
Habashy v Amazon Complaint

Date post: 06-Apr-2018
Upload: eric-goldman

  • 8/3/2019 Habashy v Amazon Complaint


    UNITED STATES DISTRICT COURT
    DISTRICT OF MASSACHUSETTS

    DAHLIA HABASHY, on behalf of herself and all others similarly situated,

    Plaintiff,

    -against-

    AMAZON.COM, INC. d/b/a ZAPPOS.COM

    Defendant.

    Civil Action No. _
    Class Action Complaint
    Jury Trial Demanded

    Plaintiff Dahlia Habashy, by her attorneys, Meiselman, Denlea, Packman, Carton & Eberz P.C., as and for her class action complaint, alleges, with personal knowledge as to her own actions, and upon information and belief as to those of others, as follows:

    NATURE OF THE CASE

    1. This action seeks to redress Defendant Amazon.com, Inc.'s ("Amazon") failure to safeguard the confidential personal identifying information of 24 million consumers ("Class Members"). As a result of Defendant's failures, Class Members have been victimized by a sophisticated band of cybercriminals who have exploited Defendant's lax security and obtained Class Members' personal identifying information.

    2. Specifically, on or about the evening of Sunday, January 15, 2012, cyber-criminals (or a criminal) accessed insufficiently protected servers belonging to Zappos.com ("Zappos" or "the Company"), a division of Amazon. As a result of Zappos' negligent failure to properly secure its servers, the criminals obtained extensive personal information belonging to 24 million Zappos customers, including, inter alia,

    Case 1:12-cv-10145-RGS Document 1 Filed 01/24/12 Page 1 of 16

    names, account numbers, passwords, e-mail addresses, billing and shipping addresses, phone numbers and the last four digits of credit cards used to make purchases ("personal identifying information").

    3. As a result of Defendant's actions, Ms. Habashy and Class Members were harmed. The very next day after the breach, criminals transferred money from the bank account of certain customers, using the very credit cards that they used at Zappos. For example, the Las Vegas Journal Review reported that a victim of the disclosure was victimized by identity theft the very next day after the disclosure occurred. See http://www.lvrj.com/business/Zappos-alerts-account-holders-of-hacker-security-breach137453118.html.

    4. As a result of Defendant's actions, Ms. Habashy was forced to take the remedial step of purchasing credit monitoring. Indeed, all of the Class Members are currently at a very high risk of direct theft or of identity theft.

    5. Defendant's wrongful actions and/or inaction constitute common law negligence, invasion of privacy by the public disclosure of private facts, breach of implied contract, breach of implied warranty, and also constitute violations of state privacy laws.

    6. Plaintiff, on behalf of herself and the Class Members, seeks (i) actual damages, economic damages, emotional distress damages, statutory damages and/or nominal damages, (ii) exemplary damages, (iii) injunctive relief, and (iv) attorneys' fees, litigation expenses and costs.


    JURISDICTION AND VENUE

    7. Jurisdiction in this civil action is authorized pursuant to 28 U.S.C. 1332(d), as minimal diversity exists, there are more than 100 class members, and the amount in controversy is in excess of $5 million.

    8. Venue is authorized pursuant to 28 U.S.C. 1391 (d)(1) because Amazon does substantial business in Massachusetts. Venue is also authorized pursuant to 28 U.S.C. 1391 (d)(2) because a substantial part of the events or omissions giving rise to the claim occurred in the District of Massachusetts. Specifically, Ms. Habashy provided her personal identifying information to Defendant while in Massachusetts; and Ms. Habashy took the reasonable remedial step of purchasing credit monitoring services while in Massachusetts.

    PARTIES

    9. Plaintiff Dahlia Habashy is a resident of Boston, Massachusetts. On January 16, 2012, Plaintiff received an e-mail from Zappos notifying Ms. Habashy that her personal identifying information had been stolen and/or compromised.

    10. Defendant Amazon is a Delaware corporation with its principal place of business in Seattle, Washington. Amazon is an online retailer that conducts business throughout the United States, including Massachusetts. Zappos, an online shoe and apparel retailer, is a division of Amazon.

