Ashley Madison Lawsuit

Case 3:15-cv-02750-N Document 1 Filed 08/21/15
Page 1 of 27 PageID 1
IN THE UNITED STATES DISTRICT COURT

NORTHERN DISTRICT OF TEXAS
JOHN DOE (a pseudonym)
)
On behalf of himself and all others similarly )
situated
)
)
)
Plaintiff,
)
)
vs.
)
)
AVID LIFE MEDIA, INC.
)
a corporation,
)
)
Defendant.
)
Case Number:3:15-cv-2750
JURY TRIAL DEMANDED
CLASS ACTION COMPLAINT

NOW COMES the Plaintiff John Doe (a pseudonym), on behalf of himself and all
others similarly situated, and for his class action complaint states as follows:
NATURE OF THE ACTION
1.
Plaintiff bring this class action as a result of a breach of the security system
of Defendant AVID LIFE MEDIA INC. (ALM or Defendant) governing electronic

transactions, resulting in compromised security of Plaintiffs and Class Members personal
financial and oth er information. Upon information and belief such personal information
included, but was
not limited to, the putative Class Members (hereafter Class
Members) names, addresses, credit or debit card number, the cards expiration date,
and/or the cards CVV (a three-digit security code), credit card transactions, users sexual
preferences and fantasies, and email addresses (Personal Information).
2.
On or about July 15 of this year, and at times prior, ALMs databases
were compromised, with the result that Personal Information of Plaintiff and Class Members
Personal Information was used or is at risk of use in fraudulent transactions around the world,
1
as well as other invidious exposure.
Upon information and belief, Defendant maintains or
maintained information, including Personal Information, regarding nearly 37 million

subscribers, and Defendants security failures affected the credit and debit card of millions
of customers, including Plaintiff and Class Members.
One of the primary purposes of
Defendants product and services was confidentiality and anonymity.

3.
Upon information and belief, the security breach and theft of Personal
Information was caused by Defendants violations of its obligations to abide by the best
practices and industry standards concerning the security of its payment processing systems and
the computers associated therewith as set forth, for example, in Payment Card Industry
Security Standards Council Data Security Standards (PCI DSS) and the decisions of the
Federal Trade Commission (FTC) concerning protection of consumer financial information.
Upon information and belief, hackers deliberately targeted Defendants servers and collected
names, usernames, passwords, email addresses, phone numbers, mailing addresses, and credit
card numbers and expiration dates, credit card transactions, and other information.
Upon
information and belief, Defendant was also warned that the Personal Information would be
released:
4.
After learning of the security breach, Defendant failed to notify Plaintiff and
the putative Classes in a timely manner and failed to take other reasonable steps to inform
them of the nature and extent of the breach. As a result, Defendant prevented Plaintiff and the
putative Class Members from protecting themselves from the breach and caused Plaintiff
and Class Members to suffer financial loss and emotional distress.
5.
On or about August 18 of this year, the Personal Information of Plaintiff and
Class Members was actually released to the public and was put on several websites. On or about
August 20 of this year, additional Personal Information of Plaintiff and Class Members was
similarly released. Despite being told that it could prevent the release of Personal Information of
Plaintiff and Class Members, Defendants allowed such Personal Information to be released to the
public and did not notify Plaintiff and Class Members about the threat of the release of Personal
Information or the actual release of Personal Information.
Upon information and belief, in an
internal company file called Areas of concern customer data.docx, an unnamed employee at
the company lists technical issues that could lead to a data breach occurring, as well the legal
problems that may come with that. Under a section called Data leak/threft issues [sic], the
author lists customer data being exposed by phishing or SQL injection being a possible
problem, when malicious requests are punched into an entry field, typically in order to dump the
site database. Another employee worried about remote code executionwhen an attacker can
run code on a victims computer over the internetand yet another employee pointed to
employees being infected with malware, allowing hackers access to our user data.
6.
Plaintiff, on behalf of himself and all others similarly situated, asserts the
following claims: Violations of the Stored Communications Act (SCA), 18 U.S.C. 2702;
negligence; breach of implied contract; breach of contract, violations of the Texas Deceptive
3
Trade Practices-Consumer Protection Act (DTPA), under Section 17.45(4) of the Texas
Business and Commerce Code and the substantially similar statutes of the other states in which
Defendant conducts business, the Texas Identity Theft Enforcement Protection Act (TITEPA)
because it is a tie-in statute as provided under Section 521.152 of the Texas Business and
Commerce Code and the substantially similar statutes of the other states in which Defendant
conducts business, and intentional infliction of emotional distress and the substantially similar
statutes of the other states in which Defendant conducts business.
JURISDICTION AND VENUE
7.
This Court has subject matter jurisdiction pursuant to 28 U.S.C. 1331,
which confers upon the Court original jurisdiction over all civil actions arising under the
laws of the United States, and pursuant to 18 U.S.C. 2707. This Court has supplemental
jurisdiction over Plaintiffs and Class Members state law claims under 28 U.S.C. 1367.
8.
In addition, this Court has subject matter jurisdiction pursuant to 28 U.S.C.
1332(d)(2)(A) because this case is a class action where the aggregate claims of all
Members of the putative Classes are in excess of $5,000,000.00, exclusive of interest and
costs, and many of the Members of the putative Classes are citizens of different states than
Defendant. This Court has subject matter jurisdiction pursuant to 28 U.S.C. 1332(d).
9.
Venue is properly set in this District pursuant to 28 U.S.C. 1391(b)
since Defendant transacts business within this judicial district. Likewise, a substantial part
of the events giving rise to the claim occurred within this judicial district.
PARTIES
10.
Plaintiff John Doe (a pseudonym) is an adult male domiciled in Austin, Texas
and is a citizen of Texas. Plaintiff and Class members provided Personal Information to
Defendant with a heightened expectation of privacy due to the nature of Defendants products
4
and services. Additionally, Class Members provided Personal Information to Defendant in

order to effectuate a paid-delete of any of their personal information in Defendants
possession, including Personal Information, as promised by Defendant. On information and
belief Does Personal Information was compromised as a result of Defendants security
failures. As a result of such compromise, Doe suffered losses and damages in an amount
yet to be completely determinable as such losses and damages are ongoing.
11.
On information and belief Defendant is a corporation organized under
Canadian law with its headquarters and principal place of business in Toronto, Canada.
FACTUAL BACKGROUND
12.
Plaintiff repeats, realleges, and incorporates paragraphs 1-11 in this Complaint as
if fully set forth herein.

