Court Dismisses Marriott Data Breach Suit For Lack of Standing

On Wednesday, Judge Paul W. Grimm of the District of Maryland issued an order and opinion granting Marriott International, Inc.’s (Marriott) motion to dismiss a putative class-action lawsuit following a data breach of Marriott that occurred in early 2020.

The plaintiffs filed the class-action complaint in April over Marriott’s data breach, which was disclosed in late March 2020 and affected approximately 5.2 million guests. Allegedly, the data breach caused guests’ information to be improperly accessed, this information included various contact details, loyalty account information, and additional personal information. 

The plaintiffs alleged that their personally identifying information was accessed without authorization. Marriott was accused of negligence, negligence per se, breach of contract, breach of implied contract, breach of confidence, and deceptive and unfair trade practices. In August, Marriott moved to dismiss the complaint alleging that the plaintiffs lacked standing and failed to adequately plead their causes of action.

The court noted that in order to “establish standing, a plaintiff must have ‘suffered an injury in fact, that is fairly traceable to the challenged conduct of the defendant, and that is likely to be redressed by a favorable decision.’” The court stated that it is focusing on the second requirement, which will require the plaintiffs to “allege facts for the Court to plausibly infer that the unauthorized access of Plaintiffs’ (personal identifying information) by an unspecified bad actor or actors using Marriott employee credentials is fairly traceable to Marriott’s conduct.”

The court stated that the plaintiffs attempted to plead this requirement by “alleging that the data breach and their injuries are a result of ‘Marriott’s failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect its guests’ (personal information).” However, the court found the allegations to be “conclusory and not entitled to be assumed true.” The court added that the plaintiffs “fail to allege any facts describing Marriott’s cybersecurity or steps that it could have or should have taken to prevent this data breach.” As a result, the court found that the plaintiffs failed to sufficiently allege that their injuries are fairly traceable to Marriott’s conduct, not injuries resulting from the actions of a third party. 

The court pointed out that this suit against Marriott is different from another Marriott data breach suit pending before the court where hackers had access to Starwood Hotels and Resorts’ guest information database for four years. The judge stated that the plaintiffs in the Starwood suit alleged that “reasonable due diligence would have uncovered the breach, and that Marriott failed to act on several cybersecurity assessments regarding deficiencies in Starwood’s systems.” The court added that these allegations “created a plausible connection between the consumer plaintiffs alleged injuries and specific actions and failures of Marriott,” unlike the allegations in the instant action.

As a result, because of the plaintiffs’ failure to satisfy this requirement, the court concluded that their claims must be dismissed for lack of standing. The court added that it is dismissing the suit with prejudice because the plaintiffs already amended their complaint, but have still failed to satisfy these deficiencies, so, according to the court, another amendment would be futile.

The plaintiffs are represented by Murphy, Falcon & Murphy; Morgan & Morgan Complex Litigation Group; Lockridge Grindal Nauen; Glancy, Pongay & Murray; and Tostrud Law Group. Marriott is represented by Jenner & Block.