Complaint Smallman v. MGM

Case 2:20-cv-00376 Document 1 Filed 02/21/20 Page 1 of 30
1 TANASI LAW OFFICES

Richard Tanasi, Esq.
2 8716 W. Spanish Ridge Ave. Suite 105
Las Vegas, NV 89148
3
Telephone: 702-906-2411
4 Facsimile: 866-299-4274
rtanasi@tanasilaw.com
5
MORGAN & MORGAN COMPLEX
6 LITGATION GROUP
John A. Yanchunis (pro hac vice to be submitted)
7 Jean S. Martin (pro hac vice to be submitted)
8 Marcio Valladares (pro hac vice to be submitted)
201 N. Franklin Street, 7th Floor
9 Tampa, FL 33602
Telephone: (813) 223-5505
10 Facsimile: (813) 223-5402
jyanchunis@forthepeople.com
11
jeanmartin@forthepeople.com
12 mvalladares@forthepeople.com
13 LAW OFFICE OF PAUL C. WHALEN, P.C.

Paul C. Whalen (pro hac vice to be submitted)
14 768 Plandome Road
Manhasset, NY 11030
15
Telephone: (516) 426-6870
16 paul@paulwhalen.com
17 Additional Counsel Listed On Signature Page
18 UNITED STATES DISTRICT COURT
19 DISTRICT OF NEVADA
20 JOHN SMALLMAN, ON BEHALF OF CASE NO.:
21 HIMSELF AND ALL OTHERS
SIMILARLY SITUATED, CLASS ACTION
22 COMPLAINT FOR DAMAGES,
Plaintiff, EQUITABLE, DECLARATORY AND
23 INJUNCTIVE RELIEF
v.
24 JURY DEMAND
MGM RESORTS INTERNATIONAL,
25
26 Defendant.
27
28 1 CLASS ACTION COMPLAINT

1 Plaintiff John Smallman (“Plaintiff”), individually, by and through the undersigned counsel,
2 brings this class action lawsuit against MGM Resorts International (“Defendant,” or “MGM”), on
3
behalf of himself and all others similarly situated, and allege, based upon information and belief and
4
the investigation of his counsel as follows:
5
INTRODUCTION
6
1. MGM Resorts International is a global hospitality and entertainment company
7
operating destination resorts throughout the world. Millions of people stay in MGM Resort
8
properties every year, and in so doing provide MGM with a host of their personally identifiable
9
information (“PII”). 1
10
2. In late 2019, MGM revealed that earlier in the summer an unauthorized individual
11
accessed MGM’s computer network system, downloaded customer data and then posted part of the
12
data on a closed internet forum (“Data Breach”).
13
3. The PII exposed in the Data Breach included, among other things: customer names,
14
addresses, driver’s license numbers, passport numbers, military identification numbers, phone
15
numbers, emails and dates of birth.
16
4. MGM has indicated that, on or about September 5, 2019, it notified affected
17
customers that their PII had been exfiltrated, but assured them that “there is no evidence that your
18
information has been misused.” Seeking to avoid additional negative publicity on the heels of the
19
mass shooting that occurred 8 months earlier, MGM avoided bringing the matter to public light,
20
hoping that the Breach and its inadequate cyber security practices would go unnoticed.
21
22
23
1
24 Personally identifiable information generally incorporates information that can be used to
distinguish or trace an individual's identity, either alone or when combined with other personal or
25 identifying information 2 CFR § 200.79. At a minimum, it includes all information that on its face
expressly identifies an individual. PII also is generally defined to include certain identifiers that do
26 not on their face name an individual, but that are considered to be particularly sensitive and/or
valuable if in the wrong hands (for example, Social Security number, passport number, driver’s
27 license number, financial account number).
28
2 CLASS ACTION COMPLAINT
1 5. Unfortunately, the miscreants that took and/or acquired the sensitive PII had other
2 plans, and on February 19, 2020, internet technology publication ZDNet revealed that the personally
3 identifiable information of more than 10.6 million MGM hotel guests had been posted on a popular
4 internet hacking forum, available for misuse by a host of bad actors.
5 6. MGM acknowledged that the exposed PII was a result of the Data Breach that
6 occurred in the summer of 2019.
7 7. The Data Breach was a direct result of Defendant’s failure to implement adequate and
8 reasonable cyber-security procedures and protocols necessary to protect customer PII.
9 8. Defendant disregarded the rights of Plaintiff and Class Members (defined below) by,
10 inter alia, intentionally, willfully, recklessly, or negligently failing to take adequate and reasonable
11 measures to ensure its data systems were protected against unauthorized intrusions; failing to
12 disclose that it did not have adequately robust computer systems and security practices to safeguard
13 customer PII; failing to take standard and reasonably available steps to prevent the Data Breach;
14 failing to monitor and timely detect the Data Breach; and failing to provide Plaintiff and Class
15 Members prompt and accurate notice of the Data Breach.
16 9. As a result of Defendant’s failure to implement and follow basic security procedures,
17 MGM customer PII is now in the hands of thieves. Plaintiff and Class Members have had to spend,
18 and will continue to spend, significant amounts of time and money in an effort to protect themselves
19 from the adverse ramifications of the Data Breach, and will forever be at a heightened risk of
20 identity theft and fraud.
21 10. Plaintiff, on behalf of all others similarly situated, alleges claims for negligence,
22 breach of implied contract, unjust enrichment, breach of confidence and violation of the Nevada
23 Consumer Fraud Act and seeks to compel Defendant to adopt reasonably sufficient security practices
24 to safeguard customer PII that remains in its custody in order to prevent incidents like the Data
25 Breach from reoccurring in the future.
26
27
28
1 PARTIES
2 11. Plaintiff John Smallman is a resident of California and an MGM customer. Over the
3 last 10 years, Plaintiff Smallman has stayed at the Luxor, giving copies his driver’s license, as well
4 as payment card and other PII. During his visits to Las Vegas, Plaintiff Smallman also used his
5 payment cards at Bellagio.
6 12. Plaintiff suffered actual injury from having their PII stolen as a result of the Data
7 Breach including, but not limited to: (a) paying monies to MGM for its goods and services which
8 they would not have had if MGM disclosed that it lacked data security practices adequate to
9 safeguard consumers’ PII from theft; (b) damages to and diminution in the value of their PII—a form
10 of intangible property that the Plaintiff entrusted to MGM as a condition of receiving MGM
11 services; (c) loss of their privacy; (d) imminent and impending injury arising from the increased risk
12 of fraud and identity theft.
13 13. As a result of the Data Breach, Plaintiff will continue to be at heightened risk for
14 financial fraud and identity theft, and their attendant damages for years to come.
15 14. Defendant MGM Resorts International is a Delaware corporation headquartered at
16 3600 Las Vegas Blvd South Las Vegas, NV 89109. It is a global hospitality and entertainment
17 company operating destination resorts throughout the world.
18
19 JURISDICTION AND VENUE
20 15. This Court has subject matter jurisdiction over this action under the Class Action
21 Fairness Act, 28 U.S.C. § 1332(d)(2). The amount in controversy exceeds $5 million, exclusive of
22 interest and costs. There are more than 10 million putative class members, many of whom have
23 different citizenship from MGM.
24 16. This Court has jurisdiction over the Defendant which operates in this District, and the
25 computer systems implicated in this Data Breach are likely based in this District.
26 17. Through its business operations in this District, MGM intentionally avails itself of the
27 markets within this District to render the exercise of jurisdiction by this Court just and proper.
28
1 18. Venue is proper in this Court pursuant to 28 U.S.C. § 1391(a)(1) because a substantial
2 part of the events giving rise to this action occurred in this District. MGM is based in this District,
3 maintains customer PII in the District and has caused harm to Plaintiff and Class members residing
4 in this District.
6 STATEMENT OF FACTS
7 A. The MGM Data Breach
8 19. On or about July 7, 2019, an unauthorized individual gained access to MGM Resorts
9 International’s computer network system, exfiltrated customer data, and then disclosed a subset of
10 that data on a closed internet forum.
11 20. The data consisted of a treasure trove of MGM customer PII including: names,
12 addresses, driver’s license numbers, passport numbers, military identification numbers, phone
13 numbers, emails and dates of birth.
14 21. Although the PII was subsequently removed from the closed internet site, in mid-
15 February 2020 the seemingly full set of data containing the PII of more than 10.6 million MGM
16 guests was published on a well-known hacking forum, visible to any number of dark web
17 miscreants.
18 22. Internet security specialists recognized that the PII leaked in the Data Breach presents
19 “a treasure trove” of contact details on customers, many of whom will now “face a higher risk of
20 receiving spear-phishing emails, and being SIM swapped.” 2 “The fact that the breach happened
21 about seven months ago without any public disclosure may have led MGM to believe the data was
22
23
24
25
26 2
ZDNet, Exclusive: Details of 10.6 million MGM hotel guests posted on a hacking forum, February
19, 2020, https://www.zdnet.com/article/exclusive-details-of-10-6-million-of-mgm-hotel-guests-
27 posted-on-a-hacking-forum/
28
1 not going to be used by the thieves, but as with many breaches malicious actors sometimes wait
2 months or years to tip their hand” presenting an ongoing problem for affected users. 3
3 23. On or about September 5, 2019, MGM notified affected customers and various
4 governmental agencies of the Data Breach, but otherwise kept news of the breach quiet. The Notice
5 of Data Incident (“Notice”) stated in relevant part.
6 Notice of Data Incident
7 What Happened
8
On or about July 7, 2019, an individual accessed MGM Resorts
9 International’s computer network system without permission. The
individual downloaded partial customer data from MGM’s computer
10 systems, then posted and disclosed part of the data on a closed internet
forum. No customer financial information, passwords or credit cards were
11 part of the data in question and it was taken down and removed from the
closed internet site.
12
13 What Information Was Involved
14 MGM immediately initiated an internal forensic investigation into this