13.
Defendant is a merchant that owns, operates, and controls social networking
services, including a site on the Internet branded as Ashley Madison.

14.
Upon information and belief, Defendants data breach has impacted millions of
its customers nationwide within the United States.

15.
Hackers accessed a database owned, operated, or controlled by ALM that
processes, stores, or utilizes information regarding Personal Information, including ALM

transactions, with account numbers, expiration dates, card holder names, credit card
transactions, users sexual preferences and fantasies, email addresses, and/or other information,
on information and belief. Hackers publicly exposed such personal information on both August
16.
delete
any
Class Members contacted Defendant to accept Defendants offer to paidpersonal
information,
including
Personal Information,
in
Defendants
possession; in other words, Defendant promised to delete such information for a fee ($19,
on information and belief).
5
17.
Defendant broke such promise to the Class Members, who also sought a
paid-delete.
18.
Upon information and belief, the Defendant accepts customer payments for
services through credit and debit cards issued by members of the payment card industry
(PCI) such as Visa or MasterCard.
19.
In 2006, the PCI members established a Security Standards Counsel (PCI
SSC) as a forum to develop PCI Data Security Standards (PCI DSS) for increased
security of payment processing systems.
20.
The PCI DSS provides, If you are a merchant that accepts payment cards,
you are required to be compliant with the PCI Data Security Standard. Defendant, or
course, is a merchant that accepts payment cards.
21.
The PCI DSS requires a merchant to:

a.
Assessidentify cardholder data, take inventory of IT assets and
business processes for payment card processing, and analyze them for vulnerabilities that
could expose cardholder data.
b.
Remediatefix vulnerabilities and do not store cardholder data
c.
Reportcompile and submit required remediation validation records
unless needed.
(if applicable) and submit compliance reports to the acquiring bank and card brands with
which a merchant does business.
22.
Additionally, since 1995, the FTC has been studying the manner in which
online entities collect and use personal information and safeguards to assure that online data
collection practice is fair and provides adequate information privacy protection. The result of
this study is the FTC Fair Information Practice Principles. The core principles are:
6
a.
Notice/Awareness--Consumers should be given notice of an entitys
information practices before any personal information is collected from them. This requires that
companies explicitly notify of some or all of the following:
Identification of the entity collecting the data;
Identification of the uses to which the data will be put;
Identification of any potential recipients of the data;
The nature of the data collected and the means by which it is
collected;
Whether the provision of the requested data is voluntary or required; and
The steps taken by the data collector to ensure the confidentiality,
integrity and quality of the data.

b.
Choice/Consent--Choice and consent in an online information-
gathering sense means giving consumers options to control how their data is used with respect
to secondary uses of information beyond the immediate needs of the information collector
to complete the consumers transaction.
c.
Access/Participation--Access as defined in the Fair Information
Practice Principles includes not only a consumers ability to view the data collected, but also to
verify and contest its accuracy. This access must be inexpensive and timely in order to be
useful to the consumer.
d.
Integrity/Security--Information collectors should ensure that the data
they collect is accurate and secure. They should improve the integrity of data by crossreferencing it with only reputable databases and by providing access for the consumer to
verify it. Information collectors should keep their data secure by protecting against both
internal and external security threats. They should limit access within their company to
7
only necessary employees to protect against internal threats, and they should use encryption
and other computer- based security systems to stop outside threats.
e.
Enforcement/Redress--In order to ensure that companies follow the
Fair Information Practice Principles, there must be enforcement measures. The FTC identifies
three types of enforcement measures: self-regulation by the information collectors or an
appointed regulatory body; private remedies that give civil causes of action for individuals
whose information has been misused to sue violators; and government enforcement, which can
include civil and criminal penalties levied by the government.
23.
On information and belief, Defendant failed to adequately analyze its
computer systems for vulnerabilities that could expose cardholder data. Defendant further
failed to fix the vulnerabilities in its computer systems which allowed Plaintiffs and Class
Members Personal Information to become compromised.
24.
Additionally, on information and belief, Defendant unlawfully collected
consumer financial data for marketing purposes beyond the needs of specific transactions,
in order to accrue financial benefit at the risk and likelihood of compromising consumers
Personal Information.
25.
On or about July 15 of this year, and at times prior, ALMs databases
were compromised, with the result that Personal Information of Plaintiff and Class Members
Personal Information was used or is at risk of use in fraudulent transactions around the world,
as well as other invidious exposure.
Upon information and belief, Defendant maintains or
maintained information, including Personal Information, regarding nearly 37 million

subscribers, and Defendants security failures affected the credit and debit card of millions
of customers, including Plaintiff and Class Members.
One of the primary purposes of
Defendants product and services was confidentiality and anonymity.

8
26.
Upon information and belief, the security breach and theft of Personal
Information was caused by Defendants violations of its obligations to abide by the best
practices and industry standards concerning the security of its payment processing systems and
the computers associated therewith as set forth, for example, in Payment Card Industry
Security Standards Council Data Security Standards (PCI DSS) and the decisions of the
Federal Trade Commission (FTC) concerning protection of consumer financial information.
Upon information and belief, hackers deliberately targeted Defendants servers and collected
names, usernames, passwords, email addresses, phone numbers, mailing addresses, and credit
card numbers and expiration dates, credit card transactions, and other information.
Upon
information and belief, Defendant was also warned that the Personal Information would be
released:
27.
After learning of the security breach, Defendant failed to notify Plaintiff and
the putative Classes in a timely manner and failed to take other reasonable steps to inform
them of the nature and extent of the breach. As a result, Defendant prevented Plaintiff and the
putative Class Members from protecting themselves from the breach and caused Plaintiff
9
and Class Members to suffer financial loss and emotional distress.

