Dismissal Of Marriott Data Breach Lawsuit Shows How Plaintiffs Still Face Standing Hurdles In The Post-CCPA Era

Stradling Yocca Carlson & Rauth
Contact

Stradling Yocca Carlson & Rauth

After the California Consumer Privacy Act (CCPA) took effect on January 1, 2020, a surge of class action lawsuits predicated on alleged CCPA violations hit businesses.  Because of the act’s novelty, it was unclear whether courts would hold to the narrow construction of the CCPA’s private right of action or allow plaintiffs to plead around these statutory restrictions to recover damages.  Early last year, we discussed how defendants could move to dismiss these claims based on the CCPA’s explicit limitations and that plaintiffs would be facing an uphill battle.

Indeed, defendants have been moving to dismiss on those grounds.  But in at least one case, the court dismissed the complaint without even needing to reach the defendant’s argument that plaintiffs failed to allege a viable CCPA claim.  On January 12, 2021, the federal District Court for the Central District of California granted Marriott International, Inc.’s (“Marriott”) motion to dismiss due to plaintiffs’ lack of standing to sue.  

Arifur Rahman v. Marriott International, Inc. et al.

The case, Arifur Rahman v. Marriott International, Inc. et al., No.: 8:20-cv-00654, arose from a cybersecurity breach at Marriott after two Marriott employees in Russia allegedly accessed class members’ names, addresses, phone numbers, email addresses, genders, birth dates, and loyalty account numbers without authorization.  The complaint asserted a violation of the CCPA, along with five other causes of action. 

In its motion responding to the complaint, Marriott argued for dismissal on two independent grounds.  First, Marriott argued that plaintiffs had not established standing to sue as required under Article III of the U.S. Constitution, because they had not alleged a concrete injury as a result of the data breach.  Second, Marriott argued that, even if plaintiffs had satisfied the standing requirements, they had not alleged facts that, if proven true, would be legally adequate to establish a CCPA violation and their other causes of action.

The court granted Marriott’s motion and dismissed the complaint based solely on the standing grounds.  In doing so, the court relied on Ninth Circuit precedent that pre-dates the CCPA, holding that the personal information allegedly compromised in the data breach lacked “the degree of sensitivity required by the Ninth Circuit to establish an injury in fact.”  Plaintiffs’ suit failed because, while the data breach undisputedly compromised some categories of personal information, it did not involve the theft of sensitive categories of personal information—such as social security numbers or credit card numbers—necessary to establish an imminent injury, such as the threat of identity theft, to the plaintiff.  Because the court found that the plaintiffs lacked standing, it decided it “need not consider Defendant’s Rule 12(b)(6) argument” challenging the sufficiency of the plaintiff’s allegations in each cause of action.

Takeaway

The Marriott case demonstrates how, so far, despite the CCPA’s enactment of a new private right of action and statutory damages, courts in the Ninth Circuit remain a challenging forum for plaintiffs bringing data breach claims under state law due to the constitutional standing requirements unique to federal courts.  We’ll be watching to see whether the plaintiffs appeal this ruling and will report on any further developments of interest.  

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Stradling Yocca Carlson & Rauth | Attorney Advertising

Written by:

Stradling Yocca Carlson & Rauth
Contact
more
less

Stradling Yocca Carlson & Rauth on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.