Data breaches that expose consumer information to hackers are an increasingly, and distressingly, familiar problem, with a near-constant stream of headlines discussing the latest data breach suffered by a major company. Yet, while breaches generate a great deal of media attention and consumer concern, plaintiffs have struggled to convert these incidents into successful class action lawsuits. Few courts have certified damages classes of breach victims, in large part because of the difficulty of defining exactly how consumers suffered a common (as opposed to individualized) harm from the exposure of their personal data.

On May 3, a federal judge in Maryland bucked this trend by certifying a class of Marriott hotel guests whose personal information was potentially exposed in a data breach. See In re Marriott International Customer Data Securities Breach Litigation, No. 19-MD-2879 (D. Md. May 3, 2022). The novel “overpayment theory” of damages at the center of the Marriott class certification analysis cut through many of the problems of individualized harm that have stymied efforts to certify data breach classes in the past. This theory could represent a major change to the landscape of consumer data breach litigation.

Historically, Individualized Harm Issues Blocked Certification in Breach Cases