Professional Documents
Culture Documents
13
555 12TH STREET, SUITE 1725
ATTORNEYS AT LAW
OAKLAND, CA 94607
TEL: (510) 891-9800
13 the harms it caused and will continue to cause Representative Plaintiff and, at least, 69 million
555 12TH STREET, SUITE 1725
ATTORNEYS AT LAW
OAKLAND, CA 94607
TEL: (510) 891-9800
14 other similarly situated persons in the massive and preventable cyberattack purportedly occurring
15 from January 3, 2021 to July 19, 20222, by which cybercriminals infiltrated Defendant’s
16 inadequately protected network servers and accessed highly sensitive PII belonging to both adults
17 and children, which was being kept unprotected (the “Data Breach”).
18 3. Defendant acquired, collected and stored Representative Plaintiff’s and Class
19 Members’ PII. Therefore, at all relevant times, Defendant knew, or should have known, that
20 Representative Plaintiff and Class Members would use Defendant’s system to store and/or share
21 sensitive data, including highly confidential PII. Defendant notified Representative Plaintiff of
22 the Data Breach via a letter on or around August 29, 2022.
23
24 1
Personally identifiable information (“PII”) generally incorporates information that can be
25 used to distinguish or trace an individual’s identity, either alone or when combined with other
personal or identifying information. 2 C.F.R. § 200.79. At a minimum, it includes all information
26 that on its face expressly identifies an individual. PII also is generally defined to include certain
identifiers that do not on their face name an individual, but that are considered to be particularly
27 sensitive and/or valuable if in the wrong hands (for example, Social Security numbers, passport
numbers, driver’s license numbers, financial account numbers).
2
28 https://www.bleepingcomputer.com/news/security/neopets-says-hackers-had-access-to-its-
systems-for-18-months/ (last accessed January 5, 2023).
-2-
COMPLAINT FOR DAMAGES,
INJUNCTIVE AND EQUITABLE RELIEF
Case 2:23-cv-00089-SPG-SK Document 1 Filed 01/06/23 Page 3 of 26 Page ID #:3
13 Class Members was compromised through disclosure to an unknown and unauthorized third
555 12TH STREET, SUITE 1725
ATTORNEYS AT LAW
OAKLAND, CA 94607
TEL: (510) 891-9800
14 party—an undoubtedly nefarious third party that seeks to profit off this disclosure by defrauding
15 Representative Plaintiff and Class Members in the future. Representative Plaintiff and Class
16 Members have a continuing interest in ensuring that their information is and remains safe, and they
17 are entitled to injunctive and other equitable relief.
18
19 JURISDICTION AND VENUE
20 6. Jurisdiction is proper in this Court under 28 U.S.C. §1332 (diversity jurisdiction).
21 Specifically, this Court has subject matter jurisdiction over this action under 28 U.S.C. § 1332(d)
22 because this is a class action where the amount in controversy exceeds the sum or value of $5
23 million, exclusive of interest and costs, there are more than 100 members in the proposed class,
24 and at least one other Class Member is a citizen of a state different from Defendant.
25 7. Supplemental jurisdiction to adjudicate issues pertaining to state law is proper in
26 this Court under 28 U.S.C. §1367.
27 8. Defendant is headquartered in and routinely conducts business in the State where
28 this district is located, has sufficient minimum contacts in this State, and has intentionally availed
-3-
COMPLAINT FOR DAMAGES,
INJUNCTIVE AND EQUITABLE RELIEF
Case 2:23-cv-00089-SPG-SK Document 1 Filed 01/06/23 Page 4 of 26 Page ID #:4
1 itself of this jurisdiction by marketing and selling products and services, and by accepting and
2 processing payments for those products and/or services within this State.
3 9. Venue is proper in this Court under 28 U.S.C. § 1391 because a substantial part of
4 the events that gave rise to Representative Plaintiff’s claims took place within this District, and
5 Defendant is headquartered in this Judicial District.
6
7 PLAINTIFF
8 10. Representative Plaintiff is an adult individual and, at all relevant times herein, a
9 resident and citizen of Florida. Representative Plaintiff is a victim of the Data Breach.
10 11. Defendant received highly sensitive personal, medical, and financial information
11 from Representative Plaintiff in connection with Defendant’s Neopets game. As a result,
12 Representative Plaintiff’s information was among the data accessed by an unauthorized third-party
COLE & VAN NOTE
OAKLAND, CA 94607
TEL: (510) 891-9800
1 monitoring accounts and seeking legal counsel regarding her options for remedying and/or
2 mitigating the effects of the Data Breach. This time has been lost forever and cannot be recaptured.
3 18. Representative Plaintiff suffered actual injury in the form of damages to and
4 diminution in the value of her PII—a form of intangible property that she entrusted to Defendant,
5 which was compromised in and as a result of the Data Breach.
6 19. Representative Plaintiff suffered lost time, annoyance, interference, and
7 inconvenience as a result of the Data Breach and has anxiety and increased concerns for the loss
8 of privacy, as well as anxiety over the impact of cybercriminals accessing, using, and selling her
9 PII and/or financial information.
10 20. Representative Plaintiff has suffered imminent and impending injury arising from
11 the substantially increased risk of fraud, identity theft, and misuse resulting from her PII, in
12 combination with her name, being placed in the hands of unauthorized third parties/criminals.
COLE & VAN NOTE
13 21. Representative Plaintiff has a continuing interest in ensuring that her PII, which,
555 12TH STREET, SUITE 1725
ATTORNEYS AT LAW
OAKLAND, CA 94607
TEL: (510) 891-9800
14 upon information and belief, remains backed up in Defendant’s possession, is protected and
15 safeguarded from future breaches.
16
17 DEFENDANT
18 22. Defendant is a Delaware corporation with a principal place of business located at
19 830 S. Pacific Coast Highway, Suite 208 El Segundo, California 90245.
