Hospitality company’s bid to dismiss data breach suit denied
On February 21, the U.S. District Court for the District of Maryland denied an international hospitality company’s motion to dismiss multidistrict litigation resulting from its 2018 data breach. As previously covered by InfoBytes, the court also recently denied the company’s motion to dismiss in a suit brought by the city of Chicago as well as in a suit brought by a group of banks, both based on the same data breach of the company. The plaintiffs in this instance filed suit following the data breach, which exposed personal information including passport numbers and payment card numbers. The company argued, however, that the plaintiffs lacked standing and that they did not state a claim for which relief could be granted.
In the opinion, the court determined that the plaintiffs had successfully established injury-in-fact by claiming, among other things, that (i) plaintiffs’ personal information was targeted in the data breach and some plaintiffs were victims of identity theft, which “makes the threatened injury sufficiently imminent”; (ii) plaintiffs had spent time and money to mitigate harm from the data breach; and (iii) plaintiffs’ personal information lost value. The court also found that the company’s failure to properly secure the plaintiffs’ personal data could be traced to fraudulent accounts opened in certain plaintiffs’ names. In addition, the court denied the company’s motion to dismiss state negligence claims, contract claims, tort claims, and statutory claims in California, Florida, Georgia, Maryland, Michigan, New York, and Oregon. The court did, however, dismiss the plaintiffs’ negligence claims under Illinois law.