Case No. 20-cv-867-PWG
This case involves the class action complaint filed by Pati Springmeyer and Joe Lopez on behalf of themselves and all others similarly situated following a data breach of Defendant Marriott that occurred in early 2020. Plaintiffs allege that their personal information, along with that of approximately 5.2 million other guests, was improperly accessed. Plaintiffs bring eleven claims under various common law and statutory causes of action. Marriott moves to dismiss, arguing that Plaintiffs lack standing and failed to state a claim. For the reasons discussed below, Plaintiffs' claims are dismissed for lack of standing because they fail to adequately plead that their alleged injuries are fairly traceable to Marriott's conduct.
The motion has been fully briefed. See ECF Nos. 40, 41, 42, and 43. A hearing is not necessary. See Loc. R. 105.6 (D. Md. 2018).
Marriott is a global hotel and hospitality chain with more than 7,000 properties in 130 countries, headquartered in Bethesda, Maryland. ECF No. 36, First Amended Class Action Complaint ("Compl.") ¶ 25. On March 31, 2020, Marriott announced a data breach affecting approximately 5.2 million guests. Id. ¶ 23-24. On that day, Marriott sent an email to affected guests and posted an incident notification on its website. Id. ¶ 24. The incident notification stated that at the end of February 2020, Marriott identified that "an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property." Id. The notice said that Marriott believed the activity started in mid-January 2020. Id. After Marriott discovered the unauthorized access, it stated that it disabled the login credentials, began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests. Id.
Marriott stated that it believed that the guest information that was accessed may have including the following, but that all this information was not present for every guest:
• Contact Details (e.g., name, mailing address, email address, and phone number)Id. Marriott stated that its investigation was ongoing but had no reason to believe that the information involved included loyalty account passwords or PINs, payment card information, passport information, national IDs, or driver's license numbers. Id.
• Loyalty Account Information (e.g., account number and points balance, but not passwords)
• Additional Personal Details (e.g., company, gender, and birthday day and month)
• Partnerships and Affiliations (e.g., linked airline loyalty programs and numbers)
• Preferences (e.g., stay/room preferences and language preference)
Plaintiffs Springmeyer and Lopez both allege that they stayed at Marriott properties, gave Marriott their personal identifying information ("PII"), and received the notice that their PII had been accessed without authorization. Id. ¶¶ 11, 17. Plaintiffs allege that since the data breach, they have each spent time monitoring their accounts to protect the integrity if their PII and to detect and prevent any misuse of their PII. Id. ¶¶ 13-14, 18-19. Marriott has offered Plaintiffs one year of free enrollment in Experian's IdentityWorks credit monitoring service. Id. ¶ 71. Nonetheless, Plaintiff Springmeyer alleges that she purchased credit monitoring services at an annual cost of $159.96. Id. ¶ 12. Plaintiffs allege that this data breach and their alleged damages were the result of Marriott's failure to implement appropriate safeguards for its guests' PII. Id. ¶ 65.
Pending is Defendant's motion to dismiss under Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6). Defendant argues that Plaintiffs lack standing and failed to state a claim upon which relief could be granted.
Marriott argues that Plaintiffs do not have standing, and therefore this Court lacks subject matter jurisdiction over their claims.
a. Standard of Review
Marriott moves to dismiss for lack of standing under Federal Rule of Civil Procedure 12(b)(1). Under Rule 12(b)(1), the plaintiff bears the burden of proving, by a preponderance of evidence, the existence of subject matter jurisdiction. See Demetres v. E. W. Constr., Inc., 776 F.3d 271, 272 (4th Cir. 2015); see also Evans v. B.F. Perkins Co., 166 F.3d 642, 647 (4th Cir. 1999). A challenge to subject matter jurisdiction under Rule 12(b)(1) may proceed in two ways: either by a facial challenge, asserting that the allegations pleaded in the complaint are insufficient to establish subject matter jurisdiction, or a factual challenge, asserting "'that the jurisdictional allegations of the complaint [are] not true.'" Kerns v. United States, 585 F.3d 187, 192 (4th Cir. 2009) (citing Adams v. Bain, 697 F.2d 1213, 1219 (4th Cir. 1982)) (alteration in original); see Buchanan v. Consol. Stores Corp., 125 F. Supp. 2d 730, 736 (D. Md. 2001). Here Marriott brings a facial challenge to Plaintiffs' Article III standing. In a facial challenge, "the facts alleged in the complaint are taken as true, and the motion must be denied if the complaint alleges sufficient facts to invoke subject matter jurisdiction." Kerns, 585 F.3d at 192. However, "[a] pleading that offers labels and conclusions or a formulaic recitation of the elements of a cause of action" or "naked assertions devoid of further factual enhancement" will not suffice. Hutton v. Nat'l Bd. of Examiners in Optometry, Inc., 892 F.3d 613, 623 (4th Cir. 2018) (quoting Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009)).
To establish standing, a plaintiff must have "(1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable decision." Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016). The Court focuses its discussion on the second element.
