On January 12, 2021, Judge David O. Carter granted Marriott’s Motion to Dismiss and dismissed the case, including Plaintiffs’ CCPA claim based on lack of standing. Rahman v. Marriott International, Inc., et al. (C.D. CA; 8:20-cv-00654), here,
“Plaintiff alleges that class members were victims of a cybersecurity breach at Marriott when two employees of a Marriott franchise in Russia accessed class members’ names, addresses, phone numbers, email addresses, genders, birth dates, and loyalty account numbers without authorization. Id. at ¶ 1; FAC ¶ 31.” After completing its investigation, Marriott determine that while some information such as “names, addresses, and other publicly available information” was accessed, sensitive information was not.
Marriott challenged Plaintiffs’ standing and whether or not there was an injury in fact to proceed with the case.
Ninth Circuit precedent is relatively clear on this point. “The sensitivity of the personal information, combined with its theft” are prerequisites to finding that plaintiffs “adequately alleged an injury in fact.” In re Zappos.com, Inc., No. 2357, 2016 WL 2637810 (D. Nev. May 6, 2016), rev’d on other grounds, 888 F.3d 1020 (9th Cir. 2018), cert. denied, 139 S. Ct. 1373 (2019). District courts in the Ninth Circuit have been even more explicit. In Antman v. Uber Technologies, Inc., the Northern District of California wrote that “[w]ithout a hack of information such as social security numbers, account numbers, or credit card numbers, there is no … credible risk of identity theft that risks real, immediate injury.” Antman v. Uber Technologies, Inc., No. 15-CV- 01175, 2018 WL 2151231 at *10 (N.D. Cal. May 10, 2018). Similarly, the Southern District of California has written that that “Plaintiffs’ failure to allege that the exposed information included their social security numbers, or similarly sensitive financial or account information …, leaves Plaintiffs short of what is required.” Stasi v. Inmediata Health Grp. Corp., No. 19-CV-2353, 2020 WL 2126317 at *5 (S.D. Cal. May 5, 2020). Like in those cases, Plaintiff has not plausibly pled here that any of their more sensitive data—such as credit card information, passports, or social security numbers—has fallen into the wrong hands. Without a breach of this type of sensitive information, Plaintiff has not suffered an injury in fact and cannot meet the constitutional requirements of standing.
Without access to sensitive information, Plaintiffs lack standing and the case was dismissed in its entirety.