28.
On or about August 18 of this year, the Personal Information of Plaintiff and
Class Members was actually released to the public and was put on several websites. On or about
August 20 of this year, additional Personal Information of Plaintiff and Class Members was
similarly released. Despite being told that it could prevent the release of Personal Information of
Plaintiff and Class Members, Defendants allowed such Personal Information to be released to the
public and did not notify Plaintiff and Class Members about the threat of the release of Personal
Information or the actual release of Personal Information.
Upon information and belief, in an
internal company file called Areas of concern customer data.docx, an unnamed employee at
the company lists technical issues that could lead to a data breach occurring, as well the legal
problems that may come with that. Under a section called Data leak/threft issues [sic], the
author lists customer data being exposed by phishing or SQL injection being a possible
problem, when malicious requests are punched into an entry field, typically in order to dump the
site database. Another employee worried about remote code executionwhen an attacker can
run code on a victims computer over the internetand yet another employee pointed to
employees being infected with malware, allowing hackers access to our user data.
29.
As a result, Defendant allowed Personal Information connected with millions of
consumers credit cards and debit cards, including credit cards and debit cards of Plaintiff
and Class Members and personal information related to the same, to become compromised for a
period prior to July 15 of this year.
30.
Additionally, Defendant was provided with Personal Information to in order
to effectuate a paid-delete of any of their personal information in Defendants possession,

including Personal Information, as promised by Defendant. In fact, the amount of Personal
Information was increased because Defendant retained Personal Information related to the paid10
delete transaction itself.
On information and belief Does Personal Information was
compromised as a result of Defendants security failures.

31.
Plaintiff and Class Members are subject to continuing damage from having
their Personal Information comprised as a result of Defendants inadequate systems and

failures. Such damages include, among other things, the amount paid to Defendant to
perform a paid-delete which Defendant did not perform or performed inadequately; outof-pocket expenses incurred to mitigate the increased risk of identity theft and or fraud;
credit, debit, and financial monitoring to prevent and/or mitigate theft, identity theft, and/or
fraud incurred or likely to occur as a result of Defendants security failures; the value of their
time and resources spent mitigating the identity theft and/or fraud; the cost of and time spent
replacing credit cards and debit cards and reconfiguring automatic payment programs with
other merchants related to the compromised cards; and irrecoverable financial losses due to
unauthorized charges on the credit/debit cards of Defendants customers by identity thieves
who wrongfully gained access to the Personal Information of Plaintiff and the Classes, the
embarrassment of having Personal Information disclosed, the damage to marital relationships due
to the breach, and the emotional distress of such breach. Plaintiff is in immediate danger of
sustaining these direct injuries as the result of Defendants actions and inactions.
CLASS ACTION ALLEGATIONS
32.

33.
Plaintiff brings this action on his own behalf and, pursuant to Rule 23 of
the Federal Rules of Civil Procedure, on behalf of the following three (3) multi-state classes:
All persons in the United States who paid Defendant for paid-delete services
which were improperly performed.
11
All persons in the United States whose Personal Information was subject to
Defendants security failures and who suffered damages and anticipate and/or
are in immediate danger of suffering damages in the amount of fraudulent
charges / unauthorized withdrawals made to their credit and/or debit cards or
suffered damages and anticipate and/or are in immediate danger of suffering
damages in the amount of overdraft charges made to their credit and/or debit
cards.
All persons in the United States whose Personal Information was subject to
Defendants security failures and who have suffered or anticipate and/or are in
immediate danger of suffering damages, loss, and/or expenses accruing due to
Defendants security failures.
Excluded from the Classes are Defendant and its affiliates, parents, subsidiaries,
employees, officers, agents, and directors.
34.
The Members of the Classes are so numerous that joinder of all Members
is impracticable. On information and belief, millions of credit and/or debit cards may have
been compromised, and the Members of the Classes are geographically dispersed.
Disposition of the claims of the proposed Classes in a class action will provide substantial
benefits to both the parties and the Court.
35.
The rights of each member of the proposed Classes were violated in a
similar fashion based upon Defendants uniform wrongful actions and/or inaction.
36.
The following questions of law and fact are common to each proposed
Class Member and predominate over questions that may affect individual Class Members:
a.
Whether Defendant failed to use reasonable care and
commercially reasonable methods to secure and safeguard its customers private financial and
personal information;
b.
Whether Defendant properly implemented its purported security
measures to protect consumers private financial and personal information from unauthorized
12
capture, dissemination and misuse;

c.
Whether Defendant took reasonable measures to determine the extent
of the security breach after it first learned of the same;

d.
Whether Defendants delay in informing consumers of the security
breach was unreasonable;

e.
Whether Defendants method of informing consumers of the security
breach and its description of the breach and potential exposure to damages as a result of the
same was unreasonable;
f.
Whether Defendants conduct violated the Stored Communications
Act, 18 U.S.C. 2702;

g.
Whether Defendant breached an implied contract with Class Members;
h.
Whether Defendants conduct violated the Texas Deceptive Trade
Practices-Consumer Protection Act (DTPA), under Section 17.45(4) of the Texas Business and
Commerce Code, and the substantively similar statutes of the other states where Defendant
conducts business;
i.
Whether Defendants conduct violated the Texas Identity Theft
Enforcement Protection Act (TITEPA) as a tie-in statute as provided under Section 521.152 of
the Texas Business and Commerce Code and the substantially similar statutes of the other states
in which Defendant conducts business;
j.
Whether Defendants intentionally inflicted emotional distress upon
Plaintiff and Class Members, and the substantively similar statutes of the other states where
Defendant conducts business; and
k.
Whether Plaintiff and others Members of the Classes are entitled to
compensation, monetary damages, equitable relief and injunctive relief, and, if so, the nature
13
and amount of such relief.

37.
Plaintiffs claims are typical of the claim of absent Class Members. If
brought individually, the claim of each Class Member would necessarily require proof of
the same material and substantive facts, and seek the same remedies.
38.
The Plaintiff is willing and prepared to serve the Court and the proposed
Classes in a representative capacity. The Plaintiff will fairly and adequately protect the interest
of the Classes and have no interests adverse to, or which directly and irrevocably conflicts
with, the interests of other Members of the Classes. Further, Plaintiff has retained counsel
experienced in prosecuting complex class action litigation.
39.
Defendant has acted or refused to act on grounds generally applicable to
the proposed Classes, thereby making appropriate equitable relief with respect to the Classes.
40.
A class action is superior to other available methods for the fair and
efficient adjudication of this controversy because individual claims by the Class Members are
impractical, as the costs of prosecution may exceed what any Class Member has at stake.
41.
Members of the Classes are readily ascertainable through Defendants records
of the transactions it undertook.

