
DATA BREACH CLASS ACTION COMPLAINT

TABLE OF CONTENTS

  1. Caption
  2. Nature of the Action
  3. Jurisdiction and Venue
  4. Parties
  5. Factual Background
  6. The Data Breach
  7. Defendant's Inadequate Security Practices
  8. Harm to Plaintiff and Class Members
  9. Class Action Allegations
  10. Causes of Action
  11. Prayer for Relief
  12. Jury Demand

1. CAPTION

UNITED STATES DISTRICT COURT
[________________________________] DISTRICT OF [________________________________]

[________________________________], individually and on behalf of all others similarly situated,
Plaintiff,
v.
[________________________________],
Defendant.

Case No.: [________________________________]
CLASS ACTION COMPLAINT
DEMAND FOR JURY TRIAL

2. NATURE OF THE ACTION

  1. This class action arises from Defendant's failure to implement reasonable data security practices, resulting in a data breach that exposed the personally identifiable information ("PII") of approximately [________] individuals, including Plaintiff and Class members.

  2. On or about [__/__/____], Defendant disclosed that unauthorized third parties accessed its systems and obtained consumers' [________________________________] (e.g., names, Social Security numbers, financial account information, medical records, email addresses, passwords).

  3. Plaintiff brings this action to obtain redress for Defendant's failure to adequately protect, secure, and safeguard PII, and for Defendant's failure to provide timely and adequate notice of the breach.


3. JURISDICTION AND VENUE

  1. This Court has subject matter jurisdiction under the Class Action Fairness Act, 28 U.S.C. § 1332(d), because: (a) there are at least 100 class members; (b) the aggregate amount in controversy exceeds $5,000,000, exclusive of interest and costs; and (c) at least one Class member is a citizen of a state different from Defendant.

  2. Venue is proper under 28 U.S.C. § 1391(b) because [________________________________].


4. PARTIES

Plaintiff

  1. Plaintiff [________________________________] is a resident of [________________________________] (city, state). Plaintiff provided PII to Defendant in connection with [________________________________] (e.g., purchasing products, creating an account, receiving services). Plaintiff's PII was compromised in the Data Breach.

Defendant

  1. Defendant [________________________________] is a [________________________________] (corporation, LLC) organized under the laws of [________________________________], with its principal place of business at [________________________________]. Defendant [________________________________] (describe Defendant's business and why it collects/stores consumer PII).

5. FACTUAL BACKGROUND

  1. In the course of its business, Defendant collects and stores the PII of millions of consumers, including: [________________________________].

  2. Defendant's privacy policy, available at [________________________________], stated: "[________________________________]" (quote the relevant security representations).

  3. Consumers, including Plaintiff, provided their PII to Defendant with the reasonable expectation that Defendant would protect that information consistent with its representations and applicable law.


6. THE DATA BREACH

  1. On or about [__/__/____], Defendant's systems were accessed by unauthorized third parties through [________________________________] (e.g., phishing attack, ransomware, unpatched vulnerability, credential stuffing, insider access).

  2. The breach remained undetected for approximately [____] days/months, during which time the attackers had access to: [________________________________].

  3. Types of PII compromised include:
    - ☐ Full names
    - ☐ Social Security numbers
    - ☐ Dates of birth
    - ☐ Financial account / credit card numbers
    - ☐ Health/medical information
    - ☐ Login credentials (usernames and passwords)
    - ☐ Driver's license numbers
    - ☐ Email addresses and phone numbers
    - ☐ Other: [________________________________]

  4. Defendant notified affected individuals on [__/__/____], approximately [____] days after discovery of the breach, by [________________________________] (mail, email, website posting).


7. DEFENDANT'S INADEQUATE SECURITY PRACTICES

  1. Defendant failed to implement reasonable and industry-standard security measures, including:
    - ☐ Failure to encrypt sensitive PII at rest and in transit
    - ☐ Failure to implement multi-factor authentication
    - ☐ Failure to patch known security vulnerabilities in a timely manner
    - ☐ Failure to maintain adequate network segmentation
    - ☐ Failure to conduct regular security audits and penetration testing
    - ☐ Failure to train employees on data security and phishing awareness
    - ☐ Failure to implement adequate intrusion detection systems
    - ☐ Failure to comply with industry standards (e.g., PCI-DSS, NIST Cybersecurity Framework)
    - ☐ Other: [________________________________]

  2. Defendant knew or should have known of these deficiencies based on [________________________________] (e.g., prior security incidents, industry warnings, regulatory guidance).

