• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to secondary sidebar

Alston & Bird Privacy, Cyber & Data Strategy Blog

  • Home
  • Services
  • Events
  • Contacts

Another Court Dismisses Data Breach Class Action Lawsuit for Lack of Standing

March 12, 2021 By Donald Houser, Shifali Baliga and Noelle Reyes

In what appears to be a growing trend, another federal district court has dismissed a data breach case for lack of standing. In Springmeyer et al. v. Marriott International, Inc., 2021 WL 809894 (D. Md.), Plaintiffs, former guests of Marriott hotels, sued Marriott in connection with a data breach affecting over 5 million guests. Marriott moved to dismiss Plaintiff’s complaint for lack of standing and failure to state a claim. The Court dismissed Plaintiff’s claims for lack of standing, holding that Plaintiffs failed to plausibly allege that their alleged injuries were fairly traceable to Marriott’s conduct—an essential element of standing.

When “the actions of a third party are involved,” Article III requires a plaintiff to allege his injury “can be traced to the challenged action of the defendant” rather than “from the independent action of some third party not before the court.”  Id. at *2.  According to the Court, this meant Plaintiffs “must allege facts for the Court to plausibly infer that the unauthorized access of [the Plaintiffs’ personal information] by an unspecified bad actor or actors” is fairly traceable to Marriott’s conduct.  Id. at *3.  Plaintiffs attempted to meet their burden by alleging that that their injuries resulted from “Marriott’s failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect its guests’” personal information, but those allegations were entirely conclusory.  Id.  Plaintiffs did not, for example, “allege any facts about what measures Marriott did or did not take to protect PII, what alleged inadequacies in its systems it should have disclosed, what ‘standard and reasonably available steps’ existed that Marriott did not take, how Marriott failed to detect the data breach, or why it did not provide timely and accurate notice of the breach.”   Id.  In other words, Plaintiff’s allegations created no “plausible connection” between Plaintiffs’ alleged injuries and Marriott’s alleged security deficiencies.  Id.  at *4.  As a result, the Court held that Plaintiffs’ alleged injuries were not fairly traceable to Marriott and dismissed the complaint with prejudice for lack of Article III standing.

Filed Under: Data Breach, Data Breach Litigation Tagged With: Identity Theft

About Donald Houser

Donald Houser is a partner in Alston & Bird’s Litigation & Trial Practice Group and represents clients in a variety of industries in complex litigation matters, with a particular focus on privacy and antitrust litigation.

[Read Bio]

About Shifali Baliga

Shifali Baliga is a senior associate in Alston & Bird’s Litigation & Trial Practice Group. Shifali concentrates her practice in complex commercial litigation and internal investigations.

[Read Bio]

About Noelle Reyes

Noelle Reyes is an associate with Alston & Bird’s Litigation & Trial Practice Group. Noelle gained experience in the technology and privacy space as a legal and compliance intern at a multinational telecommunications and information technology corporation where she analyzed new agreements for risk assessment in consideration to block chain technology and data privacy regulation.

[Read Bio]

Primary Sidebar

This blog is a service of Alston & Bird’s Privacy, Cyber & Data Strategy team and focuses on key data privacy and data security issues.


Receive email notifications when new posts are added.

Receive email notifications when new posts are added.


THE DIGITAL DOWNLOAD
Click here to see the editions

PRIVACY & CYBER EVENTS
Click here to see upcoming and past events

PRIVACY & CYBER MAILINGS
Click here to sign up

@ALSTONPRIVACY
Click here to follow us on Twitter

Secondary Sidebar

Categories

Recent Posts

  • NYDFS Announces Cybersecurity Settlement, Addresses Multi-Factor Authentication Rules
  • The GDPR Reaches the US Supreme Court in Cert Petition
  • Another Court Dismisses Data Breach Class Action Lawsuit for Lack of Standing
  • NYDFS Reports Major Cybersecurity Settlement
  • Virginia Becomes First State with Comprehensive Privacy Law after CCPA
Copyright © 2021 · Alston & Bird · All Rights Reserved. Privacy.