42.
Prosecuting separate actions by individual Class Members would create a risk
of inconsistent or varying adjudications that would establish incomparable standards of conduct

for Defendant. Moreover, adjudications with respect to individual Class Members would,
as a practical matter, be dispositive of the interests of other Class Members.
CAUSES OF ACTION
COUNT I VIOLATION OF THE FEDERAL STORED
COMMUNICATIONS ACT, 18 U.S.C. 2702
43.
Plaintiff repeats, realleges, and incorporates paragraphs 1-42 in this Complaint
14
as if fully set forth herein.

44.
The Stored Communications Act (SCA) contains provisions that provide
consumers with redress if a company mishandles their electronically stored information. The
SCA was designed, in relevant part, to protect individuals privacy interests in personal
and proprietary information. S. Rep. No. 99-541, at 3 (1986), reprinted in 1986 U.S.C.C.A.N.
3555 at 3557.
45.
Section 2702(a)(1) of the SCA provides that a person or entity providing
an electronic communication service to the public shall not knowingly divulge to any
person or entity the contents of a communication while in electronic storage by that service.
18 U.S.C. 2702(a)(1).
46.
The SCA defines electronic communication service as any service which
provides to users thereof the ability to send or receive wire or electronic communications. Id.
at
2510(15).
47.
Through
its
payment
processing
equipment,
Defendant
provides
an
electronic communication service to the public within the meaning of the SCA because it
provides consumers at large with credit and debit card payment processing capability that
enables them to send or receive wire or electronic communications concerning their private
financial information to transaction managers, card companies, or banks.
48.
By failing to take commercially reasonable steps to safeguard sensitive
private financial information, even after Defendant was aware that customers Personal
Information had been compromised, Defendant has knowingly divulged customers private
financial information that was communicated to financial institutions solely for customers
payment verification purposes, while in electronic storage in Defendants payment system.
15
49.
Section 2702(a)(2)(A) of the SCA provides that a person or entity
providing remote computing service to the public shall not knowingly divulge to any person
or entity the contents of any communication which is carried or maintained on that service on
behalf of, and received by means of electronic transmission from (or created by means of
computer processing of communications received by means of electronic transmission from), a
subscriber or customer of such service. 18 U.S.C. 2702(a)(2)(A).
50.
The SCA defines remote computing service as the provision to the public
of computer storage or processing services by means of an electronic communication system.

18 U.S.C. 2711(2).
51.
An electronic communications systems is defined by the SCA as any
wire, radio, electromagnetic, photooptical or photoelectronic facilities for the transmission of

wire or electronic communications, and any computer facilities or related electronic
equipment for the electronic storage of such communications. 18 U.S.C. 2510(4).
52.
Defendant provides remote computing services to the public by virtue of its
computer processing services for consumer credit and debit card payments, which are used
by customers and carried out by means of an electronic communications system, namely the
use of wire, electromagnetic, photooptical or photoelectric facilities for the transmission of
wire or electronic communications received from, and on behalf of, the customer concerning
customer private financial information.
53.
By failing to take commercially reasonable steps to safeguard sensitive
private financial information, Defendant has knowingly divulged customers private financial
information that was carried and maintained on Defendants remote computing service solely
for the customers payment verification purposes.
54.
As a result of Defendants conduct described herein and its violations of

16
Section 2702(a)(1) and (2)(A), Plaintiff and putative Class Members have suffered injuries,
including lost money and the costs associated with the need for vigilant credit monitoring to
protect against additional identity theft. Plaintiff, on her own behalf and on behalf of the
putative Classes, seek an order awarding themselves and the Classes the maximum statutory
damages available under 18 U.S.C. 2707 in addition to the cost for 3 years of credit
monitoring services.
WHEREFORE Plaintiff and Class Members pray for Judgment in their favor and
against Defendant on this Count I of their Complaint; for actual and compensatory damages;
for punitive or exemplary damages; for punitive or exemplary damages; for punitive or
exemplary damages; for injunctive relief; for costs, expenses and attorney fees as allowed by
law; and for such other and further relief as this Court deems just and proper.
COUNT II NEGLIGENCE
55.

56.
Upon coming into possession of Plaintiffs and Class Members Personal
Information, i.e., private, non-public, sensitive financial information, Defendant had (and
continues to have) a duty to exercise reasonable care in safeguarding and protecting the
information from being compromised and/or stolen.
57.
Defendant also had a duty to timely disclose to Plaintiff and Class Members that
a breach of security had occurred and their Personal Information pertaining to their credit
cards and/or debit cards had been compromised, or was reasonably believed to be
compromised.
58.
Defendant also had a duty to put into place internal policies and
procedures designed to detect and prevent the theft or dissemination of Plaintiffs and
17
Class Members Personal Information.

59.
Defendant, by and through its above negligent acts and/or omissions, breached
its duty to Plaintiff and Class Members by failing to exercise reasonable care in protecting
and safeguarding their Personal Information which was in Defendants possession, custody,
and control.
60.
Defendant, by and through its above negligent acts and or omissions,
further breached its duty to Plaintiff and Class Members by failing to put into place internal
policies and procedures designed to detect and prevent the unauthorized dissemination of
Plaintiff and Class Members Personal Information.
61.
Defendant, by and through its above negligent acts and or omissions, breached
its duty to timely disclose the fact that Plaintiff and Class Members Personal Information had
been or was reasonable believed to be have been compromised.
62.
Defendants negligent and wrongful breach of its duties owed to Plaintiff
and Class Members, their Personal Information would not have been compromised.
63.
Plaintiffs and Class Members Personal Information was compromised
and/or stolen as a direct and proximate result of Defendants breach of its duties as set forth
herein.
64.
Plaintiff and Class Members have suffered actual damages including, but
not limited to, having their personal information compromised, incurring time and expenses in
cancelling their debit and/credit cards, activating new cards and re-establishing automatic
payment authorizations from their new cards, and other economic and non-economic
damages, including irrecoverable losses due to unauthorized charges on their credit/debit cards.
against Defendant on this Count II of their Complaint; for actual and compensatory damages;
18
for punitive or exemplary damages; for punitive or exemplary damages; for punitive or
COUNT III -- BREACH OF IMPLIED CONTRACT
65.

66.
Plaintiff and Class Members were required to provide Defendant with their
Personal Information in order to facilitate their credit card and/or debit card transactions.
67.
Implicit in this requirement was a covenant requiring Defendant to take
reasonable efforts to safeguard this information and promptly notify Plaintiff and Class
Members in the event their information was compromised.
68.
Similarly, it was implicit that Defendant would not disclose Plaintiffs and
Class Members Personal Information.

