“Not until roughly three months after it claims to have discovered the data breach did defendant begin sending the notice to persons whose [personal identifying information] defendant confirmed was potentially compromised,” the complaint said. “The notice lacked sufficient information on how the breach occurred, what safeguards have been taken since then to safeguard further attacks, and/or where the information hacked exists today.”