Preview
JULIAN HAMMOND (SBN 268489)
jhammond@hammondlawpc.com
POLINA BRANDLER (SBN 269086)
pbrandler@hammondlawpc.com
ARI CHERNIAK (SBN 290071)
acherniak@hammondlaw.com
HAMMONDLAW, P.C.
1829 Reisterstown Rd. Suite 410
Baltimore, MD 21208
Tel: (310) 601-6766
Fax: (310) 295-2385
LAURA L. Ho (SBN 173179)
lho@gbdhlegal.com
GOLDSTEIN, BORGEN, DARDARIAN & HO
300 Lakeside Drive, Suite 1000
Oakland, CA 94612
Tel: (510) 763-9800
Fax: (510) 835-1417
Attorneys for Plaintiff and Putative Class
SUPERIOR COURT OF THE STATE OF CALIFORNIA
COUNTY OF SANTA CLARA
ALEJANDRO GUTIERREZ, individually and on Case No.
behalf of all other similar situated individuals
CLASS ACTION COMPLAINT
Plaintiff
NEGLIGENCE;
s. BREACH OF IMPLIED CONTRACT;
FRIENDFINDER NETWORKS, INC., a Delaware INVASION OF PRIVACY;
Corporation VIOLATION OF CALIFORNIA’S
CUSTOMER RECORDS ACTCIVIL
Defendant CODE § 1798.80, ET SEQ.
VIOLATION OF CALIFORNIA’S
ONLINE PRIVACY PROTECTION
ACT, CAL. BUS. & PROF. CODE
ET SEQ.
VIOLATION OF CALIFORNIA’S
UNFAIR COMPETITION LAW, CAL.
BUS. & PROF. CODE § 17200, ET SEQ.
JURY TRIAL DEMANDED
LASS CTION OMPLAINT
716671.2
Plaintiff ALEJANDRO GUTIERREZ(“Plaintiff”), by and through undersigned counsel, on
behalf of himself and all others similarly situated, alleges the following claims and causes of action
against Defendant FRIENDFINDER NETWORKS, INC. (“Defendant”), based upon personal
knowledge as to Plaintiff’s own acts, and on information and belief as to all other matters based upon,
inter alia, the investigation conducted by and through Plaintiff’s counsel as follows:
SUMMARY OF THE CASE
Defendant operates an adult online dating site under the AdultFriendFindertrademark
with the Internet address, www.adultfriendfinder.com (“AFF”). The AFF website, in operation since
1996, is designed to facilitate discreet adult relationships between individuals and groups who seek to
find similar minded adults forsexual encounters and is described on the company website as the
“World’s Largest Sex & Swinger Community ” While promising to keep its users’ confidential
personal information secure, Defendant failed to safeguard this information. As a result, in or about
October 2016, a hacker or a group of hackers breached Defendant’s system and downloaded two
decades worth of information from approximately 339 million accounts, making the AFF security
breach the second largest in the 21 Century, trailing only beh nd the massive Yahoo! breach.
Of the 339 million accounts affected, approximately 71.9% belonged to users in the
United States and 15 million belonged to users who had “deleted” their accountsAn additional 70
million users whose information was stolen were customers ofother x rated websites, which
Defendant sold to Penthouse Global Media prior to the breach. It is believed that the stolen
information included: e mail addresses, passwords, whether or not a user was a VIP member, browser
information, thelast IP address used to log in, and user purchases, as well as other sensitive personal
information, such as users’ photographs (“Personal Identifiable Information” or “PII”).
AFF did not admit to the breach when it was contacted by a media source, but
proximately a week later began to notify its customers of the breach by surfacing a message when a
user logged into his/her account. But, this type of notice did not reach millions of users affected as of
the 700 million users AFF boasts, according to an analysis of the last login dates, over 200 million
have not logged in since 2010, and 15 million of the compromised accounts were “deleted” accounts
LASS CTION OMPLAINT
716671.2
The October 2016 breach was not the first breach of Defendant’s system Defendant’s
system was also hacked in 2015,exposing close to 4 million accounts, which contained sensitive
personal information, such as sexual preference and whether the user was looking for extramarital
affairs Given the “warning” Defendant received in 2015, it is baffling that Defendant did not take
appropriate measures to secure its systemand just a year later allowed another massive breach to
occur.
Plaintiff brings this class action on behalf of himself and all similarly situated
individuals in the United States who created an account(s) on www.AdultFriendFinder.com and whose
personal identifying information was accessed, compromised, or stolen and/or released as a result of
the AFF data breach in October 2016 (“National Class”). Plaintiff also brings this class action on
behalf of a classcomprised of himself and all similarly situated individuals in California who created
an account(s) on www.AdultFriendFinder.com and whose personal identifying information was
accessed, compromised, or stolen and/or released as a result of the AFF data breach in October 2016
(“California lass”).The members of the National Class and California Class are collectively referred
to herein as the “Class” or “Class Members”), except where otherwise noted in order to differentiate
them
Plaintiff aClass Members suffered injury. The security breach compromised their
Personal Identifiable Information, which was used or is at risk of being used in fraudulent transactions
around the world, as well as other invidious exposure.
JURISDICTION
This Court has jurisdiction over the claims of negligence and breach of implied
contract.
This Court has jurisdiction overPlaintiff’s claim based on invasion of privacy.
This Court has jurisdiction over Plaintiff’s claim based on the violation of California’s
Customers Records Act, Civil Code § 1798.80 et seq.
This Court has jurisdiction over Plaintiff’s claim based on the violation of California’s
Online Privacy Protection Act, Bus. & Prof. Code § 22575 et seq.
LASS CTION OMPLAINT
716671.2
This Court has jurisdiction over Plaintiff’s claim arising from Defendant’s
nlawful /unfair/fraudulentbusiness practices, under Cal. Bus. & Prof. Code § 17200 et seq.
VENUE
Venue is proper in Santa Clara County pursuant to California Code of Civil Procedure
395(a) Defendant is located in Santa Clara County, California , many of the acts giving rise to the
violations complaint of occurred in Santa Clara County or arose out of decisions made in Santa Clara
County
PARTIES
Plaintiff is a male who resides in Woodland Hills, CaliforniaPlaintiff created an
account with www.adultfriendfinder.com in approximately As part of the process of creating his
account, Plaintiff created a username and password and provided confidential personal information in
reliance on Defendant’s promise to safeguard his information. Plaintiff also uploaded photographs of
himselfPlaintiff subsequently purchased points for the purpose of communicating with other AFF
users In order to make purchases, Plaintiff was required to provide his full name, street address, and
his credit card and/or debit card number and CVV code. Plaintiff’s information was compromised as a
result of Defendant’s security failures, which were released and reposted on other websites by
unauthorized usersAs a result of such compromise, Plaintiff suffered losses and damages in an
amount yet to be completely determinable as such losses and damages are ongoing.Had Plaintiff
known that Defendant would not take industry standard measures to safeguard his information, he
would not have sign up for an AFF account and would not havemade purchases and entered his credit
card information on the AFF website.
Defendant FriendFinder Networks, Inc. is a privatel held corporation headquarteredin
Campbell, California, and is regularly engaged in the business of operating online dating websites,
including www.adultfriendfinder.comDefendant also has offices in Florida.
LASS CTION OMPLAINT
716671.2
FACTS COMMON TO ALL COUNTS
Defendant Collected Users’ Personal Information and Assured Users That It Would
Safeguard It
Defendant is a merchant that owns, operates and controls several dating and
entertainment sides, including a website branded as “Adult FriendFinder” found at
adultfriendfinder.com, penthouse.com and cams.comAdultFriendFinder.com is a dating website
marketed to persons 18 or older who desire to meet similar ed adults for casual sexual
relationships with individuals or groups.
Defendant markets AdultFriendFinder.com to consumers in the United States aswell as
outside the United StatesThe website has more than 85 million current users in 37 countries. It is
rated the fortieth most popular adult website in the United StatesDefendant markets the website
through television, radio, billboard, and Internet advertisements.
AFF boasts membership of over 700 million and has proven extraordinarily lucrative,
yielding Defendant revenues more than $300 million annually.
