Hoffmann v. Major Model Management, Inc.

COMPLAINT against Major Model Management, Inc. (Filing Fee $ 400.00, Receipt Number ANYSDC-21363093)Document filed by Stephanie Hoffmann.

Southern District of New York, nysd-1:2020-cv-06941

Current View

Full Text

2 UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF NEW YORK _______________________________________________ STEPHANIE HOFFMANN, Individually an On Behalf of All Others Similarly Situated, Plaintiff, Civil Case No. -against- MAJOR MODEL MANAGEMENT, INC., Defendant. _________________________________________________ CLASS ACTION COMPLAINT Plaintiff STEPHANIE HOFFMANN, individually and on behalf of all others similarly situated, alleges the following against MAJOR MODEL MANAGEMENT, INC., based on personal knowledge with respect to herself and on information and belief as to other allegations: INTRODUCTION 1. When fashion models seek representation and management, they put their trust in the companies that promise to take reasonable precautions to protect their sensitive personally identifiable information ("PII"). Defendant, MAJOR MODEL MANAGEMENT, INC., ("MMMI") violated that trust. 2. MMMI collected and stored massive PII of Plaintiff and each member of the proposed class. MMMI failed to safeguard their clients' PII. MMMI failed to properly implement and maintain materials and privacy statements. MMMI failed to comply with industry standards, best practices, and state laws. As a proximate result, third parties gained unauthorized long-term access to the PII of Plaintiff and every class member. 3. Plaintiff and each member of the proposed class have suffered injury and pecuniary loss. In addition to the clear injury that any victim of a data breach suffers by virtue of the breach 2 itself, Plaintiff claims fraud, identity theft, temporary loss of use of their social security numbers, passports, bank accounts, credit or debit cards, and loss of time and money monitoring her finances for future fraud. 4. Upon information and belief, the Plaintiff's stolen/hacked PII is being sold on the dark web, a seedy corner of the internet where illicit black markets thrive. 5. Plaintiff brings this suit to recover their losses caused by MMMI's failure to keep her PII secure and to force MMMI to improve its data security practices and protocols. PARTIES 6. Plaintiff, STEPHANIE HOFFMANN, is an individual residing in Old Greenwich, CT who was a contract fashion model with MMMI from 2015 to 2018, and whose PII was compromised in the Data Breach. 7. Defendant, MMMI, is a New York corporation with its principal place of business located at 344 West 38th Street, New York, New York 10018. JURISDICTION AND VENUE 8. This Court has jurisdiction over this action under the Class Action Fairness Act, 28 U.S.C. § 1332(d). There are more than 100 individual members of the proposed class, their claims exceed the sum or value of $5,000,000, exclusive of interests and costs, and some members of the proposed class are residents of different states than Defendant. 9. This Court has jurisdiction over Defendant because MMMI is a New York corporation, subject to general jurisdiction in New York; many of the wrongful acts alleged in this Complaint took place in New York, such that the exercise of jurisdiction by this Court is necessary and proper. 2 10. This court has supplemental jurisdiction over Plaintiff's state law claims under 28 U.S.C. § 1367(a). 11. Venue is proper in this District under 28 U.S.C. §1391 (b) and (c) because a substantial part of the acts or omissions giving rise to this action occurred in this District and Defendant is subject to personal jurisdiction in this District. FACTUAL ALLEGATIONS A. Plaintiffs' Agency and Management Agreement with MMMI. 12. MMMI is engaged in the business of fashion model management. The company provides traditional, full-service fashion model and talent management services, specializing in the representation and management of models, entertainers, artists, athletes and another talent to various clients which includes retailers, designers, advertising agencies, print and electronic media and catalog companies. 13. On July 30, 2015, Plaintiff HOFFMANN entered into an Agency and Management Agreement with MMMI. 14. The AGREEMENT provided, in pertinent part, that Plaintiff was engaging MMMI as their sole and exclusive personal manager in New York "in connection with the development of Plaintiff's career in modeling, advertising, licensing, entertainment, musical, theatrical,dramatic,artistic,fashion,film,video,television,CD-ROM,social network industries (such as Facebook,MySpa,Twitter,Tumblr,Instagram,blogs,etc.) and other visual media industries, and all services." 15. The AGREEMENT contains a Registration Form which Plaintiff and members of the proposed class are required to complete manually. This form requests place of birth, date of birth, nationality, permanent address, cell number, email address, social security number, 2 signature, passport number and visa number. The form contains an instruction to "attach a copy of the social security card and passport" to the AGREEMENT. 16. Where applicable, the AGREEMENT sets forth information about the contracting party's bank account number and instructions for direct deposit transactions. 17. The AGREEMENT contains an Acknowledgement Clause that states that MMMI may use and transmit the contracting party's "name, personal information, images and/or likeness for the purpose of facilitating my participation on the Web." 18. At all relevant times, MMMI owned, operated and maintained a Website at https://www.majormodel.com. MMMI stores massive amounts of models' PII on their servers and utilizes this information to maximize their profits through predictive marketing and other marketing techniques. 19. This Website permits a search for specific MMMI male and female fashion models and offers access to their photos and related information, such as age and physical attributes. 