On March 3, 2021, the U.S. District Court for the District of Maryland dismissed a data breach suit with prejudice against the global hotel chain Marriott International, Inc., after finding that the plaintiffs, former guests of the hotel, had failed to allege sufficient facts to support standing. In February 2020, Marriott announced that it had suffered a data breach in early 2020 that had compromised personal identifying information (“PII”) of approximately 5.2 million of its guests. Plaintiffs alleged that because Marriott had failed to implement appropriate safeguards to protect its guests’ PII, the hotel chain’s inadequate cybersecurity practices were responsible for both the breach and plaintiffs’ harm.
The court dismissed plaintiffs’ claims for lack of standing, finding that plaintiffs had failed to adequately plead that their alleged injuries were traceable to Marriott’s cybersecurity practices. The court distinguished plaintiffs’ allegations from those made by the consumer-plaintiffs in a separate class action suit against Marriott involving a different data breach that is pending before the same court. In that case, the plaintiffs alleged with specificity that Marriott failed to conduct sufficient due diligence on the guest information systems of another hotel chain that Marriott was in the process of acquiring when the hack occurred. The plaintiffs tied Marriott’s due diligence failure to their claim of harm by alleging that, had Marriott conducted reasonable due diligence and acted on multiple cybersecurity assessments regarding deficiencies in the hacked systems, it would have uncovered the ongoing breach. According to the court, these allegations created a sufficiently plausible connection between plaintiffs’ injuries and Marriott’s specific actions and inactions to establish standing. By contrast, the current plaintiffs merely asserted that Marriott “fail[ed] to implement adequate and reasonable cyber-security procedures and protocols necessary to protect its guests’ PII,” without offering any factual support for such conclusions. As a result, the court held that the plaintiffs failed to allege that their injuries were fairly traceable to defendants’ conduct, and therefore lacked standing.