When users establish an account with AFF, users must provide Defendant with PII,
including in some cases, debit and credit card information.
For example, users are required to purchase points or subscriptions in order to initiate
conversations with other members, which requires users to enter their credit or debit card information
AFF also encourage users to provide their PII by stating that failure to provide such
information may result in users not being able to access some or all of AFF services.
LASS CTION OMPLAINT
716671.2
Users enter on AFF’s website sensitive personal information, such as first and last
name, date of birth,billing address, photographs, sexual preferences, and more.
Defendant’s Privacy Policy posted on the AFF website expl ins the type of personal
information it collects from account holders:
Defendant’s Privacy Policy further describes the numerous instances during which
Defendant collects its users PII, which includes “When you register for an account or interact with our
Services” “When you provide orshare Personal Information within our Services” “When you
communicate with us or sign up for promotional materials” “When you engage with our online
communities or advertising” “When we collect Personal Information from third parties or publicly
availablesources” “When we leverage and/or collect cookies or device IDs” “When we link you to
other members without our Sites or Services”, and in other instances.
Defendant encourages users to in fact provide their PIIby restricting use of its website
if information is not provided:
FRIENDFINDER NETWORKS INC.’S PRIVACY POLICY, at
https://adultfriendfinder.com/go/page/privacy.html?who=r,FBg6ARA81X5JG92Q7xkp9jwHPP1JtwZ
8fhfmvuOmxD1_grY2m9thVBVe1qTY/6i6OoUnj8iZ4fwr4jW_8xvk8H8LV9MjUNMhmpgi34fyU5o
JF4aRzAl6p4nu3ZCOWrE1 (last visited May 29,
Id.
LASS CTION OMPLAINT
716671.2
Defendant also informs its users that it shares personal information provided to
by them only under limited circumstances:
Defendant represent and warrant to Plaintiff and Class Members that their PII was
secure and would remain private In particular, Defendant represented: “FFN Websites use reasonable
security measures to help protect and prevent the loss, misuse, and alteration of the information under
our controlWe use industry standard efforts , such as firewalls, to safeguard your Personal
Information
Defendant sures its users that the privacy of its members was very important:
Id.
Id.
LASS CTION OMPLAINT
716671.2
Breach of Defendant’s System, Defendant’s Outdated Security Measures, And
Defendant’s Inadequate and Unreasonably Delayed Notiof the Breach
Despite the fact that Defendant’s system suffered a breach in 2015, Defendant failed to
take commercially reasonable/ industry standard measures to safeguard the PII of its users.
Both breache occurred by the same method of attac, highlighting that AFF failed to
learn from its mistakes and take adequate measures to protect its users’ PII
Upon information and belief, Defendant did not encrypt data and passwords are (or
were at the time of the breach) stored in plain visible format, or with the poor Secure Hash Algorithm 1
(“SHA 1”) that is not regarded as secure and has not been regarded as secure well before the October
2016 breach.
Experts begandiscovering weaknesses in SHA 1 since before 2007and it has been
more than five years (or in approximately 2012 or 2013) since the National Institute of Standards and
Technology removed all support for the protocol in favor of new cryptographic hash functions like
next gen family members SHA 256 and SHA
In or about October 2016, a hacker or a group of hackers breached Defendant’s system
and downloaded two decades worth of personal information of 339 million AFF users.
Of the 339 million accounts affected, 15 million belonged to members who had actively
deleted their accountsYet, Defendant failed to separate this information from active users or
otherwise delete this data from database(s)
It is estimated that approximately 71.9% of the affected accounts belonged to user in
the United States.
Upon information and belief, users’ data was published on the black market afterit was
downloaded.
Plaintiff’s account and personal information is among the information thatwas
compromised in the breach.
This massive data breach could have been prevented had Defendant taken the necessary
and reasonable precautions to protect its users’ information by using recognized industry standards to
safeguard the information, not outdated encryption methods rejected by the industry years prior.
LASS CTION OMPLAINT
716671.2
Defendant’s Notice to Its User of the Breach Was Delayed and Inadequate
After learning of the breach, Defendant failed to notify Plaintiff and Class Members in a
timely manner and failed to take reasonable steps to inform Plaintiff and Class Members of the extent
of the breach.
The data breach was first reported by the media in October 2016Defendant , however,
did not notify its members until in or about late November 2016.
In or about early November 2016, Defendant was directly confronted by a reporter with
information about the breach, but Defendant did not admit the breach at that timePenthouse Global
Media had members whose information was stored in Defendant’s system and was also affectedby the
breach. Its CEO Kelly Holland confirmedin early November 2016 that her company was aware of the
breach and was waiting for Defendant to provide a detailed scope of the breach.
Finallyin or about late November 2016 Defendant began notifying its users/account
holders of the breach.
However, Defendant’s notice did not reach everyone because Defendant notified its
account holders only through a message window that appeared when users signed in to their accounts,
and as reported by some users, through messages in their account inboxesApproximately 200 million
LASS CTION OMPLAINT
716671.2
inactive users who did not access Defendant’s website did not receive the notification provided on
Defendant’s site:
Plaintiff and Class Members’ PII Information Is Valuable on the Black Market
The types of information compromised in the AFF data breach are very valuable to
identity thieves In addition to credit and debit card information, names, email addresses, recovery
email accounts, dates of birth, and passwords can all be used to gain access to a variety of existing
unts and websites.
Identity thieves can also use the PII to harm Plaintiff and Class Members through
embarrassment, blackmail or harassment in person or online, or to commit other types of fraud
including obtaining ID cards or driver’s licenses, fraudulently obtaining tax returns and refunds, and
obtaining government benefits.
A Presidential Report on identity theft from 2008 states that:
In addition to the losses that result when identity thieves fraudulently open accounts or
misuse existing accounts, . . . individual victims often suffer indirect financial costs,
including the costs incurred in both civil litigation initiated by creditors and in
overcoming the many obstacles they face in obtaining or retaining credit Victims of non
financial identity theft, for example, health related or criminal record fraud, face other
types of harm and frustration.
In addition to out pocket expenses that can reach thousands of dollars for the victims
of new account identity theft, and the emotional toll identity theft can take, some victims
have to spend what can be a considerable amount of time to repair the damage caused by
the identity thieves Victims of new account identity theft, for example, must correct
fraudulent information in their credit reports and monitor their reports for future
inaccuracies, close existing bank accounts and open new ones, and dispute charges with
individual creditors.
To put it into context, the 2013 Norton Report, based on one of the largest consumer
cybercrime studies ever conducted, estimated that the global price tag of cybercrime was around $113
billion at that time, with the average cost per victim being$298 dollars.
Image taken from https://www.cybersecurity insiders.com/adultfriendfinder network finally comes
clean members about hack/ (last visited June 1, 2018)
The President’s Identity Theft Task Force, Combating Identity Theft: A Strategic Plan, Federal Trade
Commission, 11 (April 2007), http://www.ftc.gov/sites/default/files/documents/reports/ combating
identity theft strategic plan/strategicplan.pdf.
LASS CTION OMPLAINT
716671.2
The problems associated with identity theft are exacerbated by the fact that many
identity thieves will wait years before attempting to use the PII they have obtained Indeed, a
Government Accountability Office study found that “stolen data may be held for up to a year or more
before being used to commit identity theft.” In order to protect themselves, Class Members will need
to remain vigilant against unauthorized data usefor years and decades to come.
Once stolen, PII can be used in a number of different waysOne of the most common is
that it is offered for sale on the “dark web,” a heavily encrypted part of the Internet that makes it
difficult for authorities to detect the location or owners of a websiteThe dark web is not indexed by
normal search engines such as Google and is only accessible using a Tor browser (or similar tool),
which aims to conceal users’ identities and online activityThe dark web is notorious for hosting
marketplaces selling illegal items, such as weapons, drugs, and PIIWebsites appear and disappear
quickly, makingit a very dynamic environment.
As stated above, data downloaded from AFF’s website by hackers, which includes Plaintiff’s and
Class Members’ PII, has in fact been offered for sale on the dark web.
