River City Media, LLC
Plaintiff ……………………., individually for his Complaint against Defendant River City
Media. LLC allege as follows:
1. River City Media (RCM) is a Wyoming corporation that engages in internet-based
marketing, its principal place of business is Liberty Lake, Washington. For purpose of
this claim the address being 812 SW Washington St., Ste 500 Portland, OR 97205
2. In a press release in March 10, 2017 RCM dismissed the data breach claims that had been
reporting by numerous individuals including the information published by Chris Vickery,
Mackeeper.com, Steve Ragan and CXO Media, Inc. terming them false and defamatory
3. RCM failed to protect Plaintiff’s personal information including name, address, telephone
number, email address, and password.
4. Since the data breach occurred, the Plaintiff as a customer of RCM have been exposed to
identity theft and subjected to resulting economic loss. The plaintiff has and will incur
costs to mitigate the risk of the data breach, such as paying for email and other social
websites monitoring services. Regardless of whether the Plaintiff is yet to incur out-of-
pocket losses from the personal information that was stolen subject to a pervasive,
substantial and imminent risk of identity theft and fraud.
5. The suit is brought by the Plaintiff because of being victimized by the RCM data breach
to redress the damage that have been suffered and to obtain appropriate equitable relief to
mitigate the risk that RCM will allow another breach in the future. Plaintiff asserts claims
for RCM’s negligence, negligence per se, and violations of state consumer protection
1. This Court has subject-matter jurisdiction pursuant to …………………………
2. Venue is proper in this District pursuant to 28 U.S.C. § 1391 because a substantial part of
the events or omissions giving rise to the claims occurred in this District and RCM does
business in this District and is therefore subject to personal jurisdiction in this District.
3. Plaintiff……………………………….is a resident and citizen of the District of Columbia
(………..County) whose personal information was compromised in the Defendant RCM
data beach. The Plaintiff through news outlets got information that on or about January
27, 2019 RCM that Network systems had been compromised. Plaintiff has and will spend
time and money employing online monitoring services and putting freezes in place to
mitigate possible arm. In addition, as a result of the breach, Plaintiff will spend time and
effort making multiple telephone calls to his bank and any other relevant authorities,
monitoring his financial accounts and any other relevant online accounts, searching for
fraudulent activity, and reviewing his credit reports. Plaintiff would not have engaged in
a business relationship with RCM had he known of its inadequate data security practices.
Given the nature of the information stolen, Plaintiff remains at a substantial and imminent
risk of future harm.
4. On or about January 27, 2079, a suspicious IP address logged into RCM’s systems.
5. On or about January 28, 2017, a then-unknown threat agent connected to one of River
City’s servers. This threat agent spent several days inside the server, learning as much as
it could about River City Media’s network before ultimately using that information to
compromise additional River City computer systems. This particular server was used to
monitor River City Media’s network for possible irregularities and intruders. By
purposefully attacking and compromising this server, the threat agent effectively
hamstrung River City Media’s ability to detect and stop their cyberattack.
6. The threat agent accessed and destroyed data on River City Media’s server that stored
records of River City Media’s network topology. Without this “map” of its network,
River City lost the ability to manage its own systems, causing severe service disruptions
and making recovery of River City’s network much more difficult.
7. Further, the threat agent accessed the “rcm dev” system using cryptographically-secured
credentials that could only have been obtained from the prior illegal access. Once the
threat agent gained access to River City’s systems, it located and used River City Media’s
credentials for its (1) company email accounts; (2) its Dropbox.com account; (3) its
accounts for affiliate networks; (4) its PayPal accounts; (5) its Hipchap accounts; (6) its
email service provider accounts; and (7) its Github accounts. While none of these
accounts were exposed to the public, they all were accessed by the threat agent without
8. The threat agent also used River City Media’s PayPal account to make unauthorized
purchases at http://www.alphames.com, a domain registrar. The unauthorized activity
was traced to mailto:email@example.com. The threat agent also used the data
they obtained to log in to River City’s email service provider accounts to draft and send
9. In March, 2017, Chris Vickery posted a story titled: “Spammergate: The Fall of an
Empire.” Also around this same time, Steve Ragan posted a story titled: “Spammers
expose their entire operation through bad backups.” These articles indicate that RCM
operated an illegal/criminal spam operation that allegedly used “illegal hacking”
techniques to send “up to a billion daily emails.”