incident. MGM conducted an exhaustive investigation and search of the
15 downloaded data from the closed internet site. On August 9, 2019, MGM
16 determined your First Name, Last Name, and Driver’s License Number
were part of the compromised file. Again, no financial information,
17 passwords or credit cards were included in the database.
18 What We Are Doing

We take the security of our customers’ data seriously, and after MGM
19 became aware of the event, we took immediate measures to investigate
20 and remediate the incident. We have implemented additional safeguards to
improve further data security related to external software incidents.
21 Furthermore, MGM reported the incident to law enforcement immediately
once MGM discovered the matter. In addition, we are offering identity
22 theft protection services through ID Experts®, the data incident and
recovery services expert, to provide you with MyIDCare™. MyIDCare
23 services include: 12 months of credit and CyberScan monitoring, a
24 $1,000,000 insurance reimbursement policy, and fully managed ID theft
25
26 3
SC Magazine, February 20, 2020, MGM admits to 2019 data breach affecting 10.6 million
customers, https://www.scmagazine.com/home/security-news/data-breach/mgm-admits-to-2019-
27 data-breach-affecting-10-6-million-customers/
28
1 recovery services. With this protection, MyIDCare will help you resolve
issues if your identity is compromised.
2
What You Can Do
3
We encourage you to contact ID Experts with any questions and to enroll
4 in free MyIDCare services by calling 833-959- 1344 or going to
https://ide.myidcare.com/mgmri and using the Enrollment Code provided
5 above.
6 ***
Again, at this time, there is no evidence that your information has been
7
misused. However, we encourage you to take full advantage of this service
8 offering. MyIDCare representatives have been fully versed on the incident
and can answer questions or concerns you may have regarding protection
9 of your personal information. 4
10
11 B. MGM Privacy Policies

12 24. MGM maintains a Privacy Policy wherein it details the PII it collects from customers
13 and promises to maintain the security and integrity of such data.
14 MGM RESORTS PRIVACY POLICY 5
15 MGM Resorts International values your patronage and respects your privacy. This Privacy
16 Policy ("Policy") describes the information collection, use, protection, and sharing practices
of MGM Resorts International and MGM Resorts International web sites, mobile
17 applications, electronic communications, and properties
18 We collect information from a variety of sources and in a variety of ways, including the
following:
19
20 Personal Information. When you visit, use, and/or access MGM Resorts or MGM Online
Services, you may provide us with (and/or we may collect) information by which you can be
21 personally identified including your name, date of birth, postal address, e-mail address, and
telephone number, and videos, recordings, and images of you (“Personal Information”). We
22 may also obtain Personal Information from third parties.
23 Sensitive Information. When you make a purchase, visit, use and/or access MGM Resorts
24 or MGM Online Services, or engage in other transactions or activities, you may provide us
with sensitive Personal Information including your credit or debit card number, financial
25
26 4
Exhibit A.
27 5
https://www.mgmresorts.com/en/privacy-policy.html
28
1 account number, biometrics, medical/health-related information, driver’s license number,