Once someone buys PII, it is then used to gain access to different areas of the victim’s
digital life, including bank accounts, social media, and credit card detailsDuring that process, other
sensitive data may be harvested from the victim’s accounts, as well as from those belonging to family,
friends, and colleagues.
In addition to PII, a hacked email account can be very valuable to cyber criminals
Since most online accounts require an email address not only as a username, but also as a way to verify
accounts and reset passwords, a hacked email account could open up a number of other accounts to an
attacker.
The Extent ofInjury Resulting From the Breach is Not Yet Known; Plaintiff and Class
Members Are Exposed to Increased Risk of Identity Theft, Blackmail, and Other Harm
For Years
As a resultof the breach , Plaintiff and Class Members face increased risk of identity
fraud, blackmail, and other potential harm for years to come.
Repo rt to Congressional Requesters, U.S. Government Accountability Office, 33 (June 2007),
available at www.gao.gov/new.items/d07737.pdf.
LASS CTION OMPLAINT
716671.2
Plaintiff’s and Class Members’ PII will be indefinitely available to those who are
willing to pay for it.
Had Plaintiff and the Class Members known of the true facts about AFF they would not
have registered and made purchases from AFF or would not have shared as much personal information
on the AFF website.
CLASS ACTION ALLEGATIONS
Plaintiff brings this action on his own behalf and, pursuant to California Civil Procedure
Code § 382, on behalf of a National Class and California lass, as defined above in paragraph
Plaintiff’s claims are typical of the claims of the National Classand of the California
ClassPlaintiff and all members of the National Class and Plaintiff and all members of the California
Class were injured through the uniform misconduct described above and assert the same claims for
relief.
The embers of the National Class and the members of the California Class are so
numerous that joinder of all embers isimpr acticableOn information and belief, hundreds of
thousands, or more creditand/or debit cards may have been compromised, and the embers of the
Classare geographically dispersedDisposition of the claims of the proposed National Class and
California Class in a class action willprovide substantial benefits to both the parties and the Court.
Plaintiff will fairly and adequately represent the interests of the Clas Plaintiff has no
conflict of interest with any member of the Class Plaintiff has retained competent and experienced
counsel in complex class action litigationPlaintiff’s counsel ha the expertise and financial
resources to adequately represent the interests of the Clas
Common questions of law and fact exist as to all members of the tional Class andthe
California Class andpredominate over any questions solely affecting individual members of the
National Classand the California Class Among the questions of law and fact common to the Plaintiff
and the National Class and the California Classare the following:
LASS CTION OMPLAINT
716671.2
For the California Class
Whether Defendant represented to the Class that it would safeguard Class
Members’ PII;
Whether Defendant owed a legal duty to Plaintiff and the Class to exercise due
care in collecting, storing, and safeguarding their PII;
Whether Defendant breached a legal duty to Plaintiff and the Class to exercise
due care in collecting, storing, and safeguarding their PII;
iv. Whether Defendant failed to use reasonable care and commercially reasonable
methods to secure and safeguard its users’ private personal information;
Whether Plaintiff’s and Class Members’ PII was accessed, compromised, or
stolen in the 2016 breach;
vi. Whether Defendant failed to timely notify Plaintiff and California Class
Members of the breach;
vii. Whether Defendant took reasonable measures to determine the extent of the
breach after it first learned of the same;
viii. Whether Defendant’s method of informing users/consumers of the breach and
the description of the breach was reasonable;
ix. Whether Defendant breached an implied contract with the California Class
Members;
Whether Defendant violated Plaintiff’s and California Class Members’ privacy
rights;
xi. Whether Defendant violated the requirements of California Civil Code §
et seq.
xii. Whether Plaintiff and Class Members are entitled to recover actual damages,
statutory damages, and/or punitive damages;
For the National Class
Whether Defendant failed to use reasonable care and commercially reasonable
methods to secure and safeguard its users’ private personal information;
Whether Defendant violated the Stored Communications Act, 18 U.S.C. § 2702;
Whether Defendant’s conduct was deceptive, unfair, and/or unlawful under Cal.
Bus.
iv. & Prof. Code § 17200 et seq.
LASS CTION OMPLAINT
716671.2
Whether Plaintiff and Class Members are entitled torestitution, disgorgement,
and/orother equitable relief.
Class action treatment is superior to other available means for the fair and efficient
adjudication of this controversy Individual joinder of all Class Members is not practicable, and
questions of law and fact common to the Class predominate over any questions affecting only
individual members of the ClassEach Class Member has been damaged or may be damaged in the
future because of Defendant’s unlawful, deceptive and/or negligent practices described above.
Certification of this case as a class action will allow those similarly situated persons to litigate their
claims in the manner that is most efficient and economical for the parties and the judicial system and
would prevent repetitious litigation relating to Defendant’s wrongful actions and/or inactionsThe
expense and burden of litigation would substantially impair the ability of Plaintiff and Class Members
to pursue individual lawsuits to vindicate their rights. Absent a class action, Defendant will retain the
benefits of its wrongdoing despite its serious violation of the law.
FIRST CAUSE OF ACTION
NEGLIGENCE
(On behalf of Plaintiff and the CaliforniaClass)
Plaintiff realleges and incorporates by reference the allegations contained in the
preceding paragraphs.
Defendant had a duty to timely disclose to Plaintiff and the Class that a data breach had
occurred, and their Personal Information had been compromised, or was reasonably believed to be
compromised.
Defendant, by and through its above negligent acts and/or omissions, breached its duty
to Plaintiff and Class Members by failing to exercise reasonable care in protecting and safeguarding
their Personal Information, which was in Defendant’s possession, custody, and control.
Defendant also breached its duty of care by failing to timely disclose to Plaintiff and
Class Members that a breach of security had occurred, and their Personal Information had been
compromised, or was reasonably believed to have been compromised.
But for Defendant’s negligent and wrongful breach of its duties owed to Plaintiff and
Class Members, their Personal Information would not have been compromised.
LASS CTION OMPLAINT
716671.2
Plaintiff’s and Class Members’ Personal Information was compromised and/or stolen as
a direct and proximately result of Defendant’s breach of its duties as set forth herein.
As a direct and proximate result of Defendant’s acts and omissions, Plaintiff and Class
Members have suffered injuries and damages as alleged herein.
Defendant’s conduct was undertaken in bad faith, with malice, and/or was willful and
wanton and in reckless and conscious disregard of the rights of the Plaintiff and the Class Members,
which entitles the Plaintiff and Class Members to be awarded punitive damages or exemplary damages
in amount s ufficient to punish and deter Defendant and also to deter other entities and persons from
similar conduct in the future.
Plaintiff on behalf of himself and the Class seeks compensatory damages and punitive
damages with interest, attorneys’ fees and costs, and any other and further relief as this Court deems
just and proper.
SECONDCAUSE OF ACTION
BREACH OF IMPLIED CONTRACT
(On behalf of Plaintiff and the CaliforniaClass)
Plaintiff realleges and incorporates by reference the allegations contained in the
preceding paragraphs.
laintiff and Class Members were required to provide Defendant with their Personal
Information in order to register with Defendant’s website and utilize its functions.
Implicit in this requirement was a covenant requiring Defendant to take reasonable
efforts to safeguard this information and promptly notify Plaintiff and Class Members in the event their
Personal Information was compromised.
Similarly, it was implicit that Defendant would not disclose Plaintiff’s and Class
Members’ Personal Information.
Notwithstanding its obligations, Defendant knowingly failed to safeguard and protect
Plaintiff’s and Class Members’ Personal Information. To the contrary, Defendant allow ed this
information to be disseminated to unauthorized third parties.
LASS CTION OMPLAINT
716671.2
Defendant’s above wrongful actions and/or inactions breached their implied contracts
with Plaintiff and Class Members, which in turn directly and/or proximately caused Plaintiff and Clas
Members to suffer substantial injuries, as described above.
Plaintiff on behalf of himself and the Class seeks actual and compensatory damages,
injunctive relief, costs, expenses and attorneys’ fees, and any other and further relief as this Court
deems just and proper.