20 23. Defendant produces and sells children’s games that “are uniquely designed by early
21 education experts to help your child to learn, grow, and have fun.” 3 Among the games it produces
22 is Neopets, a “Virtual Pet Game” in which users care for digital pets by feeding them, caring for
23 them when they are ill, etc. 4 Originally launched in 1999, over 150 million individuals have played
24 Neopets. 5
25 3
https://www.jumpstart.com/?c=np (last accessed, January 5, 2023).
4
26 https://www.jumpstart.com/neopets/ (last accessed January 5, 2023).
5
https://www.prnewswire.com/news-releases/a-reimagined-neopian-world-to-explore-
27 announhttps://www.prnewswire.com/news-releases/a-reimagined-neopian-world-to-explore-
announcing-the-neopets-metaverse-alpha-release-
28 301612426.html#:~:text=Since%20its%20inception%2C%20Neopets.com,players%20over%202
2%20plus%20years.cing-the-neopets-metaverse-alpha-release-
-5-
COMPLAINT FOR DAMAGES,
INJUNCTIVE AND EQUITABLE RELIEF
Case 2:23-cv-00089-SPG-SK Document 1 Filed 01/06/23 Page 6 of 26 Page ID #:6
1 24. The true names and capacities of persons or entities, whether individual, corporate,
2 associate, or otherwise, who may be responsible for some of the claims alleged here are currently
3 unknown to Representative Plaintiff. Representative Plaintiff will seek leave of court to amend
4 this Complaint to reflect the true names and capacities of such responsible parties when their
5 identities become known.
6
7 CLASS ACTION ALLEGATIONS
8 25. Representative Plaintiff brings this action pursuant to the provisions of Rules 23(a),
9 (b)(2), and (b)(3) of the Federal Rules of Civil Procedure, on behalf of herself and the following
10 classes/subclass(es) (collectively, the “Class”):
11
Nationwide Class:
12 “All individuals within the United States of America whose PII and/or
financial information was exposed to unauthorized third parties as a result
COLE & VAN NOTE
13
555 12TH STREET, SUITE 1725
OAKLAND, CA 94607
TEL: (510) 891-9800
14 Florida Subclass:
“All individuals within the State of Florida whose PII was stored by
15 Defendant and/or was exposed to unauthorized third parties as a result of
the data breach discovered by Defendant on July 20, 2022.”
16
17 26. Excluded from the Classes are the following individuals and/or entities: Defendant
18 and Defendant’s parents, subsidiaries, affiliates, officers and directors, and any entity in which
19 Defendant has a controlling interest; all individuals who make a timely election to be excluded
20 from this proceeding using the correct protocol for opting out; any and all federal, state or local
21 governments, including but not limited to any departments, agencies, divisions, bureaus, boards,
22 sections, groups, counsels and/or subdivisions; and all judges assigned to hear any aspect of this
23 litigation, as well as their immediate family members.
24 27. Also, in the alternative, Representative Plaintiff requests additional Subclasses as
25 necessary based on the types of PII that were compromised.
26
27
28 301612426.html#:~:text=Since%20its%20inception%2C%20Neopets.com,players%20over%202
2%20plus%20years. (last accessed January 5, 2023).
-6-
COMPLAINT FOR DAMAGES,
INJUNCTIVE AND EQUITABLE RELIEF
Case 2:23-cv-00089-SPG-SK Document 1 Filed 01/06/23 Page 7 of 26 Page ID #:7
1 28. Representative Plaintiff reserves the right to amend the above definitions or to
2 propose subclasses in subsequent pleadings and motions for class certification.
3 29. This action has been brought and may properly be maintained as a class action
4 under Federal Rule of Civil Procedure Rule 23 because there is a well-defined community of
5 interest in the litigation and membership in the proposed classes is easily ascertainable.
6 a. Numerosity: A class action is the only available method for the fair and
efficient adjudication of this controversy. The members of the Plaintiff
7 Classes are so numerous that joinder of all members is impractical, if not
impossible. Representative Plaintiff is informed and believes and, on that
8 basis, alleges that the total number of Class Members is in the hundreds of
thousands of individuals. Membership in the classes will be determined by
9 analysis of Defendant’s records.
10 b. Commonality: Representative Plaintiff and the Class Members share a
community of interests in that there are numerous common questions and
11 issues of fact and law which predominate over any questions and issues
solely affecting individual members, including, but not necessarily limited
12 to:
COLE & VAN NOTE
13
555 12TH STREET, SUITE 1725
OAKLAND, CA 94607
14
e. Superiority of Class Action: Since the damages suffered by individual Class
15 Members, while not inconsequential, may be relatively small, the expense
and burden of individual litigation by each member makes or may make it
16 impractical for members of the Plaintiff Classes to seek redress individually
for the wrongful conduct alleged herein. Should separate actions be brought
17 or be required to be brought, by each individual member of the Plaintiff
Classes, the resulting multiplicity of lawsuits would cause undue hardship
18 and expense for the Court and the litigants. The prosecution of separate
actions would also create a risk of inconsistent rulings which might be
19 dispositive of the interests of the Class Members who are not parties to the
adjudications and/or may substantially impede their ability to adequately
20 protect their interests.
