A federal court in California has ruled that the plaintiff in a putative class action alleging theft of non-sensitive personal information arising from a cybersecurity data breach lacks Article III standing to maintain his claims. In Rahman v. Marriott International, Inc., the Plaintiff asserted claims for violation of the California Consumer Privacy Act (“CCPA”), negligence, breach of implied contract, unjust enrichment, and violation of the California Unfair Competition Act. Plaintiff alleged that class members were victims of a cybersecurity incident when two employees of a Marriott franchise in Russia accessed class member names, addresses, phone numbers, email addresses, genders, birth dates, and loyalty account information. Although the CCPA requires a plaintiff to provide the defendant 30 days’ written notice and an opportunity to cure before filing suit for statutory damages, Cal. Civ. Code § 1798.150(b), Plaintiff provided written notice to Marriott on the same day he filed suit. He did not, however, assert a claim for statutory damages until he amended his complaint three months later.
Marriott moved to dismiss for lack of subject matter jurisdiction after confirming that no sensitive information – such as social security numbers, credit card information, or account information and passwords – was compromised in the breach. Marriott argued that although the bad actors accessed Plaintiff’s personal information, the data lacked the “sensitivity” required by the Ninth Circuit to merit a finding of injury in fact. Judge David O. Carter agreed with Marriott, finding that Ninth Circuit precedent is clear that injury in fact requires both “sensitivity of personal information, combined with its theft.” The court distinguished the only cited case finding standing where no social security numbers or credit card information was stolen because the hack in that case involved not only basic information, but also “a constellation of social-media data.” See, e.g., Adkins v. Facebook, Inc., 424 F. Supp. 3d 686 (N.D. Cal. 2019). Because the Plaintiff has not pleaded that “any of their more sensitive data – such as credit card information, passports, or social security numbers” was stolen, “Plaintiff has not suffered an injury in fact and cannot meet the constitutional requirements of standing.” The court did not address whether Plaintiff’s written notice, sent on the day the suit was filed but more than 30 days before a claim for statutory damages was asserted, was sufficient under the CCPA.
Importantly, the federal court also expressly rejected the argument that the value of Plaintiff’s personal information diminished as a result of the breach, joining a growing number of courts rejecting arguments alleging diminution of the value of PII stemming from data breaches. See, e.g., In re: Capital One Consumer Data Security Breach Litig., 2020 U.S. Dist. LEXIS 175304, *40 (E.D. Va. Sept. 18, 2020) (Plaintiffs “failed to plausibly allege damages based on the lost or reduced value of their PII.”). The court also ruled that it was “unmoved” by Plaintiff’s argument that he should be compensated for mitigation costs. Quoting Clapper v. Amnesty International USA, 568 U.S. 398 (2013), the district court held that “‘mitigation costs . . . rise and fall together’ with claims based on the risk of future harm.”
The case teaches that data breach defendants sued in California federal court or considering a California federal forum for MDL consolidated proceedings should carefully evaluate standing as a defense. Likewise, consumer lawyers initiating litigation should consider whether the personal information compromised is sensitive enough to survive the standing challenge defendants will most certainly launch given the substantial precedent precluding lawsuits involving non-sensitive data in the Ninth Circuit.