government-issued identification card number, social security number, passport number, or
2 naturalization number (“Sensitive Information”).
3
SECURITY
4
Information maintained in electronic form that is collected by MGM Resorts International
5 and any individual MGM Resort is stored on systems protected by industry standard security
measures. These security measures are intended to protect these systems from unauthorized
6 access. No security system is impenetrable and these systems could become accessible in the
event of a security breach. We have controls in place that are designed to detect potential
7
data breaches, contain and minimize the loss of data, and conduct forensic investigations of a
8 breach.
9 Our staff is required to take reasonable measures to ensure that unauthorized persons cannot
view or access your Personal Information. Employees who violate our internal privacy
10 policies are subject to disciplinary action, up to and including termination of employment.
11
12 25. Although MGM claims to employ “industry standard security measures,” this
13 representation, along with the promise to maintain the integrity of customer PII was belied by its
14 failure to impose and maintain the necessary safeguards that would have prevented the Data Breach.
15 C. Prevalence of Cyber Attacks and Susceptibility of the Hotel Industry
16 26. In 2016, the number of U.S. data breaches surpassed 1,000, a record high and a forty
17 percent increase in the number of data breaches from the previous year. 6 In 2017 a new record high
18 of 1,579 breaches were reported representing a 44.7 percent increase over 2016. 7 The number of
19 yearly data breaches have remained steady with 1,473 breaches reported in 2019. 8
20
21
6
Identity Theft Resource Center, Data Breaches Increase 40 Percent in 2016, Finds New Report
22 From Identity Theft Resource Center and CyberScout (Jan. 19, 2017), available at
23 https://www.idtheftcenter.org/surveys-studys.
7
24 Identity Theft Resource Center, 2017 Annual Data Breach Year-End Review, available at
https://www.idtheftcenter.org/2017-data-breaches/.
25
8
Identity Theft Resource Center, 2019 End -of-Year Data Breach Report. Available at
26 https://www.idtheftcenter.org/2019-data-
breaches/?utm_source=web&utm_medium=sitewidenotice&utm_campaign=01282020_2019DataBr
27 eachReport
28
1 27. The type of PII collected by companies by hotels makes this sector particularly to
2 cyber-attack. Trustwave’s "2018 Global Security Report" lists hospitality as one of the top three
3 industries most vulnerable to payment card breaches while other estimates project that hotels are the
4 unwelcome recipients of around 20 percent of all cyberattacks. 9 Indeed, in recent years, Marriott
5 Hilton, Hyatt, and Trump hotels have all been cited for large-scale data negligence over the past few
6 years. “Such unfortunate trends should not come as much of a surprise since hotels are hotbeds of
7 sensitive information. Their data is spread out across porous digital systems and their sales are
8 usually conducted through weak point-of-sale systems.” Id.
9 28. “While hospitality companies have fewer transactions than retail organizations — and
10 thus have data on fewer customers to steal — they collect substantially more valuable and varied
11 personal data for each of their guests…. This rich personal data is invaluable to cybercriminals. They
12 can use this data to better impersonate each breached customer, leading to additional identity theft
13 and social engineering attacks against each individual’s company. By enabling further attacks,
14 breaching a hotel provides cybercriminals much more value than breaching a company in almost any
15 other industry.” 10
16
17 D. MGM Acquires, Collects, and Stores Plaintiff’s and Class Members’ PII
18 29. As its Privacy Policy makes clear, MGM acquires, collects, and stores a massive
19 amount of personally identifiable information on its customers.
20 30. As a condition of staying at its hotel properties, MGM requires that its customers
21 entrust it with highly sensitive personal information.
22
23
24
9
25 Hotel management, Why cybersecurity matters, https://www.hotelmanagement.net/tech/why-
cybersecurity-matters
26
10
Cybersecurity in Hospitality: An Unsolvable Problem?, Paladion Networks,
27 https://www.paladion.net/cybersecurity-in-hospitality-an-unsolvable-problem
28
1 31. By obtaining, collecting, using, and deriving a benefit from Plaintiff’s and Class
2 Members’ PII, MGM assumed legal and equitable duties and knew or should have known that it was
3 responsible for protecting Plaintiff’s and Class Members’ PII from disclosure.
4 32. Plaintiff and the Class Members have taken reasonable steps to maintain the
5 confidentiality of their PII.
6 33. Plaintiff and the Class Members relied on MGM to keep their PII confidential and
7 securely maintained, to use this information for business purposes only, and to make only authorized
8 disclosures of this information.
9
10 E. The Value of Personally Identifiable Information and the Effects of Unauthorized
Disclosure
11
34. MGM was well-aware that the PII it collects is highly sensitive, and of significant
12
value to those who would use it for wrongful purposes.
13
35. Personally identifiable information is a valuable commodity to identity thieves. As
14
the FTC recognizes, with PII identity thieves can commit an array of crimes including identify theft,
15
medical and financial fraud. 11 Indeed, a robust “cyber black market” exists in which criminals
16
openly post stolen PII on multiple underground Internet websites.
17
36. The ramifications of the MGM’s failure to keep its customers’ PII secure are long
18
lasting and severe. Once PII is stolen, fraudulent use of that information and damage to victims may
19
continue for years.
20
37. “The fact that the breach happened about seven months ago without any public
21
disclosure may have led MGM to believe the data was not going to be used by the thieves, but as
22
with many breaches malicious actors sometimes wait months or years to tip their hand. This is a
23
great example of how these breaches and their fallout can continue to haunt businesses for quite
24
25
26
27 11
Federal Trade Commission, Warning Signs of Identity Theft,
https://www.consumer.ftc.gov/articles/0271-warning-signs-identity-theft
28
1 some time. It’s likely MGM thought this incident was far in the rear view, but the value of their
2 particular dataset continues to have appeal….” 12
3 38. At all relevant times, MGM knew, or reasonably should have known, of the
4 importance of safeguarding PII and of the foreseeable consequences if its data security systems were
5 breached, including, the significant costs that would be imposed on customers as a result of a breach.
7 F. MGM Fails to Comply with FTC Guidelines
8 39. The Federal Trade Commission (“FTC”) has promulgated numerous guides for
9 businesses which highlight the importance of implementing reasonable data security practices.
10 According to the FTC, the need for data security should be factored into all business decision-
11 making. 13
12 40. In 2016, the FTC updated its publication, Protecting Personal Information: A Guide
13 for Business, which established cyber-security guidelines for businesses. 14 The guidelines note that
14 businesses should protect the personal customer information that they keep; properly dispose of
15 personal information that is no longer needed; encrypt information stored on computer networks;
16 understand their network’s vulnerabilities; and implement policies to correct any security problems.
17 The guidelines also recommend that businesses use an intrusion detection system to expose a breach
18 as soon as it occurs; monitor all incoming traffic for activity indicating someone is attempting to
19 hack the system; watch for large amounts of data being transmitted from the system; and have a
20 response plan ready in the event of a breach.
21
22
23 12
SC Magazine, February 20, 2020, MGM admits to 2019 data breach affecting 10.6 million
24 customers, https://www.scmagazine.com/home/security-news/data-breach/mgm-admits-to-2019-
data-breach-affecting-10-6-million-customers/
25 13
Federal Trade Commission, Start With Security, available at
26 https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf.
14
Federal Trade Commission, Protecting Personal Information: A Guide for Business, available at
27 https://www.ftc.gov/system/files/documents/plain-language/pdf-0136_proteting-personal-
information.pdf.
28
1 41. The FTC further recommends that companies not maintain PII longer than is needed
2 for authorization of a transaction; limit access to sensitive data; require complex passwords to be
3 used on networks; use industry-tested methods for security; monitor for suspicious activity on the
4 network; and verify that third-party service providers have implemented reasonable security
5 measures. 15
6 42. The FTC has brought enforcement actions against businesses for failing to adequately
7 and reasonably protect customer data, treating the failure to employ reasonable and appropriate
8 measures to protect against unauthorized access to confidential consumer data as an unfair act or
9 practice prohibited by Section 5 of the Federal Trade Commission Act (“FTCA”), 15 U.S.C. § 45.
10 Orders resulting from these actions further clarify the measures businesses must take to meet their
11 data security obligations.
12 43. MGM failed to properly implement basic data security practices. MGM’s failure to
13 employ reasonable and appropriate measures to protect against unauthorized access to customer PII
14 constitutes an unfair act or practice prohibited by Section 5 of the FTC Act, 15 U.S.C. § 45.
15 44. MGM was at all times fully aware of its obligation to protect the PII of customers
16 because of its position as a trusted healthcare provider. MGM was also aware of the significant
17 repercussions that would result from its failure to do so.
18 G. MGM Fails to Comply with Industry Standards
19 45. Cyber security firms have routinely identified the hotel sector as one being
20 particularly vulnerable to cyber-attacks because the of value of the PII which they maintain. These
21 firms have promulgated a series of best practices that a minimum should be implemented by sector
22 participants including, but not limited to: installing appropriate malware detection software;
23 monitoring and limiting the network ports; protecting web browsers and email management systems;
24 setting up network systems such as firewalls, switches and routers; monitoring and protection of
25
26
27
15
FTC, Start With Security, supra note 19.
28
1 physical security systems; protection against any possible communication system; training hotel staff
2 regarding critical points. 16
3 46. MGM acknowledged the Data Breach was through a cloud server exposure.
4 Although it did not state how or why the cloud server was exposed, “this could have easily been
5 caused from poor cloud configuration and security hygiene…. 17
6 H. Plaintiff and Class Members Suffered Damages
7 47. The ramifications of Defendant’s failure to keep Customers’ PII secure are long
8 lasting and severe. Once PII is stolen, fraudulent use of that information and damage to victims may
9 continue for years. Consumer victims of data breaches are more likely to become victims of identity
10 fraud. 18
11 48. The PII belonging to Plaintiff and Class Members is private, sensitive in nature, and
12 was left inadequately protected by Defendant who did not obtain Plaintiff’s or Class Members’
13 consent to disclose such PII to any other person as required by applicable law and industry
14 standards.
15 49. The Data Breach was a direct and proximate result of MGM’s failure to: (a) properly
16 safeguard and protect Plaintiff’s and Class Members’ PII from unauthorized access, use, and
17 disclosure, as required by various state and federal regulations, industry practices, and common law;
18 (b) establish and implement appropriate administrative, technical, and physical safeguards to ensure
19 the security and confidentiality of Plaintiff’s and Class Members’ PII; and (c) protect against
20 reasonably foreseeable threats to the security or integrity of such information.
21
22
23
16
24 https://opendatasecurity.io/how-to-work-on-hotel-cyber-security/
17
25 SC Magazine, February 20, 2020, MGM admits to 2019 data breach affecting 10.6 million
customers, https://www.scmagazine.com/home/security-news/data-breach/mgm-admits-to-2019-
26 data-breach-affecting-10-6-million-customers/
27 18
2014 LexisNexis True Cost of Fraud Study,
https://www.lexisnexis.com/risk/downloads/assets/true-cost-fraud-2014.pdf.
28
1 50. Defendant is a multi-billion-dollar company and had the resources necessary to
2 prevent the Breach, but neglected to adequately invest in data security measures, despite its
3 obligation to protect customer data.
4 51. Had Defendant remedied the deficiencies in its data security systems and adopted
5 security measures recommended by experts in the field, it would have prevented the intrusions into
6 their systems and, ultimately, the theft of PII.
7 52. As a direct and proximate result of Defendant’s wrongful actions and inactions,
8 Plaintiff and Class Members have been placed at an imminent, immediate, and continuing increased
9 risk of harm from identity theft and fraud, requiring them to take the time which they otherwise
10 would have dedicated to other life demands such as work and family in an effort to mitigate the
11 actual and potential impact of the Data Breach on their lives. The U.S. Department of Justice’s
12 Bureau of Justice Statistics found that “among victims who had personal information used for
13 fraudulent purposes, 29% spent a month or more resolving problems” and that “resolving the
14 problems caused by identity theft [could] take more than a year for some victims.” 19
15 53. To date, MGM has merely offered 12 months of identity monitoring services at no
16 charge. 20 The offer, however, is wholly inadequate as it fails to provide for the fact that victims of
17 data breaches and other unauthorized disclosures commonly face multiple years of ongoing identity
18 theft and it entirely fails to provide any compensation for the unauthorized release and disclosure of
19 Plaintiff’s and Class Members’ PII.
20 54. Furthermore, Defendant’s credit monitoring offer to Plaintiff and Class Members
21 squarely places the burden on Plaintiff and Class Members, rather than on the Defendant, to
22 investigate and protect themselves from Defendant’s tortious acts resulting in the Data Breach.
23 Rather than automatically enrolling Plaintiff and Class Members in credit monitoring services upon
24
19
25 U.S. Department of Justice, Office of Justice Programs Bureau of Justice Statistics, Victims of
Identity Theft, 2012, December 2013 available at https://www.bjs.gov/content/pub/pdf/vit12.pdf (last
26 visited April 19,2019).
27 20
Exhibit A.
28
1 discovery of the breach, Defendant merely sent instructions “offering” the services to affected
2 customers recommending they sign up for the services.
3 55. As a result of the Defendant’s failures to prevent the Data Breach, Plaintiff and Class
4 Members have suffered, will suffer, or are at increased risk of suffering:
5 a. The compromise, publication, theft and/or unauthorized use of their PII;
6 b. Out-of-pocket costs associated with the prevention, detection, recovery and
7 remediation from identity theft or fraud;
8 c. Lost opportunity costs and lost wages associated with efforts expended and
9 the loss of productivity from addressing and attempting to mitigate the actual
10 and future consequences of the Data Breach, including but not limited to
11 efforts spent researching how to prevent, detect, contest and recover from
12 identity theft and fraud;
13 d. The continued risk to their PII, which remains in the possession of Defendant
14 and is subject to further breaches so long as Defendant fails to undertake
15 appropriate measures to protect the PII in their possession; and
16 e. Current and future costs in terms of time, effort and money that will be
17 expended to prevent, detect, contest, remediate and repair the impact of the
18 Data Breach for the remainder of the lives of Plaintiff and Class Members.
19 56. In addition to a remedy for the economic harm, Plaintiff and the Class maintain an
20 undeniable interest in ensuring that their PII is secure, remains secure, and is not subject to further
21 misappropriation and theft.
22 I. Defendant’s Delay in Identifying & Reporting the Data Breach Caused Additional Harm
23 57. It is axiomatic that “[t]he quicker a financial institution, credit card issuer, wireless
24 carrier or other service provider is notified that fraud has occurred on an account, the sooner these
25 organizations can act to limit the damage. Early notification can also help limit the liability of a
26
27
28
1 victim in some cases, as well as allow more time for law enforcement to catch the fraudsters in the
2 act.” 21
3 58. Indeed, once a data breach has occurred, “[o]ne thing that does matter is hearing
4 about a data breach quickly. That alerts consumers to keep a tight watch on credit card bills and
5 suspicious emails. It can prompt them to change passwords and freeze credit reports. And notifying
6 officials can help them catch cybercriminals and warn other businesses of emerging dangers. If
7 consumers don’t know about a breach because it wasn’t reported, they can’t take action to protect
8 themselves” (internal citations omitted). 22
9 59. Although their PII was improperly exposed in July, affected customers were not
10 notified of the Data Breach until September, depriving them of the ability to promptly mitigate
11 potential adverse consequences resulting from the Data Breach.
12 60. As a result of MGM’s delay in detecting and notifying consumers of the Data Breach,
13 the risk of fraud for Plaintiff and Class Members has been driven even higher.
14
15 CLASS ACTION ALLEGATIONS
16 61. Plaintiff seeks relief on behalf of himself and as a representative of all others who are
17 similarly situated. Pursuant to Fed. R. Civ. P. Rule 23(a), (b)(2), (b)(3) and (c)(4), Plaintiff seeks
18 certification of a Nationwide class defined as follows:
19 All persons whose PII was compromised as a result of the Data Breach announced by MGM
on or about September 5, 2019 (the “Class”).
20
21
22
23 21
Identity Fraud Hits Record High with 15.4 Million U.S. Victims in 2016, Up 16 Percent According
24 to New Javelin Strategy & Research Study, Business Wire¸
https://www.businesswire.com/news/home/20170201005166/en/Identity-Fraud-Hits-Record-High-
25 15.4-Million.
26 22
Consumer Reports, The Data Breach Next Door Security breaches don't just hit giants like
Equifax and Marriott. Breaches at small companies put consumers at risk, too, January 31, 2019,
27 https://www.consumerreports.org/data-theft/the-data-breach-next-door/
28
1 62. Excluded from the Class are MGM and any of its affiliates, parents or subsidiaries; all
2 persons who make a timely election to be excluded from the Class; government entities; and the
3 judges to whom this case is assigned, their immediate families, and court staff.
4 63. Plaintiff hereby reserves the right to amend or modify the class definitions with
5 greater specificity or division after having had an opportunity to conduct discovery.
6 64. The proposed Class meets the criteria for certification under Rule 23(a), (b)(2), (b)(3)
7 and (c)(4).
8 65. Numerosity. Fed. R. Civ. P. 23(a)(1). Consistent with Rule 23(a)(1), the members
9 of the Class are so numerous and geographically dispersed that the joinder of all members is
10 impractical. The Data Breach implicates more than 10.6 million MGM customers.
11 66. Commonality. Fed. R. Civ. P. 23(a)(2) and (b)(3). Consistent with Rule 23(a)(2)
12 and with 23(b)(3)’s predominance requirement, this action involves common questions of law and
13 fact that predominate over any questions affecting individual Class members. The common
14 questions include:
15 a. Whether MGM had a duty to protect customer PII;
16 b. Whether MGM knew or should have known of the susceptibility of its
17 systems to a data breach;
18 c. Whether MGM’s security measures to protect their systems were reasonable
19 in light of best practices recommended by data security experts;
20 d. Whether MGM was negligent in failing to implement reasonable and adequate
21 security procedures and practices;
22 e. Whether MGM’s failure to implement adequate data security measures
23 allowed the breach of its data systems to occur;
24 f. Whether MGM’s conduct, including its failure to act, resulted in or was the
25 proximate cause of the breach of its systems, resulting in the unlawful
26 exposure of the Plaintiff’s and Class Members’ PII;
27
28
1 g. Whether Plaintiff and Class Members were injured and suffered damages or
2 other losses because of MGM’s failure to reasonably protect its systems and
3 data network; and
4 h. Whether Plaintiff and Class members are entitled to relief.
5 67. Typicality. Fed. R. Civ. P. 23(a)(3). Consistent with Rule 23(a)(3), Plaintiff’s
6 claims are typical of those of other Class members. Plaintiff was an MGM customer whose PII was
7 exposed in the Data Breach. Plaintiff’s damages and injuries are akin to other Class Members, and
8 Plaintiff seeks relief consistent with the relief sought by the Class.
9 68. Adequacy. Fed. R. Civ. P. 23(a)(4). Consistent with Rule 23(a)(4), Plaintiff is an
10 adequate representative of the Class because Plaintiff is a member of the Class he seeks to
11 represent; is committed to pursuing this matter against MGM to obtain relief for the Class; and has
12 no conflicts of interest with the Class. Moreover, Plaintiff’s Counsel are competent and experienced
13 in litigating class actions, including privacy litigation of this kind. Plaintiff intends to vigorously
14 prosecute this case and will fairly and adequately protect the Class’s interests.
15 69. Superiority. Fed. R. Civ. P. 23(b)(3). Consistent with Rule 23(b)(3), a class action
16 is superior to any other available means for the fair and efficient adjudication of this controversy,
17 and no unusual difficulties are likely to be encountered in the management of this class action. The
18 quintessential purpose of the class action mechanism is to permit litigation against wrongdoers even
19 when damages to an individual Plaintiff may not be sufficient to justify individual litigation. Here,
20 the damages suffered by Plaintiff and the Class are relatively small compared to the burden and
21 expense required to individually litigate their claims against MGM, and thus, individual litigation to
22 redress MGM’s wrongful conduct would be impracticable. Individual litigation by each Class
23 member would also strain the court system. Individual litigation creates the potential for
24 inconsistent or contradictory judgments and increases the delay and expense to all parties and the
25 court system. By contrast, the class action device presents far fewer management difficulties and
26 provides the benefits of a single adjudication, economies of scale, and comprehensive supervision
27 by a single court.
28
1 70. MGM has physical and email addresses for Class members who therefore may be
2 notified of the pendency of this action by recognized, Court-approved notice dissemination
3 methods, which may include U.S. mail, electronic mail, internet postings, and/or published notice.
4 71. Injunctive and Declaratory Relief. Class certification is also appropriate under Rule
5 23(b)(2) and (c). Defendant, through its uniform conduct, acted or refused to act on grounds
6 generally applicable to the Class as a whole, making injunctive and declaratory relief appropriate to
7 the Class as a whole.
8 72. Likewise, particular issues under Rule 23(c)(4) are appropriate for certification
9 because such claims present only particular, common issues, the resolution of which would advance
10 the disposition of this matter and the parties’ interests therein. Such particular issues include, but
11 are not limited to:
12 a. Whether MGM failed to timely notify the public of the Data Breach;
13 b. Whether MGM owed a legal duty to Plaintiff and the Class to exercise due
14 care in collecting, storing, and safeguarding their PII;
15 c. Whether MGM’s security measures to protect its data systems were
16 reasonable in light of best practices recommended by data security experts;
17 d. Whether Defendant’s failure to institute adequate protective security measures
18 amounted to negligence;
19 e. Whether Defendant failed to take commercially reasonable steps to safeguard
20 customer PII; and
21 f. Whether adherence to FTC data security recommendations, and measures
22 recommended by data security experts would have reasonably prevented the
23 data breach.
24 73. Finally, all members of the proposed Classes are readily ascertainable. MGM has
25 access to customer names and addresses affected by the Data Breach. Using this information, Class
26 members can be identified and ascertained for the purpose of providing notice.
27
28
1 FIRST CAUSE OF ACTION