IRDCAUSE OF ACTION
INVASION OF PRIVACY PUBLIC DISCLOSURE OF PRIVATE FACTS, AND
CALIFORNIA CONSTITUTION RIGHT TO PRIVACY
(On behalf of Plaintiff and the California lass)
Plaintiff realleges and incorporates by reference the allegations contained in the
preceding paragraphs.
Plaintiff and California Subclass Members had reasonable expectations of privacy in the
private information Defendant mishandled.
By failing to keep Plaintiff’s and Subclass Members’ private information safe, and b
misusing and/or disclosing said information to unauthorized parties for unauthorized use, Defendant
invaded Plaintiff’s and Subclass Members’ privacy by:
Violating Plaintiff’s and Subclass Members’ right to privacy under California
Constitution, Article 1, Section 1, by failing to protect Plaintiff’s and Subclass
Members’ privacy and property that was disclosed to an unauthorized third
party.
Permitting intrusion into Plaintiff’s and Subclass Members’ private affairs in a
manner that would be highly offensive to a reasonable person.
Defendant had previous knowledge of its inadequate data security and thereby acted
with reckless disregard, by failing to protect the personal information of the Plaintiff and Subclass
Members.
Defendant permitted invasion intoPlaintiff’s and Class Members’ right to privacy and
intruded into Plaintiff’s and Class Members’ private affairs by allowing misuse and/or disclosure of
Plaintiff’s and Class Members’ private information without their informed, voluntary, affirmative and
clear consent.
LASS CTION OMPLAINT
716671.2
As a proximate result of such misuse and disclosures, Plaintiff’s and Class Members’
reasonable expectations of privacy regarding their personal information was unduly frustrated and
thwarted and they suffered a serious invasion of their protected privacy interests.
Having previous knowledge of data security inadequacies, Defendant’s ongoing failure
to protect Plaintiff’s and Class Members’ private information, and in allowing misuse and/or disclosure
of that information, Defendant has actedin conscious disregard of Plaintiff’s and Class Members’
rights to have such information kept confidential and private.
Plaintiff on behalf of himself and the California Subclass, therefore, seeks an award of
punitive damages and any such other and further relief as this Court may deem just and appropriate.
OURTH CAUSE OF ACTION
VIOLATION OF CALIFORNIA’S CUSTOMER RECORDS ACT
Cal. Civ. Code §§ 1798.80, et seq.
(On behalf of Plaintiff andthe California lass)
Plaintiff realleges and incorporates by reference the allegations contained in the
preceding paragraphs.
“[T]o ensure that personal information about California residents is protected,” the
California Legislature enacted California Customer Records ActThis statute states that any business
that “owns or licenses personal information about a California resident shall implement and maintain
reasonable security procedures and practices appropriate to the nature of the information, to protect the
personal information from unauthorized access, destruction, use, modification, or disclosure.”
CCRACC §
Defendant is a “business” within the meaning of CCRACC § 1798.80(a).
Plaintiff and California Class Membersare “customer[s]” within the meaning of the
CCRACC § 1798.80(c) “who provide[d] personal information to [Defendant] for the purpose of
purchasing or leasing a product or obtaining a service from the business.” The information retained by
Defendant constitutes “personal information” as defined in CCRACC § 1798.81.5(d)(1).
LASS CTION OMPLAINT
716671.2
Pursuant to CCRACC § 1798.82(g), the unauthorized acquisition of computerized data
that compromises the security, confidentiality, or integrity of personal information of over 339 million
adultfriendfinder.com ustomers constitutes a “breach of [its] security system.”
By keeping users’ personal data within its custody and control longer than necessary,
and by failing to properly and adequately dispose or make users’ data undecipherable, Defendant
violated CCRACC § 1798.81.
By failing to implement reasonable security procedures and practices appropriate to the
nature of Plaintiff’s and California Class Members’ personal information, Defendant violated
CCRACC § 1798.81.5(b).
Additionally, by failing to promptly notify all affected AFF website users that their
personal information had been acquired (or was reasonably believed to have been acquired) by
unauthorized persons in the data breach, Defendant violated § 1798.82 of the same title.
As a direct and proximate result of Defendant’s failure to implement and maintain
reasonable security procedures and practices to protect Plaintiff’s and California ClassMembers’
personal and financial information, Plaintiff and California Class Members suffered damages,
including, but not limited to, loss of and invasion of privacy, loss of property, loss of money, loss of
control of their personal and financial nonpublic information, fear and apprehension of fraud and loss
of control over their personal and financial information, the burden of taking actions to protect
themselves from fraud or potential fraud.
Plaintiff on behalf of himself and the California Classseeks all remedies available
under CCRACC § 1798.84, including, but not limited to: (a) damages suffered by California Class
Members, and (b) equitable relief. Plaintiff on behalf of himself and the California Class also seeks
reasonable attorneys’ fees and costs under applicable law, and any such other and further relief as this
Court may deem just and appropriate.
LASS CTION OMPLAINT
716671.2
FIFTH CAUSE OF ACTION
VIOLATION OF CALIFORNIA’S ONLINE PRIVACY A
Cal. Bus. & Prof. Code § 22575, et seq.
(On behalf of Plaintiff and the California lass)
Plaintiff realleges and incorporates by reference the allegations contained in the
preceding paragraphs.
AFF is a commercial website or online service that collects personally identifiable
information through the Internet about individual consumers residing in California, and elsewhere,
who use or visit its commercial Web site or online services, within the meaning of California Business
and Professions Code § 22575(a).
Defendant failed to adhere to their posted privacy policy concerning the care they
would take to safeguard Plaintiff’s and California Subclass Members’ PII, and negligently and
materially failed to adhere to their posted privacy policy with respect to the extent of their disclosure of
users’ data, in violation of California Business and Professions Code § 22576.
As a result of Defendant’s failures to adhere to their privacy policies and its violations
of California Business and Professions Code § 22575, et seq., Plaintiff and the Subclass have suffered
injuries described in detail herein.
Plaintiff, on his own behalf and on behalf of the putative classes, seeks all remedies
available under California Business and Professions Code § 22575, et seq.
TH CAUSE OF ACTION
VIOLATION OF CALIFORNIA’S UNFAIR COMPETITION LAW (“UCL”)
Cal. Bus. & Prof. Code § 17200, et seq.
(On behalf of Plaintiff and the National Class)
Plaintiff realleges and incorporates by reference the allegations contained in the
preceding paragraphs.
Defendant’s conduct constitutes unfair and illegal and fraudulent business practices
within the meaning of the California Business & Professions Code § 17200, et seq.
efendant’s conduct violated certain laws as alleged above.
LASS CTION OMPLAINT
716671.2
Additionally, Defendant’s conduct violated the Stored Communications Act, 18 U.S.C.
(“SCA”) Defendant provi des, throughits servers (which are under Defendant’s control), an
“electronic communication service to the public” within the meaning of the SCA because Defendant’s
services allow members of AFF to submit their Personal Information to the AFF website and allows
members to communicate electronically with other members through Defendant’s servers.
Furthermore, Defendant provides an “electronic communication service to the public” within the
meaning of the SCA because Defendant provides consumers at large with credit and debit card
payment processing capability that enables them to send or receive wire or electronic communications
concerning their private financial information to transaction managers, card companies, or banks.
By failing to take commercially reasonable steps to safeguard sensitive Personal
Information, even after Defendant was aware that users’/customers’ Personal Information had been
compromised, Defendant knowingly divulged customers’ private communications and Personal
Information, in violation of the SCA.
Furthermore, Defendant knowingly retained information which it should have deleted,
and which certain users who had deleted their accounts reasonably expected to be deleted and purged
from Defendant’s system, despite the reliance of the Class that such information had been deleted, and
the despite the risk that such information would ultimately be divulged in a data breach or otherwise.
Defendant thereby knowingly divulged customers’ PII, in violation of the SCA.
Through its servers, Defendant provide remote computing services to the public within
the meaning of the SCA.
By failing to take commercially reasonable steps to safeguard sensitive private financial
information, Defendant ha knowingly divulged customers’ Personal Information that was carried and
maintained on Defendant’s remote computing service in violation of the SCA.
