Maryland Court Breaks New Fourth Circuit Standing Ground in Data Breach Suit

In another skirmish in the Spokeo war, a Maryland federal district court has dismissed a data breach suit against Marriott for lack of standing, but it took a remarkable route to this unremarkable result.

This lawsuit — Springmeyer v. Marriott International Inc., Case No. 20-cv-867-PWG, 2021 U.S. Dist. LEXIS 39891 (D. Md. March 23, 2021) — arose from unauthorized access to Marriott’s databases, which may have compromised guests’ personally identifiable information (“PII”), including their names, mailing addresses, birthdays, and loyalty program information. After receiving Marriott’s data breach notification, the plaintiffs sued. They alleged that, since the breach, they had spent time monitoring their accounts to protect to detect and prevent any misuse of their PII. They further claimed that the data breach and their injuries resulted from Marriott's failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect its guests' PII.

The Fourth Circuit’s decision in Beck v. McDonald would appear to provide controlling precedent. There, the appeals court ruled that a heightened fear of identify theft and the plaintiffs’ proactive mitigation efforts did not qualify as an “injury-in-fact” under Article III. See also Tsao v. Captiva MVP Rest. Partnres, Ltd. Liab. Co., 986 F.3d 1332 (11th Cir. 2021), discussed here. However, although Marriott’s motion to dismiss spent 10 pages urging Beck’s injury-in-fact rationale as its primary argument, the Springmeyer court did not even cite Beck or address the parties’ injury-in-fact arguments. Instead, the court relied solely on one paragraph in Marriott’s brief that argued that plaintiffs had not pled that their injuries were fairly traceable to Marriott’s conduct.

First, the Court ruled that the allegation that Marriott had failed to implement adequate data protection policies was conclusory and not entitled to be assumed true under the Ashcroft v. Iqbal standard. Therefore, the court ruled, the complaint failed to “allege any facts about what measures Marriott did or did not take to protect PII, what alleged inadequacies in its systems it should have disclosed, what standard and reasonably available steps existed that Marriott did not take, how Marriott failed to detect the data breach, or why it did not provide timely and accurate notice of the breach.” Absent these facts, the court found that the complaint did not demonstrate that the plaintiffs’ alleged injuries were fairly traceable to Defendant's conduct.

Springmeyer may offer a path forward for defendants in circuits that consider a heightened risk of identity theft sufficient to support standing, such as the District of Columbia. Using Springmeyer, data breach defendants in such jurisdictions may challenge whether the plaintiffs’ injuries are “fairly traceable” to their conduct, rather than fighting the already-lost battle regarding the concreteness of the injury on which Beck focused.

By sidestepping Beck and the injury-in-fact rationale, Springmeyer may have opened another battlefield in the standing war. If so, the Supreme Court will have to decide whether close it.