Complaint


Full Text of Document

John Heenan HEENAN LAW FIRM, PLLC
P.O. Box 2278 Billings, Montana 59103 ph. (406) 839-9091 fax (406) 839-9092 [email protected]
ATTORNEY FOR PLAINTIFFS
IN THE UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF MONTANA
BUTTE DIVISION
LOWELL DENNIS SCHAFER and §
TERRI ANN OPPENHEIMER-SCHAFER, §
individually and on behalf of a class §
of persons similarly situated, §
§ Case No. CV-08-19-BU-SEH
Plaintiffs, §
§
v. §
§ CLASS ACTION COMPLAINT
DAVIDSON COMPANIES, § AND JURY DEMAND
D.A. DAVIDSON & CO., §
DAVIDSON INVESTMENT §
ADVISORS, INC., DAVIDSON §
TRUST CO., AND DAVIDSON FIXED §
INCOME MANAGEMENT, INC., §
§
Defendants. §
§
Plaintiffs, LOWELL DENNIS SCHAFER and TERRI ANN OPPENHEIMER-SCHAFER, individually and on behalf of a class of persons similarly situated, file this Class Action Complaint and Jury Demand against Defendants, DAVIDSON COMPANIES, D.A. DAVIDSON & CO., DAVIDSON INVESTMENT ADVISORS, INC., DAVIDSON TRUST CO., and DAVIDSON FIXED INCOME MANAGEMENT, INC., and respectfully show as follows:

INTRODUCTION

This case arises from the compromise of confidential personal and financial information that occurred when Defendants allowed their computer systems to be hacked and mined for personal information concerning clients of Defendants’ financial services companies. Plaintiffs, for themselves and on behalf of the class of persons whose confidential personal and financial information was compromised in the data breach, seek relief from the Court to compensate them for their injuries caused by Defendants’ data breach and to protect them from potential identity theft and other consequences of Defendants’ data breach.

The Davidson Companies did not maintain reasonable procedures designed to prevent unauthorized access to their clients’ confidential personal and financial information.

PARTIES

Plaintiff LOWELL DENNIS SCHAFER is an individual residing in Bozeman, Montana. Mr. Schafer is a current client of Defendants whose confidential personal and financial information was accessed and compromised as a result of Defendants’ data breach.

Plaintiff TERRI ANN OPPENHEIMER-SCHAFER is an individual residing in San Antonio, Texas. Mrs. Oppenheimer-Schafer is a former client of Defendants whose confidential personal and financial information was accessed and compromised as a result of Defendants’ data breach.

Defendant DAVIDSON COMPANIES is a corporation organized under the laws of Montana with its principal office and place of business in Great Falls, Montana. Davidson Companies is the holding company with six wholly-owned subsidiaries that provide financial services to its clients throughout the United States.

Defendant D.A. DAVIDSON & CO. is a corporation organized under the laws of Montana with its principal office and place of business in Great Falls, Montana. D.A. Davidson & Co. is a wholly-owned subsidiary of Defendant Davidson Companies.

Defendant DAVIDSON INVESTMENT ADVISORS, INC. is a corporation organized under the laws of Montana with its principal office and place of business in Great Falls, Montana. Davidson Investment Advisors, Inc. is a wholly-owned subsidiary of Defendant Davidson Companies.

Defendant DAVIDSON TRUST CO. is a corporation organized under the laws of Montana with its principal office and place of business in Great Falls, Montana. Davidson Trust Co. is a wholly-owned subsidiary of Defendant Davidson Companies.

Defendant DAVIDSON FIXED INCOME MANAGEMENT, INC., upon information and belief, is a corporation organized under the laws of Nebraska with its principal office and place of business in Great Falls, Montana. Davidson Fixed Income Management, Inc. is a wholly-owned subsidiary of Defendant Davidson Companies.

