Marriott recently won dismissal of a proposed class action data breach lawsuit alleging several violations, including a violation of the California Consumer Privacy Act (CCPA). The case, Arifur Rahman v. Marriott International, Inc. et al., Case No.: 8:20-cv-00654, was dismissed in an Order by U.S. District Court Judge David O. Carter on January 12, 2021.

The Plaintiff in the lawsuit alleged that he was a member of a “class that were victims of a cybersecurity breach at Marriott when to employees of a Marriott franchise in Russia accessed class members’ names, addresses, phone numbers, email addresses, genders, birth dates, and loyalty account numbers without authorization.” Marriott admitted there was a breach, sent letters to affected individuals, and confirmed that no sensitive information, such as social security numbers, credit card information, or passwords, was compromised.

The matter was dismissed, as the Court found that it lacked subject matter jurisdiction as the Plaintiff lacked standing to sue. The Court was clear that in the 9^th Circuit, the sensitivity of the personal information, combined with its theft, are prerequisites to finding that plaintiffs alleged injury in fact. Injury in fact is one of the three elements necessary to support Article III standing.

The data breach in this case affected approximately 5.2 million Marriott customers, but the information accessed by hackers was not “sensitive information,” which was a required element to be able to continue the lawsuit.