69.
Notwithstanding its obligations, Defendant knowingly failed to safeguard
and protect Plaintiffs and Class Members Personal Information. To the contrary, Defendant
allowed this information to be disseminated to unauthorized third parties.
70.
Defendants above wrongful actions and/or inaction breached its implied
contracts with Plaintiff and Class Members, which in turn directly and/or proximately caused
Plaintiff and Class Members to suffer substantial injuries.
against Defendant on this Count III of their Complaint; for actual and compensatory
damages; for punitive or exemplary damages; for punitive or exemplary damages; for
punitive or exemplary damages; for injunctive relief; for costs, expenses and attorney fees as
allowed by law; and for such other and further relief as this Court deems just and proper.
19
COUNT IV VIOLATION OF TEXAS DECEPTIVE TRADE PRACTICESCONSUMER PROTECTION ACT (DTPA), OF THE TEXAS BUSINESS AND
COMMERCE CODE, AND SIMILAR STATUTES OF
THE OTHER STATES WHERE DEFENDANT DOES BUSINESS
71.

72.
Defendant violated the Texas Deceptive Trade Practices-Consumer Protection
Act (DTPA), under Section 17.45(4) of the Texas Business and Commerce Code, and the
substantially similar statutes of the other states in which it conducts business by failing to
properly implement adequate, commercially reasonable security measures to protect
customers private financial information, and by failing to immediately notify affected
customers of the nature and extent of the security breach.
73.
regarding
Defendants fraudulent and deceptive omissions and misrepresentations

the companys security measures to protect customers private financial
information and the extent of the breach of those security measures were intended to
deceive and induce Plaintiff and the putative Class Members reliance on Defendants
misrepresentations that their financial information was secure and protected when using
debit and credit cards to shop at Defendant stores.
74.
Defendants unlawful misrepresentations and omissions occurred in the course
of conduct involving trade or commerce.

75.
Defendants unlawful misrepresentations and omissions were material
because Plaintiff and the other putative Class Members, if they had known the truth, would
not have risked compromising their private financial information by using their debit or
credit cards at Defendant stores. Plaintiff and the other putative Class Members would
consider the omitted and misrepresented material facts important in making their purchasing
20
decisions.
76.
Defendants unlawful misrepresentations and omissions damaged Plaintiff
and the other putative Class Members because Plaintiff and Class Members would not have
chosen to expose their private financial information to a security breach and subsequent
exploitation by the defrauders.
77.
Plaintiff, therefore, prospectively asserts that by its above-described wrongful
actions, inaction and/or omissions and the resulting data breach of Personal Information,
Defendant knowingly and intentionally violated Section 17.50(a)(3) of the Texas Business and
Commerce Code by engaging in the above-described unconscionable actions and/or
unconscionable course of action; to wit, despite knowing of the security issues present in
Defendants systems, failing to identify, implement, maintain and monitor the proper data
security measures, policies, procedures, protocols, and software and hardware systems to
safeguard and protect Plaintiffs and Class Members Personal Information data which, as a
direct and/or proximate result, was stolen and compromised in the Data Breach.
78.
Defendants above-described wrongful actions, inaction and/or omissions and the
resulting Data Breach unfairly took advantage of the lack of knowledge, ability, and experience
of Plaintiff and Class Members to a grossly unfair degree regarding Defendants computer
system and servers and Defendants inability to safeguard and protect their Personal Information
data; to wit, at the time Plaintiff and Class Members gave Defendants their Personal Information
data in connection with purchasing of access and services, Plaintiff and Class Members did not
know, and had no way of knowing, that Defendant was incapable of safeguarding and protecting
their Personal Information data.
79.
Concurrent with filing this Class Action Complaint, Plaintiff served a 60-day
demand letter on Defendant under Section 17.505 of the Texas Business and Commerce Code.
21
Should this matter not be resolved to the satisfaction of Plaintiff, on behalf of himself and all
Class Members, within the 60-day period, Plaintiff intends to amend this Class Action
Complaint and formally assert this cause of action.
80.
Plaintiff, individually and on behalf of the putative Classes, seek an order
requiring Defendant to pay: monetary and punitive damages for the conduct described herein;
three years of credit card fraud monitoring services for Plaintiff and Members of the putative
Classes; and the reasonable attorneys fees and costs of suit of Plaintiff and Class Members;
together with all such other and further relief as may be just.
against Defendant on this Count IV of their Complaint; for actual and compensatory
COUNT V BREACH OF CONTRACT
81.

82.
delete
any
Defendant promised the Class Members, for a fee of approximately $19, to

of
Plaintiffs/Class
Members
personal
information,
including
Personal
Information, in Defendants possession (the paid-delete service).

83.
On information and belief, Defendant broke such promise, and did not
delete some or all of Plaintiffs/Class Members Personal Information in Defendants

possession, even after the payment of such fee.
84.
Plaintiff have been damage thereby in the amount paid to the Defendant
to perform a paid-delete, and in the amount of other losses as previously stated.

22
against Defendant on this Count V of their Complaint; for actual and compensatory
COUNT VI INTENTIONAL INFLICTION OF EMOTIONAL DISTRESS
85.

86.
Defendant acted intentionally or recklessly in failing to adequately secure Plaintiff
and Class Members Personal information despite knowing that there were security problems
and failures and did nothing to remedy those problems and failures despite being aware of them.
Moreover, despite being warned that Personal Information was compromised through a breach,
Defendants intentionally or recklessly failed to mitigate such breach causing millions of users
Personal Information to be released to the public. Such conduct was extreme and outrageous,
especially in light of the confidential nature of the products and services that Defendant provides.
87.
Defendants actions caused Plaintiff and Class Members emotional distress
directly related to their actions in the form of extreme and severe emotional distress over their
marital relationship, societal status, reputation in the community, and other general distress
resulting from Defendants actions and inactions.
WHEREFORE Plaintiff and Class Members pray for Judgment in their favor and against
Defendant on this Count VI of their Complaint; for actual and compensatory damages; for
punitive or exemplary damages; for punitive or exemplary damages; for punitive or
23
COUNT VII TEXAS IDENTITY THEFT ENFORCEMENT PROTECTION ACT

(TITEPA) AS A TIE-IN STATUTE AS PROVIDED UNDER SECTION 521.152 OF
THE TEXAS BUSINESS AND COMMERCE CODE
88.