JURISDICTION AND VENUE

The Court has subject matter jurisdiction under the Class Action Fairness Act of 2005, codified at 28 U.S.C. § 1332(d), because the class has more than one hundred (100) members, the amount in controversy exceeds $5 million, exclusive of interest and costs, and some members of the class are citizens of states different than Defendants. The Court has personal jurisdiction over Defendants because each of them transacts sufficient business in this district to subject it to the jurisdiction of this Court.

Venue is proper in this district under 28 U.S.C. § 1391 because Defendants are subject to personal jurisdiction in this district, and therefore, reside in this district for the purposes of 28 U.S.C. § 1391, and because a substantial part of the events or omissions giving rise to the claims in this case occurred in this district.

FACTS

Davidson Companies and its wholly-owned subsidiaries provide financial services to its clients in at least 16 states throughout the United States. Davidson Companies’ wholly-owned subsidiaries include:
D.A. Davidson & Co., a full-service investment firm;
Davidson Investment Advisors, Inc., a professional money management firm;
Davidson Trust Co., a wealth management and trust company; and
Davidson Fixed Income Management, Inc., a registered investment adviser firm that provides portfolio management and other fixed income services.

References below to the “Davidson Companies” mean and include all Defendants, Davidson Companies, D.A. Davidson & Co., Davidson Investment Advisors, Inc., Davidson Trust Co., and Davidson Fixed Income Management, Inc.

In the course of their business as financial and investment services companies, the Davidson Companies collect and maintain confidential personal and financial information of its clients. On January 30, 2008, the Davidson Companies announced publicly in a press release that a computer database containing the confidential personal and financial information of its current and former clients was compromised by a computer hacker who illegally obtained access to the clients’ confidential information. Just one day prior to the press release, the Davidson Companies sent Plaintiffs and class members a letter dated January 29, 2008, stating that the confidential information that the third-party hacker obtained through the data breach included the names, addresses, birth dates, Social Security numbers, and/or account numbers of the Davidson Companies’ current and former clients. On information and belief, approximately 226,000 Davidson Companies clients were affected by the data breach, including Plaintiffs.

On information and belief, the Davidson Companies did not immediately learn about the data breach. On information and belief, the data breach occurred in late December 2007, and the Davidson Companies did not discover the breach until mid-January 2008. Law enforcement and regulatory authorities were notified at that time. Nonetheless, the Davidson Companies did not notify their clients about the data breach until at least January 29, 2008.

The Davidson Companies have released little information concerning the manner in which the data breach occurred other than to say that the hacker used “sophisticated techniques.”

The Davidson Companies’ data breach and compromise of Plaintiffs’ and class members’ confidential personal and financial information—particularly their Social Security numbers and dates of birth—exposes them to possible fraud and identity theft. Indeed, in their letter to Plaintiffs on January 29, 2008, about the data breach, the Davidson Companies state that they were “concerned about the possible misuse of” Plaintiffs’ and class members’ confidential personal and financial information.

The Davidson Companies have both statutory and common law duties to maintain adequate computer data security and adequately protect their clients’ confidential personal and financial information.

The Davidson Companies are “financial institutions” for purposes of the Gramm-Leach-Bliley Financial Services Modernization Act, Pub. L. 106-102, 113 Stat. 1338 (1999), codified at 15 U.S.C. § 6801-6809 (hereinafter referred to as the “GLB Act”), and the FTC Privacy Rule, 16 C.F.R. § 313 (2000), and Safeguards Rule, 16 C.F.R. § 314 (2002), promulgated thereunder.

The GLB Act and the FTC Privacy and Safeguards Rules imposed duties on the Davidson Companies to protect and keep their clients’ personal and financial information confidential and to safeguard such information from theft and unauthorized access. Section 6801 of the GLB Act, entitled “Protection of nonpublic personal information,” states:

(a) Privacy obligation policy. It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information.

(b) Financial institutions safeguards. In furtherance of the policy in subsection (a), each agency or authority described in section 505(a) [15 USCS § 6805(a)] shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards—
(1) to insure the security and confidentiality of customer records and information;
(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
(3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

In addition, the FTC Safeguards Rule, 16 C.F.R. § 314 (2002), sets forth industry-wide standards for the protection of consumers’ confidential information.

