`
`IN THE UNITED STATES DISTRICT COURT
`FOR THE DISTRICT OF MARYLAND
`Southern Division
`
`SPRINGMEYER ET AL.
`
`V.
`
`MARRIOTT INTERNATIONAL, INC.
`
`Case No. 20-cv-867-PWG
`
`MEMORANDUM OPINION
`
`This case involves the class action complaint filed by Pati Springmeyer and Joe Lopez on
`
`behalf of themselves and all others similarly situated following a data breach of Defendant Marriott
`
`that occurred in early 2020. Plaintiffs allege that their personal information, along with that of
`
`approximately 5.2 million other guests, was improperly accessed. Plaintiffs bring eleven claims
`
`under various common law and statutory causes of action. Marriott moves to dismiss, arguing that
`
`Plaintiffs lack standing and failed to state a claim.1 For the reasons discussed below, Plaintiffs’
`
`claims are dismissed for lack of standing because they fail to adequately plead that their alleged
`
`injuries are fairly traceable to Marriott’s conduct.
`
`Factual Background
`
`Marriott is a global hotel and hospitality chain with more than 7,000 properties in 130
`
`countries, headquartered in Bethesda, Maryland. ECF No. 36, First Amended Class Action
`
`Complaint (“Compl.”) ¶ 25. On March 31, 2020, Marriott announced a data breach affecting
`
`approximately 5.2 million guests. Id. ¶ 23–24. On that day, Marriott sent an email to affected
`
`guests and posted an incident notification on its website. Id. ¶ 24. The incident notification stated
`
`
`1 The motion has been fully briefed. See ECF Nos. 40, 41, 42, and 43. A hearing is not necessary.
`See Loc. R. 105.6 (D. Md. 2018).
`
`
`
`Case 8:20-cv-00867-PWG Document 44 Filed 03/03/21 Page 2 of 9
`
`that at the end of February 2020, Marriott identified that “an unexpected amount of guest
`
`information may have been accessed using the login credentials of two employees at a franchise
`
`property.” Id. The notice said that Marriott believed the activity started in mid-January 2020. Id.
`
`After Marriott discovered the unauthorized access, it stated that it disabled the login credentials,
`
`began an investigation, implemented heightened monitoring, and arranged resources to inform and
`
`assist guests. Id.
`
`Marriott stated that it believed that the guest information that was accessed may have
`
`included the following, but that all this information was not present for every guest:
`
`• Contact Details (e.g., name, mailing address, email address, and phone number)
`
`• Loyalty Account Information (e.g., account number and points balance, but not
`passwords)
`
`• Additional Personal Details (e.g., company, gender, and birthday day and month)
`
`• Partnerships and Affiliations (e.g., linked airline loyalty programs and numbers)
`
`• Preferences (e.g., stay/room preferences and language preference)
`
`Id. Marriott stated that its investigation was ongoing but had no reason to believe that the
`
`information involved included loyalty account passwords or PINs, payment card information,
`
`passport information, national IDs, or driver’s license numbers. Id.
`
`Plaintiffs Springmeyer and Lopez both allege that they stayed at Marriott properties, gave
`
`Marriott their personal identifying information (“PII”), and received the notice that their PII had
`
`been accessed without authorization. Id. ¶¶ 11, 17. Plaintiffs allege that since the data breach,
`
`they have each spent time monitoring their accounts to protect the integrity of their PII and to detect
`
`and prevent any misuse of their PII. Id. ¶¶ 13–14, 18–19. Marriott has offered Plaintiffs one year
`
`of free enrollment in Experian’s IdentityWorks credit monitoring service. Id. ¶ 71. Nonetheless,
`
`Plaintiff Springmeyer alleges that she purchased credit monitoring services at an annual cost of
`
`$159.96. Id. ¶ 12. Plaintiffs allege that this data breach and their alleged damages were the result
`
`of Marriott’s failure to implement appropriate safeguards for its guests’ PII. Id. ¶ 65.
`
`
`
`Pending is Defendant’s motion to dismiss under Federal Rules of Civil Procedure 12(b)(1)
`
`and 12(b)(6). Defendant argues that Plaintiffs lack standing and failed to state a claim upon which
`
`relief could be granted.
`
`Discussion
`
`I. Standing
`
`Marriott argues that Plaintiffs do not have standing, and therefore this Court lacks subject
`
`matter jurisdiction over their claims.
