Marriott recently won dismissal of a proposed class action data breach lawsuit alleging several violations, including a violation of the California Consumer Privacy Act (CCPA). The case, Arifur Rahman v. Marriott International, Inc. et al., Case No.: 8:20-cv-00654, was dismissed in an Order by U.S. District Court Judge David O. Carter on January 12, 2021.

The Plaintiff in the lawsuit alleged that he was a member of a “class that were victims of a cybersecurity breach at Marriott when to employees of a Marriott franchise in Russia accessed class members’ names, addresses, phone numbers, email addresses, genders, birth dates, and loyalty account numbers without authorization.” Marriott admitted there was a breach, sent letters to affected individuals, and confirmed that no sensitive information, such as social security numbers, credit card information, or passwords, was compromised.

The matter was dismissed, as the Court found that it lacked subject matter jurisdiction as the Plaintiff lacked standing to sue. The Court was clear that in the 9th Circuit, the sensitivity of the personal information, combined with its theft, are prerequisites to finding that plaintiffs alleged injury in fact. Injury in fact is one of the three elements necessary to support Article III standing.

The data breach in this case affected approximately 5.2 million Marriott customers, but the information accessed by hackers was not “sensitive information,” which was a required element to be able to continue the lawsuit.

Photo of Deborah George Deborah George

Deborah George is a member of Robinson+Cole’s Business Litigation Group as well as its Data Privacy + Cybersecurity Team. Ms. George advises clients on and focuses her practice on data privacy and security, cybersecurity, and compliance with related state and federal laws. She…

Deborah George is a member of Robinson+Cole’s Business Litigation Group as well as its Data Privacy + Cybersecurity Team. Ms. George advises clients on and focuses her practice on data privacy and security, cybersecurity, and compliance with related state and federal laws. She also has experience providing counsel in civil litigation and employment law matters. She has significant experience offering advice and counsel on legal issues related to human services agencies, including Medicaid, as well as drafting and reviewing contracts, business associate agreements, and data use agreements. Read her full rc.com bio here.