Dana B. Taschner [SBN 135494]
LAW OFFICES OF DANA B. TASCHNER
Telephone (949) 644-7718
Attorney for Individual and Representative Plaintiff,
The Proposed Class and General Public
OF THE STATE OF
MARCY LEVITAS HAMILTON, Individual and Representative for all others similarly situated and the General Public,
MICROSOFT CORPORATION; and DOES 1 through 100,
JURY TRIAL DEMANDED
Individual and Representative Plaintiff Marcy Levitas Hamilton on behalf of herself and all others similarly situated, and on behalf of the General public, alleges:
NATURE OF THE CASE
Corporation (“Microsoft”) is the largest worldwide producer of software,
services and Internet technologies for personal and business computing. In this class action lawsuit, Plaintiffs and
the class seek a remedy against Microsoft for unfair business practices and
JURISDICTION AND VENUE
This Court has jurisdiction over this action pursuant to Code of Civil Procedure Section 410.10. No federal; claims or right is alleged herein. Venue is proper in this court. Plaintiff resides in this County and the acts of Microsoft occurred in this County.
Marcy Levitas Hamilton, a resident of
Microsoft is a
Does 1 through 100 are persons whose identities are unknown to plaintiff at this time. Defendant Does 1 though 100 are business entities controlled by, and/or agents of and/or employees and/or affiliated with Defendant. Plaintiff is ignorant of the true names and capacities of the Doe defendants sued herein under fictitious names Does 1 through 1000, and they are sued pursuant to Code of Civil Procedure 474. When Plaintiff becomes aware of the true names and capacities of the Doe Defendants, Plaintiff will amend this Complaint to state their true names and capacities.
A. Microsoft Corporation
Microsoft Corporation is the largest worldwide producer of software, services and Internet technologies for personal and business computing.
In August 1989, Microsoft introduced Office Suite. In May 1990, Microsoft launched Windows 3.0. In August 1995, Microsoft launched Windows 95. In June 1998, Microsoft launched Windows 98. In February 2000, Microsoft launched Windows 2000. In June 2000, Microsoft announced .NET software: next generation Internet services. In May 2001, Microsoft launched Office XP. In October 2001, Microsoft launched Windows XP. In February 2002, Microsoft launched Visual Studio .NET. In November 2002, Microsoft and partners launched TabletPC. In April 2003, Microsoft launched Windows Server 2003. Microsoft operates numerous business units, including:
· Windows Client, including the Microsoft Windows XP desktop operating system, Windows 2000, and Windows Embedded operating system.
· Information Worker, including Microsoft Office, Microsoft Publisher, Microsoft Visio, Microsoft Project, and other stand-alone desktop applications.
· Business Solutions, with business process applications, and bCentral business services.
· Server Platforms, including the Microsoft Windows Server System integrated server software, software developer tools, and MSDN.
· Windows CE & Mobility, featuring mobile devices including the Windows Pocket PC, the Mobile Explorer micro browser, and the Windows phone software platform.
· MSN, including the MSNnetwork, MSN Internet Access, MSNTV, MSN Hotmail and other Web-based services.
(“hereinafter collectively referred to as “Microsoft Operating Systems”)
Microsoft has diversified business relationships with thousands of businesses and organizations, Microsoft Certified Partners, Value Added Resellers, and System Builders.
On May 18, 1998, the United States of America and the Attorneys General for 20 states and the District of Columbia filed related legal actions against Microsoft alleging, inter alia, that (i) Microsoft violated Section 1 of the Sherman Act by allegedly tying its "Internet browser software" to Microsoft’s Windows 95 and 98 operating systems; (ii) Microsoft violated Section 1 of the Sherman Act by entering into purportedly exclusionary agreements with Internet Service Providers, Internet Content Providers and Online Services relating to the promotion and distribution of Internet Explorer; (iii) Microsoft violated Section 2 of the Sherman Act by unlawfully maintaining a monopoly in a "market" restricted to personal computer operating systems; and (iv) Microsoft violated Section 2 of the Sherman Act by attempting to monopolize a "market" for Internet browsers.