20. At all relevant times, the Website did not contain a privacy policy, cookie policy or data use policy. 21. On August 25, 2020 MMMI served a notice on Plaintiff that states as follows: We at Major Models value your privacy and respect the right to keep your information private, which is why, as a precautionary measure, we are writing to let you know about a data security incident that may involve your personal information. Over this past weekend, from approximately August 22 to August 23, Major Models' website was hacked in an attack wherein some past and present models contracting information was made accessible to third parties who breached Major Models' industry leading website security protocols. To our knowledge, this data breach only affected a very small number of models and within hours of being made aware of this issue, Major's technology and security department rectified the hack and any surrounding issues. 2 22. Upon information and belief, the data breach has been continuous since at least May 27, 2020. 23. Upon information and belief, the data breach affects at least 500 current and former fashion models whose PII was made accessible to third parties and the general public via the MMMI Website. 24. The data breach consists of PII disclosure of the place of birth, date of birth, nationality, permanent address, cell number, email address, social security number, signature, passport numbers and visa numbers. 25. The data breach consists of PII disclosure of actual copies of social security number cards, passports, and visas. 26. Plaintiff sustained loss and pecuniary injury because her PII was compromised in the Data Breach which consisted of disclosure of her place of birth, date of birth, nationality, permanent address, cell number, email address, social security number, signature, passport numbers and actual copies of her social security number card and passport. 27. This data breach affects all former and current fashion models who are or were featured on the website http://www.majormodels.us,and whose PII was compromised as a result of MMMI'S failure to: (i) adequately protect its users PII, (ii) warn users of its inadequate information security practices, and (iii) effectively monitor and control those on MMMI'S network that present a threat. 28. All private profiles, contracts, financial information, confidential and sensitive personal information of Plaintiffs and proposed members was publicly searchable by anyone in the World for at least four [4] consecutive months and probably more. 29. Plaintiff and proposed class members were never given an "opt out" option or privacy settings to prevent such disclosure of their PII on the Website. 30. As a result, even after Plaintiff's contractual relationship with MMMI was terminated, the MMMI network and Website continued to actively provide access to Plaintiff's PII, photos and profiles without her authorization and consent. 2 B. Value of PII to Hackers and Lack of Segregation of PII Data 31. It is well known and the subject of many media reports that PII data is highly coveted and a frequent target of hackers. PII data is often easily taken because it is less protected and regulated than payment card data. 32. Network segmentation of, or isolating (segmenting), the PII data from the remainder of MMMI'S network was not done. Segregation is recommended because, among other reasons, "[i]t's not just cardholder data that's important; criminals are also after personally identifiable information (PII) and corporate data." See Verizon 2014 PCI Compliance Report, available at http://www.nocash.info.ro/wp-content/uploads/2014/02/Verizon_pci-report-2014.pdf (hereafter "2014 Verizon Report"), at 54. 33. As noted in the 2014 Verizon Report, in "one of 2013's largest breaches. . . not only did hackers compromise the [card holder data] of three million customers, they also took registration data from 38 million users." Id. Similarly, in the Target data breach, in addition to PCI data pertaining to 40,000 credit and debit cards, hackers stole PII pertaining to 70,000 customers. "Increasingly, criminals are using biographical data gained from multiple sources to perpetrate more and larger thefts." Id. Illicitly obtained PII and PCI, sometimes aggregated from different data breaches, is sold on the black market, including on websites, as a product at a set price. See, e.g., <http://krebsonsecurity.com/2011/11/howmuch-is-your-identity-worth> (last visited March 4, 2014). 34. Moreover, PII of individuals with something in common is extremely valuable to criminals because it can help them perpetrate targeted spear phishing attacks. Spear phishers target select groups with something in common, i.e., they are fashion models so that they can send members of the group an email that looks just like an email from a trending designer who 2 seeks their services. But once recipients click on a link, they can be tricked into downloading malware on their own computers or deceived into giving up additional confidential information such as new passwords, financial information, personal data and much more. C. Consequences of the Data Breach 35. MMMI failed to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the data breach. 36. The ramifications of MMMI'S failure to keep class members' data secure are severe. 37. Plaintiff and proposed class members have suffered injury as a result of MMMI'S conduct. Injuries include: (i) the loss of the opportunity to control how their PII is used. (ii) the compromise, publication, and/or theft of their PII. (iii) out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of their PII. (iv) lost opportunity costs associated with effort expended and the loss of productivity addressing and attempting to mitigate the actual and future consequences of the Data Breach, including but not limited to efforts spent researching how to prevent, detect, contest, and recover from tax fraud and identity theft; (v) costs associated with placing freezes on credit reports; (vi) the continued risk to their PII, which remains in MMMI'S poss