NEGLIGENCE
2
3 74. Plaintiff restates and realleges paragraphs 1 through 73 above as if fully set forth
4 herein.
5 75. As a condition of receiving services, Plaintiff and Class Members were obligated to
6 provide MGM with their PII.
7 76. Plaintiff and the Class Members entrusted their PII to MGM with the understanding
8 that MGM would safeguard their information.
9 77. Defendant had full knowledge of the sensitivity of the PII and the types of harm that
10 Plaintiff and Class Members could and would suffer if the PII were wrongfully disclosed.
11 78. Defendant had a duty to exercise reasonable care in safeguarding, securing and
12 protecting such information from being compromised, lost, stolen, misused, and/or disclosed to
13 unauthorized parties. This duty includes, among other things, designing, maintaining and testing the
14 Defendant’s security protocols to ensure that PII in its possession was adequately secured and
15 protected and that employees tasked with maintaining such information were adequately training on
16 cyber security measures regarding the security of such information.
17 79. Plaintiff and the Class Members were the foreseeable and probable victims of any
18 inadequate security practices and procedures. Defendant knew of or should have known of the
19 inherent risks in collecting and storing the PII of Plaintiff and the Class, the critical importance of
20 providing adequate security of that PII, the current cyber scams being perpetrated and that it had
21 inadequate employee training and education and IT security protocols in place to secure the PII of
22 Plaintiff and the Class.
23 80. Defendant’s own conduct created a foreseeable risk of harm to Plaintiff and Class
24 Members. Defendant’s misconduct included, but was not limited to, its failure to take the steps and
25 opportunities to prevent the Data Breach as set forth herein. Defendant’s misconduct also included
26 its decision not to comply with industry standards for the safekeeping and encrypted authorized
27 disclosure of the PII of Plaintiff and Class Members.
28
1 81. Plaintiff and the Class Members had no ability to protect their PII that was in MGM’s
2 possession.
3 82. Defendant was in a position to protect against the harm suffered by Plaintiff and Class
4 Members as a result of the Data Breach.
5 83. Defendant had a duty to put proper procedures in place in order to prevent the
6 unauthorized dissemination Plaintiff and Class Members’ PII.
7 84. Defendant has admitted that Plaintiff’s and Class Members’ PII was wrongfully
8 disclosed to unauthorized third persons as a result of the Data Breach.
9 85. Defendant, through its actions and/or omissions, unlawfully breached its duty to
10 Plaintiff and Class Members by failing to exercise reasonable care in protecting and safeguarding the
11 Plaintiff’s and Class Members’ PII while it was within the MGM’s possession or control.
12 86. Defendant improperly and inadequately safeguarded Plaintiff’s and Class Members’
13 PII in deviation of standard industry rules, regulations and practices at the time of the Data Breach.
15 Plaintiff and Class Members by failing to have appropriate procedures in place to detect and prevent
16 dissemination of its customers’ PII.
18 adequately disclose to Plaintiff and Class Members the existence, and scope of the Data Breach.
19 89. But for Defendant’s wrongful and negligent breach of duties owed to Plaintiff and
20 Class Members, Plaintiff’s and Class Members’ PII would not have been compromised.
21 90. There is a temporal and close causal connection between Defendant’s failure to
22 implement security measures to protect the PII and the harm suffered, or risk of imminent harm
23 suffered by Plaintiff and the Class.
24 91. As a result of Defendant’s negligence, Plaintiff and the Class Members have suffered
25 and will continue to suffer damages and injury including, but not limited to: out-of-pocket expenses
26 associated with procuring robust identity protection and restoration services; increased risk of future
27 identity theft and fraud, the costs associated therewith; time spent monitoring, addressing and
28
1 correcting the current and future consequences of the Data Breach; and the necessity to engage legal
2 counsel and incur attorneys’ fees, costs and expenses.
3 SECOND CAUSE OF ACTION