89.
As plead in Count IV above, Plaintiff and Class Members are protected under the
DTPA and Defendant is subject to the DTPA and subject to the provisions of the Texas Identity
Theft Enforcement Protection Act (TITEPA) because it is a tie-in statute as provided under
Section 521.152 of the Texas Business and Commerce Code.
90.
Defendant stored Plaintiffs and the Classs Personal Information, including but
not limited to sensitive personal information and personal identifying information such as their
names, dates of birth, sometimes mothers maiden names, account numbers, credit card
numbers, physical conditions, and/or mental conditions, sexual preferences, sexual fantasies,
physical addresses, and other information.
91.
Plaintiff and the Class Members are victims under this act because their
Personal Information is available on the internet and being perused by unauthorized individuals.
Upon information and belief, Plaintiff and the Class Members information is also being used
for profit and for blackmail purposes.
92.
Defendant violated its duty to protect sensitive personal information by failing to
implement and maintain reasonable procedures around the Personal Information, including
taking protective actions when it knew the personal information was vulnerable, to protect the
data from unlawful use.
93.
Defendant also failed to destroy or arrange for the destruction of the personal
information in a safe and secure manner in violation of this act. Further, Class Members who
affirmatively paid Defendant to remove their personal data and received a guarantee that it was
24
removed were harmed. Defendant actually failed to safely and securely destroy that data and
permitted it to be stolen by unauthorized users.
94.
Defendant further violated this act by failing to notify Plaintiff and the Class
immediately upon learning of the breach. Notice, if any, was given to Plaintiff and Class
Members too late and not in accordance with this act.
95.
As a natural and proximate cause of Defendants violation of this act, Plaintiff
and the Class Members were harmed and will continue to be harmed.
WHEREFORE Plaintiff and Class Members pray for Judgment in their favor and against
Defendant on this Count VII of their Complaint; for actual and compensatory damages; for
punitive or exemplary damages; for punitive or exemplary damages; for punitive or
JURY TRIAL DEMAND

Plaintiff and class members demand a jury trial as to all claims and issues triable of right by a jury.
PRAYER FOR RELIEF

WHEREFORE, Plaintiff and the Members of the proposed Classes pray that this
Honorable Court do the following:
A.
Certify the matter as a class action pursuant to the provisions of Rule 23 of
the Federal Rules of Civil Procedure and order that notice be provided to all Class Members;
B.
Designate Plaintiff as representative of the Classes and the undersigned
counsel as Class Counsel;

C.
Award Plaintiff and the Classes compensatory and punitive damages in
an amount to be determined by the trier of fact;

25
D.
Award Plaintiff and the Classes statutory interest and penalties;
E.
Award Plaintiff and the Classes appropriate injunctive and/or declaratory relief;
F.
Award Plaintiff and the Classes their costs, prejudgment interest, and
attorney fees; and

G.
Grant such other relief as is just and proper.
26
DATED: August 21, 2015.

/s/ James F. McDonough, III.
W. LEWIS GARRISON, JR.,
PHV forthcoming
lewis@hgdlawfirm.com
TAYLOR C. BARTLETT,
PHV forthcoming
taylor@hgdlawfirm.com
HENINGER GARRISON DAVIS, LLC
2224 First Avenue North
Birmingham, AL 35203
Tel: 205-326-3336
Fax: 205-326-3332
JAMES F. MCDONOUGH, III.
PHV forthcoming
jmcdonough@hgdlawfirm.com
HENINGER GARRISON DAVIS, LLC
3621 Vinings Slope, Suite 4320
Atlanta, GA 30339
Tel: 404-996-0869
Fax: 205-326-3332
Attorney for Named Plaintiff
FERRER, POIROT & WANSBROUGH
/s/ John T. Kirtley, III
JOHN T. KIRTLEY, III
Texas Bar no. 11534050
2603 Oak Lawn Ave., Suite 300
P. O. Box 199109
Dallas, Texas 75219
jkirtley@lawyerworks.com
(Asst. molvera@lawyerworks.com)
(214) 521-4412 phone
(214) 526-6026 facsimile
Attorney-In-Charge For Plaintiff
27
JS 44 (Rev. 12/12)
Case 3:15-cv-02750-N Document 1-1 Filed 08/21/15
CIVIL COVER SHEET
The JS 44 civil cover sheet and the information contained herein neither replace nor supplement the filing and service of pleadings or other papers as required by law, except as
provided by local rules of court. This form, approved by the Judicial Conference of the United States in September 1974, is required for the use of the Clerk of Court for the
purpose of initiating the civil docket sheet. (SEE INSTRUCTIONS ON NEXT PAGE OF THIS FORM.)
I. (a) PLAINTIFFS
DEFENDANTS
John Doe (a psuedonym)
Avid Life Media, Inc.

PO Box 67027,
Toronto, Ontario, M4P 1E4
(b) County of Residence of First Listed Plaintiff
County of Residence of First Listed Defendant
Travis Co., TX
(EXCEPT IN U.S. PLAINTIFF CASES)

NOTE:
Toronto, Canada
(IN U.S. PLAINTIFF CASES ONLY)

IN LAND CONDEMNATION CASES, USE THE LOCATION OF
THE TRACT OF LAND INVOLVED.
Attorneys (If Known)
(c) Attorneys (Firm Name, Address, and Telephone Number)
II. BASIS OF JURISDICTION (Place an X in One Box Only)

1
U.S. Government
Plaintiff
Federal Question
(U.S. Government Not a Party)
U.S. Government
Defendant
Diversity
(Indicate Citizenship of Parties in Item III)
III. CITIZENSHIP OF PRINCIPAL PARTIES (Place an X in One Box for Plaintiff

(For Diversity Cases Only)
PTF
Citizen of This State
1
DEF
1
and One Box for Defendant)

PTF
DEF
Incorporated or Principal Place
4
4
of Business In This State
Citizen of Another State
Incorporated and Principal Place

of Business In Another State
Citizen or Subject of a
Foreign Country
Foreign Nation
IV. NATURE OF SUIT (Place an X in One Box Only)