21
22 30. This class action is also appropriate for certification because Defendant has acted
23 or refused to act on grounds generally applicable to Class Members, thereby requiring the Court’s
24 imposition of uniform relief to ensure compatible standards of conduct toward the Class Members
25 and making final injunctive relief appropriate with respect to the Class in its entirety. Defendant’s
26 policies and practices challenged herein apply to and affect Class Members uniformly and
27 Representative Plaintiff’s challenge of these policies and practices hinges on Defendant’s conduct
28
-8-
COMPLAINT FOR DAMAGES,
INJUNCTIVE AND EQUITABLE RELIEF
Case 2:23-cv-00089-SPG-SK Document 1 Filed 01/06/23 Page 9 of 26 Page ID #:9
1 with respect to the Class in its entirety, not on facts or law applicable only to Representative
2 Plaintiff.
3 31. Unless a Class-wide injunction is issued, Defendant may continue in its failure to
4 properly secure the PII and/or financial information of Class Members, and Defendant may
5 continue to act unlawfully as set forth in this Complaint.
6 32. Further, Defendant has acted or refused to act on grounds generally applicable to
7 the Classes and, accordingly, final injunctive or corresponding declaratory relief with regard to the
8 Class Members as a whole is appropriate under Rule 23(b)(2) of the Federal Rules of Civil
9 Procedure.
10
11 COMMON FACTUAL ALLEGATIONS
12 The Cyberattack
COLE & VAN NOTE
13 33. In the course of the Data Breach, one or more unauthorized third parties accessed
555 12TH STREET, SUITE 1725
ATTORNEYS AT LAW
OAKLAND, CA 94607
TEL: (510) 891-9800
14 Class Members’ sensitive data including, but not limited to, names, email addresses, usernames,
15 dates of birth, genders, IP addresses, Neopets PINs, hashed passwords, data about a player’s pet,
16 game play, and other information provided to Neopets. Representative Plaintiff was among the
17 individuals whose data was accessed in the Data Breach.
18 34. Representative Plaintiff was provided the information detailed above upon her
19 receipt of a letter from Defendant, dated on or about August 29, 2022. Representative Plaintiff was
20 not aware of the Data Breach—or even that Defendant was still in possession of her data until
21 receiving that letter.
22
23 Defendant’s Failed Response to the Breach
24 35. Upon information and belief, the unauthorized third-party cybercriminals gained
25 access to Representative Plaintiff’s and Class Members’ PII with the intent of engaging in misuse
26 of the PII, including marketing and selling Representative Plaintiff’s and Class Members’ PII.
27 36. The Notice included, inter alia, the claims that Defendant had learned of the Data
28 Breach on July 20, 2022, and had taken steps to respond.
-9-
COMPLAINT FOR DAMAGES,
INJUNCTIVE AND EQUITABLE RELIEF
Case 2:23-cv-00089-SPG-SK Document 1 Filed 01/06/23 Page 10 of 26 Page ID #:10
1 37. Upon information and belief, the unauthorized third-party cybercriminals gained
2 access to Representative Plaintiff’s and Class Members’ PII with the intent of engaging in misuse
3 of the PII, including marketing and selling Representative Plaintiff’s and Class Members’ PII.
4 38. Defendant had and continues to have obligations created by applicable federal and
5 state law as set forth herein, reasonable industry standards, common law, and its own assurances
6 and representations to keep Representative Plaintiff’s and Class Members’ PII confidential and to
7 protect such PII from unauthorized access.
8 39. Representative Plaintiff and Class Members were required to provide their PII to
9 Defendant in order to play Neopets. Defendant created, collected, and stored Representative
10 Plaintiff’s and Class Members’ PII with the reasonable expectation and mutual understanding that
11 Defendant would comply with its obligations to keep such information confidential and secure
12 from unauthorized access.
COLE & VAN NOTE
13 40. Despite this, Representative Plaintiff and the Class Members remain, even today,
555 12TH STREET, SUITE 1725
ATTORNEYS AT LAW
OAKLAND, CA 94607
TEL: (510) 891-9800
14 in the dark regarding what particular data was stolen, the particular malware used, and what steps
15 are being taken, if any, to secure their PII going forward. Representative Plaintiff and Class
16 Members are, thus, left to speculate as to where their PII ended up, who has used it and for what
17 potentially nefarious purposes. Indeed, they are left to further speculate as to the full impact of the
18 Data Breach and how exactly Defendant intends to enhance its information security systems and
19 monitoring capabilities so as to prevent further breaches.
20 41. Representative Plaintiff’s and Class Members’ PII may end up for sale on the dark
21 web, or simply fall into the hands of companies that will use the detailed PII for targeted marketing
22 without the approval of Representative Plaintiff and/or Class Members. Either way, unauthorized
23 individuals can now easily access the PII and/or financial information of Representative Plaintiff
24 and Class Members.
25
26 Defendant Collected/Stored Class Members’ PII
27 42. Defendant acquired, collected, and stored and assured reasonable security over
28 Representative Plaintiff’s and Class Members’ PII.
-10-
COMPLAINT FOR DAMAGES,
INJUNCTIVE AND EQUITABLE RELIEF
Case 2:23-cv-00089-SPG-SK Document 1 Filed 01/06/23 Page 11 of 26 Page ID #:11
1 43. As a condition of its relationships with Representative Plaintiff and Class Members,
2 Defendant required that Representative Plaintiff and Class Members entrust Defendant with highly
3 sensitive and confidential PII. Defendant, in turn, stored that information on Defendant’s system
4 that was ultimately affected by the Data Breach.
5 44. By obtaining, collecting, and storing Representative Plaintiff’s and Class Members’
6 PII, Defendant assumed legal and equitable duties and knew, or should have known, that they were
7 thereafter responsible for protecting Representative Plaintiff’s and Class Members’ PII from
8 unauthorized disclosure.
9 45. Representative Plaintiff and Class Members have taken reasonable steps to
10 maintain the confidentiality of their PII. Representative Plaintiff and Class Members relied on
11 Defendant to keep their PII confidential and securely maintained, to use this information for
12 business purposes only, and to make only authorized disclosures of this information.