To meet the "fairly traceable" requirement, Plaintiffs must allege facts to plausibly show that their alleged injuries were the result of Defendant's conduct. This standard "is not equivalent to a requirement of tort causation." Hutton v. Nat'l Bd. of Examiners in Optometry, Inc., 892 F.3d at 623 (quoting Friends of the Earth, Inc. v. Gaston Copper Recycling Corp., 204 F.3d 149, 161 (4th Cir. 2000)). "When a complaint is evaluated at the pleading stage . . . 'general factual allegations of injury resulting from the defendant's conduct may suffice, for on a motion to dismiss we presume that general allegations embrace those specific facts that are necessary to support the claim.'" Id. (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 561(1992)). But the "[p]leadings must be something more than an ingenious academic exercise in the conceivable." Id. (quoting United States v. Students Challenging Regulatory Agency Procedures (SCRAP), 412 U.S. 669, 688 (1973)). "Where, as here, a case is at the pleading stage, the plaintiff must 'clearly . . . allege facts demonstrating' each element" of standing, including traceability. Spokeo, Inc. v. Robins, 136 S. Ct. at 1547 (quoting Warth v. Seldin, 422 U.S. 490, 518 (1975)). As in this case, when the actions of a third party are involved, "[t]he 'case or controversy' limitation of Art. III still requires that a federal court act only to redress injury that fairly can be traced to the challenged action of the defendant, and not injury that results from the independent action of some third party not before the court." Doe v. Obama, 631 F.3d 157, 161 (4th Cir. 2011) (quoting Simon v. E. Ky. Welfare Rights Org., 426 U.S. 26, 41-42 (1976)).
Here Plaintiffs must allege facts for the Court to plausibly infer that the unauthorized access of Plaintiffs' PII by an unspecified bad actor or actors using Marriott employee credentials is fairly traceable to Marriott's conduct. In this regard Plaintiff attempts to plead the fairly traceable element by alleging that the data breach and their injuries are a result of "Marriott's failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect its guests' PII." Id. ¶ 5. But "the[se] allegations are conclusory and not entitled to be assumed true." Ashcroft v. Iqbal, 556 U.S. at 681. Plaintiffs fail to allege any facts describing Marriott's cybersecurity or steps that it could have or should have taken to prevent this data breach. To be sure, Plaintiffs repeat their conclusory allegations that Marriott's cybersecurity was unreasonable throughout the Complaint in connection with their eleven causes of action. For example, Plaintiffs allege the following:
Plaintiffs do not specify whether it was Marriott employees that used their credentials to access Plaintiffs' PII without authorization or whether a third party gained access to the Marriott employees' credentials to do so. In either case, Plaintiffs do not allege that Marriott was responsible for the attack by virtue of its status as an employer.
Marriott disregarded the rights of Plaintiffs and Class Members . . . by, inter alia, intentionally, willfully, recklessly, or negligently failing to take adequate and reasonable measures to ensure their data and cyber security systems were protected against unauthorized intrusions; failing to disclose that it did not have adequately robust computer systems and security practices to safeguard guest PII; failing to take standard and reasonably available steps to prevent the Data Breach; failing to monitor and timely detect the Data Breach; and failing to provide Plaintiffs and Class Members with prompt and accurate notice of the Data Breach.Id. ¶ 6; see also ¶¶ 36, 53, 65-66, 101-03, 112, 127, 135, 143, 161, 169-70, 175-76, 181, 184, 191 (similar). But mere repetition of conclusory and nonspecific allegations of Marriott's alleged shortcomings does not overcome the need to plead sufficient facts relating to what it did or did not do that led to the injuries claimed by the Plaintiffs. What is missing are any alleged facts to support these conclusory statements. For example, Plaintiffs do not allege any facts about what measures Marriott did or did not take to protect PII, what alleged inadequacies in its systems it should have disclosed, what "standard and reasonably available steps" existed that Marriott did not take, how Marriott failed to detect the data breach, or why it did not provide timely and accurate notice of the breach. Thus, Plaintiffs fail to "clearly . . . allege facts demonstrating" their alleged injuries are fairly traceable to Defendant's conduct, Spokeo, Inc. v. Robins, 136 S. Ct. at 1547, "and not injury that results from the independent action of some third party not before the court." Doe v. Obama, 631 F.3d at 161.