NEGLIGENCE PER SE
4
5 92. Plaintiff restates and realleges Paragraphs 1 through 73 as if fully set forth herein.
6 93. Section 5 of the FTC Act prohibits “unfair . . . practices in or affecting commerce,”
7 including, as interpreted and enforced by the FTC, the unfair act or practice by businesses, such as
8 MGM, of failing to use reasonable measures to protect PII. The FTC publications and orders
9 described above also form part of the basis of Defendant’s duty in this regard.
10 94. MGM violated Section 5 of the FTC Act by failing to use reasonable measures to
11 protect customer PII and not complying with applicable industry standards, as described in detail
12 herein. MGM’s conduct was particularly unreasonable given the nature and amount of PII it
13 obtained and stored, and the foreseeable consequences of a data breach including, specifically, the
14 damages that would result to Plaintiff and Class Members.
15 95. MGM’s violation of Section 5 of the FTC Act constitutes negligence per se as
16 MGM’s violation of the FTC Act establishes the duty and breach elements of negligence.
17 96. Plaintiff and Class Members are within the class of persons that the FTC Act was
18 intended to protect.
19 97. The harm that occurred as a result of the Data Breach is the type of harm the FTC Act
20 was intended to guard against. The FTC has pursued enforcement actions against businesses, which,
21 as a result of their failure to employ reasonable data security measures and avoid unfair and
22 deceptive practices, caused the same harm as that suffered by Plaintiff and the Class.
23 98. As a direct and proximate result of MGM’s negligence per se, Plaintiff and the Class
24 have suffered, and continue to suffer, injuries and damages arising from the Data Breach including,
25 but not limited to: damages from lost time and effort to mitigate the actual and potential impact of
26 the Data Breach on their lives, including, inter alia, by placing “freezes” and “alerts” with credit
27 reporting agencies, contacting their financial institutions, closing or modifying financial and medical
28
1 accounts, closely reviewing and monitoring their credit reports and various accounts for
2 unauthorized activity, and filing police reports, and damages from identity theft, which may take
3 months if not years to discover and detect.
4 99. Additionally, as a direct and proximate result of MGM’s negligence per se, Plaintiff
5 and Class Members have suffered and will suffer the continued risks of exposure of their PII, which
6 remain in MGM’s possession and is subject to further unauthorized disclosures so long as MGM fail
7 to undertake appropriate and adequate measures to protect the PII in its continued possession.
9 THIRD CAUSE OF ACTION