COLE & VAN NOTE
13 46. Defendant could have prevented the Data Breach, which began as early as January
555 12TH STREET, SUITE 1725
ATTORNEYS AT LAW
OAKLAND, CA 94607
TEL: (510) 891-9800
14 3, 2021, by properly securing and encrypting and/or more securely encrypting its servers generally,
15 as well as Representative Plaintiff’s and Class Members’ PII.
16 47. Defendant’s negligence in safeguarding Representative Plaintiff’s and Class
17 Members’ PII is exacerbated by repeated warnings and alerts directed to protecting and securing
18 sensitive data, as evidenced by the trending data breach attacks in recent years.
19 48. Due to the high-profile nature of recent breaches of this kind, Defendant was and/or
20 certainly should have been on notice and aware of such attacks occurring and, therefore, should
21 have assumed and adequately performed the duty of preparing for such an imminent attack. This
22 is especially true given that Defendant is a large, sophisticated operation with the resources to put
23 adequate data security protocols in place.
24 49. Yet, despite the prevalence of public announcements of data breach and data
25 security compromises, Defendant failed to take appropriate steps to protect Representative
26 Plaintiff’s and Class Members’ PII from being compromised.
27
28
-11-
COMPLAINT FOR DAMAGES,
INJUNCTIVE AND EQUITABLE RELIEF
Case 2:23-cv-00089-SPG-SK Document 1 Filed 01/06/23 Page 12 of 26 Page ID #:12
13 is an “unfair practice” in violation of the FTC Act. See, e.g., FTC v. Wyndham Worldwide Corp.,
555 12TH STREET, SUITE 1725
ATTORNEYS AT LAW
OAKLAND, CA 94607
TEL: (510) 891-9800
1 including not sharing information with other entities who maintained sub-standard data security
2 systems.
3 55. Defendant owed a duty to Representative Plaintiff and Class Members to
4 implement processes that would immediately detect a breach on its data security systems in a
5 timely manner.
6 56. Defendant owed a duty to Representative Plaintiff and Class Members to act upon
7 data security warnings and alerts in a timely fashion.
8 57. Defendant owed a duty to Representative Plaintiff and Class Members to disclose
9 if its computer systems and data security practices were inadequate to safeguard individuals’ PII
10 and/or financial information from theft because such an inadequacy would be a material fact in the
11 decision to entrust this PII and/or financial information to Defendant.
12 58. Defendant owed a duty of care to Representative Plaintiff and Class Members
COLE & VAN NOTE
13 because they were foreseeable and probable victims of any inadequate data security practices.
555 12TH STREET, SUITE 1725
ATTORNEYS AT LAW
OAKLAND, CA 94607
TEL: (510) 891-9800
14 59. Defendant owed a duty to Representative Plaintiff and Class Members to encrypt
15 and/or more reliably encrypt Representative Plaintiff’s and Class Members’ PII and monitor user
16 behavior and activity in order to identify possible threats.
17
18 Value of the Relevant Sensitive Information
19 60. The high value of PII to criminals is further evidenced by the prices they will pay
20 through the dark web. Numerous sources cite dark web pricing for stolen identity credentials. For
21 example, personal information can be sold at a price ranging from $40 to $200, and bank details
22 have a price range of $50 to $200. 6 Experian reports that a stolen credit or debit card number can
23
24
25
26
27 6
Your personal data is for sale on the dark web. Here’s how much it costs, Digital Trends, Oct.
28 16, 2019, available at: https://www.digitaltrends.com/computing/personal-data-sold-on-the-
dark-web-how-much-it-costs/ (last accessed July 28, 2021).
-13-
COMPLAINT FOR DAMAGES,
INJUNCTIVE AND EQUITABLE RELIEF
Case 2:23-cv-00089-SPG-SK Document 1 Filed 01/06/23 Page 14 of 26 Page ID #:14
1 sell for $5 to $110 on the dark web. 7 Criminals can also purchase access to entire company data
2 breaches from $999 to $4,995. 8
3 61. These criminal activities have and will result in devastating financial and personal
4 losses to Representative Plaintiff and Class Members. For example, it is believed that certain PII
5 compromised in the 2017 Experian data breach was being used, three years later, by identity
6 thieves to apply for COVID-19-related benefits in the state of Oklahoma. Such fraud will be an
7 omnipresent threat for Representative Plaintiff and Class Members for the rest of their lives. They
8 will need to remain constantly vigilant.
9 62. This breach is particularly troubling given the target demographic for Neopets:
10 children. Because of the Data Breach, the personal information of millions of children is in the
11 hands of cybercriminals, all but assuring at least some of it will end up in the hands of sinister
12 actors with unwholesome intentions. As UNICEF notes,
COLE & VAN NOTE
13
555 12TH STREET, SUITE 1725
[i]t has never been easier for child sex offenders to contact their potential victims, share
ATTORNEYS AT LAW
OAKLAND, CA 94607
imagery and encourage others to commit offences. Children may be victimized through
TEL: (510) 891-9800
14 the production, distribution and consumption of sexual abuse material, or they may be
groomed for sexual exploitation, with abusers attempting to meet them in person or exhort
15 them for explicit content. In the digital world, any person from any location can create
and store sexually exploitative content. 9
16
17 63. And these troubling incidents are becoming more common. Indeed, according to
18 the National Center for Missing and Exploited Children (“NCMEC”), a nonprofit founded by
19 Congress, reports of online sexual exploitation of children rose from 21 million in 2020 to over 29
20 million in 2021, a 35 percent increase. 10
21 64. For example, once criminals have a child’s information, they may use it to begin
22 communicating with a child through the internet, in a process called Online Enticement. 11 Once
23 7
Here’s How Much Your Personal Information Is Selling for on the Dark Web, Experian, Dec.
24 6, 2017, available at: https://www.experian.com/blogs/ask-experian/heres-how-much-your-
personal-information-is-selling-for-on-the-dark-web/ (last accessed November 5, 2021).