At all times relevant to this class action plaintiff and Class were direct purchasers of the Microsoft operating systems.
B. Internet Cyber Attacks - Viruses,
Consumers and businesses have embraced the Internet as means of communicating, sharing information, and transacting business. Unfortunately, consumers and businesses are increasingly subjected to security failures and various “cyber attacks” that can severely cripple computer systems, compromise data stored on personal computers and computer databases, and cause loss, damage and/or injury.
The vast majority of successful Internet attacks are attributable to major vulnerabilities in Microsoft’s operating system software, which is used by more than 90% of computer users. Microsoft’s operating systems are closely integrated with numerous other Microsoft applications creating a very complex computer code containing numerous security holes that can be exploited. The popularity of the software and its complexity has made Microsoft’s operating systems a prime target of online attacks.
Small malicious computer programs known as viruses are easily spread throughout the Internet and computer network systems causing a variety of damage. They can slow down or shut down websites, computer systems, or computer network; erase or compromise data; or even give an unauthorized party complete access and control over a computer system and all its data.
A computer virus is a piece of program code that behaves much like a bilogical virus. The computer virus makes copies of itself and spreads by attaching itself to another computer programs (usually a computer operating system), often causing damage to the infected computer system. Many viruses replicate themseleves rapidy, infecting other computer programs. Computers that share or use infected computer files also become carriers and help to further spread the virus.
A computer “trojan” (named after the Trojan Horse) is similar to virus except that it does not attach itself to another program. Rather, a “trojan” is often disguised as a legitimate program claiming to perform a useful function, but which actually contains damaging instructions hidden inside their code. When someone installs or utilizes the trojan, the trojan carries out it malicious instructions.
Many viruses are destructive. Some are designed to damage or interefere with proper functioning operating systems and other programs. More malicious viruses may be programmed to erase files or even format hard disks (resulting in total loss of data on that disk). Some viruses are programmed to to give unauthorized parties complete access to computer.
A computer worm is another type of computer virus. Unlike a virus, worm is a self-contained program that does not need to be part of another program to replicate and propagate itself. Like a virus, a worm may be designed to do any number of things, such as modify or delete files. Unlike viruses, worms spread without human interaction. As such they are capable of spreading very quickly. The September 2001 Nimda Worm infected over two million systems in a three day period.
Such attacks may be used to disrupt and harm businesses or government entities. They may be used to steal or destroy personal information from unsuspecting consumers. Theft of online data may result in unauthorized use of personal, financial, or even medical information, resulting in identity theft. Moreover, viruses can be used to clog computer networks, negatively impacting entire industries worldwide. Online attacks present a threat to the Genral Public, to commerce and to national security. Virulent new worms that exploit vulnerable Microsoft operating systems and programs and may infect hundreds of thousands of computers in seconds creating a serious threat for Internet users worldwide.
C. Number and Scope of Virus Attacks is Substantial and Growing
The number of devastating virus attacks has and continues to rapidly grow, in large part due widespread consumer and business reliance on Microsoft’s operating systems and products. A copy of the “Current Microsoft Product Support Security Response Team Virus Alert” of September 30, 2003 is attached hereto as Exhibit A and incorporated herein by reference. Industry estimates place the number of attacks now occuring in North America in excess of eight million each week. Microsoft operating systems such as Windows, which are used by more than 90% of the public, are highly susceptible to a variety of “cyber attacks” in large part due the complexity and the popularity of the operating system(s).
In June 2003, the SQL slammer worm attacked Microsoft SQL Servers causing widespread problems on the Internet. In August 2003, two major worms named the Sobig worm and the Blaster worm began to aggresively attack several millions of Microsoft Windows computers, resulting in the largest down-time and clean-up cost ever, prompting a widespread call for government action to prevent further damages from Windows worms.
