Alston & Bird Privacy, Cyber & Data Strategy Blog

Another Court Dismisses Data Breach Class Action Lawsuit for Lack of Standing

By , and

In what appears to be a growing trend, another federal district court has dismissed a data breach case for lack of standing. In Springmeyer et al. v. Marriott International, Inc., 2021 WL 809894 (D. Md.), Plaintiffs, former guests of Marriott hotels, sued Marriott in connection with a data breach affecting over 5 million guests. Marriott moved to dismiss Plaintiff’s complaint for lack of standing and failure to state a claim. The Court dismissed Plaintiff’s claims for lack of standing, holding that Plaintiffs failed to plausibly allege that their alleged injuries were fairly traceable to Marriott’s conduct—an essential element of standing.

When “the actions of a third party are involved,” Article III requires a plaintiff to allege his injury “can be traced to the challenged action of the defendant” rather than “from the independent action of some third party not before the court.”  Id. at *2.  According to the Court, this meant Plaintiffs “must allege facts for the Court to plausibly infer that the unauthorized access of [the Plaintiffs’ personal information] by an unspecified bad actor or actors” is fairly traceable to Marriott’s conduct.  Id. at *3.  Plaintiffs attempted to meet their burden by alleging that that their injuries resulted from “Marriott’s failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect its guests’” personal information, but those allegations were entirely conclusory.  Id.  Plaintiffs did not, for example, “allege any facts about what measures Marriott did or did not take to protect PII, what alleged inadequacies in its systems it should have disclosed, what ‘standard and reasonably available steps’ existed that Marriott did not take, how Marriott failed to detect the data breach, or why it did not provide timely and accurate notice of the breach.”   Id.  In other words, Plaintiff’s allegations created no “plausible connection” between Plaintiffs’ alleged injuries and Marriott’s alleged security deficiencies.  Id.  at *4.  As a result, the Court held that Plaintiffs’ alleged injuries were not fairly traceable to Marriott and dismissed the complaint with prejudice for lack of Article III standing.

About Donald Houser

Donald Houser is a partner in Alston & Bird’s Litigation & Trial Practice Group and represents clients in a variety of industries in complex litigation matters, with a particular focus on privacy and antitrust litigation.

[Read Bio]

About Shifali Baliga

Shifali Baliga is a senior associate in Alston & Bird’s Litigation & Trial Practice Group. Shifali concentrates her practice in complex commercial litigation and internal investigations.

[Read Bio]

About Noelle Reyes

Noelle Reyes is an associate with Alston & Bird’s Litigation & Trial Practice Group. Noelle gained experience in the technology and privacy space as a legal and compliance intern at a multinational telecommunications and information technology corporation where she analyzed new agreements for risk assessment in consideration to block chain technology and data privacy regulation.

[Read Bio]