`
`a. Standard of Review
`
`Marriott moves to dismiss for lack of standing under Federal Rule of Civil
`
`Procedure 12(b)(1). Under Rule 12(b)(1), the plaintiff bears the burden of proving, by a
`
`preponderance of evidence, the existence of subject matter jurisdiction. See Demetres v. E. W.
`
`Constr., Inc., 776 F.3d 271, 272 (4th Cir. 2015); see also Evans v. B.F. Perkins Co., 166 F.3d 642,
`
`647 (4th Cir. 1999). A challenge to subject matter jurisdiction under Rule 12(b)(1) may proceed
`
`in two ways: either by a facial challenge, asserting that the allegations pleaded in the complaint
`
`are insufficient to establish subject matter jurisdiction, or a factual challenge, asserting “‘that the
`
`jurisdictional allegations of the complaint [are] not true.’” Kerns v. United States, 585 F.3d 187,
`
`192 (4th Cir. 2009) (citing Adams v. Bain, 697 F.2d 1213, 1219 (4th Cir. 1982)) (alteration in
`
`original); see Buchanan v. Consol. Stores Corp., 125 F. Supp. 2d 730, 736 (D. Md. 2001). Here
`
`Marriott brings a facial challenge to Plaintiffs’ Article III standing. In a facial challenge, “the facts
`
`alleged in the complaint are taken as true, and the motion must be denied if the complaint alleges
`
`sufficient facts to invoke subject matter jurisdiction.” Kerns, 585 F.3d at 192. However, “[a]
`
`pleading that offers labels and conclusions or a formulaic recitation of the elements of a cause of
`
`action” or “naked assertions devoid of further factual enhancement” will not suffice. Hutton v.
`
`Nat'l Bd. of Examiners in Optometry, Inc., 892 F.3d 613, 623 (4th Cir. 2018) (quoting Ashcroft v.
`
`Iqbal, 556 U.S. 662, 678 (2009)).
`
`b. Application
`
`To establish standing, a plaintiff must have “(1) suffered an injury in fact, (2) that is fairly
`
`traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a
`
`favorable decision.” Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016). The Court focuses its
`
`discussion on the second element.
`
`To meet the “fairly traceable” requirement, Plaintiffs must allege facts to plausibly show
`
`that their alleged injuries were the result of Defendant’s conduct. This standard “is not equivalent
`
`to a requirement of tort causation.” Hutton v. Nat'l Bd. of Examiners in Optometry, Inc., 892 F.3d
`
`at 623 (quoting Friends of the Earth, Inc. v. Gaston Copper Recycling Corp., 204 F.3d 149, 161
`
`(4th Cir. 2000)). “When a complaint is evaluated at the pleading stage . . . ‘general factual
`
`allegations of injury resulting from the defendant's conduct may suffice, for on a motion to dismiss
`
`we presume that general allegations embrace those specific facts that are necessary to support the
`
`claim.’” Id. (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 561 (1992)). But the
`
`“[p]leadings must be something more than an ingenious academic exercise in the conceivable.” Id.
`
`(quoting United States v. Students Challenging Regulatory Agency Procedures (SCRAP), 412 U.S.
`
`669, 688 (1973)). “Where, as here, a case is at the pleading stage, the plaintiff must ‘clearly . . .
`
`allege facts demonstrating’ each element” of standing, including traceability. Spokeo, Inc. v.
`
`Robins, 136 S. Ct. at 1547 (quoting Warth v. Seldin, 422 U.S. 490, 518 (1975)). As in this case,
`
`when the actions of a third party are involved, “[t]he ‘case or controversy’ limitation of Art. III
`
`still requires that a federal court act only to redress injury that fairly can be traced to the challenged
`
`action of the defendant, and not injury that results from the independent action of some third party
`
`not before the court.” Doe v. Obama, 631 F.3d 157, 161 (4th Cir. 2011) (quoting Simon v. E. Ky.
`
`Welfare Rights Org., 426 U.S. 26, 41–42 (1976)).