8
25 In the Dark, VPNOverview, 2019, available at:
https://vpnoverview.com/privacy/anonymous-browsing/in-the-dark/ (last accessed January 21,
26 2022).
9
https://www.unicef.org/protection/violence-against-children-online (last accessed January 5,
27 2023).
10
https://www.ny1.com/nyc/all-boroughs/news/2022/03/18/national-center-missing-exploited-
28 children-online-reports-increase (last accessed January 5).
11
https://www.missingkids.org/theissues/onlineenticement (last accessed January 5, 2023).
-14-
COMPLAINT FOR DAMAGES,
INJUNCTIVE AND EQUITABLE RELIEF
Case 2:23-cv-00089-SPG-SK Document 1 Filed 01/06/23 Page 15 of 26 Page ID #:15
1 predators initiate contact and develop a rapport with a target child, they can pivot to exploitative
2 conduct, such as asking for pictures. 12
3 65. Moreover, victims of this breach face the more banal, but no less devastating risk
4 of identity theft. The FTC defines identity theft as “a fraud committed or attempted using the
5 identifying information of another person without authority.” The FTC describes “identifying
6 information” as “any name or number that may be used, alone or in conjunction with any other
7 information, to identify a specific person,” including, among other things, “[n]ame, Social Security
8 number, date of birth, official State or government issued driver’s license or identification number,
9 alien registration number, government passport number, employer or taxpayer identification
10 number.”
11 66. Identity thieves can use PII, such as that of Representative Plaintiff and Class
12 Members which Defendant failed to keep secure, to perpetrate a variety of crimes that harm
COLE & VAN NOTE
13 victims. For instance, identity thieves may commit various types of government fraud such as
555 12TH STREET, SUITE 1725
ATTORNEYS AT LAW
OAKLAND, CA 94607
TEL: (510) 891-9800
14 immigration fraud, obtaining a driver’s license or identification card in the victim’s name but with
15 another’s picture, using the victim’s information to obtain government benefits, or filing a
16 fraudulent tax return using the victim’s information to obtain a fraudulent refund.
17 67. The ramifications of Defendant’s failure to keep secure Representative Plaintiff’s
18 and Class Members’ PII are long lasting and severe. Once PII is stolen, particularly identification
19 numbers, fraudulent use of that information and damage to victims may continue for years. Indeed,
20 the PII and/or financial information of Representative Plaintiff and Class Members was taken by
21 hackers to engage in identity theft or to sell it to other criminals who will purchase the PII and/or
22 financial information for that purpose. The fraudulent activity resulting from the Data Breach may
23 not come to light for years.
24 68. There may be a time lag between when harm occurs versus when it is discovered,
25 and also between when PII and/or financial information is stolen and when it is used. According
26 to the U.S. Government Accountability Office (“GAO”), which conducted a study regarding data
27 breaches:
28 12
https://www.clarkcountyohio.gov/578/Online-Enticement (last accessed January 5, 2023).
-15-
COMPLAINT FOR DAMAGES,
INJUNCTIVE AND EQUITABLE RELIEF
Case 2:23-cv-00089-SPG-SK Document 1 Filed 01/06/23 Page 16 of 26 Page ID #:16
1
[L]aw enforcement officials told us that in some cases, stolen data may be held for
2 up to a year or more before being used to commit identity theft. Further, once stolen
data have been sold or posted on the Web, fraudulent use of that information may
3 continue for years. As a result, studies that attempt to measure the harm resulting
from data breaches cannot necessarily rule out all future harm. 13
4
5 69. The harm to Representative Plaintiff and Class Members is especially acute given
7 70. When cyber criminals access personally sensitive data—as they did here—there is
8 no limit to the amount of fraud to which Defendant may have exposed Representative Plaintiff and
9 Class Members.
10 71. And data breaches are preventable. 14 As Lucy Thompson wrote in the DATA
11 BREACH AND ENCRYPTION HANDBOOK, “[i]n almost all cases, the data breaches that occurred could
12 have been prevented by proper planning and the correct design and implementation of appropriate
security solutions.” 15 she added that “[o]rganizations that collect, use, store, and share sensitive
COLE & VAN NOTE
13
555 12TH STREET, SUITE 1725
ATTORNEYS AT LAW
OAKLAND, CA 94607
TEL: (510) 891-9800
14 personal data must accept responsibility for protecting the information and ensuring that it is not
15 compromised . . . .” 16
16 72. Most of the reported data breaches are a result of lax security and the failure to
17 create or enforce appropriate security policies, rules, and procedures … Appropriate information
18 security controls, including encryption, must be implemented and enforced in a rigorous and
20 73. Here, Defendant knew of the importance of safeguarding PII and of the foreseeable
21 consequences that would occur if Representative Plaintiff’s and Class Members’ PII was stolen,
22 including the significant costs that would be placed on Representative Plaintiff and Class Members
24 organization with the resources to deploy robust cybersecurity protocols. They knew, or should
25 13
Report to Congressional Requesters, GAO, at 29 (June 2007), available at:
26 http://www.gao.gov/new.items/d07737.pdf (last accessed January 21, 2022).
14
Lucy L. Thompson, “Despite the Alarming Trends, Data Breaches Are Preventable,” in
27 DATA BREACH AND ENCRYPTION HANDBOOK (Lucy Thompson, ed., 2012)
15
Id. at 17.
16
28 Id. at 28.
17
Id.
-16-
COMPLAINT FOR DAMAGES,
INJUNCTIVE AND EQUITABLE RELIEF
Case 2:23-cv-00089-SPG-SK Document 1 Filed 01/06/23 Page 17 of 26 Page ID #:17
1 have known, that the development and use of such protocols were necessary to fulfill its statutory
2 and common law duties to Representative Plaintiff and Class Members. Its failure to do so is,
3 therefore, intentional, willful, reckless, and/or grossly negligent.