On information and belief new worms or virus are propagating at this time in October 2003 at levels closely approximated at—or exceeding—the “So Big” virus. Some hosting companies are reporting millions of attempted penetrations, in numbers approximating the attacks experienced during the “So Big” virus.
D. Microsoft’s Virtual Monopoly Has Created a Global Security Risk
In the context of the security threats outlined above, Microsoft’s eclipsing dominance in desktop software has created a global security risk. As a result of Microsoft's concerted effort to strengthen and expand its monopolies by tightly integrating applications with its operating system, as well as its success in achieving near ubiquity in personal computing, the world's computer networks are now susceptible to massive, cascading failures.
E. Microsoft Integration and Complexity Promotes Vulnerability
Microsoft's attempts to tightly integrate numerous computer applications with its operating system have significantly contributed to excessive complexity and, consequently, vulnerability.
Microsoft is run on approximately 90 percent of all desktops, and very large numbers of systems are vulnerable to attacks as the vast number of connections among Microsoft-based computers enables the rapid spread of denial-of-service and other attacks.
Microsoft's operating systems are notable for their complexity. The near universal deployment of Microsoft operating systems is highly conducive to cascade failure, with such cascades already demonstrating an ability to disable critical infrastructure and compromise business, personal and financial data.
The volume of Windows-based systems and their variety of uses suggests security breaches may occur in potentially every forum, organization, business, school, hospital and household. Recent attacks have caused damaged or data compromise at myriad points, from immigration computers to emergency 911 systems.
In August 2002, Microsoft announced that serious security failures found in Microsoft Office, including Windows 2000, Windows XP and Internet Explorer could permit hackers to read, compromise and alter files. Plaintiffs allege on information and belief that Microsoft is aware that their marketplace dominance and widespread strategic positioning of their operating systems increases security risk.
Rapid response by Microsoft to known or potential security risks is critical. Plaintiff alleges on information and belief that Microsoft has failed to provide adequate and effective notice of security risks created in part due to Microsoft application integration and complexity. Plaintiff alleges on information and belief in known instances of security breaches that Microsoft has failed to provide adequate and effective notice of known attacks, causing substantial loss, damage and injury.
alleges that greater future loss, damage and injury may be expected, and is now
anticipated by many industry experts.
Significant action is required in the directing of Microsoft, requiring
improved notice and safeguarding of data and information, advanced and
effective disclosure of potential security breaches due to Microsoft
integration and complexity, and prompt and effective notice of compromised
personal, private, confidential, medical, financial or other sensitive
The recent “bug bear” worm and other harmful viruses have recently disabled online security firewalls and anti-virus devices. The worms prepared a port through which remote instructions of the hacker could pass, allowing the hacker to access passwords, view and compromise computer data and monitor mouse and keyboard stroke events. The bugbear worm exploited vulnerabilities known in the Microsoft OS for many months.
Due to the growing proliferation of computers and networks, the growing interconnectedness of the Internet, the increasingly inexpensive and available tools available for hacking, and the near universal use by computer users of Microsoft operating systems, cyber-attacks are reasonably expected to increase with a consequent and correlating increase in access and compromise of personal, private, confidential, medical and financial information and data.
Plaintiff and Proposed Class Representative experienced unauthorized access, use and theft use of her personal data and social security number, experiencing damage to financial and bank account data, information and financial holdings, which plaintiff alleges was due to the failure of Microsoft to provide adequate security, and the failure to provide plaintiff with adequate notice of the vulnerability of online data and information transmitted through Microsoft operating systems.