CONTRACT
TORTS
110 Insurance
120 Marine
130 Miller Act
140 Negotiable Instrument
150 Recovery of Overpayment
& Enforcement of Judgment
151 Medicare Act
152 Recovery of Defaulted
Student Loans
(Excludes Veterans)
153 Recovery of Overpayment
of Veterans Benefits
160 Stockholders Suits
190 Other Contract
195 Contract Product Liability
196 Franchise
REAL PROPERTY
210 Land Condemnation
220 Foreclosure
230 Rent Lease & Ejectment
240 Torts to Land
245 Tort Product Liability
290 All Other Real Property
PERSONAL INJURY
310 Airplane
315 Airplane Product
Liability
320 Assault, Libel &
Slander
330 Federal Employers
Liability
340 Marine
345 Marine Product
Liability
350 Motor Vehicle
355 Motor Vehicle
Product Liability
360 Other Personal
Injury
362 Personal Injury Medical Malpractice
CIVIL RIGHTS
440 Other Civil Rights
441 Voting
442 Employment
443 Housing/
Accommodations
445 Amer. w/Disabilities Employment
446 Amer. w/Disabilities Other
448 Education
FORFEITURE/PENALTY
PERSONAL INJURY
365 Personal Injury Product Liability
367 Health Care/
Pharmaceutical
Personal Injury
Product Liability
368 Asbestos Personal
Injury Product
Liability
PERSONAL PROPERTY
370 Other Fraud
371 Truth in Lending
380 Other Personal
Property Damage
385 Property Damage
Product Liability
PRISONER PETITIONS
Habeas Corpus:
463 Alien Detainee
510 Motions to Vacate
Sentence
530 General
535 Death Penalty
Other:
540 Mandamus & Other
550 Civil Rights
555 Prison Condition
560 Civil Detainee Conditions of
Confinement
625 Drug Related Seizure

of Property 21 USC 881
690 Other
BANKRUPTCY
422 Appeal 28 USC 158
423 Withdrawal
28 USC 157
PROPERTY RIGHTS
820 Copyrights
830 Patent
840 Trademark
LABOR
710 Fair Labor Standards
Act
720 Labor/Management
Relations
740 Railway Labor Act
751 Family and Medical
Leave Act
790 Other Labor Litigation
791 Employee Retirement
Income Security Act
SOCIAL SECURITY
861 HIA (1395ff)
862 Black Lung (923)
863 DIWC/DIWW (405(g))
864 SSID Title XVI
865 RSI (405(g))
FEDERAL TAX SUITS

870 Taxes (U.S. Plaintiff
or Defendant)
871 IRSThird Party
26 USC 7609
OTHER STATUTES
375 False Claims Act

400 State Reapportionment
410 Antitrust
430 Banks and Banking
450 Commerce
460 Deportation
470 Racketeer Influenced and
Corrupt Organizations
480 Consumer Credit
490 Cable/Sat TV
850 Securities/Commodities/
Exchange
890 Other Statutory Actions
891 Agricultural Acts
893 Environmental Matters
895 Freedom of Information
Act
896 Arbitration
899 Administrative Procedure
Act/Review or Appeal of
Agency Decision
950 Constitutionality of
State Statutes
IMMIGRATION
462 Naturalization Application
465 Other Immigration
Actions
V. ORIGIN (Place an X in One Box Only)

1 Original
Proceeding
2 Removed from
State Court
Remanded from
Appellate Court
4 Reinstated or
Reopened
5 Transferred from
Another District
(specify)
6 Multidistrict
Litigation
Cite the U.S. Civil Statute under which you are filing (Do not cite jurisdictional statutes unless diversity):
18 USC 2702
VI. CAUSE OF ACTION Brief description of cause:
Violation of the Federal Stored Communications Act
CHECK IF THIS IS A CLASS ACTION

VII. REQUESTED IN
UNDER RULE 23, F.R.Cv.P.
COMPLAINT:
VIII. RELATED CASE(S)
(See instructions):
IF ANY
JUDGE
DATE
CHECK YES only if demanded in complaint:

Yes
No
JURY DEMAND:
DEMAND $
DOCKET NUMBER
SIGNATURE OF ATTORNEY OF RECORD
/s/John T. Kirtley, III
08/21/2015
FOR OFFICE USE ONLY
RECEIPT #
AMOUNT
Print
APPLYING IFP
Save As...
JUDGE
MAG. JUDGE
Reset
Case 3:15-cv-02750-N Document 1-1 Filed 08/21/15
JS 44 Reverse (Rev. 12/12)
INSTRUCTIONS FOR ATTORNEYS COMPLETING CIVIL COVER SHEET FORM JS 44

Authority For Civil Cover Sheet
The JS 44 civil cover sheet and the information contained herein neither replaces nor supplements the filings and service of pleading or other papers as
required by law, except as provided by local rules of court. This form, approved by the Judicial Conference of the United States in September 1974, is
required for the use of the Clerk of Court for the purpose of initiating the civil docket sheet. Consequently, a civil cover sheet is submitted to the Clerk of
Court for each civil complaint filed. The attorney filing a case should complete the form as follows:
I.(a)
(b)
(c)
Plaintiffs-Defendants. Enter names (last, first, middle initial) of plaintiff and defendant. If the plaintiff or defendant is a government agency, use
only the full name or standard abbreviations. If the plaintiff or defendant is an official within a government agency, identify first the agency and
then the official, giving both name and title.
County of Residence. For each civil case filed, except U.S. plaintiff cases, enter the name of the county where the first listed plaintiff resides at the
time of filing. In U.S. plaintiff cases, enter the name of the county in which the first listed defendant resides at the time of filing. (NOTE: In land
condemnation cases, the county of residence of the "defendant" is the location of the tract of land involved.)
Attorneys. Enter the firm name, address, telephone number, and attorney of record. If there are several attorneys, list them on an attachment, noting
in this section "(see attachment)".
II.
Jurisdiction. The basis of jurisdiction is set forth under Rule 8(a), F.R.Cv.P., which requires that jurisdictions be shown in pleadings. Place an "X"
in one of the boxes. If there is more than one basis of jurisdiction, precedence is given in the order shown below.
United States plaintiff. (1) Jurisdiction based on 28 U.S.C. 1345 and 1348. Suits by agencies and officers of the United States are included here.
United States defendant. (2) When the plaintiff is suing the United States, its officers or agencies, place an "X" in this box.
Federal question. (3) This refers to suits under 28 U.S.C. 1331, where jurisdiction arises under the Constitution of the United States, an amendment
to the Constitution, an act of Congress or a treaty of the United States. In cases where the U.S. is a party, the U.S. plaintiff or defendant code takes
precedence, and box 1 or 2 should be marked.
Diversity of citizenship. (4) This refers to suits under 28 U.S.C. 1332, where parties are citizens of different states. When Box 4 is checked, the
citizenship of the different parties must be checked. (See Section III below; NOTE: federal question actions take precedence over diversity
cases.)
III.
Residence (citizenship) of Principal Parties. This section of the JS 44 is to be completed if diversity of citizenship was indicated above. Mark this
section for each principal party.
IV.
Nature of Suit. Place an "X" in the appropriate box. If the nature of suit cannot be determined, be sure the cause of action, in Section VI below, is
sufficient to enable the deputy clerk or the statistical clerk(s) in the Administrative Office to determine the nature of suit. If the cause fits more than
one nature of suit, select the most definitive.
V.
Origin. Place an "X" in one of the six boxes.