8. HARM TO PLAINTIFF AND CLASS MEMBERS

  1. As a direct result of the Data Breach, Plaintiff and Class members have suffered and continue to suffer:
    - ☐ Actual identity theft or fraud: [________________________________]
    - ☐ Unauthorized charges on financial accounts
    - ☐ Fraudulent tax filings using stolen Social Security numbers
    - ☐ Time and expense spent monitoring accounts and credit reports
    - ☐ Cost of credit monitoring and identity theft protection services
    - ☐ Cost of credit freezes
    - ☐ Diminished value of their PII
    - ☐ Emotional distress, anxiety, and loss of privacy
    - ☐ Ongoing and imminent risk of future identity theft and fraud

  2. Plaintiff has specifically experienced: [________________________________].

9. CLASS ACTION ALLEGATIONS

  1. Plaintiff brings this action under Fed. R. Civ. P. 23(a), 23(b)(2), and 23(b)(3) on behalf of a nationwide class defined as:

All persons in the United States whose PII was compromised as a result of the Data Breach disclosed by Defendant on or about [__/__/____] (the "Nationwide Class").

  2. Alternatively, Plaintiff brings this action on behalf of a state subclass:

All persons in [________________________________] whose PII was compromised in the Data Breach (the "[State] Subclass").

  3. Numerosity. The Class comprises approximately [________] individuals, making joinder impracticable.

  4. Commonality. Common questions include: (a) whether Defendant owed a duty to protect PII; (b) whether Defendant's security practices were reasonable; (c) whether Defendant's conduct violated applicable statutes; and (d) whether Class members suffered damages.

  5. Typicality. Plaintiff's claims are typical because all Class members' PII was compromised in the same breach.

  6. Adequacy. Plaintiff will fairly and adequately represent the Class.


10. CAUSES OF ACTION

COUNT I: Negligence

(On behalf of the Nationwide Class)

  1. Defendant owed a duty of care to Plaintiff and Class members to implement reasonable security measures to protect their PII.

  2. Defendant breached that duty by failing to implement adequate safeguards as described in Section 7.

  3. The breach was the proximate cause of Plaintiff's and Class members' damages.

COUNT II: Negligence Per Se

(On behalf of the Nationwide Class)

  1. Defendant violated [________________________________] (cite applicable data security statutes), which were enacted to protect the class of persons that includes Plaintiff and Class members.

COUNT III: Breach of Contract / Implied Contract

(On behalf of the Nationwide Class)

  1. An implied contract existed between Defendant and Class members to safeguard PII in exchange for the provision of PII. Defendant breached that contract by failing to implement reasonable security.

COUNT IV: Violation of the California Consumer Privacy Act

(On behalf of the California Subclass)

  1. Defendant violated Cal. Civ. Code § 1798.150 by failing to implement and maintain reasonable security procedures, resulting in the unauthorized access of non-encrypted and non-redacted personal information.

  2. Plaintiff provided 30 days' pre-suit notice as required by § 1798.150(b).

  3. Class members are entitled to statutory damages of not less than $100 and not greater than $750 per consumer per incident, or actual damages, whichever is greater.

COUNT V: Violation of State Consumer Protection Statutes

(On behalf of applicable State Subclasses)

  1. Defendant's conduct violated the consumer protection statutes of [________________________________], including: [________________________________].

COUNT VI: Unjust Enrichment

(On behalf of the Nationwide Class)

  1. Defendant was unjustly enriched by saving costs on data security at the expense of Plaintiff and Class members.

11. PRAYER FOR RELIEF

WHEREFORE, Plaintiff, on behalf of the Class, requests:

a. Certification of this action as a class action under Fed. R. Civ. P. 23;

b. Compensatory, statutory, and/or punitive damages;

c. Restitution and disgorgement of profits;

d. Injunctive relief requiring Defendant to implement reasonable security measures;

e. An order requiring Defendant to provide credit monitoring and identity theft insurance for a period of [____] years;

f. Reasonable attorneys' fees, costs, and expenses;

g. Pre- and post-judgment interest;

h. Such other relief as the Court deems just and proper.


12. JURY DEMAND

Plaintiff demands a trial by jury on all triable issues.

DATED: [__/__/____]

ATTORNEY FOR PLAINTIFF:

[________________________________]
Bar No.: [________________________________]
Firm: [________________________________]
Address: [________________________________]
Phone: [________________________________]
Email: [________________________________]


SOURCES AND REFERENCES

  • Cal. Civ. Code § 1798.150 (CCPA private right of action)
  • Cal. Civ. Code § 1798.80 et seq. (Database Breach Act)
  • TransUnion LLC v. Ramirez, 594 U.S. 413 (2021) (Article III standing)
  • In re Equifax, Inc. Customer Data Security Breach Litigation (N.D. Ga.)
  • NIST Cybersecurity Framework (SP 800-53)
  • FTC data security enforcement guidance
  • PCI-DSS (Payment Card Industry Data Security Standard)

About This Template

Jurisdiction-Specific

This template is drafted for general use across all U.S. jurisdictions. State-specific versions with local statutory references are also available.

How It's Made

Drafted using current statutory databases and legal standards for class action. Each template includes proper legal citations, defined terms, and standard protective clauses.

Important Notice

This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.

Last updated: April 2026