The Davidson Companies breached the duties owed to Plaintiffs and class members by failing to adequately protect their clients’ confidential personal and financial information from theft and unauthorized disclosure and by failing to maintain adequate computer data security. The Davidson Companies should have undertaken adequate security measures to prevent and/or detect illegal intrusions into their computer systems.

COUNT ONE—
NEGLIGENCE

Plaintiffs incorporate by reference and restate here the factual allegations contained in paragraphs 1-22 above.

The Davidson Companies obtained possession of confidential personal and financial information belonging to Plaintiffs and class members and had a duty to adequately protect that information from theft and unauthorized disclosure. The Davidson Companies did not exercise reasonable care in safeguarding their current and former clients’ confidential personal and financial information. The Davidson Companies failed to comply with industry standards designed to protect such confidential personal and financial information from theft and/or prevent others from obtaining unauthorized access to that information.

Plaintiffs and class members have been injured as a proximate result of the Davidson Companies’ breaches because, among other things, Plaintiffs and class members are now exposed to possible fraud and identity theft or will be excluded from the point-of-sale credit market if they follow the Davidson Companies’ advice to enroll in a credit monitoring service due to the placement of fraud alerts on their credit files. The Davidson Companies’ conduct described above constitutes negligence.

COUNT TWO—
NEGLIGENCE PER SE

Plaintiffs incorporate by reference and restate here the factual allegations contained in paragraphs 1-22 above.

The Davidson Companies failed to comply with the duties and requirements of the G-L-B Act by not providing for adequate safeguards in its storage and handling of its clients’ confidential personal and financial information.

In addition, the Davidson Companies were obligated to comply with the industry-wide standards for the protection of consumers’ confidential information set out in the FTC Privacy and Safeguards Rules, and failed to do so.

The Davidson Companies’ failure to comply with § 6801 of the G-L-B Act and/or the FTC Privacy and Safeguards Rules regarding the protection of Plaintiffs’ and class members’ confidential personal and financial information constitutes negligence per se.

Plaintiffs and class members belong to the class of persons and suffered the type of injury that the G-L-B Act and the FTC Privacy and Safeguards Rules were designed to protect. Plaintiffs and class members have been injured as a proximate result of the Davidson Companies’ breaches described above because, among other things, Plaintiffs and class members are now exposed to possible fraud and identity theft or will be excluded from the point-of-sale credit market if they follow the Davidson Companies’ advice to enroll in a credit monitoring service due to the placement of fraud alerts on their credit files. The Davidson Companies’ conduct constitutes negligence per se.

COUNT THREE—
BREACH OF FIDUCIARY DUTY

Plaintiffs incorporate by reference and restate here the factual allegations contained in the paragraphs 1-30 above.

The Davidson Companies stood in a fiduciary capacity to Plaintiffs and class members. The Davidson Companies on the one hand and Plaintiffs and class members on the other hand had a special, advisor-advisee relationship giving rise to a fiduciary duty. Plaintiffs and class members reasonably placed their trust and confidence in the Davidson Companies by providing their confidential personal and financial information to the Davidson Companies.

The Davidson Companies breached their fiduciary duty by failing to adequately protect the confidential personal and financial information provided to them by Plaintiffs and class members. The Davidson Companies’ breaches of fiduciary duty caused harm and injury to Plaintiffs and class members because, among other things, Plaintiffs and class members are now exposed to possible fraud and identity theft or will be excluded from the point-of-sale credit market if they follow the Davidson Companies’ advice to enroll in a credit monitoring service due to the placement of fraud alerts on their credit files.

CLASS DEFINITION, ALLEGATIONS,
AND INJURY TO THE CLASS (Counts One through Four)

Plaintiffs bring this action on their own behalf and on behalf of all other persons similarly situated pursuant to Rule 23 of the Federal Rules of Civil Procedure. Plaintiffs seek certification of a class under Rule 23(b)(1), (b)(2), and (b)(3).