By engaging in the conduct described in paragraphs through , above, in the
course of doing business, Defendant engaged in unlawful business practices in violation of the
California Business & Professions Code § 17200, et seq.
By failing to adequately secure Plaintiff and Class Members’ Personal Information
and private financial information, and failing to promptly notify Class Members of the breach,
LASS CTION OMPLAINT
716671.2
Defendant engaged in unfair business practices in violation of the California Business & Professions
Code § 17200, et seqThe gravity of the harm to Plaintiff and Class Members outweighed any utility
that Defendant’s conduct may have produced.
Defendant’s failure to disclose information concerning the Data Breach directly and
promptly to affected customers, constitutes a fraudulent act or practice in violation of California
Business & Professions Code section 17200, et seq.
Plaintiff suffered injury in fact and lo
Preview
JULIAN HAMMOND (SBN 268489) jhammond@hammondlawpc.com POLINA BRANDLER (SBN 269086) pbrandler@hammondlawpc.com ARI CHERNIAK (SBN 290071) acherniak@hammondlaw.com HAMMONDLAW, P.C. 1829 Reisterstown Rd. Suite 410 Baltimore, MD 21208 Tel: (310) 601-6766 Fax: (310) 295-2385 LAURA L. Ho (SBN 173179) lho@gbdhlegal.com GOLDSTEIN, BORGEN, DARDARIAN & HO 300 Lakeside Drive, Suite 1000 Oakland, CA 94612 Tel: (510) 763-9800 Fax: (510) 835-1417 Attorneys for Plaintiff and Putative Class SUPERIOR COURT OF THE STATE OF CALIFORNIA COUNTY OF SANTA CLARA ALEJANDRO GUTIERREZ, individually and on Case No. behalf of all other similar situated individuals CLASS ACTION COMPLAINT Plaintiff NEGLIGENCE; s. BREACH OF IMPLIED CONTRACT; FRIENDFINDER NETWORKS, INC., a Delaware INVASION OF PRIVACY; Corporation VIOLATION OF CALIFORNIA’S CUSTOMER RECORDS ACTCIVIL Defendant CODE § 1798.80, ET SEQ. VIOLATION OF CALIFORNIA’S ONLINE PRIVACY PROTECTION ACT, CAL. BUS. & PROF. CODE ET SEQ. VIOLATION OF CALIFORNIA’S UNFAIR COMPETITION LAW, CAL. BUS. & PROF. CODE § 17200, ET SEQ. JURY TRIAL DEMANDED LASS CTION OMPLAINT 716671.2 Plaintiff ALEJANDRO GUTIERREZ(“Plaintiff”), by and through undersigned counsel, on behalf of himself and all others similarly situated, alleges the following claims and causes of action against Defendant FRIENDFINDER NETWORKS, INC. (“Defendant”), based upon personal knowledge as to Plaintiff’s own acts, and on information and belief as to all other matters based upon, inter alia, the investigation conducted by and through Plaintiff’s counsel as follows: SUMMARY OF THE CASE Defendant operates an adult online dating site under the AdultFriendFindertrademark with the Internet address, www.adultfriendfinder.com (“AFF”). The AFF website, in operation since 1996, is designed to facilitate discreet adult relationships between individuals and groups who seek to find similar minded adults forsexual encounters and is described on the company website as the “World’s Largest Sex & Swinger Community ” While promising to keep its users’ confidential personal information secure, Defendant failed to safeguard this information. As a result, in or about October 2016, a hacker or a group of hackers breached Defendant’s system and downloaded two decades worth of information from approximately 339 million accounts, making the AFF security breach the second largest in the 21 Century, trailing only beh nd the massive Yahoo! breach. Of the 339 million accounts affected, approximately 71.9% belonged to users in the United States and 15 million belonged to users who had “deleted” their accountsAn additional 70 million users whose information was stolen were customers ofother x rated websites, which Defendant sold to Penthouse Global Media prior to the breach. It is believed that the stolen information included: e mail addresses, passwords, whether or not a user was a VIP member, browser information, thelast IP address used to log in, and user purchases, as well as other sensitive personal information, such as users’ photographs (“Personal Identifiable Information” or “PII”). AFF did not admit to the breach when it was contacted by a media source, but proximately a week later began to notify its customers of the breach by surfacing a message when a user logged into his/her account. But, this type of notice did not reach millions of users affected as of the 700 million users AFF boasts, according to an analysis of the last login dates, over 200 million have not logged in since 2010, and 15 million of the compromised accounts were “deleted” accounts LASS CTION OMPLAINT 716671.2 The October 2016 breach was not the first breach of Defendant’s system Defendant’s system was also hacked in 2015,exposing close to 4 million accounts, which contained sensitive personal information, such as sexual preference and whether the user was looking for extramarital affairs Given the “warning” Defendant received in 2015, it is baffling that Defendant did not take appropriate measures to secure its systemand just a year later allowed another massive breach to occur. Plaintiff brings this class action on behalf of himself and all similarly situated individuals in the United States who created an account(s) on www.AdultFriendFinder.com and whose personal identifying information was accessed, compromised, or stolen and/or released as a result of the AFF data breach in October 2016 (“National Class”). Plaintiff also brings this class action on behalf of a classcomprised of himself and all similarly situated individuals in California who created an account(s) on www.AdultFriendFinder.com and whose personal identifying information was accessed, compromised, or stolen and/or released as a result of the AFF data breach in October 2016 (“California lass”).The members of the National Class and California Class are collectively referred to herein as the “Class” or “Class Members”), except where otherwise noted in order to differentiate them Plaintiff aClass Members suffered injury. The security breach compromised their Personal Identifiable Information, which was used or is at risk of being used in fraudulent transactions around the world, as well as other invidious exposure. JURISDICTION This Court has jurisdiction over the claims of negligence and breach of implied contract. This Court has jurisdiction overPlaintiff’s claim based on invasion of privacy. This Court has jurisdiction over Plaintiff’s claim based on the violation of California’s Customers Records Act, Civil Code § 1798.80 et seq. This Court has jurisdiction over Plaintiff’s claim based on the violation of California’s Online Privacy Protection Act, Bus. & Prof. Code § 22575 et seq. LASS CTION OMPLAINT 716671.2 This Court has jurisdiction over Plaintiff’s claim arising from Defendant’s nlawful /unfair/fraudulentbusiness practices, under Cal. Bus. & Prof. Code § 17200 et seq. VENUE Venue is proper in Santa Clara County pursuant to California Code of Civil Procedure 395(a) Defendant is located in Santa Clara County, California , many of the acts giving rise to the violations complaint of occurred in Santa Clara County or arose out of decisions made in Santa Clara County PARTIES Plaintiff is a male who resides in Woodland Hills, CaliforniaPlaintiff created an account with www.adultfriendfinder.com in approximately As part of the process of creating his account, Plaintiff created a username and password and provided confidential personal information in reliance on Defendant’s promise to safeguard his information. Plaintiff also uploaded photographs of himselfPlaintiff subsequently purchased points for the purpose of communicating with other AFF users In order to make purchases, Plaintiff was required to provide his full name, street address, and his credit card and/or debit card number and CVV code. Plaintiff’s information was compromised as a result of Defendant’s security failures, which were released and reposted on other websites by unauthorized usersAs a result of such compromise, Plaintiff suffered losses and damages in an amount yet to be completely determinable as such losses and damages are ongoing.Had Plaintiff known that Defendant would not take industry standard measures to safeguard his information, he would not have sign up for an AFF account and would not havemade purchases and entered his credit card information on the AFF website. Defendant FriendFinder Networks, Inc. is a privatel held corporation headquarteredin Campbell, California, and is regularly engaged in the business of operating online dating websites, including www.adultfriendfinder.comDefendant also has offices in Florida. LASS CTION OMPLAINT 716671.2 FACTS COMMON TO ALL COUNTS Defendant Collected Users’ Personal Information and Assured Users That It Would Safeguard It Defendant is a merchant that owns, operates and controls several dating and entertainment sides, including a website branded as “Adult FriendFinder” found at adultfriendfinder.com, penthouse.com and cams.comAdultFriendFinder.com is a dating website marketed to persons 18 or older who desire to meet similar ed adults for casual sexual relationships with individuals or groups. Defendant markets AdultFriendFinder.com to consumers in the United States aswell as outside the United StatesThe website has more than 85 million current users in 37 countries. It is rated the fortieth most popular adult website in the United StatesDefendant markets the website through television, radio, billboard, and Internet advertisements. AFF boasts membership of over 700 million and has proven extraordinarily lucrative, yielding Defendant revenues more than $300 million annually. When users establish an account with AFF, users must provide Defendant with PII, including in some cases, debit and credit card