E. CAUSE OF ACTION
10. Plaintiff realleges and incorporates the foregoing allegations as if fully set forth herein.
11. Defendant owed a duty to Plaintiff to exercise reasonable care in obtaining, retaining,
securing, safeguarding, deleting, and protecting Personal Information in its possession
from being compromises, lost, stolen, accessed and misused by unauthorized persons.
More specifically, this duty included, among other things; (a) designing, maintaining, and
testing its security systems to ensure that Plaintiff’s Personal Information in its
possession was adequately secured and protected; (b) implementing processes that would
detect a breach of its security system in a timely manner; (c) timely acting upon warning
and alerts, including those generated by its own security systems, regarding intrusions to
its networks; and (d) maintaining data security measures consistent with current
technology and industry standards.
12. Defendant’s duty to use reasonable care arose from several sources. Defendant had a
common law duty to prevent foreseeable harm to others. This duty existed because
Plaintiff was the foreseeable and probable victim of any inadequate security practices. In
fact, not only was it foreseeable that Plaintiff would be harmed by the failure to protect
their Personal Information because hackers routinely attempt to steal such information
and use it for nefarious purposes, Defendant knew that it was more likely than not
Plaintiff would be harmed.
13. Defendant’s duty also arose under Section 5 of the Federal Trade Commission Act (“FTC
Act”), 15 U.S.C. § 45, which prohibits “unfair…practices in or affecting commerce,”
including, as interpreted and enforced by the FTC, the unfair practices of failing to use
reasonable measures to protect Personal Information by companies such as Defendant.
Various FTC publications and data security breach orders further from the basis of
Defendant’s duty. In addition, individual states have enacted statutes based upon the FTC
Act that also created a duty.
14. Further, Defendant’s duty also arose under The Controlling the Assault of Non-Solicited
Pornography and Marketing Act of 2003, 15 U.S.C. Ch. 103a statute that established the
United States' first national standards for the sending of commercial e-mail and requires
the Federal Trade Commission to enforce its provisions.
15. Notification of the data breach was required, appropriate and necessary so that, among
other things, Plaintiff could take appropriate measures to freeze or delete their profiles,
avoid unauthorized access and use of their personal information, cancel or change
username and password, and take other steps to mitigate or ameliorate the damages
caused by Defendant’s misconduct.
16. Defendant breached the duties it owed to Plaintiff described above and this was
17. But for Defendant’s wrongful and negligent breach of its duties owed to Plaintiff the
Personal Information would not have been compromised.
18. As a direct and proximate result of Defendant’s negligence, Plaintiff has been injured as
described herein, and is entitled to damages, including compensatory, punitive, and
nominal damages, in an amount to be proven at trial. Plaintiff’s injuries include:
a. Theft of Personal Information;
b. costs associated with the detection and prevention of identity theft and unauthorized
use of the accounts compromised;
c. costs associated with purchasing monitoring and identity theft protection services;
d. continued risk of exposure to hackers and thieves of Personal Information, which
remains in Defendant’s possession and is subject to further breaches so long as
Defendant fails to undertake appropriate and adequate measures to protect Plaintiff.
F. THE RELIEF
19. In the view of the foregoing, the Plaintiff pray to this Honourable Court to grant the
i) A declaration that the Defendant owed the Plaintiff a duty of care;
ii) The Defendant breached that duty of care;
iii) The Plaintiff suffered injury for such breach of duty of care;
iv) An order directing the Defendant to pay the Plaintiff a sum of $10,000 as