Skip to content

Menu

LexBlog, Inc. logo
NetworkSub-MenuBrowse by SubjectBrowse by PublisherJoin the NetworkGet StartedSubscribeSupport
Contact Us
Search
Close

The Central District Court of California Grants Marriott International’s Motion to Dismiss in Data Breach Suit

By Rahul Mukhi & Lilianna (Anna) Rembar on January 27, 2021
Email this postTweet this postLike this postShare this post on LinkedIn

On January 12, 2021, the United States District Court for the Central District of California granted Marriott’s motion to dismiss in Arifur Rahman v. Marriott International, Inc. et al[1], a class action filed against the company following its disclosure of a data breach in March 2020.  The court held that Plaintiff lacked standing to sue, breathing life into a defense that has been unsuccessful in several recent cases.

Background

The litigation against Marriott stemmed from its announcement that two employees of a Marriott franchise in Russia accessed personal information of 5.2 million guests.  The company further acknowledged that the compromised information included names, addresses, emails, phone numbers, and other personal details such as birth dates.  In April 2020, Plaintiff Arifur Rahman (“Plaintiff”), on behalf of a class, alleged six causes of action against Marriott International (“Defendant”): (1) negligence; (2) violation of the California Consumer Privacy Act; (3) breach of contract; (4) breach of implied contract; (5) unjust enrichment; and (6) violation of the California Unfair Competition Law.

The C.D. Cal. Decision

On Marriott’s motion to dismiss, the court agreed with the company that the information obtained in the data breach was not “sensitive” enough to establish an injury for federal standing purposes.  Ninth Circuit precedent requires “sensitivity of the personal information, combined with its theft” to find that an injury has occurred.[2]  Other California district courts have further stated that if no “information such as social security numbers, account numbers, or credit card numbers” was compromised there is no injury[3] and that the compromised information must include “social security numbers, or similarly sensitive financial or account information” for there to be an injury.[4]  While Marriott acknowledged that certain personal information was accessed, the court emphasized that it was all publicly available information.  No sensitive information, such as social security numbers or credit card information, was breached.

Plaintiff argued that the hacked information does not need to be sensitive to establish standing, and even if it does, it was possible that the Marriott breach contained yet to be discovered sensitive information.  The court rejected this argument, noting that Marriott’s investigation into the breach had already concluded and it found no evidence of compromised sensitive information.

Plaintiff also argued that even with the lack of social security and credit card numbers in the breach, the information could still be sensitive, citing Adkins v. Facebook Inc.[5] to support this proposition.  However, the court distinguished Adkins on the grounds that that case involved sensitive information not present in the Marriott incident—namely, social media data, which included personal details such as employment information, educational background, relationship status, and religion, among other information.

The court was further unpersuaded that the value of Plaintiff’s personal information decreased due to the breach, such that Plaintiff could claim injury based on mitigation costs.

Implications

The court’s decision will potentially lead to additional traction for defendants seeking to dismiss data breach litigation on standing grounds.  In another case pending against Marriott in the District Court of Maryland, based on compromised personal information of up to 383 million Starwood guests,[6]  Marriott urged the Maryland court to dismiss the suit, arguing that it is a “carbon copy” of the California suit[7]—just one week after the decision by the Court for the Central District of California.  While the Maryland District Court has yet to rule on Marriott’s argument, it is possible that the California decision will serve as persuasive authority in that case and others.

[1] No. 8:20-cv-00654 (C.D. Cal. Jan. 12, 2021).

[2] In re Zappos.com, Inc., No. 2357, 2016 WL 2637810 (D. Nev. May 6, 2016), rev’d on other grounds, 888 F.3d 1020 (9th Cir. 2018), cert. denied, 139 S. Ct. 1373 (2019).

[3] Antman v. Uber Technologies, Inc., No. 15-CV-01175, 2018 WL 2151231 at *10 (N.D. Cal. May 10, 2018).

[4] Stasi v. Inmediata Health Grp. Corp., No. 19-CV-2353, 2020 WL 2126317 at *5 (S.D. Cal. May 5, 2020).

[5] 424 F. Supp. 3d 686 (N.D. Cal 2019).

[6] https://www.law360.com/articles/1246240/marriott-can-t-duck-hotel-guests-data-breach-claims

[7] https://www.law360.com/cybersecurity-privacy/articles/1346438/marriott-looks-to-toss-md-breach-suit-after-calif-ruling

Photo of Rahul Mukhi Rahul Mukhi

Rahul Mukhi’s practice focuses on criminal, securities, and other enforcement and regulatory matters as well as on complex commercial litigation.

Read more about Rahul MukhiEmail
  • Posted in:
    Other
  • Blog:
    Cleary Cybersecurity and Privacy Watch
  • Organization:
    Cleary Gottlieb Steen & Hamilton LLP
  • Article: View Original Source

Call us at 1-800-913-0988 or email sales@lexblog.com.

Facebook LinkedIn Twitter RSS
  • About LexBlog
  • The Field We Built
  • Our Beliefs
  • Our Team
  • Contact LexBlog
  • Disclaimer
  • Editorial Policy
  • Terms of Service
  • Get Started
  • Publishing Solutions
  • Compass
  • Submit a Request
  • Support Center
  • System Status
Copyright © 2026, LexBlog, Inc. All Rights Reserved.
Law blog design & platform by LexBlog LexBlog Logo