information. For example, users are required to purchase points or subscriptions in order to initiate conversations with other members, which requires users to enter their credit or debit card information AFF also encourage users to provide their PII by stating that failure to provide such information may result in users not being able to access some or all of AFF services. LASS CTION OMPLAINT 716671.2 Users enter on AFF’s website sensitive personal information, such as first and last name, date of birth,billing address, photographs, sexual preferences, and more. Defendant’s Privacy Policy posted on the AFF website expl ins the type of personal information it collects from account holders: Defendant’s Privacy Policy further describes the numerous instances during which Defendant collects its users PII, which includes “When you register for an account or interact with our Services” “When you provide orshare Personal Information within our Services” “When you communicate with us or sign up for promotional materials” “When you engage with our online communities or advertising” “When we collect Personal Information from third parties or publicly availablesources” “When we leverage and/or collect cookies or device IDs” “When we link you to other members without our Sites or Services”, and in other instances. Defendant encourages users to in fact provide their PIIby restricting use of its website if information is not provided: FRIENDFINDER NETWORKS INC.’S PRIVACY POLICY, at https://adultfriendfinder.com/go/page/privacy.html?who=r,FBg6ARA81X5JG92Q7xkp9jwHPP1JtwZ 8fhfmvuOmxD1_grY2m9thVBVe1qTY/6i6OoUnj8iZ4fwr4jW_8xvk8H8LV9MjUNMhmpgi34fyU5o JF4aRzAl6p4nu3ZCOWrE1 (last visited May 29, Id. LASS CTION OMPLAINT 716671.2 Defendant also informs its users that it shares personal information provided to by them only under limited circumstances: Defendant represent and warrant to Plaintiff and Class Members that their PII was secure and would remain private In particular, Defendant represented: “FFN Websites use reasonable security measures to help protect and prevent the loss, misuse, and alteration of the information under our controlWe use industry standard efforts , such as firewalls, to safeguard your Personal Information Defendant sures its users that the privacy of its members was very important: Id. Id. LASS CTION OMPLAINT 716671.2 Breach of Defendant’s System, Defendant’s Outdated Security Measures, And Defendant’s Inadequate and Unreasonably Delayed Notiof the Breach Despite the fact that Defendant’s system suffered a breach in 2015, Defendant failed to take commercially reasonable/ industry standard measures to safeguard the PII of its users. Both breache occurred by the same method of attac, highlighting that AFF failed to learn from its mistakes and take adequate measures to protect its users’ PII Upon information and belief, Defendant did not encrypt data and passwords are (or were at the time of the breach) stored in plain visible format, or with the poor Secure Hash Algorithm 1 (“SHA 1”) that is not regarded as secure and has not been regarded as secure well before the October 2016 breach. Experts begandiscovering weaknesses in SHA 1 since before 2007and it has been more than five years (or in approximately 2012 or 2013) since the National Institute of Standards and Technology removed all support for the protocol in favor of new cryptographic hash functions like next gen family members SHA 256 and SHA In or about October 2016, a hacker or a group of hackers breached Defendant’s system and downloaded two decades worth of personal information of 339 million AFF users. Of the 339 million accounts affected, 15 million belonged to members who had actively deleted their accountsYet, Defendant failed to separate this information from active users or otherwise delete this data from database(s) It is estimated that approximately 71.9% of the affected accounts belonged to user in the United States. Upon information and belief, users’ data was published on the black market afterit was downloaded. Plaintiff’s account and personal information is among the information thatwas compromised in the breach. This massive data breach could have been prevented had Defendant taken the necessary and reasonable precautions to protect its users’ information by using recognized industry standards to safeguard the information, not outdated encryption methods rejected by the industry years prior. LASS CTION OMPLAINT 716671.2 Defendant’s Notice to Its User of the Breach Was Delayed and Inadequate After learning of the breach, Defendant failed to notify Plaintiff and Class Members in a timely manner and failed to take reasonable steps to inform Plaintiff and Class Members of the extent of the breach. The data breach was first reported by the media in October 2016Defendant , however, did not notify its members until in or about late November 2016. In or about early November 2016, Defendant was directly confronted by a reporter with information about the breach, but Defendant did not admit the breach at that timePenthouse Global Media had members whose information was stored in Defendant’s system and was also affectedby the breach. Its CEO Kelly Holland confirmedin early November 2016 that her company was aware of the breach and was waiting for Defendant to provide a detailed scope of the breach. Finallyin or about late November 2016 Defendant began notifying its users/account holders of the breach. However, Defendant’s notice did not reach everyone because Defendant notified its account holders only through a message window that appeared when users signed in to their accounts, and as reported by some users, through messages in their account inboxesApproximately 200 million LASS CTION OMPLAINT 716671.2 inactive users who did not access Defendant’s website did not receive the notification provided on Defendant’s site: Plaintiff and Class Members’ PII Information Is Valuable on the Black Market The types of information compromised in the AFF data breach are very valuable to identity thieves In addition to credit and debit card information, names, email addresses, recovery email accounts, dates of birth, and passwords can all be used to gain access to a variety of existing unts and websites. Identity thieves can also use the PII to harm Plaintiff and Class Members through embarrassment, blackmail or harassment in person or online, or to commit other types of fraud including obtaining ID cards or driver’s licenses, fraudulently obtaining tax returns and refunds, and obtaining government benefits. A Presidential Report on identity theft from 2008 states that: In addition to the losses that result when identity thieves fraudulently open accounts or misuse existing accounts, . . . individual victims often suffer indirect financial costs, including the costs incurred in both civil litigation initiated by creditors and in overcoming the many obstacles they face in obtaining or retaining credit Victims of non financial identity theft, for example, health related or criminal record fraud, face other types of harm and frustration. In addition to out pocket expenses that can reach thousands of dollars for the victims of new account identity theft, and the emotional toll identity theft can take, some victims have to spend what can be a considerable amount of time to repair the damage caused by the identity thieves Victims of new account identity theft, for example, must correct fraudulent information in their credit reports and monitor their reports for future inaccuracies, close existing bank accounts and open new ones, and dispute charges with individual creditors. To put it into context, the 2013 Norton Report, based on one of the largest consumer cybercrime studies ever conducted, estimated that the global price tag of cybercrime was around $113 billion at that time, with the average cost per victim being$298 dollars. Image taken from https://www.cybersecurity insiders.com/adultfriendfinder network finally comes clean members about hack/ (last visited June 1, 2018) The President’s Identity Theft Task Force, Combating Identity Theft: A Strategic Plan, Federal Trade Commission, 11 (April 2007), http://www.ftc.gov/sites/default/files/documents/reports/ combating identity theft strategic plan/strategicplan.pdf. LASS CTION OMPLAINT 716671.2 The problems associated with identity theft are exacerbated by the fact that many identity thieves will wait years before attempting to use the PII they have obtained Indeed, a Government Accountability Office study found that “stolen data may be held for up to a year or more before being used to commit identity theft.” In order to protect themselves, Class Members will need to remain vigilant against unauthorized data usefor years and decades to come. Once stolen, PII can be used in a number of different waysOne of the most common is that it is offered for sale on the “dark web,” a heavily encrypted part of the Internet that makes it difficult for authorities to detect the location or owners of a websiteThe dark web is not indexed by normal search engines such as Google and is only accessible using a Tor browser (or similar tool), which aims to conceal users’ identities and online activityThe dark web is notorious for hosting marketplaces selling illegal items, such as weapons, drugs, and PIIWebsites appear and disappear quickly, makingit a very dynamic environment. As stated above, data downloaded from AFF’s website by hackers, which includes Plaintiff’s and Class Members’ PII, has in fact been offered for sale on the dark web. Once someone buys PII, it is then used to gain access to different areas of the victim’s digital life, including bank accounts, social