    FACTS

    11. Identity theft, which costs Americans approximately $54 billion per year, occurs when a person's personal identifying information is used without his or her permission to commit fraud or other crimes. Victims of identity theft typically lose more than 100 hours dealing with the crime, and they typically lose over $500 in money which they are unable to recover.

    12. According to the Federal Trade Commission:

    Identity theft is serious. While some identity theft victims can resolve their problems quickly, others spend hundreds of dollars and many days repairing damage to their good name and credit record. Some consumers victimized by identity theft may lose out on job opportunities, or be denied loans for education, housing or cars because of negative information on their credit reports. In rare cases, they may even be arrested for crimes they did not commit.

    13. To allay consumers' reasonable apprehensions regarding the risk of identity theft attendant to online transactions, Zappos' website promises and boasts that "Zappos.com servers are protected by secure firewalls-communication management computers specially designed to keep information secure and inaccessible by other Internet users. So you're absolutely safe while you shop." (emphasis added). Unfortunately, this promise is untrue.

    14. On January 16, 2012, Ms. Habashy and over 24 million Class Members received an e-mail from Zappos notifying them that their personal identifying information had been disclosed. Zappos was so unprepared for the disclosure that, instead of promptly and responsibly offering assistance to the victims of its negligence, the Company instead shut down its customer service phone lines for nearly a week.

    15. Zappos' email admitted that "[w]e were recently the victim of a cyberattack by a criminal who gained access to parts of our internal network and systems through one of our servers."

    16. The criminal was able to access the servers because Zappos failed to take basic security precautions. Disturbingly, Zappos did not properly encrypt its customers' data. Had it done so, the disclosure would not have occurred.

    17. Zappos also failed to properly encrypt its customers' passwords. In a letter to Class Members, Zappos stated that the information was "cryptographically scrambled." However, Tim Rohrbaugh, an internet security expert, recently explained that "cryptographically scrambled" is a "virtually meaningless term," and that the hackers would be able to obtain and use the Class Members' confidential personal identifying information with relative ease.

    18. According to Tony Hsieh, Zappos' CEO, the criminals obtained Class Members' personal identifying information, including, inter alia, their names, account numbers, passwords, e-mail addresses, billing and shipping addresses, phone numbers, and the last four digits of their credit cards used to make purchases.

    19. As a result of Defendant's failure to properly secure its servers and safeguard Plaintiff's and Class Members' personal identifying information, Ms. Habashy and Class Members' privacy has been invaded.

    20. Moreover, all of this personal identifying information can easily be used to steal directly from class members, as has already happened to multiple victims, or to engage in identity theft.

    21. Indeed, in the wake of Zappos' negligent failure, data expert Professor Stephen Wicker of Cornell explained that "large databases of consumer information can be used for identity theft. . . . As Zappos acknowledged, users who use the same or similar passwords are at risk of theft through access to other sites such as Amazon or Ebay."

    22. Given all of the information obtained, the criminals would also be able to set up numerous fake accounts and websites, as part of their identity theft operation.

    23. The theft of passwords is especially pernicious because most people use similar usernames and passwords for all of their online accounts. Accordingly, the cybercriminals will be able to go from website to website, accessing victims' private accounts and using those accounts to commit theft and/or fraud.

    24. As a direct and/or proximate result of Zappos' wrongful disclosure, criminals now have Ms. Habashy and Class Members' personal identifying information, as well as the knowledge that Plaintiff and Class Members are accustomed to receiving emails from Zappos. However, the disclosure makes Plaintiff and Class Members much more likely to respond to requests from Zappos or law enforcement agencies for more personal information, such as bank account numbers, login information or even Social Security numbers. Because criminals know this and are capable of posing as Zappos or law enforcement agencies, consumers like Plaintiff and her fellow Class Members are more likely to unknowingly give away their sensitive personal information to other criminals.

    25. Defendant's wrongful actions and/or inaction here directly and/or proximately caused the public disclosure of Plaintiff's and Class Members' personal identifying information without their knowledge, authorization and/or consent. As a further direct and/or proximate result of Defendant's wrongful actions and/or inaction, Plaintiff and Class Members have suffered, and will continue to suffer, damages including, without limitation, loss of the unencumbered use of their current passwords, the loss of their passwords, expenses for credit monitoring and identity theft insurance, out-of-pocket expenses, anxiety, emotional distress, loss of privacy, and other economic and non-economic harm.

