Privacy.Minded. - Dismissal Of Marriott Data Breach Lawsuit Shows How Plaintiffs Still Face Standing Hurdles In The Post-CCPA Era

January 2021

By: Travis P. Brennan

After the California Consumer Privacy Act (CCPA) took effect on January 1, 2020, a surge of class action lawsuits predicated on alleged CCPA violations hit businesses.  Because of the act’s novelty, it was unclear whether courts would hold to the narrow construction of the CCPA’s private right of action or allow plaintiffs to plead around these statutory restrictions to recover damages. 

Arifur Rahman v. Marriott International, Inc. et al.

The case, Arifur Rahman v. Marriott International, Inc. et al., No.: 8:20-cv-00654, arose from a cybersecurity breach at Marriott after two Marriott employees in Russia allegedly accessed class members’ names, addresses, phone numbers, email addresses, genders, birth dates, and loyalty account numbers without authorization.  The complaint asserted a violation of the CCPA, along with five other causes of action. 

In its motion responding to the complaint, Marriott argued for dismissal on two independent grounds.  First, Marriott argued that plaintiffs had not established standing to sue as required under Article III of the U.S. Constitution, because they had not alleged a concrete injury as a result of the data breach.  Second, Marriott argued that, even if plaintiffs had satisfied the standing requirements, they had not alleged facts that, if proven true, would be legally adequate to establish a CCPA violation and their other causes of action.

The court granted Marriott’s motion and dismissed the complaint based solely on the standing grounds.  In doing so, the court relied on Ninth Circuit precedent that pre-dates the CCPA, holding that the personal information allegedly compromised in the data breach lacked “the degree of sensitivity required by the Ninth Circuit to establish an injury in fact.”  Plaintiffs’ suit failed because, while the data breach undisputedly compromised some categories of personal information, it did not involve the theft of sensitive categories of personal information—such as social security numbers or credit card numbers—necessary to establish an imminent injury, such as the threat of identity theft, to the plaintiffs.  Because the court found that the plaintiffs lacked standing, it decided it “need not consider Defendant’s Rule 12(b)(6) argument” challenging the sufficiency of the plaintiffs’ allegations in each cause of action.

Takeaway

The Marriott case demonstrates how, so far, despite the CCPA’s enactment of a new private right of action and statutory damages, courts in the Ninth Circuit remain a challenging forum for plaintiffs bringing data breach claims under state law due to the constitutional standing requirements unique to federal courts.  We’ll be watching to see whether the plaintiffs appeal this ruling and will report on any further developments of interest.