Let Data Breach Victims Sue Marriott

A company harvested your personal data, but failed to take basic steps to secure it. So thieves stole it. Now you’ve lost control of your data, and you’re at greater risk of identity theft. But when you sue the negligent company, they say you haven’t really been injured, so you don’t belong in court – not unless you can prove a specific economic harm on top of the obvious privacy harm.

We say “no way.” Along with our friends at EPIC, and with assistance from Morgan & Morgan, EFF recently filed an amicus brief arguing that negligent data breaches inflict grievous privacy harms in and of themselves, and so the victims have “standing” to sue in federal court – without the need to prove more. The case, In re Marriott Customer Data Breach, arises from the 2018 breach of more than 130 million records from the hotel company’s reservation system. This included guests’ names, phone numbers, payment card information, travel destinations, and more. We filed our brief in the federal appeals court for the Fourth Circuit, which will decide whether the plaintiff class certified by the lower court shares a class-wide injury.

Our brief explains that once personal data is stolen, it can be used against the breach victims for identity theft, ransomware attacks, and to send unwanted spam. The risk of these attacks causes psychological injury, including anxiety, depression, and PTSD. To avoid these attacks, breach victims must spend time and money to freeze and unfreeze their credit reports, to monitor their credit reports, and to obtain identity theft prevention services.

Courts have long granted standing to sue over harms like these. Intrusion upon seclusion and other privacy torts are more than a century old. As the U.S. Supreme Court has recognized: “both the common law and literal understanding of privacy encompass the individual’s control of information concerning [their] person.”

Further, the harms from a single data breach must be understood in the context of the larger data broker ecology. As we explain in our amicus brief:

Data breaches like the Marriott data breach cannot be considered individually. Once data has been disclosed from databases such as Marriott’s, it is often pooled with other information, some gathered consensually and legally and some gathered from other data breaches or through other illicit means. That pooled information is then used to create inferences about the affected individuals for purposes of targeted advertising, various kinds of risk evaluation, identity theft, and more. Thus, once individuals lose control over personal data that they have entrusted to entities like Marriott, the kinds of harms can grow and change in ways that are difficult to predict. Also, it can be onerous, if not impossible, for an ordinary individual to trace these harms and find appropriate redress.

Standing doctrine gone wrong

Under the current standing doctrine, your privacy is violated – and so you have standing to sue – when your data leaves the custody of a company that is supposed to protect it. So In re Marriott is an easy case for the Fourth Circuit.

But make no mistake, the U.S. Supreme Court has wrongly narrowed the standing doctrine in recent data privacy cases, and it should reverse course. These cases are Spokeo v. Robins (2016) and &