F. Microsoft Response to Security Vulnerability is Not Sufficient to Protect Important and Vital Information and Data
response to the growing number of cyber-attacks and their attempts or success
in penetrating Microsoft operating systems, Windows and Internet Explorer,
Microsoft has issued alerts, occasionally rising to the “critical” threshold,
along with providing a serial patch. A
copy of the Microsoft TechNet Security Page: Troubleshoot & Maintain of
During the last year, Microsoft issued over 50 security warning of such technical complexity that a normal member of the General Public could not reasonably understand the security warning and/or could not implement the Microsoft distributed security patches before the fast moving hackers could move to exploit the Microsoft publicized weakness. Thus, while Microsoft has issued strings of alerts, they cannot be understood by the General Public and the method of delivery of the warning has actually increased the probability of harm from hackers who are educated by the information about the flaws and potential breach in the operating systems as described by Microsoft.
G. Need for Court Determination and Intervention is Great
is Plaintiff’s belief that Microsoft is aware of widespread and serious
security breaches with regard to the Microsoft operating systems. On
The need for court intervention and judicial relief is great. The General Public is daily becoming more reliant on computers, networks and technology to communicate, purchase and transmit information and data. The conduct of Microsoft is not sufficient under the law and is not enough to protect plaintiff, the proposed Class or the General Public.
CLASS ACTION ALLEGATIONS
1. Plaintiff brings this action on her own behalf and on behalf of all others similarly situated as members of the proposed Plaintiff Class. The proposed Plaintiff Class that plaintiff represents is defined as follows: All natural persons, businesses and organized entities nationwide who have purchased, licensed or used Microsoft operating systems. Excluded from the class are Defendants, and entities in which Defendant has a controlling interest, any employees, officers, directors of Defendant, and any legal representative, assigns, successors of Defendants, and any judge assigned to hear this case.
2. This action is brought and may be properly maintained as a class action pursuant to California Code of Civil Procedure Section 382 and Civil Code Section 1798.82, as well as under Federal Rule of Civil Procedure 23(a)(1-4), 23 (b)(1)(2) or (3), and case law thereunder, to which the California trial courts have been directed for guidance by the California Supreme Court.
3. Members of the class are so numerous, consisting of millions of individuals, that the joinder of all such persons is impracticable and that the disposition of their claims in a class action rather than in individual actions will benefit the parties and the court. The numerosity of the Class is clearly satisfied under California Code of Civil Procedure Section 382, Civil Code Section 1781(b)(1). Federal Rule of Civil Procedure 23(a)(1).
4. There is a well-defined community of interest in the questions of law and fact involved affecting the plaintiff class satisfying California Code of Civil Procedure Section 382, Civil Code 1781(b)(2). Federal Rule of Civil Procedure 23(a)(2). Common questions of law and fact predominate over the questions affecting only individual class members. The claims of the plaintiff are typical of those of the class and plaintiff will fairly and adequately represent the interests of the case.
5. Plaintiffs claims are typical of those of each class member as plaintiff, like other member of the Class, has been exposed to the same violations and conduct, and is entitled to relief under the same causes of actions as other members of the Class satisfying California Civil Code Section 1781(b)(3). Federal Rule of Civil Procedure 23(a)(3).
6. Plaintiff is an adequate representative of the Class as her interests do not conflict with the interests of the members of the Class, and she has retained counsel competent and experienced in complex class action litigation, and they intend to vigorously prosecute this action. The interest of members of the Class will be fairly and adequately protected by Plaintiff and counsel.
7. There is no plain, speedy, or adequate remedy other than by maintenance of this class action, making it economically unfeasible to pursue remedies other than a class action. Consequently, there would be a failure of justice but for the maintenance of the present class action.
8. The class action is superior to other available means for fair and efficient adjudication of claims. Individual prosecutions would prove burdensome and expensive given the complex and extensive litigation necessitated by the claims presented. Additionally, it would be virtually impossible for the members of the Class individually to seek redress for wrongs. Even if individual class members could afford individual prosecution, the judicial systems cannot. Individual prosecution presents a potential for inconsistent or contradictory judgments. Individual litigation of the complex legal and factual issues presented increases delay and expense for all parties and the courts. Conversely, class action treatment will result in substantial benefits to the litigants, courts and public by permitting the Court to address and resolve claims based upon a single set of proof in a case where the individual costs of litigation these claims would make class action litigation more economical and cost effective that individual litigation.
