GitHub and OpenAI Accused of Negligent Handling of Personal Data

VIII. CLAIMS FOR RELIEF

COUNT X

NEGLIGENCE—NEGLIGENT HANDLING OF PERSONAL DATA

Common Law

(GitHub and OpenAI)

230. Plaintiffs and the Class hereby repeat and incorporate by reference each preceding and succeeding paragraph as though fully set forth herein.

231. GitHub and OpenAI owed a duty of reasonable care toward Plaintiffs and the Class based upon GitHub’s and OpenAI’s relationship to them. This duty is based upon GitHub’s and OpenAI’s contractual obligations, custom and practice, right to control information in its possession, exercise of control over the information in its possession, authority to control the information in its possession, and the commission of affirmative acts that resulted in said harms and losses. Additionally, this duty is based on the requirements of California Civil Code section 1714 requiring all “persons,” including GitHub and OpenAI, to act in a reasonable manner toward others. This duty is also based on the specific statutory duties imposed on GitHub and OpenAI under California Civil Code sections 1798.100, et seq., as businesses operating in the State of California that either have annual operating revenue above $25 million, collect the personal information of 50,000 or more California residents annually, or derive at least 50 percent of their annual revenue from the sale of personal information of California residents.

232. GitHub and OpenAI breached their duties by negligently, carelessly, and recklessly collecting, maintaining, and controlling their customers’ sensitive personal information and engineering, designing, maintaining, and controlling systems—including Copilot—that exposed and continue to expose their customers’ sensitive personal information of which GitHub and OpenAI had control and possession to the risk of exposure to unauthorized persons.

233. GitHub and OpenAI also committed per se breaches of said duty by negligently violating the dictates of California Civil Code sections 1798.82, et seq., and 1798.100, et seq., and the provisions of the California Constitution enshrining the right to privacy, by failing to inform Plaintiffs and the Class of the access to their sensitive personal information by unauthorized persons expeditiously and without delay and failing to adequately safeguard this information from unauthorized access even after GitHub and OpenAI became aware of multiple instances of release of this information by Copilot. The provisions of the California Civil Code and the California Constitution that GitHub and OpenAI violated were enacted to protect the class of Plaintiffs here involved from the type of injury here incurred, namely their right to privacy and the protection of their personal data. Plaintiffs and the Class were within the class of persons and consumers who were intended to be protected by California Civil Code sections 1798.82, et seq., and 1798.100*, et seq.*

234. As a direct consequence of the actions described herein, and the breaches of duties indicated thereby, unauthorized users gained access to, exfiltrated, stole, and gained disclosure of the sensitive personal information of Plaintiffs and the Class, causing them harms and losses including but not limited to economic loss, the loss of control over the use of their identity, harm to their constitutional right to privacy, lost time dedicated to cure harm to their privacy, the need for future expenses and time dedicated to the recovery and protection of further loss, and privacy injuries associated with having their sensitive personal and financial information disclosed.