John J. Nelson (SBN 317598)
MILBERG COLEMAN BRYSON
PHILLIPS GROSSMAN, LLC
402 W. Broadway, Suite 1760
San Diego, CA 92101
Telephone: (858) 209-6941
Email: jnelson@milberg.com

Attorney for Plaintiff and the Proposed Class

12/6/2023

SUPERIOR COURT FOR THE STATE OF CALIFORNIA
FOR THE COUNTY OF BUTTE

RITA DELGADO, individually and on behalf of all others similarly situated,

Plaintiff,

v.

TRI COUNTIES BANK,

Defendant.

Case No. 23CV03381

CLASS ACTION COMPLAINT

JURY TRIAL DEMANDED

Plaintiff Rita Delgado (“Plaintiff”) brings this Class Action Complaint (“Complaint”) against Defendant Tri Counties Bank (“TCB” or “Defendant”) as an individual and on behalf of all others similarly situated, and alleges, upon personal knowledge as to her own actions and her counsel’s investigation, and upon information and belief as to all other matters, as follows:

NATURE OF THE ACTION

1. This class action arises out of the recent cyberattack and data breach (“Data Breach”) resulting from TCB's failure to implement reasonable and industry standard data security practices.

- Page 1 –
CLASS ACTION COMPLAINT
2. Defendant is a California-based bank, “with assets of nearly $10 billion,” that offers financial products and services to its customers “throughout California[.]”[1]

[1] https://www.tcbk.com/about

3. Plaintiff’s and Class Members’ sensitive personal information—which they entrusted to Defendant on the mutual understanding that Defendant would protect it against disclosure—was compromised and unlawfully accessed due to the Data Breach.

4. TCB collected and maintained certain personally identifiable information (“PII”) of Plaintiff and the putative Class Members (defined below), who are (or were) customers, customer applicants, and/or employees at TCB.

5. The PII compromised in the Data Breach was exfiltrated by cyber-criminals and remains in the hands of those cyber-criminals who target PII for its value to identity thieves.

6. As a result of the Data Breach, Plaintiff and approximately 74,000 Class Members[2] suffered concrete injuries in fact including, but not limited to: (i) invasion of privacy; (ii) theft of their PII; (iii) lost or diminished value of PII; (iv) lost time and opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach; (v) loss of benefit of the bargain; (vi) lost opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach; (vii) experiencing an increase in spam calls, texts, and/or emails; (viii) Plaintiff’s PII being disseminated on the dark web, according to McAfee; (ix) statutory damages; (x) nominal damages; and (xi) the continued and certainly increased risk to their PII, which: (a) remains unencrypted and available for unauthorized third parties to access and abuse; and (b) remains backed up in Defendant’s possession and is subject to further unauthorized disclosures so long as Defendant fails to undertake appropriate and adequate measures to protect the PII.

[2] https://apps.web.maine.gov/online/aeviewer/ME/40/c3cf3179-ed79-4766-8750-2f4f2fe06a22.shtml

7. The Data Breach was a direct result of Defendant’s failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect its customers’, customer applicants’, and employees’ PII from a foreseeable and preventable cyber-attack.

8. Defendant maintained, used, and shared the PII in a reckless manner. In particular, the PII was used and transmitted by Defendant in a condition vulnerable to cyberattacks. Upon information and belief, the mechanism of the cyberattack and potential for improper disclosure of Plaintiff’s and Class Members’ PII was a known risk to Defendant, and thus, Defendant was on notice that failing to take steps necessary to secure the PII from those risks left that property in a dangerous condition.

9. Defendant disregarded the rights of Plaintiff and Class Members by, inter alia, intentionally, willfully, recklessly, or negligently failing to take adequate and reasonable measures to ensure its data systems were protected against unauthorized intrusions; failing to take standard and reasonably available steps to prevent the Data Breach; and failing to provide Plaintiff and Class Members prompt and accurate notice of the Data Breach.

10. Plaintiff’s and Class Members’ identities are now at risk because of Defendant’s negligent conduct, as the PII that Defendant collected and maintained is now in the hands of data thieves.

11. Armed with the PII accessed in the Data Breach, data thieves have already engaged in identity theft and fraud and can in the future commit a variety of crimes including, e.g., opening new financial accounts in Class Members’ names, taking out loans in Class Members’ names, using Class Members’ information to obtain government benefits, filing fraudulent tax returns using Class Members’ information, obtaining driver’s licenses in Class Members’ names but with another person’s photograph, and giving false information to police during an arrest.
12. As a result of the Data Breach, Plaintiff and Class Members have been exposed to a heightened and imminent risk of fraud and identity theft. Plaintiff and Class Members must now and in the future closely monitor their financial accounts to guard against identity theft.

13. Plaintiff and Class Members may also incur out-of-pocket costs, e.g., for purchasing credit monitoring services, credit freezes, credit reports, or other protective measures to deter and detect identity theft.

14. Plaintiff brings this class action lawsuit on behalf of all those similarly situated to address Defendant’s inadequate safeguarding of Class Members’ PII that it collected and maintained, and for failing to provide timely and adequate notice to Plaintiff and other Class Members that their information had been subject to unauthorized access by an unknown third party and precisely what specific type of information was accessed.

15. Through this Complaint, Plaintiff seeks to remedy these harms on behalf of herself and all similarly situated individuals whose PII was accessed during the Data Breach.

16. Plaintiff and Class Members have a continuing interest in ensuring that their information is and remains safe, and they should be entitled to injunctive and other equitable relief.

PARTIES

17. Plaintiff, Rita Delgado, is a natural person and citizen of Bakersfield, California, where she intends to remain.

18. Defendant is a California corporation with its principal place of business located at 63 Constitution Drive, Chico, California 95973. Defendant is a wholly-owned subsidiary of TriCo Bancshares.
JURISDICTION AND VENUE

19. This Court has jurisdiction over this action under California Code of Civil Procedure § 410.10. The total amount of damages incurred by Plaintiff and the Class in the aggregate exceeds the $25,000 jurisdictional minimum of this Court. Further, upon information and belief, the amount in controversy as to Plaintiff individually does not exceed $75,000.

20. Venue is proper in this Court under California Bus. & Prof. Code § 17203 and Code of Civil Procedure §§ 395(a) and 395.5 because Defendant and/or its parents or affiliates are headquartered in this judicial district and a substantial part of the events or omissions giving rise to Plaintiff’s claims occurred in this judicial district.

FACTUAL ALLEGATIONS

Defendant’s Business

21. Defendant is a California-based bank, “with assets of nearly $10 billion,” that offers financial products and services to its customers “throughout California[.]”[3]

[3] https://www.tcbk.com/about

22. Plaintiff and Class Members are current and former customers, customer applicants, and/or employees at Defendant.

23. In the course of their relationship, customers, customer applicants, and employees, including Plaintiff and Class Members, provided Defendant with at least the following: names and Social Security numbers.

24. Upon information and belief, in the course of collecting PII from customers, customer applicants, and employees, including Plaintiff and Class Members, Defendant promised to provide confidentiality and adequate security for their data through its applicable privacy policy and through other disclosures in compliance with statutory privacy requirements.
25. Indeed, the Privacy Policy posted on Defendant's website provides that: “[t]o protect your personal information from unauthorized access and use, we use security measures that comply with federal law. These measures include computer safeguards and secured files and buildings.”[4]

[4] https://www.tcbk.com/application/files/5516/9766/7918/ADV-22_GLBA_Privacy_Notice.pdf

26. Plaintiff and the Class Members, as former and current customers, customer applicants, and/or employees of Defendant, relied on these promises and on this sophisticated business entity to keep their sensitive PII confidential and securely maintained, to use this information for business purposes only, and to make only authorized disclosures of this information. Customers, customer applicants, and employees, in general, demand security to safeguard their PII, especially when their Social Security numbers and other sensitive PII are involved.

The Data Breach

27. On or about November 22, 2023, Defendant began sending Plaintiff and other Data Breach victims a Notice of Data Breach letter (the "Notice Letter"), informing them that:

    What Happened? On or around February 7, 2023, Tri Counties Bank became aware of suspicious activity on our computer network. We shut down our networked systems and immediately launched an investigation. We determined that our internal bank network had been infected with malware which prevented access to certain files on the network. Through our investigation, we determined that, between February 7, 2023, and February 8, 2023, an unauthorized actor may have had access to certain systems that stored personal information. Although we have no evidence of any identity theft or fraud in connection with this incident, Tri Counties Bank is notifying those affected out of an abundance of caution.

    What Information Was Involved? Following an extensive review that was completed on October 9, 2023, we determined the following types of your information may have been impacted by this incident: your name, and Social Security number.[5]

[5] The “Notice Letter”. A sample copy is available at https://apps.web.maine.gov/online/aeviewer/ME/40/c3cf3179-ed79-4766-8750-2f4f2fe06a22.shtml

28. Omitted from the Notice Letter were any explanation as to why Defendant failed to notify Plaintiff and Class Members of the Data Breach until more than eight months after detecting the cyberattack, the root cause of the Data Breach, the vulnerabilities exploited, and the remedial measures undertaken to ensure such a breach does not occur again. To date, these omitted details have not been explained or clarified to Plaintiff and Class Members, who retain a vested interest in ensuring that their PII remains protected.

29. This “disclosure” amounts to no real disclosure at all, as it fails to inform, with any degree of specificity, Plaintiff and Class Members of the Data Breach’s critical facts. Without these details, Plaintiff’s and Class Members’ ability to mitigate the harms resulting from the Data Breach is severely diminished.

30. Defendant did not use reasonable security procedures and practices appropriate to the nature of the sensitive information it was maintaining for Plaintiff and Class Members, such as encrypting the information or deleting it when it is no longer needed, causing the exposure of PII.

31. The attacker accessed and acquired files Defendant shared with a third party containing unencrypted PII of Plaintiff and Class Members, including their Social Security numbers. Plaintiff’s and Class Members’ PII was accessed and stolen in the Data Breach.

32. Plaintiff has been informed by McAfee that her PII has been disseminated on the dark web, and Plaintiff further believes that Class Members’ PII was subsequently sold on the dark web following the Data Breach, as that is the modus operandi of cybercriminals that commit cyber-attacks of this type.
33. Defendant had obligations created by the FTC Act, the Gramm-Leach-Bliley Act, contract, common law, and industry standards to keep Plaintiff’s and Class Members’ PII confidential and to protect it from unauthorized access and disclosure.

Data Breaches Are Preventable

34. Defendant could have prevented this Data Breach by, among other things, properly encrypting or otherwise protecting its equipment and computer files containing PII.

35. Defendant did not use reasonable security procedures and practices appropriate to the nature of the sensitive information it was maintaining for Plaintiff and Class Members, such as encrypting the information or deleting it when it is no longer needed, causing the exposure of PII.

36. As Plaintiff has already experienced, the unencrypted PII of Class Members may end up for sale to identity thieves on the dark web, if it has not already, or it could simply fall into the hands of companies that will use the detailed PII for targeted marketing without the approval of Plaintiff and Class Members. Unauthorized individuals can easily access the PII of Plaintiff and Class Members.

37. As explained by the Federal Bureau of Investigation, “[p]revention is the most effective defense against ransomware and it is critical to take precautions for protection.”[6]

[6] How to Protect Your Networks from RANSOMWARE, at 3, available at: https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view

38. To prevent and detect cyber-attacks and/or ransomware attacks Defendant could and should have implemented, as recommended by the United States Government, the following measures:

    - Implement an awareness and training program. Because end users are targets, employees and individuals should be aware of the threat of ransomware and how it is delivered.
    - Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.
    - Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
    - Configure firewalls to block access to known malicious IP addresses.
    - Patch operating systems, software, and firmware on devices. Consider using a centralized patch management system.
    - Set anti-virus and anti-malware programs to conduct regular scans automatically.
    - Manage the use of privileged accounts based on the principle of least privilege: no users should be assigned administrative access unless absolutely needed; and those with a need for administrator accounts should only use them when necessary.
    - Configure access controls—including file, directory, and network share permissions—with least privilege in mind. If a user only needs to read specific files, the user should not have write access to those files, directories, or shares.
    - Disable macro scripts from office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full office suite applications.
    - Implement Software Restriction Policies (SRP) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular Internet browsers or compression/decompression programs, including the AppData/LocalAppData folder.
    - Consider disabling Remote Desktop protocol (RDP) if it is not being used.
    - Use application whitelisting, which only allows systems to execute programs known and permitted by security policy.
    - Execute operating system environments or specific programs in a virtualized environment.
    - Categorize data based on organizational value and implement physical and logical separation of networks and data for different organizational units.[7]

[7] Id. at 3-4.

39. To prevent and detect cyber-attacks or ransomware attacks Defendant could and should have implemented, as recommended by the Microsoft Threat Protection Intelligence Team, the following measures:

    Secure internet-facing assets
    - Apply latest security updates
    - Use threat and vulnerability management
    - Perform regular audit; remove privileged credentials;

    Thoroughly investigate and remediate alerts
    - Prioritize and treat commodity malware infections as potential full compromise;

    Include IT Pros in security discussions
    - Ensure collaboration among [security operations], [security admins], and [information technology] admins to configure servers and other endpoints securely;

    Build credential hygiene
    - Use [multifactor authentication] or [network level authentication] and use strong, randomized, just-in-time local admin passwords;

    Apply principle of least-privilege
    - Monitor for adversarial activities
    - Hunt for brute force attempts
    - Monitor for cleanup of Event Logs
    - Analyze logon events;

    Harden infrastructure
    - Use Windows Defender Firewall
    - Enable tamper protection
    - Enable cloud-delivered protection
    - Turn on attack surface reduction rules and [Antimalware Scan Interface] for Office [Visual Basic for Applications].[8]

[8] See Human-operated ransomware attacks: A preventable disaster (Mar 5, 2020), available at: https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/

40. Given that Defendant was storing the PII of its current and former customers, customer applicants, and employees, Defendant could and should have implemented all of the above measures to prevent and detect cyberattacks.

41. The occurrence of the Data Breach indicates that Defendant failed to adequately implement one or more of the above measures to prevent cyberattacks, resulting in the Data Breach and the exposure of the PII of more than seventy thousand individuals, including that of Plaintiff and Class Members.

42. Defendant's negligence in safeguarding the PII of Plaintiff and Class Members is exacerbated by the repeated warnings and alerts directed to protecting and securing sensitive data.

Defendant Acquires, Collects, And Stores Plaintiff’s and the Class’s PII

43. Defendant acquires, collects, and stores a massive amount of PII on its customers, customer applicants, employees, and other personnel.

44. As a condition of obtaining financial services and/or employment at TCB, Defendant requires that customers, customer applicants, employees, and other personnel entrust it with highly sensitive personal information.

45. By obtaining, collecting, and using Plaintiff’s and Class Members’ PII, Defendant assumed legal and equitable duties and knew or should have known that it was responsible for protecting Plaintiff’s and Class Members’ PII from disclosure.

46. Plaintiff and the Class Members have taken reasonable steps to maintain the confidentiality of their PII and would not have entrusted it to Defendant absent a promise to safeguard that information.

47. Upon information and belief, in the course of collecting PII from customers, customer applicants, and employees, including Plaintiff and Class Members, Defendant promised to provide confidentiality and adequate security for their data through its applicable privacy policy and through other disclosures in compliance with statutory privacy requirements.

48. Indeed, the Privacy Policy posted on Defendant's website provides that: “[t]o protect your personal information from unauthorized access and use, we use security measures that comply with federal law. These measures include computer safeguards and secured files and buildings.”[9]

[9] https://www.tcbk.com/application/files/5516/9766/7918/ADV-22_GLBA_Privacy_Notice.pdf

49. Plaintiff and the Class Members relied on Defendant to keep their PII confidential and securely maintained, to use this information for business purposes only, and to make only authorized disclosures of this information.

Defendant Knew, Or Should Have Known, of the Risk Because Financial Institutions In Possession Of PII Are Particularly Susceptible To Cyber Attacks

50. Defendant’s data security obligations were particularly important given the substantial increase in cyber-attacks and/or data breaches targeting financial institutions that collect and store PII, like Defendant, preceding the date of the breach.

51. Data breaches, including those perpetrated against financial institutions that store PII in their systems, have become widespread.

52. In the third quarter of the 2023 fiscal year alone, 7333 organizations experienced data breaches, resulting in 66,658,764 individuals’ personal information being compromised.[10]

[10] See https://www.idtheftcenter.org/publication/q3-data-breach-2023-analysis/
53. In light of recent high-profile cybersecurity incidents at other healthcare partner and provider companies, including American Medical Collection Agency (25 million customers, March 2019), University of Washington Medicine (974,000 customers, December 2018), Florida Orthopedic Institute (640,000 customers, July 2020), Wolverine Solutions Group (600,000 customers, September 2018), Oregon Department of Human Services (645,000 customers, March 2019), Elite Emergency Physicians (550,000 customers, June 2020), Magellan Health (365,000 customers, April 2020), and BJC Health System (286,876 customers, March 2020), Defendant knew or should have known that its electronic records would be targeted by cybercriminals.

54. Indeed, cyber-attacks, such as the one experienced by Defendant, have become so notorious that the Federal Bureau of Investigation (“FBI”) and U.S. Secret Service have issued a warning to potential targets so they are aware of, and prepared for, a potential attack. As one report explained, smaller entities that store PII are “attractive to ransomware criminals…because they often have lesser IT defenses and a high incentive to regain access to their data quickly.”[11]

[11] https://www.law360.com/consumerprotection/articles/1220974/fbi-secret-service-warn-of-targeted-ransomware?nl_pk=3ed44a08-fcc2-4b6c-89f0-aa0155a8bb51&utm_source=newsletter&utm_medium=email&utm_campaign=consumerprotection

55. Additionally, as companies have become more dependent on computer systems to run their business,[12] e.g., working remotely as a result of the Covid-19 pandemic, and the Internet of Things (“IoT”), the danger posed by cybercriminals is magnified, thereby highlighting the need for adequate administrative, physical, and technical safeguards.[13]

[12] https://www.federalreserve.gov/econres/notes/feds-notes/implications-of-cyber-risk-for-financial-stability-20220512.html

[13] https://www.picussecurity.com/key-threats-and-cyber-risks-facing-financial-services-and-banking-firms-in-2022

56. Defendant knew and understood that unprotected or exposed PII in the custody of financial institutions, like Defendant, is valuable and highly sought after by nefarious third parties seeking to illegally monetize that PII through unauthorized access.

57. At all relevant times, Defendant knew, or reasonably should have known, of the importance of safeguarding the PII of Plaintiff and Class Members and of the foreseeable consequences that would occur if Defendant’s data security system was breached, including, specifically, the significant costs that would be imposed on Plaintiff and Class Members as a result of a breach.

58. Plaintiff and Class Members now face years of constant surveillance of their financial and personal records, monitoring, and loss of rights. The Class is incurring and will continue to incur such damages in addition to any fraudulent use of their PII.

59. In the Notice Letter, TCB offers to cover 24 months of credit and identity theft monitoring services for Plaintiff and Class Members. This is wholly inadequate to compensate Plaintiff and Class Members, as it fails to account for the fact that victims of data breaches and other unauthorized disclosures commonly face multiple years of ongoing identity theft and financial fraud, and it entirely fails to provide sufficient compensation for the unauthorized release and disclosure of Plaintiff’s and Class Members’ PII. Moreover, once this service expires, Plaintiff and Class Members will be forced to pay out of pocket for necessary identity monitoring services.

60. TCB’s offer of credit and identity monitoring establishes that Plaintiff’s and Class Members’ sensitive PII was in fact affected, accessed, compromised, and exfiltrated from Defendant's computer systems.

61. The injuries to Plaintiff and Class Members were directly and proximately caused by Defendant’s failure to implement or maintain adequate data security measures for the PII of Plaintiff and Class Members.
62. The ramifications of Defendant’s failure to keep secure the PII of Plaintiff and Class Members are long lasting and severe. Once PII is stolen—particularly Social Security numbers—fraudulent use of that information and damage to victims may continue for years.

63. As a financial institution in custody of current and former customers’, customer applicants’, and employees’ PII, Defendant knew, or should have known, the importance of safeguarding PII entrusted to it by Plaintiff and Class Members, and of the foreseeable consequences if its data security systems were breached. This includes the significant costs imposed on Plaintiff and Class Members as a result of a breach. Defendant failed, however, to take adequate cybersecurity measures to prevent the Data Breach.

Value Of Personally Identifying Information

64. The Federal Trade Commission (“FTC”) defines identity theft as “a fraud committed or attempted using the identifying information of another person without authority.”[14] The FTC describes “identifying information” as “any name or number that may be used, alone or in conjunction with any other information, to identify a specific person,” including, among other things, “[n]ame, Social Security number, date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number.”[15]

[14] 17 C.F.R. § 248.201 (2013).

[15] Id.

65. The PII of individuals remains of high value to criminals, as evidenced by the prices they will pay through the dark web. Numerous sources cite dark web pricing for stolen identity credentials.[16]

[16] Your personal data is for sale on the dark web. Here’s how much it costs, Digital Trends, Oct. 16, 2019, available at: https://www.digitaltrends.com/computing/personal-data-sold-on-the-dark-web-how-much-it-costs/

66. For example, Personal Information can be sold at a price ranging from $40 to $200.[17] Criminals can also purchase access to entire company data breaches from $900 to $4,500.[18]

[17] Here’s How Much Your Personal Information Is Selling for on the Dark Web, Experian, Dec. 6, 2017, available at: https://www.experian.com/blogs/ask-experian/heres-how-much-your-personal-information-is-selling-for-on-the-dark-web/

[18] In the Dark, VPNOverview, 2019, available at: https://vpnoverview.com/privacy/anonymous-browsing/in-the-dark/

67. For example, Social Security numbers are among the worst kind of PII to have stolen because they may be put to a variety of fraudulent uses and are difficult for an individual to change. The Social Security Administration stresses that the loss of an individual’s Social Security number, as experienced by Plaintiff and some Class Members, can lead to identity theft and extensive financial fraud:

    A dishonest person who has your Social Security number can use it to get other personal information about you. Identity thieves can use your number and your good credit to apply for more credit in your name. Then, when they use the credit cards and don’t pay the bills, it damages your credit. You may not find out that someone is using your number until you’re turned down for credit, or you begin to get calls from unknown creditors demanding payment for items you never bought. Someone illegally using your Social Security number and assuming your identity can cause a lot of problems.[19]

[19] Social Security Administration, Identity Theft and Your Social Security Number, available at: https://www.ssa.gov/pubs/EN-05-10064.pdf

68. What’s more, it is no easy task to change or cancel a stolen Social Security number. An individual cannot obtain a new Social Security number without significant paperwork and evidence of actual misuse. In other words, preventive action to defend against the possibility of misuse of a Social Security number is not permitted; an individual must show evidence of actual, ongoing fraud activity to obtain a new number.
69. Even then, a new Social Security number may not be effective. According to Julie Ferguson of the Identity Theft Resource Center, “[t]he credit bureaus and banks are able to link the new number very quickly to the old number, so all of that old bad information is quickly inherited into the new Social Security number.”20

70. Based on the foregoing, the information compromised in the Data Breach is significantly more valuable than, for example, the credit card information exposed in a retailer data breach, because there the victims can cancel or close the affected credit and debit card accounts. The information compromised in this Data Breach, Social Security numbers and names, is impossible to “close” and difficult, if not impossible, to change.

71. This data therefore commands a much higher price on the black market. Martin Walter, senior director at cybersecurity firm RedSeal, explained, “Compared to credit card information, personally identifiable information and Social Security numbers are worth more than 10x on the black market.”21

72. Among other forms of fraud, identity thieves may use stolen PII to obtain driver’s licenses, government benefits, medical services, and housing, or even to give false information to police.

73. The fraudulent activity resulting from the Data Breach may not come to light for years. There may be a time lag between when harm occurs and when it is discovered, and also between when PII is stolen and when it is used. According to the U.S. Government Accountability Office (“GAO”), which conducted a study regarding data breaches:

[L]aw enforcement officials told us that in some cases, stolen data may be held for up to a year or more before being used to commit identity theft. Further, once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years. As a result, studies that attempt to measure the harm resulting from data breaches cannot necessarily rule out all future harm.22

74. Plaintiff and Class Members now face years of constant surveillance and monitoring of their financial and personal records, and loss of rights. The Class is incurring, and will continue to incur, such damages in addition to any fraudulent use of their PII.

20 Bryan Naylor, Victims of Social Security Number Theft Find It’s Hard to Bounce Back, NPR (Feb. 9, 2015), available at: http://www.npr.org/2015/02/09/384875839/data-stolen-by-anthem-s-hackers-has-millions-worrying-about-identity-theft

21 Tim Greene, Anthem Hack: Personal Data Stolen Sells for 10x Price of Stolen Credit Card Numbers, IT World (Feb. 6, 2015), available at: https://www.networkworld.com/article/2880366/anthem-hack-personal-data-stolen-sells-for-10x-price-of-stolen-credit-card-numbers.html
Defendant Fails To Comply With FTC Guidelines

75. The Federal Trade Commission (“FTC”) has promulgated numerous guides for businesses which highlight the importance of implementing reasonable data security practices. According to the FTC, the need for data security should be factored into all business decision-making.

76. In 2016, the FTC updated its publication, Protecting Personal Information: A Guide for Business, which established cyber-security guidelines for businesses. These guidelines note that businesses should protect the personal consumer information that they keep; properly dispose of personal information that is no longer needed; encrypt information stored on computer networks; understand their network’s vulnerabilities; and implement policies to correct any security problems.23

77. The guidelines also recommend that businesses use an intrusion detection system to expose a breach as soon as it occurs; monitor all incoming traffic for activity indicating that someone is attempting to hack the system; watch for large amounts of data being transmitted from the system; and have a response plan ready in the event of a breach.24

78. The FTC further recommends that companies not maintain PII longer than is needed for authorization of a transaction; limit access to sensitive data; require complex passwords to be used on networks; use industry-tested methods for security; monitor for suspicious activity on the network; and verify that third-party service providers have implemented reasonable security measures.

22 Report to Congressional Requesters, GAO, at 29 (June 2007), available at: https://www.gao.gov/assets/gao-07-737.pdf

23 Protecting Personal Information: A Guide for Business, Federal Trade Commission (2016), available at: https://www.ftc.gov/system/files/documents/plain-language/pdf-0136_proteting-personal-information.pdf
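Paragraphs 77 and 78 above recommend, among other controls, watching for large amounts of data leaving the system and monitoring the network for suspicious activity. The Python script below is an added illustration of one common way that egress-volume check is implemented; it is not code from the complaint, from the FTC publication, or from Tri Counties Bank, and it makes no claim about Defendant’s systems. The flow-log format, the internal address ranges, the per-host baselines, the thresholds, and the sample records are all constructed assumptions for this example.

```python
"""Egress-volume monitor: flag internal hosts whose outbound traffic to external
addresses is far above their historical baseline.

Added example only. The flow-log format, the internal CIDR ranges, the per-host
baselines, the thresholds and the sample flows below are all constructed
assumptions; none of them come from the complaint, the FTC guide or the bank.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Assumed internal address space (constructed).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Assumed per-host historical egress baseline, bytes per hour (constructed).
BASELINE_BYTES_PER_HOUR = {
    "10.1.2.10": 50_000_000,   # file server: ~50 MB/h to the outside is normal
    "10.1.2.55": 2_000_000,    # workstation: ~2 MB/h
    "10.1.2.99": 1_000_000,    # workstation: ~1 MB/h
}

# Constructed one-hour window of flow records (NetFlow-style, one per line).
SAMPLE_FLOWS = """\
start_ts,src_ip,dst_ip,dst_port,bytes_out
2023-11-01T02:05:00,10.1.2.10,10.1.3.20,445,800000000
2023-11-01T02:10:00,10.1.2.55,203.0.113.7,443,1500000
2023-11-01T02:12:00,10.1.2.55,203.0.113.7,443,900000
2023-11-01T02:15:00,10.1.2.99,198.51.100.9,22,26000000
2023-11-01T02:20:00,10.1.2.99,198.51.100.9,22,31000000
2023-11-01T02:30:00,192.168.5.4,203.0.113.50,443,3000000
"""


def is_internal(ip):
    """True if the address falls inside one of the assumed internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def aggregate_egress(flow_csv):
    """Sum bytes sent from internal sources to external destinations, per source.

    Inbound flows and internal-to-internal (east-west) flows are skipped, so an
    800 MB copy to an internal file share does not look like exfiltration.
    """
    totals = defaultdict(lambda: {"bytes": 0, "flows": 0, "dests": set()})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst = row["src_ip"], row["dst_ip"]
        if not is_internal(src) or is_internal(dst):
            continue
        entry = totals[src]
        entry["bytes"] += int(row["bytes_out"])
        entry["flows"] += 1
        entry["dests"].add("%s:%s" % (dst, row["dst_port"]))
    return dict(totals)


def find_egress_anomalies(flow_csv, window_hours=1.0, multiplier=10.0,
                          floor_bytes=20_000_000,
                          baselines=BASELINE_BYTES_PER_HOUR,
                          default_baseline=1_000_000):
    """Return one alert per source whose egress in the window exceeds BOTH an
    absolute floor and `multiplier` times its expected volume.

    The floor stops a host with a tiny baseline from alerting on a few MB; the
    multiplier stops a busy server from alerting simply for being busy. Hosts
    with no recorded baseline (constructed assumption) are judged against
    `default_baseline`, and the alert says so.
    """
    alerts = []
    for src, entry in aggregate_egress(flow_csv).items():
        expected = baselines.get(src, default_baseline) * window_hours
        if entry["bytes"] >= floor_bytes and entry["bytes"] > multiplier * expected:
            alerts.append({
                "src_ip": src,
                "bytes_out": entry["bytes"],
                "flows": entry["flows"],
                "ratio_to_baseline": round(entry["bytes"] / expected, 1),
                "destinations": sorted(entry["dests"]),
                "baseline_known": src in baselines,
            })
    return sorted(alerts, key=lambda a: a["bytes_out"], reverse=True)


if __name__ == "__main__":
    for alert in find_egress_anomalies(SAMPLE_FLOWS):
        print("ALERT %(src_ip)s sent %(bytes_out)d bytes in %(flows)d flows "
              "(%(ratio_to_baseline).1fx baseline) to %(destinations)s" % alert)
```

Two thresholds are deliberately combined: the absolute floor keeps hosts with tiny baselines from alerting on a few megabytes, and the multiplier against each host’s own baseline keeps a busy file server from alerting merely for being busy. Flows between two internal addresses are excluded so that ordinary east-west traffic (backups, file shares) does not count as egress; in the constructed sample the 800 MB internal copy from 10.1.2.10 is ignored, while the 57 MB of SSH transfers from 10.1.2.99 to an external host, fifty-seven times that workstation’s baseline, is the one alert returned with the default thresholds.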
79. The FTC has brought enforcement actions against businesses for failing to adequately and reasonably protect customer, customer applicant, and employee data, treating the failure to employ reasonable and appropriate measures to protect against unauthorized access to confidential consumer data as an unfair act or practice prohibited by Section 5 of the Federal Trade Commission Act (“FTCA”), 15 U.S.C. § 45. Orders resulting from these actions further clarify the measures businesses must take to meet their data security obligations.

80. These FTC enforcement actions include actions against financial institutions, like Defendant.

81. Section 5 of the FTC Act, 15 U.S.C. § 45, prohibits “unfair . . . practices in or affecting commerce,” including, as interpreted and enforced by the FTC, the unfair act or practice by businesses, such as Defendant, of failing to use reasonable measures to protect PII. The FTC publications and orders described above also form part of the basis of Defendant's duty in this regard.

82. Defendant failed to properly implement basic data security practices.

24 Id.
83. Defendant's failure to employ reasonable and appropriate measures to protect against unauthorized access to customers’, customer applicants’, and employees’ PII, or to comply with applicable industry standards, constitutes an unfair act or practice prohibited by Section 5 of the FTC Act, 15 U.S.C. § 45.

84. Upon information and belief, TCB was at all times fully aware of its obligation to protect the PII of its customers, customer applicants, and employees, and was also aware of the significant repercussions that would result from its failure to do so. Accordingly, Defendant's conduct was particularly unreasonable given the nature and amount of PII it obtained and stored and the foreseeable consequences of the immense damages that would result to Plaintiff and the Class.

Defendant Fails to Comply with Gramm-Leach-Bliley Act

85. TCB is a financial institution, as that term is defined by Section 509(3)(A) of the Gramm-Leach-Bliley Act (“GLBA”), 15 U.S.C. § 6809(3)(A), and thus is subject to the GLBA.

86. The GLBA defines a financial institution as “any institution the business of which is engaging in financial activities as described in Section 1843(k) of Title 12 [The Bank Holding Company Act of 1956].” 15 U.S.C. § 6809(3)(A).

87. Defendant collects nonpublic personal information, as defined by 15 U.S.C. § 6809(4)(A), 16 C.F.R. § 313.3(n), and 12 C.F.R. § 1016.3(p)(1). Accordingly, during the relevant time period Defendant was subject to the requirements of the GLBA, 15 U.S.C. §§ 6801 et seq., and is subject to the numerous rules and regulations promulgated under the GLBA statutes.

88. The GLBA Privacy Rule became effective on July 1, 2001. See 16 C.F.R. Part 313. Since the enactment of the Dodd-Frank Act on July 21, 2010, the CFPB has been responsible for implementing the Privacy Rule. In December 2011, the CFPB restated the implementing regulations in an interim final rule that established the Privacy of Consumer Financial Information, Regulation P, 12 C.F.R. Part 1016 (“Regulation P”), with the final version becoming effective on October 28, 2014.

89. Accordingly, Defendant's conduct is governed by the Privacy Rule prior to December 30, 2011 and by Regulation P after that date.

90. Both the Privacy Rule and Regulation P require financial institutions to provide customers with an initial and an annual privacy notice. These privacy notices must be “clear and conspicuous.” 16 C.F.R. §§ 313.4 and 313.5; 12 C.F.R. §§ 1016.4 and 1016.5. “Clear and conspicuous means that a notice is reasonably understandable and designed to call attention to the nature and significance of the information in the notice.” 16 C.F.R. § 313.3(b)(1); 12 C.F.R. § 1016.3(b)(1). These privacy notices must “accurately reflect[] [the financial institution’s] privacy policies and practices.” 16 C.F.R. §§ 313.4 and 313.5; 12 C.F.R. §§ 1016.4 and 1016.5. They must include specified elements, including the categories of nonpublic personal information the financial institution collects and discloses, the categories of third parties to whom the financial institution discloses the information, and the financial institution’s security and confidentiality policies and practices for nonpublic personal information. 16 C.F.R. § 313.6; 12 C.F.R. § 1016.6. These privacy notices must be provided “so that each consumer can reasonably be expected to receive actual notice.” 16 C.F.R. § 313.9; 12 C.F.R. § 1016.9. As alleged herein, Defendant violated the Privacy Rule and Regulation P.

91. Upon information and belief, Defendant failed to provide annual privacy notices to customers after the customer relationship ended, despite retaining those customers’ PII and storing that PII on Defendant's network systems.
92. Defendant failed to adequately inform its customers that it was storing and/or sharing, or would store and/or share, the customers’ PII on an insecure platform, accessible to unauthorized parties from the internet, and that it would do so after the customer relationship ended.

93. The Safeguards Rule, which implements Section 501(b) of the GLBA, 15 U.S.C. § 6801(b), requires financial institutions to protect the security, confidentiality, and integrity of customer information by developing a comprehensive written information security program that contains reasonable administrative, technical, and physical safeguards, including: (1) designating one or more employees to coordinate the information security program; (2) identifying reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information, and assessing the sufficiency of any safeguards in place to control those risks; (3) designing and implementing information safeguards to control the risks identified through risk assessment, and regularly testing or otherwise monitoring the effectiveness of the safeguards’ key controls, systems, and procedures; (4) overseeing service providers and requiring them by contract to protect the security and confidentiality of customer information; and (5) evaluating and adjusting the information security program in light of the results of testing and monitoring, changes to the business operation, and other relevant circumstances. 16 C.F.R. §§ 314.3 and 314.4.

94. As alleged herein, Defendant violated the Safeguards Rule.

95. Defendant failed to assess reasonably foreseeable risks to the security, confidentiality, and integrity of customer information.

96. Defendant violated the GLBA and its own policies and procedures by sharing the PII of Plaintiff and Class Members with a non-affiliated third party without providing Plaintiff and Class Members (a) an opt-out notice and (b) a reasonable opportunity to opt out of such disclosure.
Defendant Fails To Comply With Industry Standards

97. As noted above, experts studying cyber security routinely identify entities in possession of PII as being particularly vulnerable to cyberattacks because of the value of the PII which they collect and maintain.

98. Several best practices have been identified that, at a minimum, shou