media, and credit card detailsDuring that process, other sensitive data may be harvested from the victim’s accounts, as well as from those belonging to family, friends, and colleagues. In addition to PII, a hacked email account can be very valuable to cyber criminals Since most online accounts require an email address not only as a username, but also as a way to verify accounts and reset passwords, a hacked email account could open up a number of other accounts to an attacker. The Extent ofInjury Resulting From the Breach is Not Yet Known; Plaintiff and Class Members Are Exposed to Increased Risk of Identity Theft, Blackmail, and Other Harm For Years As a resultof the breach , Plaintiff and Class Members face increased risk of identity fraud, blackmail, and other potential harm for years to come. Repo rt to Congressional Requesters, U.S. Government Accountability Office, 33 (June 2007), available at www.gao.gov/new.items/d07737.pdf. LASS CTION OMPLAINT 716671.2 Plaintiff’s and Class Members’ PII will be indefinitely available to those who are willing to pay for it. Had Plaintiff and the Class Members known of the true facts about AFF they would not have registered and made purchases from AFF or would not have shared as much personal information on the AFF website. CLASS ACTION ALLEGATIONS Plaintiff brings this action on his own behalf and, pursuant to California Civil Procedure Code § 382, on behalf of a National Class and California lass, as defined above in paragraph Plaintiff’s claims are typical of the claims of the National Classand of the California ClassPlaintiff and all members of the National Class and Plaintiff and all members of the California Class were injured through the uniform misconduct described above and assert the same claims for relief. The embers of the National Class and the members of the California Class are so numerous that joinder of all embers isimpr acticableOn information and belief, hundreds of thousands, or more creditand/or debit cards may have been compromised, and the embers of the Classare geographically dispersedDisposition of the claims of the proposed National Class and California Class in a class action willprovide substantial benefits to both the parties and the Court. Plaintiff will fairly and adequately represent the interests of the Clas Plaintiff has no conflict of interest with any member of the Class Plaintiff has retained competent and experienced counsel in complex class action litigationPlaintiff’s counsel ha the expertise and financial resources to adequately represent the interests of the Clas Common questions of law and fact exist as to all members of the tional Class andthe California Class andpredominate over any questions solely affecting individual members of the National Classand the California Class Among the questions of law and fact common to the Plaintiff and the National Class and the California Classare the following: LASS CTION OMPLAINT 716671.2 For the California Class Whether Defendant represented to the Class that it would safeguard Class Members’ PII; Whether Defendant owed a legal duty to Plaintiff and the Class to exercise due care in collecting, storing, and safeguarding their PII; Whether Defendant breached a legal duty to Plaintiff and the Class to exercise due care in collecting, storing, and safeguarding their PII; iv. Whether Defendant failed to use reasonable care and commercially reasonable methods to secure and safeguard its users’ private personal information; Whether Plaintiff’s and Class Members’ PII was accessed, compromised, or stolen in the 2016 breach; vi. Whether Defendant failed to timely notify Plaintiff and California Class Members of the breach; vii. Whether Defendant took reasonable measures to determine the extent of the breach after it first learned of the same; viii. Whether Defendant’s method of informing users/consumers of the breach and the description of the breach was reasonable; ix. Whether Defendant breached an implied contract with the California Class Members; Whether Defendant violated Plaintiff’s and California Class Members’ privacy rights; xi. Whether Defendant violated the requirements of California Civil Code § et seq. xii. Whether Plaintiff and Class Members are entitled to recover actual damages, statutory damages, and/or punitive damages; For the National Class Whether Defendant failed to use reasonable care and commercially reasonable methods to secure and safeguard its users’ private personal information; Whether Defendant violated the Stored Communications Act, 18 U.S.C. § 2702; Whether Defendant’s conduct was deceptive, unfair, and/or unlawful under Cal. Bus. iv. & Prof. Code § 17200 et seq. LASS CTION OMPLAINT 716671.2 Whether Plaintiff and Class Members are entitled torestitution, disgorgement, and/orother equitable relief. Class action treatment is superior to other available means for the fair and efficient adjudication of this controversy Individual joinder of all Class Members is not practicable, and questions of law and fact common to the Class predominate over any questions affecting only individual members of the ClassEach Class Member has been damaged or may be damaged in the future because of Defendant’s unlawful, deceptive and/or negligent practices described above. Certification of this case as a class action will allow those similarly situated persons to litigate their claims in the manner that is most efficient and economical for the parties and the judicial system and would prevent repetitious litigation relating to Defendant’s wrongful actions and/or inactionsThe expense and burden of litigation would substantially impair the ability of Plaintiff and Class Members to pursue individual lawsuits to vindicate their rights. Absent a class action, Defendant will retain the benefits of its wrongdoing despite its serious violation of the law. FIRST CAUSE OF ACTION NEGLIGENCE (On behalf of Plaintiff and the CaliforniaClass) Plaintiff realleges and incorporates by reference the allegations contained in the preceding paragraphs. Defendant had a duty to timely disclose to Plaintiff and the Class that a data breach had occurred, and their Personal Information had been compromised, or was reasonably believed to be compromised. Defendant, by and through its above negligent acts and/or omissions, breached its duty to Plaintiff and Class Members by failing to exercise reasonable care in protecting and safeguarding their Personal Information, which was in Defendant’s possession, custody, and control. Defendant also breached its duty of care by failing to timely disclose to Plaintiff and Class Members that a breach of security had occurred, and their Personal Information had been compromised, or was reasonably believed to have been compromised. But for Defendant’s negligent and wrongful breach of its duties owed to Plaintiff and Class Members, their Personal Information would not have been compromised. LASS CTION OMPLAINT 716671.2 Plaintiff’s and Class Members’ Personal Information was compromised and/or stolen as a direct and proximately result of Defendant’s breach of its duties as set forth herein. As a direct and proximate result of Defendant’s acts and omissions, Plaintiff and Class Members have suffered injuries and damages as alleged herein. Defendant’s conduct was undertaken in bad faith, with malice, and/or was willful and wanton and in reckless and conscious disregard of the rights of the Plaintiff and the Class Members, which entitles the Plaintiff and Class Members to be awarded punitive damages or exemplary damages in amount s ufficient to punish and deter Defendant and also to deter other entities and persons from similar conduct in the future. Plaintiff on behalf of himself and the Class seeks compensatory damages and punitive damages with interest, attorneys’ fees and costs, and any other and further relief as this Court deems just and proper. SECONDCAUSE OF ACTION BREACH OF IMPLIED CONTRACT (On behalf of Plaintiff and the CaliforniaClass) Plaintiff realleges and incorporates by reference the allegations contained in the preceding paragraphs. laintiff and Class Members were required to provide Defendant with their Personal Information in order to register with Defendant’s website and utilize its functions. Implicit in this requirement was a covenant requiring Defendant to take reasonable efforts to safeguard this information and promptly notify Plaintiff and Class Members in the event their Personal Information was compromised. Similarly, it was implicit that Defendant would not disclose Plaintiff’s and Class Members’ Personal Information. Notwithstanding its obligations, Defendant knowingly failed to safeguard and protect Plaintiff’s and Class Members’ Personal Information. To the contrary, Defendant allow ed this information to be disseminated to unauthorized third parties. LASS CTION OMPLAINT 716671.2 Defendant’s above wrongful actions and/or inactions breached their implied contracts with Plaintiff and Class Members, which in turn directly and/or proximately caused Plaintiff and Clas Members to suffer substantial injuries, as described above. Plaintiff on behalf of himself and the Class seeks actual and compensatory damages, injunctive relief, costs, expenses and attorneys’ fees, and any other and further relief as this Court deems just and proper. IRDCAUSE OF ACTION INVASION OF PRIVACY PUBLIC DISCLOSURE OF PRIVATE FACTS, AND CALIFORNIA CONSTITUTION RIGHT TO PRIVACY (On behalf of Plaintiff and the California lass) Plaintiff realleges and incorporates by reference the allegations contained in the preceding paragraphs. Plaintiff and California Subclass Members had reasonable expectations of privacy in the private