9. The prosecution of individual remedies by members of the plaintiff class would tend to establish inconsistent standards of conduct for the defendant and to result in the impairment of class members’ rights and disposition of their interests through actions to which they were not parties.
10. In the alternative, this action is certifiable under the provisions of Rule 23(b)(1)(2) and/or (b)(2) of the Federal Rule of Civil Procedure, which have been found applicable to the State of California, as (a) the prosecution of separate actions by the individual members of the Class would create a risk of inconsistent or varying adjudications with respect to individuals Class members that would establish incompatible standards for Defendant Microsoft; (b) the prosecution of separate actions by individual class members would create a risk of adjudications with respect to Microsoft that would be dispositive of the interests of other Class members not party to the adjudication, or substantially impair or impede such Class members ability to protect their interests; and/or (c) Microsoft has not acted on grounds generally applicable to the Class, making appropriate final declaratory or injunctive relief with respect to the Class as a whole.
FIRST CAUSE OF ACTION
11. Plaintiff hereby incorporates the preceding allegations as though set forth in full.
12. Pursuant to California Business and Professions Code sections 17200 et seq., and the common law of unfair competition, the business practices of defendants, described above, are, and have been, unlawful, unfair and deceptive.
13. Plaintiff, on behalf of himself, and on behalf of the general public, seeks all remedies and relief pursuant to the provisions of Business and Professions Code sections 17200 et seq., including, inter alia, injunctive relief, restitution and the disgorgement of money acquired by means of the unlawful and unfair business practices alleged above.
14. As a result of defendants’ unlawful and unfair business practices, Plaintiff has suffered damages in an amount that will be established during the trial. Plaintiffs will also suffer irreparable harm if defendants’ conduct is not enjoined.
15. Defendant’s conduct is willful, deceptive, and oppressive, thereby entitling Plaintiff to an award of punitive damages.
SECOND CAUSE OF ACTION
(Violation of California’s Consumers’ Legal Remedies Act)
16. Plaintiff hereby incorporates the preceding allegations as though set forth in full.
17. Pursuant to California Consumer’s Legal Remedies Act, Civil Code sections 1750 et seq., to protect consumers against unfair business practices, unfair competition, and false advertising.
19. As a direct and proximate result of the above conduct, Plaintiff has suffered damages. Plaintiffs have not complied with the notice requirements of Civil Code Section 1782, and therefore do not at this time seek damages to this cause of action. Plaintiffs do intend to comply and thereafter amend the Complaint as permitted under Civil Code Section 1782(d).
THIRD CAUSE OF ACTION
(Violation of California Civil Code Section 1798.82 Requiring Notification of Security Breaches Involving Personal Information of California’s Consumers’ Legal Remedies Act)
20. Plaintiff hereby incorporates the preceding allegations as though set forth in full.
21. Section § 1798.82 et seq. of the California Civil Code (California Security Act or “CSA”), requires companies doing business in California to provide notice to California residents of any computer security breach that allowed an unauthorized person to acquire such resident’s personal information. The Act was designed to address the risk of identity theft stemming from the ever-increasing stores of personal information maintained in computer databases.
22. The CSA applies to any person or business that conducts business in California and owns or licenses computerized data that includes unencrypted personal information of California residents. CSA also applies to any business that maintains data. Under CSA, companies are required to notify the owners or licensees of data who are then required to notify affected California residents of a security or data breach.
