On February 21, the District of Maryland held that consumers had standing to assert claims arising from the historic data breach that hit Marriott in 2018, but the court dismissed the plaintiffs’ claim for negligence under Illinois law. The court declined to dismiss the remaining tort, contract, and statutory claims.
- In November 2018, Marriott announced that it had been the target of one of the largest-ever data breaches, in which hackers gained access to Starwood’s guest information database. Over four years, hackers allegedly stole contact information and even passport numbers from guests in the database.
- Shortly after the breach was announced, consumers who had provided their personal information to Marriott filed a putative class action against the hotel chain under theories of tort, contract, and breach of statutory duties. The plaintiffs claimed Marriott failed to take reasonable steps to protect their personal information against the foreseeable risk of a cyber-attack.
- Marriott moved to dismiss under Fed. R. Civ. P. 12(b)(1) and 12(b)(6), arguing, among other things, that most of the plaintiffs lacked standing because they did not allege that their information had been misused. The court disagreed.
- The court held that the plaintiffs adequately alleged an injury-in-fact for purposes of standing. The court explained that the fact that the plaintiffs’ personal information was targeted for misuse created a non-speculative, imminent threat of identity theft. For that reason, the plaintiffs’ allegations that they were forced to spend time and money to mitigate that harm also established a concrete injury-in-fact.
- The court further held that a loss in the value of the plaintiffs’ personal information could satisfy the injury-in-fact requirement for Article III standing, as could allegations that the plaintiffs did not receive the benefit of their bargain—which included data security.
- The court also rejected Marriott’s traceability arguments, concluding it was premature to dismiss the plaintiffs’ claims on this basis.
- The court did, however, dismiss the plaintiffs’ negligence claim under Illinois law, concluding that Illinois law did not impose on Marriott a legal duty to plaintiffs to protect their personal information.
- The court denied Marriott’s motion to dismiss the remaining claims, including negligence claims under Florida and Georgia law, breach of contract claims, and statutory claims.
The case is In re: Marriott Int’l, Inc., Customer Data Security Breach Litig., MDL No. 19-md-2879.