BREACH OF IMPLIED CONTRACT
10
100. Plaintiff restates and realleges paragraphs 1 through 73 above as if fully set forth
11
herein.
12
101. Plaintiff and Class Members were required to provide their PII, including their names,
13
addresses, dates of birth, telephone numbers, email addresses, and various forms of identification to
14
Defendant as a condition of their use of Defendant’s services.
15
102. Plaintiff and Class Members paid money to Defendant in exchange for services, along
16
with Defendant’s promise to protect their PII from unauthorized disclosure.
17
103. In their written privacy policies, MGM expressly promised Plaintiff and Class
18
Members that they would only disclose PII under certain circumstances, none of which relate to the
19
Data Breach.
20
104. MGM promised to comply with industry standards and to make sure that Plaintiff’s
21
and Class Members’ PII would remain protected.
22
105. Implicit in the agreement between Plaintiff and Class Members and the Defendant to
23
24 provide protected health information and other PII, was the latter’s obligation to: (a) use such PII for
business purposes only, (b) take reasonable steps to safeguard that PII, (c) to prevent unauthorized
25
disclosures of the PII, (d) to provide Plaintiff and Class Members with prompt and sufficient notice
26
of any and all unauthorized access and/or theft of their PII, (e) to reasonably safeguard and protect
27
28
1 the PII of Plaintiff and Class Members from unauthorized disclosure or uses, (f) to retain the PII only
2 under conditions that kept such information secure and confidential.
3 106. Without such implied contracts, Plaintiff and Class Members would not have
4 provided their PII to Defendant.
5 107. Plaintiff and Class Members fully performed their obligations under the implied
6 contract with Defendant, however, Defendant did not.
7 108. Defendant breached the implied contracts with Plaintiff and Class Members by failing
8 to reasonably safeguard and protect Plaintiff and Class Members’ PII, which was compromised as a
9 result of the Data Breach.