`
`Here Plaintiffs must allege facts for the Court to plausibly infer that the unauthorized access
`
`of Plaintiffs’ PII by an unspecified bad actor or actors using Marriott employee credentials is fairly
`
`traceable to Marriott’s conduct.2 In this regard Plaintiffs attempt to plead the fairly traceable
`
`element by alleging that the data breach and their injuries are a result of “Marriott’s failure to
`
`implement adequate and reasonable cyber-security procedures and protocols necessary to protect
`
`its guests’ PII.” Id. ¶ 5. But “the[se] allegations are conclusory and not entitled to be assumed
`
`true.” Ashcroft v. Iqbal, 556 U.S. at 681. Plaintiffs fail to allege any facts describing Marriott’s
`
`cybersecurity or steps that it could have or should have taken to prevent this data breach. To be
`
`sure, Plaintiffs repeat their conclusory allegations that Marriott’s cybersecurity was unreasonable
`
`throughout the Complaint in connection with their eleven causes of action. For example, Plaintiffs
`
`allege the following:
`
`Marriott disregarded the rights of Plaintiffs and Class Members . . . by, inter alia,
`intentionally, willfully, recklessly, or negligently failing to take adequate and
`reasonable measures to ensure their data and cyber security systems were protected
`against unauthorized intrusions; failing to disclose that it did not have adequately
`robust computer systems and security practices to safeguard guest PII; failing to
`take standard and reasonably available steps to prevent the Data Breach; failing to
`monitor and timely detect the Data Breach; and failing to provide Plaintiffs and
`Class Members with prompt and accurate notice of the Data Breach.
`
`
`2 Plaintiffs do not specify whether it was Marriott employees that used their credentials to access
`Plaintiffs’ PII without authorization or whether a third party gained access to the Marriott
`employees’ credentials to do so. In either case, Plaintiffs do not allege that Marriott was
`responsible for the attack by virtue of its status as an employer.
`
`Id. ¶ 6; see also ¶¶ 36, 53, 65–66, 101–03, 112, 127, 135, 143, 161, 169–70, 175–76, 181, 184,
`
`191 (similar). But mere repetition of conclusory and nonspecific allegations of Marriott’s alleged
`
`shortcomings does not overcome the need to plead sufficient facts relating to what it did or did not
`
`do that led to the injuries claimed by the Plaintiffs. What is missing are any alleged facts to support
`
`these conclusory statements. For example, Plaintiffs do not allege any facts about what measures
`
`Marriott did or did not take to protect PII, what alleged inadequacies in its systems it should have
`
`disclosed, what “standard and reasonably available steps” existed that Marriott did not take, how
`
`Marriott failed to detect the data breach, or why it did not provide timely and accurate notice of
`
`the breach. Thus, Plaintiffs fail to “clearly . . . allege facts demonstrating” their alleged injuries
`
`are fairly traceable to Defendant’s conduct, Spokeo, Inc. v. Robins, 136 S. Ct. at 1547, “and not
`
`injury that results from the independent action of some third party not before the court.” Doe v.
`
`Obama, 631 F.3d at 161.
`
`
`
`The allegations here are similar to those in Anderson v. Kimpton Hotel & Rest. Grp., LLC,
`
`2019 WL 3753308 (N.D. Cal. Aug. 8, 2019), which involved a data breach of the Kimpton Hotel
`
`and Restaurant Group’s online reservation system. In July 2017, Kimpton informed its customers
`
`that hackers may have gained unauthorized access to its online reservation system over a nine-
`
`month period, exposing its customers’ PII. Id. at *1. Three plaintiffs who received the notice filed
`
`a class action suit, alleging Kimpton “failed to implement and maintain reasonable security
`
`procedures and practices appropriate to protect [plaintiffs’] PII[,]” “failed to establish and
`
`implement appropriate administrative, technical, and physical safeguards to ensure the security
`
`and confidentiality of [plaintiffs’] PII[,]” “did not take all obligatory precautions to properly
`
`safeguard PII from unauthorized access[,]” and “opted to maintain an insufficient and inadequate
`
`system to protect [plaintiffs’] PII[,]” with the result that [plaintiffs’] “PII was left inadequately
`
`protected by Kimpton.” Id. at *4 (internal citations and alterations omitted). The court found
`
`that “Plaintiffs fail[ed] to allege, however, any facts to support those conclusory allegations,”
`
`explaining that “the complaint does not allege the nature of any assertedly reasonable, appropriate,
`
`obligatory, sufficient and/or adequate action Kimpton failed to take.” Id. Accordingly, the
`
`complaint was dismissed for lack of standing. Plaintiffs’ allegations here are quite similar, and
`
`likewise fail to allege “the nature of any assertedly reasonable, appropriate, obligatory, sufficient
`
`and/or adequate action” Marriott failed to take. Id.