    26. Plaintiff and Class Members are now required to monitor their accounts and to respond to identity theft. In order to try to mitigate the damage caused by Defendant, Class Members are also required to take the time to change the passwords on their Zappos accounts (as recommended by Zappos), change the passwords "on any other web site where [Plaintiff and Class Members] use the same or a similar password" (as further recommended by Zappos), and change other elements of their compromised personal identifying information. Even taking all of these precautions, Ms. Habashy and Class Members now face a very high risk of identity theft.

    27. Accordingly, Connecticut Senator Richard Blumenthal has written Zappos, stating that:

    enterprising criminals can leverage information like names, addresses, email addresses, and other breached information to gain access to consumers' accounts and commit identity theft and fraud. Therefore, I request that Zappos provide its customers with the option of receiving two years of credit monitoring and a credit freeze, as well as any costs resulting from the security breach, to be paid for by Zappos.

    28. Nonetheless, Defendant has not offered Plaintiff and Class Members any compensation or direct personal protection from the disclosure -- such as credit monitoring services and/or identity theft insurance. Defendant's failure to make such a remedial offer distinguishes it from many other entities which have moved quickly to remediate similar invasions of their customers' privacy.

    29. Zappos' security failures have harmed millions, and are resulting in nationwide attention. In addition to Senator Blumenthal, nine Attorneys General, including the Attorney General of Massachusetts, have written a letter to Zappos about this breach. This letter correctly states that "[t]his incident raises serious concerns about the risk of identity theft, fraud, targeted email 'phishing' or other scams, as well as the effectiveness of the Company's measures to protect the confidentiality and security of private information that it receives from consumers."

    CLASS ACTION ALLEGATIONS

    30. Pursuant to Rule 23 of the Federal Rules of Civil Procedure, Plaintiff brings this class action as a national class action on behalf of herself and the following Class of similarly situated individuals:

    All persons whose personal identifying information, including, inter alia, name, account number, password, e-mail address, billing and shipping addresses, phone number, and the last four digits of the credit cards used to make purchases, was stolen or otherwise obtained by an unauthorized individual or individuals from Zappos' servers or other Zappos' computer systems or databases.

    31. The Class specifically excludes Defendant and its officers, directors, agents and/or employees, the Court and Court personnel.

    32. The putative Class is comprised of over 24 million persons, making joinder impracticable. Disposition of this matter as a class action will provide substantial benefits and efficiencies to the Parties and the Court.

    33. The rights of each Class Member were violated in an identical manner as a result of Defendant's willful, reckless and/or negligent actions and/or inaction.

    34. Questions of law and fact common to all Class Members exist and predominate over any questions affecting only individual Class Members including, inter alia:

    a) Whether Defendant negligently failed to maintain and/or execute reasonable procedures designed to prevent unauthorized access to Plaintiff's and Class Members' personal identifying information;

    b) Whether Defendant was negligent in storing and failing to adequately safeguard Plaintiff's and Class Members' personal identifying information;

    c) Whether Defendant owed a duty to Plaintiff and Class Members to exercise reasonable care in protecting and securing their personal identifying information;

    d) Whether Defendant breached its duty to exercise reasonable care in failing to protect and secure Plaintiff's and Class Members' personal identifying information;

    e) Whether by publicly disclosing Plaintiff's and Class Members' personal identifying information without authorization, Defendant invaded Plaintiff's and Class Members' privacy;

    f) Whether Defendant created an implied contract with Plaintiff and Class Members to keep their personal identifying information confidential;

    g) Whether Defendant created an implied warranty with Plaintiff and Class Members whereby it warranted that it would keep their personal identifying information confidential; and

    h) Whether Plaintiff and Class Members sustained damages as a result of Defendant's failure to secure and protect their personal identifying information.


    35. Plaintiff and her counsel will fairly and adequately represent the interests of Class Members. Plaintiff has no interests antagonistic to, or in conflict with, Class Members' interests. Plaintiff's lawyers are highly experienced in the prosecution of consumer class action and data breach cases.