10
11 FOURTH CAUSE OF ACTION

UNJUST ENRICHMENT
12
13
herein.
14
110. Plaintiff and Class Members conferred a monetary benefit on Defendant. Specifically,
15
they purchased goods and services from Defendant and in so doing provided Defendant with their
16
PII. In exchange, Plaintiff and Class Members should have received from Defendant the goods and
17
services that were the subject of the transaction and have their PII protected with adequate data
18
security.
19
111. Defendant knew that Plaintiff and Class Members conferred a benefit which
20
Defendant accepted. Defendant profited from these transactions and used the PII of Plaintiff and
21
Class Members for business purposes.
22
112. The amounts Plaintiff and Class Members paid for goods and services were used, in
23
part, to pay for use of Defendant’s network and the administrative costs of data management and
24
security.
25
113. Under the principles of equity and good conscience, Defendant should not be
26
permitted to retain the money belonging to Plaintiff and Class Members, because Defendant failed to
27
28
1 implement appropriate data management and security measures that are mandated by industry
2 standards.
3 114. Defendant failed to secure Plaintiff’s and Class Members’ PII and, therefore, did not
4 provide full compensation for the benefit Plaintiff and Class Members provided.
5 115. Defendant acquired the PII through inequitable means in that it failed to disclose the
6 inadequate security practices previously alleged.
7 116. If Plaintiff and Class Members knew that Defendant had not secured their PII, they
8 would not have agreed to Defendant’s services.
9 117. Plaintiff and Class Members have no adequate remedy at law.

10 118. As a direct and proximate result of Defendant’s conduct, Plaintiff and Class Members
11 have suffered and will suffer injury, including but not limited to: (i) actual identity theft; (ii) the loss
12 of the opportunity how their PII is used; (iii) the compromise, publication, and/or theft of their PII;
13 (iv) out-of-pocket expenses associated with the prevention, detection, and recovery from identity
14 theft, and/or unauthorized use of their PII; (v) lost opportunity costs associated with effort expended
15 and the loss of productivity addressing and attempting to mitigate the actual and future consequences
16 of the Data Breach, including but not limited to efforts spent researching how to prevent, detect,
17 contest, and recover from identity theft; (vi) the continued risk to their PII, which remain in
18 Defendant’s possession and is subject to further unauthorized disclosures so long as Defendant fails
19 to undertake appropriate and adequate measures to protect PII in their continued possession; and
20 (vii) future costs in terms of time, effort, and money that will be expended to prevent, detect, contest,
21 and repair the impact of the PII compromised as a result of the Data Breach for the remainder of the
22 lives of Plaintiff and Class Members.
23 119. As a direct and proximate result of Defendant’s conduct, Plaintiff and Class Members
24 have suffered and will continue to suffer other forms of injury and/or harm.
25 120. Defendant should be compelled to disgorge into a common fund or constructive trust,
26 for the benefit of Plaintiff and Class Members, proceeds that they unjustly received from them. In
27
28
1 the alternative, Defendant should be compelled to refund the amounts that Plaintiff and Class
2 Members overpaid for Defendant’s services.
3 FIFTH CAUSE OF ACTION

BREACH OF CONFIDENCE
4
5
herein.
6
122. Plaintiff and Class Members were required to provide their PII to Defendant as a
7
condition of their use of Defendant’s services.
8
123. Plaintiff and Class Members paid money to Defendant in exchange for services, along
9
with Defendant’s promise to protect their PII from unauthorized disclosure.
10
124. In its written privacy policies, MGM expressly promised Plaintiff and Class Members
11
that it would only disclose PII under certain circumstances, none of which relate to the Data Breach.
12
125. Implicit in the agreement between Plaintiff and Class Members and the Defendant to
13
14 provide PII, was the latter’s obligation to: (a) use such PII for business purposes only, (b) take
reasonable steps to safeguard that PII, (c) prevent unauthorized disclosures of the PII, (d) provide
15
Plaintiff and Class Members with prompt and sufficient notice of any and all unauthorized access
16
and/or theft of their PII, (e) reasonably safeguard and protect the PII of Plaintiff and Class Members
17
from unauthorized disclosure or uses, (f) retain the PII only under conditions that kept such
18
information secure and confidential.
19
126. Without such implied contracts, Plaintiff and Class Members would not have
20
provided their PII to Defendant.
21
127. Plaintiff and Class Members fully performed their obligations under the implied
22
contract with Defendant, however, Defendant did not.
23
128. Defendant breached the implied contracts with Plaintiff and Class Members by failing
24
to reasonably safeguard and protect Plaintiff and Class Members’ PII, which was compromised as a
25
result of the Data Breach.
26
27
28
1 SIXTH CAUSE OF ACTION