Class Definition. The class is composed of all persons who were current or former clients of the Davidson Companies and whose confidential personal and financial information was accessed during the period of the data breach.

Numerosity. The class is comprised of thousands of persons and is so numerous that joinder of all members is impracticable.

Commonality. There are questions of law or fact common to the class. The claims or defenses of Plaintiffs as the representative parties are typical of the claims or defenses of the class. Further, the questions of law or fact common to the members of the class predominate over any questions affecting only individual members, and include without limitation, the following:
a. Whether the Davidson Companies took reasonable measures to safeguard the confidential personal and financial information of their current and former clients;
b. Whether the Davidson Companies owed a duty to Plaintiffs and the class to protect their confidential personal and financial information;
c. Whether the Davidson Companies breached a duty and were negligent in failing to maintain adequate computer data security for Plaintiffs’ and class members’ confidential personal and financial information;
d. Whether the class is entitled to notice as to whether the security of their confidential personal and financial information was compromised as a result of a data breach at the Davidson Companies;
e. Whether the class is entitled to compensatory relief, including but not limited to a constructive trust for the victims of fraud or identity theft;
f. Whether the class is entitled to injunctive relief; and
g. Whether the class is entitled to an award of reasonable attorneys’ fees and costs of Court.

Typicality and Adequacy. Plaintiffs are adequate representatives of the class because their interests do not conflict with the interests of the class members they seek to represent, and they are similarly situated with members of the class. Plaintiffs, as representative parties for the class, will fairly and adequately represent and protect the interests of the class. Furthermore, Plaintiffs’ interests are not antagonistic to the class. Plaintiffs have retained counsel who are competent and experienced in the prosecution of class action litigation.

Predominance. Common questions of fact or law predominate over individualized issues. The facts surrounding the Davidson Companies’ practices will clearly predominate over any individualized issues because this case centers on the Davidson Companies’ failure to adequately safeguard and protect Plaintiffs’ and class members’ confidential personal and financial information and maintain adequate computer data security. A class action is superior to other available methods for the fair and efficient adjudication of the controversy. The interest of members of the class in individually controlling the prosecution or defense of separate actions is not great given the amount in controversy and the difficulty of detection of the enterprise and proof of it; there is no other known litigation concerning the controversy already commenced by or against members of the class; it is desirable to concentrate this litigation in one forum and there are no known difficulties likely to be encountered in the management of a class action.

Plaintiffs request on behalf of themselves and the class that the Clerk issue summons for service on Defendants with a copy of this Complaint.

Plaintiffs also request that the Court certify the class described above.

Plaintiffs request a jury trial on any issue to which there is a right to trial by jury.

Plaintiffs also request that the Court award them and the class actual and/or compensatory damages, interest as allowed by law, costs of Court, attorneys’ fees, and all other relief to which Plaintiffs and the class are entitled at law or in equity.

Plaintiffs request that, after trial, the Court enjoin the Davidson Companies from further actions that place the class at risk of future data breaches and require the Davidson Companies to comply with industry standards.

Plaintiffs request general relief.
Dated: March 27, 2008.
Respectfully submitted,
HEENAN LAW FIRM, PLLC
P.O. Box 2278 Billings, Montana 59103 ph. (406) 839-9091 fax (406) 839-9092
BY:___________________________________ JOHN HEENAN [email protected]
ATTORNEY-IN-CHARGE FOR PLAINTIFFS
BINGHAM & LEA, P.C. 319 Maverick Street San Antonio, Texas 78212 ph. (210) 224-1819 fax (210) 224-0141
Benjamin R. Bingham Texas Bar No. 02322350 [email protected] (Admission pro hac vice pending) Lindsay M. Rose Texas Bar No. 24049272 [email protected] (Admission pro hac vice pending)
ATTORNEY FOR PLAINTIFFS
