EPIC and EFF Urge Appeals Court to Recognize that Customers May Sue When Companies’ Lax Data Security Practices Result in Data Breaches

December 9, 2022

On November 22, EPIC and the Electronic Frontier Foundation filed an amicus brief in Peter Maldini v. Marriott International, Inc., urging the Fourth Circuit Court of Appeals to affirm that plaintiffs can sue companies that negligently allow hackers to steal customers’ sensitive personal data.

In 2018, Marriott announced that its customers were the victims of one of the largest data breaches in history. Hackers made off with millions of customers’ names, addresses, phone numbers, email addresses, payment-card information, and in some cases, passport information, room preferences, and travel destinations. Marriott’s data security practices before the breach were weak, and the company knew it. Marriott’s own employees described its security practices as the “cumulative effect” of “having a couple of shots of tequila . . . every night for years,” making Marriott “vulnerable to [a] weak defense in the court of law in case of a breach.”

Plaintiffs sued Marriott, alleging that the company’s negligence led to the data breach and harmed the plaintiffs. But Marriott and its co-defendant Accenture claim that the court must throw out the plaintiffs’ claims because they have not established that the defendants’ conduct harmed the plaintiffs in any real way. They essentially argue that the plaintiffs’ alleged privacy harm is not real, so each plaintiff must prove a specific amount of economic harm from having their personal information stolen.

Recent Supreme Court cases TransUnion LLC v. Ramirez and Spokeo, Inc. v. Robins have made it harder for some plaintiffs to establish “standing,” or the ability to bring a suit in court. These cases direct courts to look at whether the harm caused by the violation of a person’s right has a “close relationship” with a harm traditionally recognized by courts. The Supreme Court explicitly stated that the privacy torts cause harms that confer standing.

Arguing in favor of the plaintiffs, EPIC and the Electronic Frontier Foundation, with help from Morgan and Morgan, submitted an amicus brief explaining that plaintiffs who properly allege that a defendant’s negligence harmed their privacy have established standing because their privacy rights have been violated. EPIC and the EFF noted that the Supreme Court specifically highlighted privacy torts as being ones that establish standing to sue. EPIC and EFF also described the harms that data breaches cause.

See the EFF’s Deeplinks blog for more analysis. EPIC regularly submits amicus briefs in cases involving standing and consumer protection issues.