The allegations here are similar to those in Anderson v. Kimpton Hotel & Rest. Grp., LLC, 2019 WL 3753308 (N.D. Cal. Aug. 8, 2019), which involved a data breach of the Kimpton Hotel and Restaurant Group's online reservation system. In July 2017, Kimpton informed its customers that hackers may have gained unauthorized access to its online reservation system over a nine-month period, exposing its customers' PII. Id. at *1. Three plaintiffs who received the notice filed a class action suit, alleging Kimpton "failed to implement and maintain reasonable security procedures and practices appropriate to protect [plaintiffs'] PII[,]" "failed to establish and implement appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of [plaintiffs'] PII[,]" "did not take all obligatory precautions to properly safeguard PII from unauthorized access[,]" and "opted to maintain an insufficient and inadequate system to protect [plaintiffs'] PII[,]" with the result that [plaintiffs'] "PII was left inadequately protected by Kimpton." Id. at *4 (internal citations and alternations omitted). The court found that "Plaintiffs fail[ed] to allege, however, any facts to support those conclusory allegations," explaining that "the complaint does not allege the nature of any assertedly reasonable, appropriate, obligatory, sufficient and/or adequate action Kimpton failed to take." Id. Accordingly, the complaint was dismissed for lack of standing. Plaintiffs' allegations here are quite similar, and likewise fail to allege "the nature of any assertedly reasonable, appropriate, obligatory, sufficient and/or adequate action" Marriott failed to take. Id.
In contrast, the allegations in this case are unlike those made by the consumer plaintiffs in a separate class action suit against Marriott involving a different data breach that is pending before the undersigned as part of a multi-district litigation. There the consumer plaintiffs alleged that for over four years, from July 2014 to September 2018, hackers had access to Starwood Hotels and Resorts' guest information database. In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig., 440 F. Supp. 3d 447, 454 (D. Md. 2020). During this period, Marriott was conducting due diligence on Starwood leading up to its eventual acquisition. Id. The consumer plaintiffs alleged that reasonable due diligence would have uncovered the breach, and that Marriott failed to act on several cybersecurity assessments regarding deficiencies in Starwood's systems. Id. These factual allegations created a plausible connection between the consumer plaintiffs alleged injuries and specific actions and failures of Marriott. See id. at 454, 466-67. Here, Plaintiffs fail to allege facts to support any such connection. Because Plaintiffs have failed to allege this essential element of standing, their claims must be dismissed.
In both the In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig., and in the Fourth Circuit's decision in Hutton, the traceability question was focused on whether the compromised PII that caused the plaintiffs' alleged injuries could have come from the defendants' respective data breaches. See In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig., 440 F. Supp. 3d at 467; Hutton v. Nat'l Bd. of Examiners in Optometry, Inc., 892 F.3d at 623. Here the Court faces a more rudimentary question: whether Plaintiffs alleged sufficient facts for the Court to plausibly infer that Defendant was responsible for Plaintiffs' PII being compromised in the data breach in the first place.
Given that the Complaint is dismissed for Plaintiffs' failure to plead that their alleged injuries are fairly traceable to Defendant's conduct, the Court does not address Defendant's arguments for dismissal based on the other elements of standing or for failure to state a claim. --------
II. Dismissal with Prejudice
For the reasons stated above, Plaintiffs' claims are dismissed for lack of standing. This dismissal is with prejudice. "'The determination whether to dismiss with or without prejudice under Rule 12(b)(6) is within the discretion of the district court.'" Weigel v. Maryland, 950 F. Supp. 2d 811, 825-26 (D. Md. 2013) (quoting 180S, Inc. v. Gordini U.S.A., Inc., 602 F. Supp. 2d 635, 638-39 (D. Md. 2009)). Generally, when there has been no opportunity to amend, the dismissal should be without prejudice and the plaintiff granted an opportunity to amend. See Adams v. Sw. Va. Reg'l Jail Auth., 524 F. App'x 899, 900 (4th Cir. 2013) ("Where no opportunity is given to amend the complaint, the dismissal should generally be without prejudice."). Here, Plaintiffs were given an opportunity to amend and did so after Defendant raised the very deficiencies with Plaintiffs' allegations discussed herein in accordance with my pre-motion procedure. See Defendant's Pre-Motion Letter, ECF No. 31 at 2 ("Ms. Springmeyer has not satisfied Article III's traceability requirement. She does not identif[ied] how Marriott's security practices supposedly fell short of what she bargained for, and fails to plead that adequate practices would have avoided her (nonexistent) harm."); Plaintiffs' Pre-Motion Letter Response, ECF No. 34 at 1 ("Pursuant to the Court's Order, Plaintiff's counsel has had the opportunity to review, analyze, and consider the substance of Marriott's Letter outlining its arguments concerning Rules 12(b)(1) and 12(b)(6), Federal Rules of Civil Procedure. (Doc. No. 31). Following that review, Plaintiff has decided to amend the current operative class action complaint."); Plaintiffs' First Amended Complaint, ECF No. 36. Therefore, Plaintiffs' have already amended their complaint in light of these particular deficiencies. Further amendment would be futile and the claims are dismissed with prejudice.
In sum, Marriott's motion to dismiss is granted. Plaintiffs have failed to allege facts to show that their alleged injuries are fairly traceable to Marriott's conduct. Because Plaintiffs have already amended their complaint in view of these deficiencies, further amendment would be futile and this dismissal is with prejudice. A separate Order follows. March 3, 2021
Paul W. Grimm
United States District Judge