    36. Plaintiff's claims are typical of Class Members' claims in that Plaintiff's claims and Class Members' claims all arise from Defendant's wrongful disclosure of their personal identifying information and from Defendant's failure to properly secure and protect the same.

    37. A class action is superior to all other available methods for fairly and efficiently adjudicating Plaintiff's and Class Members' claims. Plaintiff and Class Members have been irreparably harmed as a result of Defendant's wrongful actions and/or inaction. Litigating this case as a class action will reduce the possibility of repetitious litigation relating to Defendant's failure to secure and protect Plaintiff's and Class Members' personal identifying information.

    38. Class certification, therefore, is appropriate pursuant to Fed. R. Civ. P. 23(b)(3) because the above common questions of law or fact predominate over any questions affecting individual Class Members, and a class action is superior to other available methods for the fair and efficient adjudication of this controversy.

    39. Class certification also is appropriate pursuant to Fed. R. Civ. P. 23(b)(2) because Defendant has acted or refused to act on grounds generally applicable to the Class, so that final injunctive relief or corresponding declaratory relief is appropriate as to the Class as a whole.


    40. The expense and burden of litigation would substantially impair the ability of Class Members to pursue individual lawsuits in order to vindicate their rights. Absent a class action, Defendant will retain the benefits of its wrongdoing despite its serious violations of the law.

    CLAIMS FOR RELIEF [1]

    COUNT I
    NEGLIGENCE

    41. Plaintiff repeats and re-alleges the allegations contained in Paragraphs 1-40 above as if fully set forth herein.

    42. Defendant owed a duty to Plaintiff and Class Members to safeguard and protect their personal identifying information.

    43. Defendant breached its duty by failing to exercise reasonable care in its safeguarding and protection of Plaintiff's and Class Members' personal identifying information.

    44. It was reasonably foreseeable that Defendant's failure to exercise reasonable care in safeguarding and protecting Plaintiff's and Class Members' personal identifying information would result in an unauthorized third party gaining access to such information for no lawful purpose, and that such third parties would use Plaintiff's and Class Members' personal identifying information for malevolent and unlawful purposes, including the commission of direct theft and identity theft.

    [1] Pursuant to Mass. Gen. Laws ch. 93A, 9 Ms. Habashy sent Defendant a demand letter on January 24, 2012. In the event that Defendant fails to tender the full amount demanded within the appropriate time frame, Ms. Habashy intends to amend this complaint to bring a statutory claim under Massachusetts' law on behalf of herself and a sub-class of Massachusetts' consumers. See Mass. Gen. Laws ch. 93A 9; Mass. Gen. Laws ch. 93H 1 et seq.


    45. Plaintiff and the Class Members were (and continue to be) damaged as a direct and/or proximate result of Defendant's failure to secure and protect their personal identifying information as a result of, inter alia, direct theft, identity theft, expenses for credit monitoring and identity theft insurance incurred in mitigation, out-of-pocket expenses, anxiety, emotional distress, loss of privacy, and other economic and non-economic harm, for which they suffered loss and are entitled to compensation.

    46. Defendant's wrongful actions and/or inaction (as described above) constituted (and continue to constitute) negligence at common law.

    COUNT II
    INVASION OF PRIVACY BY PUBLIC DISCLOSURE OF PRIVATE FACTS

    47. Plaintiff repeats and re-alleges the allegations contained in Paragraphs 1-40 above as if fully set forth herein.

    48. Plaintiff's and Class Members' personal identifying information is and always has been private information.

    49. Defendant's efforts to obtain Plaintiff's and Class Members' personal identifying information, followed by Defendant's failure to secure and protect the same, directly resulted in the public disclosure of such private information.

    50. Dissemination of Plaintiff's and Class Members' personal identifying information is not of a legitimate public concern; publication of their personal identifying information would be, is and will continue to be, offensive to Plaintiff, Class Members, and other reasonable people.

    51. Plaintiff and the Class Members were (and continue to be) damaged as a direct and/or proximate result of Defendant's invasion of their privacy by publicly disclosing their private facts including, inter alia, direct theft, identity theft, expenses for credit monitoring and identity theft insurance, out-of-pocket expenses, anxiety, emotional distress, loss of privacy, and other economic and non-economic harm, for which they are entitled to compensation. At the very least, Plaintiff and the Class Members are entitled to nominal damages.