23. CSA’s disclosure requirements have been triggered as there is a breach of the security of California resident computer systems containing data, and Microsoft has discovered or received notification of such breach, or Microsoft reasonably believes that data has been acquired by an unauthorized person. The Microsoft operating systems have been compromised as set forth above and incorporated herein by this reference. Microsoft has discovered or has knowledge and reasonable belief that unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. 24. CSA requires that disclosure of a date by breach be made in “the most expedient time possible and without unreasonable delay.” CSA requires that Microsoft provide notice by actual notice, in writing or electronically, or by substituted notice via e-mail, web sites and statewide media.
25. CSA provides for private actions for damages and injunctive relief, and plaintiffs seek both compensatory damages and injunctive relief. The remedies sought by plaintiff are both appropriate and necessary to protect the public and to force Microsoft to place a higher priority on informing the public and about their data security.
26. In connection with the sale and license of Microsoft operating systems to plaintiff and the Class, Defendant has violated Civil Code Section 1798.
27. As a direct and proximate result of the above conduct, Plaintiff and the Proposed Class have been injured and suffered damages and are entitled to injunctive relief in order to avoid further injury and damage.
FOURTH CAUSE OF ACTION
28. Plaintiff hereby incorporates the preceding allegations as though set forth in full.
29. An actual controversy exists between plaintiff and defendants concerning their respective rights and duties. Accordingly, Plaintiff and the Class request class-wide equitable relief in the form or a court determination of the rights of Plaintiffs and the Class and the corresponding rights of the Defendant.
30. Plaintiff is informed and believes and on that basis alleges defendant disputes the contentions.
31. A judicial declaration is necessary and appropriate to avoid a multiplicity of actions in the future.
PRAYER FOR RELIEF
WHEREFORE, Individual and Representative Plaintiffs request of this Court the following monetary and declaratory relief for themselves and all others similarly situated.
1. For an order certifying the proposed Class herein under Code of Civil Procedure section 382 and Civil Code section 1781 and appointing Plaintiffs and their undersigned counsel of record to represent the Class;
2. Injunctive relief restraining defendants, their agents, servants, employees, successors and assigns, and all others in concert and privity with them, from violating state laws, and from engaging in unfair and deceptive trade practices;
3. For an order requiring Defendants to provide adequate and effective notice of security threats and breaches pursuant to California Civil Code section 1798;
4. For an order requiring Defendants to restore any money or property that Defendants may have acquired as a result of any act or practice constituting unfair competition under Business & Professions Code section 17200;
5. For any additional orders necessary to restore to the general public any money or property that Defendants may have acquired as a result of any act or practice constituting unfair competition under Business & Professions Code section 17200, including the appouintment of a receiver pursuant to Business & Professions Code section 17203;
4. For distribution of any moneys recovered on behalf of the general public or the class of similarly situated consumers via fluid recovery or cy pres recovery or where necessary to prevent Defendant from retaining the benefits of its wrongful conduct as provided in California v. Levi Strauss & Co. (1986) 41 Cal.3d 460 and People v. Thomas Shelton Powers, M.S. Inc. (19912) 2 Cal.App. 4th 330;
5. For permanent injunctive relief preventing each Defendant from engaging in any act or practice constituting unfair competition under Business & Professions Code section 17200, and requiring each Defendant to take appropriate acts needed to prevent future deception;
6. For compensatory and consequential damages suffered by Plaintiff and the members of the Class, except that no damages are currently sought on Plaintiffs’ Cause of Action pursuant to the Consumers Legal Remedies Act;
7. Exemplary damages, except that no damages are currently sought on Plaintiffs’ Cause of Action pursuant to the Consumers Legal Remedies Act;
8. Restitution and disgorgement of money received by defendants as a result of their wrongful conduct;
9. For Plaintiffs’ Attorneys’ fees;
10. For Pre-judgment interest;
11. For costs of suit;
12. For trial by jury; and
13. And for such other and further legal and equitable relief in favor of Plaintiffs as this Court may deem proper.
Dated: September 30, 2003 LAW OFFICES OF DANA B. TASHCNER
DANA B. TASCHNER
Attorney for Plaintiff and Proposed Class