The question of standing has proven to be a tricky one in data breach litigation.  (See our prior coverage here and here).  Last week a federal district court in Maryland rejected a proposed class action brought by Marriott guests related to a data breach suffered by the hotel chain in early 2020, finding that the plaintiffs did not have Article III standing because they could not trace any alleged injury to particular actions or inactions by Marriott.  This decision is an important reminder that the fact of a breach is not itself sufficient to confer standing, even where personal data is improperly accessed. In other words, even though a company that had your data suffered a data breach, you may not have been injured by its actions.

In Springmeyer v. Marriott, plaintiffs Pati Springmeyer and Joe Lopez sought to represent a class of hotel guests whose information had been improperly accessed after the login credentials of two Marriott employees were compromised.  Marriott had informed its customers that the information accessed may have included guests’ names, addresses, phone numbers, email addresses, genders, birth dates and loyalty account numbers, but did not include more sensitive information like social security or credit card numbers. Plaintiffs alleged that since the data breach, they had each spent time monitoring their accounts to protect the integrity of their personally identifiable information (PII) and to detect and prevent any misuse of their PII, and that the data breach and their alleged damages were the result of Marriott’s failure to implement appropriate safeguards for its guests’ PII.  The plaintiffs’ Amended Complaint contained eleven claims, including claims for negligence, breach of contract, and violations of various state consumer protection statutes, and a declaratory judgment. 

Marriott moved to dismiss, arguing that the plaintiffs lacked Article III standing and that the conclusory allegations failed to state a legally-cognizable claim.  The Court granted the motion to dismiss – with prejudice – based on the former grounds.  The court focused on one part of the standing analysis: whether the alleged injury is fairly traceable to the challenged conduct of the defendant.  The plaintiffs alleged that the data breach and their injuries were a result of “Marriott’s failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect its guests’ PII.”  But the court found these allegations too conclusory, and pointed out that the plaintiffs had failed to allege any facts describing Marriott’s cybersecurity or steps that it could or should have taken to prevent this data breach.  The court dismissed the action with prejudice because plaintiffs had already had one opportunity to amend the complaint.

In a world where data breaches are not a question of if but when, the court in this case correctly recognized that the fact of a data breach alone did not mean Marriott had taken any actions or inactions which were traceable to any injuries alleged by the plaintiffs.  The Marriott decision reinforces the important rule that plaintiffs suing in the wake of a data breach must have some basis for saying they were harmed by something the defendant actually did or failed to do—it’s not enough just to say a data breach occurred.  Fortunately for both Marriott and its customers, this breach did not involve the most sensitive information like credit card numbers, which may have been a silent factor in the court’s decision.  We’ll continue to monitor the case law surrounding Article III standing in this context.