information Defendant mishandled. By failing to keep Plaintiff’s and Subclass Members’ private information safe, and b misusing and/or disclosing said information to unauthorized parties for unauthorized use, Defendant invaded Plaintiff’s and Subclass Members’ privacy by: Violating Plaintiff’s and Subclass Members’ right to privacy under California Constitution, Article 1, Section 1, by failing to protect Plaintiff’s and Subclass Members’ privacy and property that was disclosed to an unauthorized third party. Permitting intrusion into Plaintiff’s and Subclass Members’ private affairs in a manner that would be highly offensive to a reasonable person. Defendant had previous knowledge of its inadequate data security and thereby acted with reckless disregard, by failing to protect the personal information of the Plaintiff and Subclass Members. Defendant permitted invasion intoPlaintiff’s and Class Members’ right to privacy and intruded into Plaintiff’s and Class Members’ private affairs by allowing misuse and/or disclosure of Plaintiff’s and Class Members’ private information without their informed, voluntary, affirmative and clear consent. LASS CTION OMPLAINT 716671.2 As a proximate result of such misuse and disclosures, Plaintiff’s and Class Members’ reasonable expectations of privacy regarding their personal information was unduly frustrated and thwarted and they suffered a serious invasion of their protected privacy interests. Having previous knowledge of data security inadequacies, Defendant’s ongoing failure to protect Plaintiff’s and Class Members’ private information, and in allowing misuse and/or disclosure of that information, Defendant has actedin conscious disregard of Plaintiff’s and Class Members’ rights to have such information kept confidential and private. Plaintiff on behalf of himself and the California Subclass, therefore, seeks an award of punitive damages and any such other and further relief as this Court may deem just and appropriate. OURTH CAUSE OF ACTION VIOLATION OF CALIFORNIA’S CUSTOMER RECORDS ACT Cal. Civ. Code §§ 1798.80, et seq. (On behalf of Plaintiff andthe California lass) Plaintiff realleges and incorporates by reference the allegations contained in the preceding paragraphs. “[T]o ensure that personal information about California residents is protected,” the California Legislature enacted California Customer Records ActThis statute states that any business that “owns or licenses personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” CCRACC § Defendant is a “business” within the meaning of CCRACC § 1798.80(a). Plaintiff and California Class Membersare “customer[s]” within the meaning of the CCRACC § 1798.80(c) “who provide[d] personal information to [Defendant] for the purpose of purchasing or leasing a product or obtaining a service from the business.” The information retained by Defendant constitutes “personal information” as defined in CCRACC § 1798.81.5(d)(1). LASS CTION OMPLAINT 716671.2 Pursuant to CCRACC § 1798.82(g), the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information of over 339 million adultfriendfinder.com ustomers constitutes a “breach of [its] security system.” By keeping users’ personal data within its custody and control longer than necessary, and by failing to properly and adequately dispose or make users’ data undecipherable, Defendant violated CCRACC § 1798.81. By failing to implement reasonable security procedures and practices appropriate to the nature of Plaintiff’s and California Class Members’ personal information, Defendant violated CCRACC § 1798.81.5(b). Additionally, by failing to promptly notify all affected AFF website users that their personal information had been acquired (or was reasonably believed to have been acquired) by unauthorized persons in the data breach, Defendant violated § 1798.82 of the same title. As a direct and proximate result of Defendant’s failure to implement and maintain reasonable security procedures and practices to protect Plaintiff’s and California ClassMembers’ personal and financial information, Plaintiff and California Class Members suffered damages, including, but not limited to, loss of and invasion of privacy, loss of property, loss of money, loss of control of their personal and financial nonpublic information, fear and apprehension of fraud and loss of control over their personal and financial information, the burden of taking actions to protect themselves from fraud or potential fraud. Plaintiff on behalf of himself and the California Classseeks all remedies available under CCRACC § 1798.84, including, but not limited to: (a) damages suffered by California Class Members, and (b) equitable relief. Plaintiff on behalf of himself and the California Class also seeks reasonable attorneys’ fees and costs under applicable law, and any such other and further relief as this Court may deem just and appropriate. LASS CTION OMPLAINT 716671.2 FIFTH CAUSE OF ACTION VIOLATION OF CALIFORNIA’S ONLINE PRIVACY A Cal. Bus. & Prof. Code § 22575, et seq. (On behalf of Plaintiff and the California lass) Plaintiff realleges and incorporates by reference the allegations contained in the preceding paragraphs. AFF is a commercial website or online service that collects personally identifiable information through the Internet about individual consumers residing in California, and elsewhere, who use or visit its commercial Web site or online services, within the meaning of California Business and Professions Code § 22575(a). Defendant failed to adhere to their posted privacy policy concerning the care they would take to safeguard Plaintiff’s and California Subclass Members’ PII, and negligently and materially failed to adhere to their posted privacy policy with respect to the extent of their disclosure of users’ data, in violation of California Business and Professions Code § 22576. As a result of Defendant’s failures to adhere to their privacy policies and its violations of California Business and Professions Code § 22575, et seq., Plaintiff and the Subclass have suffered injuries described in detail herein. Plaintiff, on his own behalf and on behalf of the putative classes, seeks all remedies available under California Business and Professions Code § 22575, et seq. TH CAUSE OF ACTION VIOLATION OF CALIFORNIA’S UNFAIR COMPETITION LAW (“UCL”) Cal. Bus. & Prof. Code § 17200, et seq. (On behalf of Plaintiff and the National Class) Plaintiff realleges and incorporates by reference the allegations contained in the preceding paragraphs. Defendant’s conduct constitutes unfair and illegal and fraudulent business practices within the meaning of the California Business & Professions Code § 17200, et seq. efendant’s conduct violated certain laws as alleged above. LASS CTION OMPLAINT 716671.2 Additionally, Defendant’s conduct violated the Stored Communications Act, 18 U.S.C. (“SCA”) Defendant provi des, throughits servers (which are under Defendant’s control), an “electronic communication service to the public” within the meaning of the SCA because Defendant’s services allow members of AFF to submit their Personal Information to the AFF website and allows members to communicate electronically with other members through Defendant’s servers. Furthermore, Defendant provides an “electronic communication service to the public” within the meaning of the SCA because Defendant provides consumers at large with credit and debit card payment processing capability that enables them to send or receive wire or electronic communications concerning their private financial information to transaction managers, card companies, or banks. By failing to take commercially reasonable steps to safeguard sensitive Personal Information, even after Defendant was aware that users’/customers’ Personal Information had been compromised, Defendant knowingly divulged customers’ private communications and Personal Information, in violation of the SCA. Furthermore, Defendant knowingly retained information which it should have deleted, and which certain users who had deleted their accounts reasonably expected to be deleted and purged from Defendant’s system, despite the reliance of the Class that such information had been deleted, and the despite the risk that such information would ultimately be divulged in a data breach or otherwise. Defendant thereby knowingly divulged customers’ PII, in violation of the SCA. Through its servers, Defendant provide remote computing services to the public within the meaning of the SCA. By failing to take commercially reasonable steps to safeguard sensitive private financial information, Defendant ha knowingly divulged customers’ Personal Information that was carried and maintained on Defendant’s remote computing service in violation of the SCA. By engaging in the conduct described in paragraphs through , above, in the course of doing business, Defendant engaged in unlawful business practices in violation of the California Business & Professions Code § 17200, et seq. By failing to adequately secure Plaintiff and Class Members’ Personal Information and private financial information, and failing to promptly notify Class Members of the breach, LASS CTION OMPLAINT 716671.2 Defendant engaged in unfair business practices in violation of the California Business & Professions Code § 17200, et seqThe gravity of the harm to Plaintiff and Class Members outweighed any utility that Defendant’s conduct may have produced. Defendant’s failure to disclose information concerning the Data Breach directly and promptly to affected customers, constitutes a fraudulent act or practice in violation of California Business & Professions Code section 17200, et seq. Plaintiff suffered injury in fact and lo