VIOLATION OF NEVADA’S CONSUMER FRAUD ACT
2 Nevada Revised Statutes 41.600
3
129. Plaintiff restates and realleges Paragraphs 1 through 73 as if fully set forth herein.
4
130. MGM engaged in unfair and unlawful acts and practices by failing to maintain
5
adequate procedures to avoid a data breach, and permitting access to consumer reports by data
6
thieves, for whom MGM had no reasonable grounds to believe would be used for a proper purpose.
7
Plaintiff and Class members relied on MGM’s implied promise of data security when providing their
8
PII to MGM.
9
131. MGM conduct violated NRS 598.0917(7) because it constituted a tender of “goods
10
advertised for sale . . . or tendering terms of sale or lease less favorable than the terms advertised,”
11
i.e., goods offered for sale by credit card without the corresponding promise that a consumer’s PII
12
would be kept reasonably safe from harm.
13
132. MGM’s violations of NRS 598.0917(7) constituted “consumer fraud” for purposes of
14
NRS 41.600(2)(e).
15
133. MGM also breached its duty under NRS 603A.210, which requires any data collector
16
“that maintains records which contain personal information” of Nevada residents to “implement and
17
maintain reasonable security measures to protect those records from unauthorized access,
18
acquisition, . . . use, modification or disclosure.” MGM did not take such reasonable security
19
measures, as shown by a system-wide breach of payment processing systems.
20
134. MGM also breached its duty under NRS 603A.215, which requires any data collector
21
doing business in Nevada who accept payment cards in connection with a sale of goods or services
22
to “comply with the current version of the . . . PCI Security Standards Council . . . with respect to
23
those transactions.” On information and belief, MGM failed to adhere to PCI standards, and was
24
grossly negligent because the violation occurred in multiple stores across the United States.
25
135. MGM’ violations of NRS 598.0923(3) constituted “consumer fraud” for purposes of
26
NRS 41.600(2)(e).
27
28
1 136. Additionally, NRS 598.0923(3) provides that a violation of any federal or Nevada law
2 constitutes consumer fraud. Thus, MGM violations of the FTC Act, NRS 598.0917(7), and NRS
3 603A violated NRS 598.0923(3).
4 137. MGM’ violations of NRS 598.0923(3), NRS 598.0917(7), and NRS 603A in turn
5 constituted “consumer fraud” for purposes of NRS 41.600(2)(e).
6 138. MGM engaged in an unfair practice by engaging in conduct that is contrary to public
7 policy, unscrupulous, and caused injury to Plaintiff and Class Members.
8 139. As a direct and proximate result of the foregoing, Plaintiff and Class Members have
9 suffered injuries including, but not limited to actual damages, and in being denied a benefit
10 conferred on them by the Nevada legislature.
11 140. As a result of these violations, Plaintiff and Class Members are entitled to an award of
12 actual damages, equitable injunctive relief preventing MGM to continue to violate the PCI DSS
13 standards, as well as an award of reasonable attorney’s fees and costs. Plaintiff and Class Members
14 also seek declaratory relief pursuant to 28 U.S.C. § 2201, specifically an order declaring that MGM’
15 data security procedures failed to meet the PCI DSS standards, which led to the exposure of the PII
16 of Plaintiff and Class Members in the Data Breach.
17
18 WHEREFORE, Plaintiff, on behalf of himself and all others similarly situated, respectfully
19 requests the following relief:
20
a. An Order certifying this case as a class action;
21
b. An Order appointing Plaintiff as the class representative;
22
c. An Order appointing undersigned counsel as class counsel;
23
d. A mandatory injunction directing the Defendant to hereinafter adequately
24
safeguard the PII of the Class by implementing improved security procedures
25
and measures;
26
e. An award of damages;
27
f. An award of costs and expenses;
28
1 g. An award of attorneys’ fees; and
2 h. Such other and further relief as this court may deem just and proper.
4 DEMAND FOR JURY TRIAL

5
Plaintiff demands a jury trial as to all issues triable by a jury.
6
Dated: February 21, 2020
7
8 s/______________________________
TANASI LAW OFFICES
9
Richard Tanasi, Esq.
10 8716 W. Spanish Ridge Ave. Suite 105
Las Vegas, NV 89148
11 Telephone: 702-906-2411
Facsimile: 866-299-4274
12 rtanasi@tanasilaw.com
13 MORGAN & MORGAN COMPLEX
14 LITGATION GROUP
John A. Yanchunis (pro hac vice to be submitted)
15 Jean S. Martin (pro hac vice to be submitted)
Marcio Valladares (pro hac vice to be submitted)
16 201 N. Franklin Street, 7th Floor
Tampa, FL 33602
17
Telephone: (813) 223-5505
18 Facsimile: (813) 223-5402
jyanchunis@forthepeople.com
19 jeanmartin@forthepeople.com
mvalladares@forthepeople.com
20
LAW OFFICE OF PAUL C. WHALEN, P.C.
21
Paul C. Whalen (pro hac vice to be submitted)
22 768 Plandome Road
Manhasset, NY 11030
23 Telephone: (516) 426-6870
paul@paulwhalen.com
24
25
26
27
28
1
Brian P. Murray (pro hac vice to be submitted)
2 GLANCY PRONGAY & MURRAY LLP
230 Park Avenue, Suite 530
3
New York, NY 10169
4 Telephone: (212) 682-5340
Fax: (212) 884-0988
5 bmurray@glancylaw.com
6 Attorneys for Plaintiff
7
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

Complaint Smallman v. MGM

Uploaded by

Copyright:

Available Formats

Complaint Smallman v. MGM

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Complaint Smallman v. MGM

Uploaded by

Copyright:

Available Formats

Case 2:20-cv-00376 Document 1 Filed 02/21/20 Page 1 of 30

1 TANASI LAW OFFICES

13 LAW OFFICE OF PAUL C. WHALEN, P.C.

17 Additional Counsel Listed On Signature Page

18 UNITED STATES DISTRICT COURT

28 1 CLASS ACTION COMPLAINT

4 internet hacking forum, available for misuse by a host of bad actors.

6 occurred in the summer of 2019.

8 reasonable cyber-security procedures and protocols necessary to protect customer PII.

20 identity theft and fraud.

25 Breach from reoccurring in the future.

5 payment cards at Bellagio.

19 JURISDICTION AND VENUE

23 different citizenship from MGM.

7 A. The MGM Data Breach

5 of Data Incident (“Notice”) stated in relevant part.

6 Notice of Data Incident

13 What Information Was Involved

14 MGM immediately initiated an internal forensic investigation into this

18 What We Are Doing

11 B. MGM Privacy Policies

1 account number, biometrics, medical/health-related information, driver’s license number,

15 C. Prevalence of Cyber Attacks and Susceptibility of the Hotel Industry

8 usually conducted through weak point-of-sale systems.” Id.

19 amount of personally identifiable information on its customers.

21 entrust it with highly sensitive personal information.

5 confidentiality of their PII.

8 disclosures of this information.

2 particular dataset continues to have appeal….” 12

7 F. MGM Fails to Comply with FTC Guidelines

20 response plan ready in the event of a breach.

2 regarding critical points. 16

5 caused from poor cloud configuration and security hygiene…. 17

6 H. Plaintiff and Class Members Suffered Damages

20 reasonably foreseeable threats to the security or integrity of such information.

1 50. Defendant is a multi-billion-dollar company and had the resources necessary to

3 obligation to protect customer data.

6 their systems and, ultimately, the theft of PII.

19 Plaintiff’s and Class Members’ PII.

2 customers recommending they sign up for the services.

4 Members have suffered, will suffer, or are at increased risk of suffering:

5 a. The compromise, publication, theft and/or unauthorized use of their PII;

6 b. Out-of-pocket costs associated with the prevention, detection, recovery and

7 remediation from identity theft or fraud;

21 misappropriation and theft.

8 themselves” (internal citations omitted). 22

15 CLASS ACTION ALLEGATIONS

18 certification of a Nationwide class defined as follows:

5 greater specificity or division after having had an opportunity to conduct discovery.

20 d. Whether MGM was negligent in failing to implement reasonable and adequate

21 security procedures and practices;

22 e. Whether MGM’s failure to implement adequate data security measures

23 allowed the breach of its data systems to occur;

25 proximate cause of the breach of its systems, resulting in the unlawful

26 exposure of the Plaintiff’s and Class Members’ PII;

3 data network; and

4 h. Whether Plaintiff and Class members are entitled to relief.

2 notified of the pendency of this action by recognized, Court-approved notice dissemination

7 the Class as a whole.

20 customer PII; and