning their private financial information
to transaction managers, card companies, or banks.
40.
financial information, even after Defendant was aware that customers' Personal Information had
been compromised, Defendant has knowingly divulged customers' private financial information
that was communicated to financial institutions solely for customers' payment verification
purposes, while in electronic storage in Defendant's payment system.
41.
remote computing service to the public shall not knowingly divulge to any person or entity the
contents of any communication which is carried or maintained on that service on behalf of, and
received by means of electronic transmission from (or created by means of computer processing
The SCA defines remote computing service as the provision to the public of
computer processing services for consumer credit and debit card payments, which are used by
customers and carried out by means of an electronic communications system, namely the use of
wire, electromagnetic, photooptical or photoelectric facilities for the transmission of wire or
electronic communications received from, and on behalf of, the customer concerning customer
private financial information.
45.
2702(a)(1) and (2)(A), Plaintiff and putative Class Members have suffered injuries, including
lost money and the costs associated with the need for vigilant credit monitoring to protect against
additional identity theft. Plaintiff, on her own behalf and on behalf of the putative Classes, seek
an order awarding themselves and the Classes the maximum statutory damages available under
18 U.S.C. 2707 in addition to the cost for 3 years of credit monitoring services.
WHEREFORE Plaintiff and Class Members pray for Judgment in their favor and against
Defendant on this Count I of their Complaint; for actual and compensatory damages; for punitive
or exemplary damages;
for injunctive relief; for costs, expenses and attorney fees as allowed by law; and for such other
and further relief as this Court deems just and proper.
COUNT II NEGLIGENCE
47.
Information, i.e., private, non-public, sensitive financial information, Defendant had (and
continues to have) a duty to exercise reasonable care in safeguarding and protecting the
information from being compromised and/or stolen.
49.
Defendant also had a duty to timely disclose to Plaintiff and Class Members that a
breach of security had occurred and their Personal Information pertaining to their credit cards
and/or debit cards had been compromised, or was reasonably believed to be compromised.
50.
Defendant also had a duty to put into place internal policies and procedures
designed to detect and prevent the theft or dissemination of Plaintiffs' and Class Members'
Personal Information.
51.
Defendant, by and through its above negligent acts and/or omissions, breached its
duty to Plaintiff and Class Members by failing to exercise reasonable care in protecting and
safeguarding their Personal Information which was in Defendant's possession, custody, and
control.
52.
Defendant, by and through its above negligent acts and/or omissions, further
breached its duty to Plaintiffs and Class Members by failing to put into place internal policies
and procedures designed to detect and prevent the unauthorized dissemination of Plaintiff's and
Class Members' Personal Information.
53.
Defendant, by and through its above negligent acts and/or omissions, breached its
duty to timely disclose the fact that Plaintiff's and Class Members' Personal Information had been
or was reasonably believed to have been compromised.
54.
Defendant's negligent and wrongful breach of its duties owed to Plaintiff and
Class Members, their Personal Information would not have been compromised.
55.
stolen as a direct and proximate result of Defendant's breach of its duties as set forth herein.
56.
Plaintiff and Class Members have suffered actual damages including, but not
limited to, having their personal information compromised, incurring time and expenses in
cancelling their debit and/or credit cards, activating new cards and re-establishing automatic
payment authorizations from their new cards, and other economic and non-economic damages,
including irrecoverable losses due to unauthorized charges on their credit/debit cards.
WHEREFORE Plaintiff and Class Members pray for Judgment in their favor and against
Defendant on this Count II of their Complaint; for actual and compensatory damages; for
punitive or exemplary damages; for injunctive relief; for costs, expenses and attorney fees as allowed by law; and for
such other and further relief as this Court deems just and proper.
Plaintiffs and Class Members were required to provide Defendant with their
Personal Information in order to facilitate their credit card and/or debit card transactions.
59.
reasonable efforts to safeguard this information and promptly notify Plaintiffs and Class
Members in the event their information was compromised.
60.
Similarly, it was implicit that Defendant would not disclose Plaintiffs and Class
contracts with Plaintiffs and Class Members, which in turn directly and/or proximately caused
Plaintiffs and Class Members to suffer substantial injuries.
WHEREFORE Plaintiff and Class Members pray for Judgment in their favor and against
Defendant on this Count III of their Complaint; for actual and compensatory damages; for
punitive or exemplary damages; for injunctive relief; for costs, expenses and attorney fees as allowed by law; and for
such other and further relief as this Court deems just and proper.
Defendant violated the Missouri Merchandising Practices Act, Mo. Rev. Stat.
407.020, and the substantially similar statutes of the other states in which it conducts business by
failing to properly implement adequate, commercially reasonable security measures to protect
customers' private financial information, and by failing to immediately notify affected customers
of the nature and extent of the security breach.
65.
the company's security measures to protect customers' private financial information and the
extent of the breach of those security measures were intended to deceive and induce Plaintiffs
and the putative Class Members' reliance on Defendant's misrepresentations that their financial
information was secure and protected when using debit and credit cards to shop at Defendant
stores.
66.
Plaintiffs and the other putative Class Members, if they had known the truth, would not have
risked compromising their private financial information by using their debit or credit cards at
Defendant stores. Plaintiffs and the other putative Class Members would consider the omitted
and misrepresented material facts important in making their purchasing decisions.
68.
the other putative Class Members because Plaintiffs and Class Members would not have chosen
to expose their private financial information to a security breach and subsequent exploitation by
the defrauders.
69.
requiring Defendant to pay: monetary and punitive damages for the conduct described herein;
three years of credit card fraud monitoring services for Plaintiffs and Members of the putative
Classes; and the reasonable attorneys' fees and costs of suit of Plaintiffs and Class Members;
together with all such other and further relief as may be just.
WHEREFORE Plaintiff and Class Members pray for Judgment in their favor and against
Defendant on this Count IV of their Complaint; for actual and compensatory damages; for
punitive or exemplary damages; for injunctive relief; for costs, expenses and attorney fees as allowed by law; and for
such other and further relief as this Court deems just and proper.
COUNT V BREACH OF CONTRACT
70.
Defendant promised Plaintiff and the Class Members, for a fee of approximately
On information and belief, Defendant broke such promise, and did not delete
73.
Plaintiffs have been damaged thereby in the amount paid to the Defendant to
Certify the matter as a class action pursuant to the provisions of Rule 23 of the
Federal Rules of Civil Procedure and order that notice be provided to all Class Members;
B.
as Class Counsel;
C.
E.
Award Plaintiffs and the Classes appropriate injunctive and/or declaratory relief;
F.
Award Plaintiffs and the Classes their costs, prejudgment interest, and attorney
fees; and
G.
Respectfully submitted,
THE DRISCOLL FIRM, P.C.
By:
___/s/John J. Driscoll___________
John J. Driscoll, #6276464
211 N. Broadway, 40th Floor
St. Louis, Missouri 63102
314-932-3232 telephone
314-932-3233 facsimile