4 74. Defendant disregarded the rights of Representative Plaintiff and Class Members by,
5 inter alia, (i) intentionally, willfully, recklessly, or negligently failing to take adequate and
6 reasonable measures to ensure that its network servers were protected against unauthorized
7 intrusions; (ii) failing to disclose that it did not have adequately robust security protocols and
8 training practices in place to adequately safeguard Representative Plaintiff’s and Class Members’
9 PII; (iii) failing to take standard and reasonably available steps to prevent the Data Breach; (iv)
10 concealing the existence and extent of the Data Breach for an unreasonable duration of time; and
11 (v) failing to provide Representative Plaintiff and Class Members prompt and accurate notice of
12 the Data Breach.
COLE & VAN NOTE
13
555 12TH STREET, SUITE 1725
ATTORNEYS AT LAW
OAKLAND, CA 94607
TEL: (510) 891-9800
1
d. to promptly notify Representative Plaintiff and Class Members of any data
2 breach, security incident, or intrusion that affected or may have affected
their PII.
3
4 78. Defendant knew that the PII was private and confidential and should be protected
5 as private and confidential and, thus, Defendant owed a duty of care not to subject Representative
6 Plaintiff and Class Members to an unreasonable risk of harm because they were foreseeable and
8 79. Defendant knew, or should have known, of the risks inherent in collecting and
9 storing PII, the vulnerabilities of its data security systems, and the importance of adequate security.
11 80. Defendant knew, or should have known, that its data systems and networks did not
13
555 12TH STREET, SUITE 1725
ATTORNEYS AT LAW
OAKLAND, CA 94607
TEL: (510) 891-9800
14 sufficient to protect the PII that Representative Plaintiff and Class Members had entrusted to it.
15 82. Defendant breached its duties to Representative Plaintiff and Class Members by
16 failing to provide fair, reasonable, or adequate computer systems and data security practices to
18 83. Because Defendant knew that a breach of its systems could damage millions of
19 individuals, including Representative Plaintiff and Class Members, Defendant had a duty to
20 adequately protect its data systems and the PII contained therein.
22 with their PII was predicated on the understanding that Defendant would take adequate security
23 precautions. Moreover, only Defendant had the ability to protect its systems and the PII it stored
24 on them from attack. Thus, Defendant had a special relationship with Representative Plaintiff and
25 Class Members.
26 85. Defendant also had independent duties under state and federal laws that required
27 Defendant to reasonably safeguard Representative Plaintiff’s and Class Members’ PII and
28
-18-
COMPLAINT FOR DAMAGES,
INJUNCTIVE AND EQUITABLE RELIEF
Case 2:23-cv-00089-SPG-SK Document 1 Filed 01/06/23 Page 19 of 26 Page ID #:19
1 promptly notify them about the Data Breach. These “independent duties” are untethered to any
2 contract between Defendant and Representative Plaintiff and/or the remaining Class Members.
3 86. Defendant breached its general duty of care to Representative Plaintiff and Class
4 Members in, but not necessarily limited to, the following ways:
5
a. by failing to provide fair, reasonable, or adequate computer systems and
6 data security practices to safeguard the PII of Representative Plaintiff and
Class Members;
7
b. by failing to timely and accurately disclose that Representative Plaintiff’s
8 and Class Members’ PII had been improperly acquired or accessed;
9 c. by failing to adequately protect and safeguard the PII by knowingly
disregarding standard information security principles, despite obvious risks,
10 and by allowing unmonitored and unrestricted access to unsecured PII;
11 d. by failing to provide adequate supervision and oversight of the PII with
which they were and are entrusted, in spite of the known risk and
12 foreseeable likelihood of breach and misuse, which permitted an unknown
third party to gather PII of Representative Plaintiff and Class Members,
COLE & VAN NOTE
13
555 12TH STREET, SUITE 1725
OAKLAND, CA 94607
TEL: (510) 891-9800
14 e. by failing to adequately train its employees to not store PII longer than
absolutely necessary;
15
f. by failing to consistently enforce security policies aimed at protecting
16 Representative Plaintiff’s and Class Members’ PII;
17 g. by failing to implement processes to quickly detect data breaches, security
incidents, or intrusions; and
18
h. by failing to encrypt Representative Plaintiff’s and Class Members’ PII and
19 monitor user behavior and activity in order to identify possible threats.
20
21 87. Defendant’s willful failure to abide by these duties was wrongful, reckless, and
22 grossly negligent in light of the foreseeable risks and known threats.
23 88. As a proximate and foreseeable result of Defendant’s grossly negligent conduct,
24 Representative Plaintiff and Class Members have suffered damages and are at imminent risk of
25 additional harms and damages (as alleged above).
26 89. The law further imposes an affirmative duty on Defendant to timely disclose the
27 unauthorized access and theft of the PII to Representative Plaintiff and Class Members so that they
28
-19-
COMPLAINT FOR DAMAGES,
INJUNCTIVE AND EQUITABLE RELIEF
Case 2:23-cv-00089-SPG-SK Document 1 Filed 01/06/23 Page 20 of 26 Page ID #:20
1 could and/or still can take appropriate measures to mitigate damages, protect against adverse
2 consequences and thwart future misuse of their PII.
3 90. Defendant breached its duty to notify Representative Plaintiff and Class Members
4 of the unauthorized access by waiting months after learning of the Data Breach to notify
5 Representative Plaintiff and Class Members and then by failing and continuing to fail to provide
6 Representative Plaintiff and Class Members sufficient information regarding the breach. To date,
7 Defendant has not provided sufficient information to Representative Plaintiff and Class Members
8 regarding the extent of the unauthorized access and continues to breach its disclosure obligations
9 to Representative Plaintiff and Class Members.
