In what appears to be a growing trend, another federal district court has dismissed a data breach case for lack of standing. In Springmeyer et al. v. Marriott International, Inc., 2021 WL 809894 (D. Md.), Plaintiffs, former guests of Marriott hotels, sued Marriott in connection with a data breach affecting over 5 million guests. Marriott moved to dismiss Plaintiff’s complaint for lack of standing and failure to state a claim. The Court dismissed Plaintiff’s claims for lack of standing, holding that Plaintiffs failed to plausibly allege that their alleged injuries were fairly traceable to Marriott’s conduct—an essential element of standing.
When “the actions of a third party are involved,” Article III requires a plaintiff to allege his injury “can be traced to the challenged action of the defendant” rather than “from the independent action of some third party not before the court.” Id. at *2. According to the Court, this meant Plaintiffs “must allege facts for the Court to plausibly infer that the unauthorized access of [the Plaintiffs’ personal information] by an unspecified bad actor or actors” is fairly traceable to Marriott’s conduct. Id. at *3. Plaintiffs attempted to meet their burden by alleging that that their injuries resulted from “Marriott’s failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect its guests’” personal information, but those allegations were entirely conclusory. Id. Plaintiffs did not, for example, “allege any facts about what measures Marriott did or did not take to protect PII, what alleged inadequacies in its systems it should have disclosed, what ‘standard and reasonably available steps’ existed that Marriott did not take, how Marriott failed to detect the data breach, or why it did not provide timely and accurate notice of the breach.” Id. In other words, Plaintiff’s allegations created no “plausible connection” between Plaintiffs’ alleged injuries and Marriott’s alleged security deficiencies. Id. at *4. As a result, the Court held that Plaintiffs’ alleged injuries were not fairly traceable to Marriott and dismissed the complaint with prejudice for lack of Article III standing.
