The Central District Court of California Grants Marriott International’s Motion to Dismiss in Data Breach Suit

By Rahul Mukhi & Lilianna Rembar on January 27, 2021

Posted in Breach Notifications, Cybersecurity, Litigation, Privacy

On January 12, 2021, the United States District Court for the Central District of California granted Marriott’s motion to dismiss in Arifur Rahman v. Marriott International, Inc. et al^[1], a class action filed against the company following its disclosure of a data breach in March 2020. The court held that Plaintiff lacked standing to sue, breathing life into a defense that has been unsuccessful in several recent cases.

Background

The litigation against Marriott stemmed from its announcement that two employees of a Marriott franchise in Russia accessed personal information of 5.2 million guests. The company further acknowledged that the compromised information included names, addresses, emails, phone numbers, and other personal details such as birth dates. In April 2020, Plaintiff Arifur Rahman (“Plaintiff”), on behalf of a class, alleged six causes of action against Marriott International (“Defendant”): (1) negligence; (2) violation of the California Consumer Privacy Act; (3) breach of contract; (4) breach of implied contract; (5) unjust enrichment; and (6) violation of the California Unfair Competition Law.

The C.D. Cal. Decision

On Marriott’s motion to dismiss, the court agreed with the company that the information obtained in the data breach was not “sensitive” enough to establish an injury for federal standing purposes. Ninth Circuit precedent requires “sensitivity of the personal information, combined with its theft” to find that an injury has occurred.^[2] Other California district courts have further stated that if no “information such as social security numbers, account numbers, or credit card numbers” was compromised there is no injury^[3] and that the compromised information must include “social security numbers, or similarly sensitive financial or account information” for there to be an injury.^[4] While Marriott acknowledged that certain personal information was accessed, the court emphasized that it was all publicly available information. No sensitive information, such as social security numbers or credit card information, was breached.

Plaintiff argued that the hacked information does not need to be sensitive to establish standing, and even if it does, it was possible that the Marriott breach contained yet to be discovered sensitive information. The court rejected this argument, noting that Marriott’s investigation into the breach had already concluded and it found no evidence of compromised sensitive information.

Plaintiff also argued that even with the lack of social security and credit card numbers in the breach, the information could still be sensitive, citing Adkins v. Facebook Inc.^[5] to support this proposition. However, the court distinguished Adkins on the grounds that that case involved sensitive information not present in the Marriott incident—namely, social media data, which included personal details such as employment information, educational background, relationship status, and religion, among other information.

The court was further unpersuaded that the value of Plaintiff’s personal information decreased due to the breach, such that Plaintiff could claim injury based on mitigation costs.

Implications

The court’s decision will potentially lead to additional traction for defendants seeking to dismiss data breach litigation on standing grounds. In another case pending against Marriott in the District Court of Maryland, based on compromised personal information of up to 383 million Starwood guests,^[6] Marriott urged the Maryland court to dismiss the suit, arguing that it is a “carbon copy” of the California suit^[7]—just one week after the decision by the Court for the Central District of California. While the Maryland District Court has yet to rule on Marriott’s argument, it is possible that the California decision will serve as persuasive authority in that case and others.

[1] No. 8:20-cv-00654 (C.D. Cal. Jan. 12, 2021).

[2] In re Zappos.com, Inc., No. 2357, 2016 WL 2637810 (D. Nev. May 6, 2016), rev’d on other grounds, 888 F.3d 1020 (9th Cir. 2018), cert. denied, 139 S. Ct. 1373 (2019).

[3] Antman v. Uber Technologies, Inc., No. 15-CV-01175, 2018 WL 2151231 at *10 (N.D. Cal. May 10, 2018).

[4] Stasi v. Inmediata Health Grp. Corp., No. 19-CV-2353, 2020 WL 2126317 at *5 (S.D. Cal. May 5, 2020).

[5] 424 F. Supp. 3d 686 (N.D. Cal 2019).

[6] https://www.law360.com/articles/1246240/marriott-can-t-duck-hotel-guests-data-breach-claims

[7] https://www.law360.com/cybersecurity-privacy/articles/1346438/marriott-looks-to-toss-md-breach-suit-after-calif-ruling