10 91. Further, through its failure to provide timely and clear notification of the Data
11 Breach to Representative Plaintiff and Class Members, Defendant prevented Representative
12 Plaintiff and Class Members from taking meaningful, proactive steps to secure their PII.
COLE & VAN NOTE
OAKLAND, CA 94607
TEL: (510) 891-9800
14 security measures to protect the PII of Representative Plaintiff and Class Members and the harm
15 suffered, or risk of imminent harm suffered by Representative Plaintiff and Class Members.
16 Representative Plaintiff’s and Class Members’ PII was accessed as the proximate result of
17 Defendant’s failure to exercise reasonable care in safeguarding such PII by adopting,
18 implementing, and maintaining appropriate security measures.
19 93. Defendant’s wrongful actions, inactions, and omissions constituted (and continue
20 to constitute) common law negligence.
21 94. The damages Representative Plaintiff and Class Members have suffered (as alleged
22 above) and will suffer were and are the direct and proximate result of Defendant’s grossly
23 negligent conduct.
24 95. Additionally, 15 U.S.C. §45 (FTC Act, Section 5) prohibits “unfair . . . practices in
25 or affecting commerce,” including, as interpreted, and enforced by the FTC, the unfair act or
26 practice by businesses, such as Defendant, of failing to use reasonable measures to protect PII. The
27 FTC publications and orders described above also form part of the basis of Defendant’s duty in
28 this regard.
-20-
COMPLAINT FOR DAMAGES,
INJUNCTIVE AND EQUITABLE RELIEF
Case 2:23-cv-00089-SPG-SK Document 1 Filed 01/06/23 Page 21 of 26 Page ID #:21
1 96. Defendant violated 15 U.S.C. §45 by failing to use reasonable measures to protect
2 PII and not complying with applicable industry standards, as described in detail herein.
3 Defendant’s conduct was particularly unreasonable given the nature and amount of PII it obtained
4 and stored and the foreseeable consequences of the immense damages that would result to
5 Representative Plaintiff and Class Members.
6 97. Defendant’s violation of 15 U.S.C. §45 constitutes negligence per se.
7 98. As a direct and proximate result of Defendant’s negligence and negligence per se,
8 Representative Plaintiff and Class Members have suffered and will suffer injury, including but not
9 limited to: (i) actual identity theft; (ii) the loss of the opportunity of how their PII is used; (iii) the
10 compromise, publication, and/or theft of their PII; (iv) out-of-pocket expenses associated with the
11 prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of their
12 PII; (v) lost opportunity costs associated with effort expended and the loss of productivity
COLE & VAN NOTE
13 addressing and attempting to mitigate the actual and future consequences of the Data Breach,
555 12TH STREET, SUITE 1725
ATTORNEYS AT LAW
OAKLAND, CA 94607
TEL: (510) 891-9800
14 including but not limited to, efforts spent researching how to prevent, detect, contest, and recover
15 from embarrassment and identity theft; (vi) the continued risk to their PII, which may remain in
16 Defendant’s possession and is subject to further unauthorized disclosures so long as Defendant
17 fails to undertake appropriate and adequate measures to protect Representative Plaintiff’s and
18 Class Members’ PII in its continued possession; and (vii) future costs in terms of time, effort, and
19 money that will be expended to prevent, detect, contest, and repair the impact of the PII
20 compromised as a result of the Data Breach for the remainder of the lives of Representative
21 Plaintiff and Class Members.
22 99. As a direct and proximate result of Defendant’s negligence and negligence per se,
23 Representative Plaintiff and Class Members have suffered and will continue to suffer other forms
24 of injury and/or harm, including, but not limited to, anxiety, emotional distress, loss of privacy,
25 and other economic and non-economic losses.
26 100. Additionally, as a direct and proximate result of Defendant’s negligence and
27 negligence per se, Representative Plaintiff and Class Members have suffered and will suffer the
28 continued risks of exposure of their PII, which remains in Defendant’s possession and are subject
-21-
COMPLAINT FOR DAMAGES,
INJUNCTIVE AND EQUITABLE RELIEF
Case 2:23-cv-00089-SPG-SK Document 1 Filed 01/06/23 Page 22 of 26 Page ID #:22
13 104. Defendant solicited and invited Representative Plaintiff and Class Members to
555 12TH STREET, SUITE 1725
ATTORNEYS AT LAW
OAKLAND, CA 94607
TEL: (510) 891-9800
14 provide their PII as part of Defendant’s regular business practices. Representative Plaintiff and
15 Class Members accepted Defendant’s offers and provided their PII to Defendant.
16 105. As a condition of playing Neopets, Representative Plaintiff and Class Members
17 provided and entrusted their PII to Defendant. In so doing, Representative Plaintiff and Class
18 Members entered into implied contracts with Defendant by which Defendant agreed to safeguard
19 and protect such non-public information, to keep such information secure and confidential, and to
20 timely and accurately notify Representative Plaintiff and Class Members if their data had been
21 breached and compromised or stolen.
22 106. A meeting of the minds occurred when Representative Plaintiff and Class Members
23 agreed to, and did, provide their PII to Defendant, in exchange for, amongst other things, the
24 protection of their PII.
25 107. Representative Plaintiff and Class Members fully performed their obligations under
26 the implied contracts with Defendant.
27
28
-22-
COMPLAINT FOR DAMAGES,
INJUNCTIVE AND EQUITABLE RELIEF
Case 2:23-cv-00089-SPG-SK Document 1 Filed 01/06/23 Page 23 of 26 Page ID #:23
1 108. Defendant breached the implied contracts it made with Representative Plaintiff and
2 Class Members by failing to safeguard and protect their PII and by failing to provide timely and
3 accurate notice to them that their PII was compromised as a result of the Data Breach.