Original Proceedings. (1) Cases which originate in the United States district courts.
Removed from State Court. (2) Proceedings initiated in state courts may be removed to the district courts under Title 28 U.S.C., Section 1441.
When the petition for removal is granted, check this box.
Remanded from Appellate Court. (3) Check this box for cases remanded to the district court for further action. Use the date of remand as the filing
date.
Reinstated or Reopened. (4) Check this box for cases reinstated or reopened in the district court. Use the reopening date as the filing date.
Transferred from Another District. (5) For cases transferred under Title 28 U.S.C. Section 1404(a). Do not use this for within district transfers or
multidistrict litigation transfers.
Multidistrict Litigation. (6) Check this box when a multidistrict case is transferred into the district under authority of Title 28 U.S.C. Section 1407.
When this box is checked, do not check (5) above.
VI.
Cause of Action. Report the civil statute directly related to the cause of action and give a brief description of the cause. Do not cite jurisdictional
statutes unless diversity. Example: U.S. Civil Statute: 47 USC 553 Brief Description: Unauthorized reception of cable service
VII.
Requested in Complaint. Class Action. Place an "X" in this box if you are filing a class action under Rule 23, F.R.Cv.P.
Demand. In this space enter the actual dollar amount being demanded or indicate other demand, such as a preliminary injunction.
Jury Demand. Check the appropriate box to indicate whether or not a jury is being demanded.
VIII. Related Cases. This section of the JS 44 is used to reference related pending cases, if any. If there are related pending cases, insert the docket
numbers and the corresponding judge names for such cases.
Date and Attorney Signature. Date and sign the civil cover sheet.

Ashley Madison Lawsuit

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Ashley Madison Lawsuit

Uploaded by

Copyright:

Available Formats

Case 3:15-cv-02750-N Document 1 Filed 08/21/15

IN THE UNITED STATES DISTRICT COURT

CLASS ACTION COMPLAINT

of Defendant AVID LIFE MEDIA INC. (ALM or Defendant) governing electronic

not limited to, the putative Class Members (hereafter Class

On or about July 15 of this year, and at times prior, ALMs databases

Case 3:15-cv-02750-N Document 1 Filed 08/21/15

as well as other invidious exposure.

Upon information and belief, Defendant maintains or

maintained information, including Personal Information, regarding nearly 37 million

One of the primary purposes of

Defendants product and services was confidentiality and anonymity.

Case 3:15-cv-02750-N Document 1 Filed 08/21/15

On or about August 18 of this year, the Personal Information of Plaintiff and

Upon information and belief, in an

Case 3:15-cv-02750-N Document 1 Filed 08/21/15

This Court has subject matter jurisdiction pursuant to 28 U.S.C. 1331,

In addition, this Court has subject matter jurisdiction pursuant to 28 U.S.C.

Venue is properly set in this District pursuant to 28 U.S.C. 1391(b)

Plaintiff John Doe (a pseudonym) is an adult male domiciled in Austin, Texas

Case 3:15-cv-02750-N Document 1 Filed 08/21/15

and services. Additionally, Class Members provided Personal Information to Defendant in

On information and belief Defendant is a corporation organized under

Plaintiff repeats, realleges, and incorporates paragraphs 1-11 in this Complaint as

if fully set forth herein.

Defendant is a merchant that owns, operates, and controls social networking

services, including a site on the Internet branded as Ashley Madison.

its customers nationwide within the United States.

Hackers accessed a database owned, operated, or controlled by ALM that

processes, stores, or utilizes information regarding Personal Information, including ALM

Class Members contacted Defendant to accept Defendants offer to paidpersonal

Case 3:15-cv-02750-N Document 1 Filed 08/21/15

In 2006, the PCI members established a Security Standards Counsel (PCI

The PCI DSS requires a merchant to:

Assessidentify cardholder data, take inventory of IT assets and

Remediatefix vulnerabilities and do not store cardholder data

Reportcompile and submit required remediation validation records

Case 3:15-cv-02750-N Document 1 Filed 08/21/15

Notice/Awareness--Consumers should be given notice of an entitys

Identification of the entity collecting the data;

Identification of the uses to which the data will be put;

Identification of any potential recipients of the data;

The nature of the data collected and the means by which it is

Whether the provision of the requested data is voluntary or required; and

The steps taken by the data collector to ensure the confidentiality,

integrity and quality of the data.

Choice/Consent--Choice and consent in an online information-

Access/Participation--Access as defined in the Fair Information

Integrity/Security--Information collectors should ensure that the data

Case 3:15-cv-02750-N Document 1 Filed 08/21/15

Enforcement/Redress--In order to ensure that companies follow the

On information and belief, Defendant failed to adequately analyze its

Additionally, on information and belief, Defendant unlawfully collected

On or about July 15 of this year, and at times prior, ALMs databases

Upon information and belief, Defendant maintains or

maintained information, including Personal Information, regarding nearly 37 million

One of the primary purposes of

Defendants product and services was confidentiality and anonymity.

Case 3:15-cv-02750-N Document 1 Filed 08/21/15

Case 3:15-cv-02750-N Document 1 Filed 08/21/15

and Class Members to suffer financial loss and emotional distress.

On or about August 18 of this year, the Personal Information of Plaintiff and

Upon information and belief, in an

As a result, Defendant allowed Personal Information connected with millions of