`
`
`
`In contrast, the allegations in this case are unlike those made by the consumer plaintiffs in
`
`a separate class action suit against Marriott involving a different data breach that is pending before
`
`the undersigned as part of a multi-district litigation. There the consumer plaintiffs alleged that for
`
`over four years, from July 2014 to September 2018, hackers had access to Starwood Hotels and
`
`Resorts’ guest information database. In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig.,
`
`440 F. Supp. 3d 447, 454 (D. Md. 2020). During this period, Marriott was conducting due
`
`diligence on Starwood leading up to its eventual acquisition. Id. The consumer plaintiffs alleged
`
`that reasonable due diligence would have uncovered the breach, and that Marriott failed to act on
`
`several cybersecurity assessments regarding deficiencies in Starwood’s systems. Id. These factual
`
`allegations created a plausible connection between the consumer plaintiffs’ alleged injuries and
`
`specific actions and failures of Marriott. See id. at 454, 466–67.3 Here, Plaintiffs fail to allege
`
`
`3 In both the In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig., and in the Fourth Circuit’s
`decision in Hutton, the traceability question was focused on whether the compromised PII that
`caused the plaintiffs’ alleged injuries could have come from the defendants’ respective data
`breaches. See In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig., 440 F. Supp. 3d at 467;
`Hutton v. Nat'l Bd. of Examiners in Optometry, Inc., 892 F.3d at 623. Here the Court faces a more
`rudimentary question: whether Plaintiffs alleged sufficient facts for the Court to plausibly infer
`that Defendant was responsible for Plaintiffs’ PII being compromised in the data breach in the first
`place.
`
`facts to support any such connection. Because Plaintiffs have failed to allege this essential element
`
`of standing, their claims must be dismissed.4
`
`II. Dismissal with Prejudice
`
`For the reasons stated above, Plaintiffs’ claims are dismissed for lack of standing. This
`
`dismissal is with prejudice. “‘The determination whether to dismiss with or without prejudice
`
`under Rule 12(b)(6) is within the discretion of the district court.’” Weigel v. Maryland, 950 F.
`
`Supp. 2d 811, 825–26 (D. Md. 2013) (quoting 180S, Inc. v. Gordini U.S.A., Inc., 602 F. Supp. 2d
`
`635, 638–39 (D. Md. 2009)). Generally, when there has been no opportunity to amend, the
`
`dismissal should be without prejudice and the plaintiff granted an opportunity to
`
`amend. See Adams v. Sw. Va. Reg'l Jail Auth., 524 F. App'x 899, 900 (4th Cir. 2013) (“Where no
`
`opportunity is given to amend the complaint, the dismissal should generally be without
`
`prejudice.”). Here, Plaintiffs were given an opportunity to amend and did so after Defendant raised
`
`the very deficiencies with Plaintiffs’ allegations discussed herein in accordance with my pre-
`
`motion procedure. See Defendant’s Pre-Motion Letter, ECF No. 31 at 2 (“Ms. Springmeyer has
`
`not satisfied Article III’s traceability requirement. She does not identif[ied] how Marriott’s
`
`security practices supposedly fell short of what she bargained for, and fails to plead that adequate
`
`practices would have avoided her (nonexistent) harm.”); Plaintiffs’ Pre-Motion Letter Response,
`
`ECF No. 34 at 1 (“Pursuant to the Court’s Order, Plaintiff’s counsel has had the opportunity to
`
`review, analyze, and consider the substance of Marriott’s Letter outlining its arguments concerning
`
`Rules 12(b)(1) and 12(b)(6), Federal Rules of Civil Procedure. (Doc. No. 31). Following that
`
`review, Plaintiff has decided to amend the current operative class action complaint.”); Plaintiffs’
`
`
`4 Given that the Complaint is dismissed for Plaintiffs’ failure to plead that their alleged injuries are
`fairly traceable to Defendant’s conduct, the Court does not address Defendant’s arguments for
`dismissal based on the other elements of standing or for failure to state a claim.
`
`First Amended Complaint, ECF No. 36. Therefore, Plaintiffs have already amended their
`
`complaint in light of these particular deficiencies. Further amendment would be futile and the
`
`claims are dismissed with prejudice.
`
`Conclusion
`
`
`
`In sum, Marriott’s motion to dismiss is granted. Plaintiffs have failed to allege facts to
`
`show that their alleged injuries are fairly traceable to Marriott’s conduct. Because Plaintiffs have
`
`already amended their complaint in view of these deficiencies, further amendment would be futile
`
`and this dismissal is with prejudice. A separate Order follows.
`
`
`
`Date: March 3, 2021
`
`/S/
`Paul W. Grimm
`United States District Judge