4 109. As a direct and proximate result of Defendant’s above-described breach of implied
5 contract, Representative Plaintiff and Class Members have suffered (and will continue to suffer)
6 (a) ongoing, imminent, and impending threat of identity theft crimes, fraud, and abuse, resulting
7 in monetary loss and economic harm; (b) actual identity theft crimes, fraud, and abuse, resulting
8 in monetary loss and economic harm; (c) loss of the confidentiality of the stolen confidential data;
9 (d) the illegal sale of the compromised data on the dark web; (e) lost work time; and (f) other
10 economic and non-economic harm.
11
12 THIRD CLAIM FOR RELIEF
Breach of the Implied Covenant of Good Faith and Fair Dealing
COLE & VAN NOTE
OAKLAND, CA 94607
TEL: (510) 891-9800
14 110. Each and every allegation of the preceding paragraphs is incorporated in this cause
15 of action with the same force and effect as though fully set forth therein.
16 111. Every contract in this state has an implied covenant of good faith and fair dealing.
17 This implied covenant is an independent duty and may be breached even when there is no
18 breach of a contract’s actual and/or express terms.
19 112. Representative Plaintiff and Class Members have complied with and performed all
20 conditions of their contracts with Defendant.
21 113. Defendant breached the implied covenant of good faith and fair dealing by failing
22 to maintain adequate computer systems and data security practices to safeguard PII, failing to
23 timely and accurately disclose the Data Breach to Representative Plaintiff and Class Members and
24 continued acceptance of PII and storage of other personal information after Defendant knew, or
25 should have known, of the security vulnerabilities of the systems that were exploited in the Data
26 Breach.
27
28
-23-
COMPLAINT FOR DAMAGES,
INJUNCTIVE AND EQUITABLE RELIEF
Case 2:23-cv-00089-SPG-SK Document 1 Filed 01/06/23 Page 24 of 26 Page ID #:24
1 114. Defendant acted in bad faith and/or with malicious motive in denying
2 Representative Plaintiff and Class Members the full benefit of their bargains as originally intended
3 by the parties, thereby causing them injury in an amount to be determined at trial.
4
5 RELIEF SOUGHT
6 WHEREFORE, Representative Plaintiff, on behalf of herself and each member of the
7 proposed National Class and the Florida Subclass, respectfully requests that the Court enter
8 judgment in her favor and for the following specific relief against Defendant as follows:
9 1. That the Court declare, adjudge, and decree that this action is a proper class action
10 and certify each of the proposed classes and/or any other appropriate subclasses under F.R.C.P.
11 Rule 23 (b)(1), (b)(2), and/or (b)(3), including appointment of Representative Plaintiff’s counsel
12 as Class Counsel;
COLE & VAN NOTE
OAKLAND, CA 94607
TEL: (510) 891-9800
1 justification for the retention and use of such information when weighed
against the privacy interests of Representative Plaintiff and Class Members;
2
d. requiring Defendant to implement and maintain a comprehensive
3 Information Security Program designed to protect the confidentiality and
integrity of Representative Plaintiff’s and Class Members’ PII;
4
e. requiring Defendant to engage independent third-party security auditors and
5 internal personnel to run automated security monitoring, simulated attacks,
penetration tests, and audits on Defendant’s systems on a periodic basis;
6
f. prohibiting Defendant from maintaining Representative Plaintiff’s and
7 Class Members’ PII on a cloud-based database;
8 g. requiring Defendant to segment data by creating firewalls and access
controls so that, if one area of Defendant’s network is compromised,
9 hackers cannot gain access to other portions of Defendant’s systems;
10 h. requiring Defendant to conduct regular database scanning and securing
checks;
11
i. requiring Defendant to establish an information security training program
12 that includes at least annual information security training for all employees,
with additional training to be provided as appropriate based upon the
COLE & VAN NOTE
14
j. requiring Defendant to implement a system of tests to assess its employees’
15 knowledge of the education programs discussed in the preceding
subparagraphs, as well as randomly and periodically testing employees’
16 compliance with Defendant’s policies, programs, and systems for protecting
PII;
17
k. requiring Defendant to implement, maintain, review, and revise as
18 necessary a threat management program to appropriately monitor
Defendant’s networks for internal and external threats, and assess whether
19 monitoring tools are properly configured, tested, and updated;
20 l. requiring Defendant to meaningfully educate all Class Members about the
threats that they face as a result of the loss of their confidential PII to third
21 parties, as well as the steps affected individuals must take to protect
themselves.
22
23 6. For prejudgment interest on all amounts awarded, at the prevailing legal rate;
24 7. For an award of attorneys’ fees, costs, and litigation expenses, as allowed by law;
25 8. For all other Orders, findings, and determinations identified and sought in this
26 Complaint.
27
28
-25-
COMPLAINT FOR DAMAGES,
INJUNCTIVE AND EQUITABLE RELIEF
Case 2:23-cv-00089-SPG-SK Document 1 Filed 01/06/23 Page 26 of 26 Page ID #:26
1 JURY DEMAND
2 Representative Plaintiff, individually and on behalf of the Plaintiff Class(es) and/or
3 Subclass(es), hereby demands a trial by jury for all issues triable by jury.
4
5 Dated: January 6, 2023 COLE & VAN NOTE
6
7 By: /s/ Cody Alexander Bolce
Cody Alexander Bolce, Esq.
8 Attorneys for Representative Plaintiff
and the Plaintiff Classes
9
10 Dated: January 6, 2023 SROURIAN LAW FIRM, P.C.
11
12 By: /s/Daniel Srourian
Daniel Srourian, Esq.
COLE & VAN NOTE
13
555 12TH STREET, SUITE 1725
OAKLAND, CA 94607
TEL: (510) 891-9800