    52. Defendant's wrongful actions and/or inaction (as described above) constituted (and continue to constitute) an invasion of Plaintiff's and Class Members' privacy by publicly disclosing their private facts (i.e., their personal identifying information).

    COUNT III
    BREACH OF CONTRACT

    53. Plaintiff repeats and re-alleges the allegations contained in Paragraphs 1-40 above as if fully set forth herein.

    54. Zappos customers purchased shoes and/or other apparel by exchanging money in consideration for those goods via Zappos' website, thereby creating a contract between the parties.

    55. As a uniform condition precedent to the completion of all transactions made by Zappos customers, including those made by Plaintiff and Class Members, Zappos requires consumers to provide Zappos with their personal identifying information, which provides measurable benefits to Zappos in that the provision of this information allows Zappos to market directly to its customers and to obtain knowledge of their shopping habits. Consumers benefit by being able to shop with Zappos more efficiently.

    56. Through its statements regarding its security measures and through its own password requirements, Zappos explicitly and impliedly promised Plaintiff and the Class members that it would take adequate measures to protect their personal identifying information.

    57. Indeed, a material term of this contract is a covenant by Zappos that it will take reasonable efforts to safeguard consumers' personal identifying information. Zappos promises all of its customers that "Zappos.com servers are protected by secure firewalls-communication management computers specially designed to keep information secure and inaccessible by other Internet users. So you're absolutely safe while you shop."

    58. Zappos' customers, including Plaintiff and Class Members, relied upon this covenant and would not have disclosed their personal identifying information without assurances that it would be properly safeguarded. Moreover, the covenant to adequately safeguard Plaintiff's and Class Members' personal identifying information is an implied term in the contract, to the extent it is not an express term.

    59. Plaintiff and Class Members fulfilled their obligations under the contract by providing their personal identifying information and purchasing Zappos' goods.

    60. Notwithstanding its obligations imposed by this implied contract, Zappos failed to safeguard and protect Plaintiff's and Class Members' personal identifying information. Zappos' breaches of its obligations under the contract between the parties directly caused Plaintiff and Class Members to suffer injuries.

    PRAYER FOR RELIEF

    WHEREFORE, Plaintiff respectfully requests that the Court enter judgment against Defendant as follows:

    1. Certifying this action as a class action, with a class as defined above;


    2. Awarding compensatory damages to redress the harm caused to Plaintiff and Class Members in the form of, inter alia, direct theft, identity theft, loss of unencumbered use of existing passwords, loss of passwords, expenses for credit monitoring and identity theft insurance, out-of-pocket expenses, anxiety, emotional distress, loss of privacy, and other economic and non-economic harm. Plaintiff and Class Members also are entitled to recover statutory damages and/or nominal damages. Plaintiff and Class Members' damages were foreseeable by Defendant and exceed the minimum jurisdictional limits of this Court.

    3. Ordering injunctive relief including, without limitation, (i) credit monitoring, (ii) identity theft insurance, and (iii) requiring Defendant to submit to periodic compliance audits by a third party regarding the security of consumers' personal identifying information in its possession, custody and control.

    4. Awarding Plaintiff and the Class interest, costs and attorneys' fees; and

    5. Awarding Plaintiff and the Class such other and further relief as this Court deems just and proper.


    DEMAND FOR TRIAL BY JURY

    Pursuant to Federal Rule of Civil Procedure Rule 38, Plaintiff hereby demands a trial by jury.

    Dated: January 24, 2012

    Respectfully submitted,
    MEISELMAN, DENLEA, PACKMAN, CARTON & EBERZ P.C.

    By: /s/ D. Greg Blankinship
    D. Greg Blankinship (BBO 655430)
    Jeffrey I. Carton (pro hac vice application to be filed)
    Jeremiah Frei-Pearson (pro hac vice application to be filed)
    1311 Mamaroneck Avenue
    White Plains, New York 10605
    Tel: (914) 517-5000
    Fax: (914) [email protected] for Plaintiff
