Federal judge rules massive data breach class action against Marriott may proceed

Claims about company’s lax data security, which led to breach that impacted over 133 million guest records, moving forward on behalf of nearly 45 million consumers as a certified   

Greenbelt, Md. – May 5, 2022 – A federal judge in Maryland granted class certification in a data breach impacting over 133 million American consumers against hotel chain Marriott (NASDAQ: MAR) and its data security vendor Accenture (NYSE: ACN).  In allowing the case to proceed as a class action on behalf of the first group of claimants the parties selected, the case will proceed forward on behalf of an initial group of approximately 45 million customers in California, Connecticut, Florida, Georgia, Maryland, and New York. The lawsuit stems from a data breach Marriott discovered in 2018 after it acquired Starwood, in which, by its own admission, 133.7 million guest records of Starwood customers were compromised. Marriott acknowledged in 2019 that the records included approximately 5.25 million unencrypted passport numbers and 20.3 million encrypted passport numbers, among other sensitive personal information regarding hotel stays.

In granting class certification, Judge Paul Grimm of the U.S. District Court for the Southern District of Maryland issued a 70-plus page opinion that made clear he was certifying the case for potential trial, rather than for a pending settlement (as most other data breach cases proceed). The opinion allows the plaintiffs to seek damages related to overpayment for hotel rooms, as well as statutory and nominal damages. The Court also found that consumers might be able to recover damages for the inherent value of their personal information stolen during the breach based upon Marriott’s own valuation of that same data. 

DiCello Levitt Gutzler partner Amy Keller, Hausfeld partner James Pizzirusso, and Cohen Milstein Sellers & Toll partner Andrew N. Friedman are Co-Lead Plaintiffs’ counsel in the case. They issued the following joint statement:

“After three years of hard-fought litigation, the court issued a well-reasoned opinion which provides a path forward to hold Marriott accountable for its egregious, four-year data breach. While many companies do the right thing and work to help their customers after a data breach, Marriott and Accenture chose to deny responsibility, vigorously attempting to convince the court that they cannot be held liable to anyone impacted by the breach. We look forward to presenting our evidence to a jury."

The valuation of personal information is still fairly new territory for many courts, and this is the first case to reach class certification on the issue. While the court precluded our expert on this point, it also recognized that we might have the ability to introduce the value that Marriott itself derived from its customers’ data at trial as a component of damages the class sustained. The court also accepted our experts’ damages methodology that Marriott and Starwood guests overpaid when making hotel reservations because of substandard security. Finally, the court found that we could seek to recover nominal damages and statutory damages in some states. Marriott and Accenture are facing significant liability here, and we look forward to holding them to their legal and moral responsibilities.”

Filed in January 2018, the lawsuit alleges that Starwood, and later Marriott, took more than four years to discover the data breach. Marriott became the world’s largest hotel chain when it acquired Starwood that same year.

Beginning in 2014 and possibly earlier, and continuing through November 2018, hackers exploited vulnerabilities in Starwood’s network to access the guest reservation system and steal customer data. Marriott discovered the breach on September 8, 2018, but failed to publicly disclose it until nearly three months later, on November 30, 2018, when it admitted that there had been unauthorized access to the Starwood guest reservation database. This database contained personal customer information, including names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest (SPG) account information, date of birth, gender, arrival and departure information, reservation dates, and communication preferences. For some customers, the information also included payment card numbers and payment card expiration dates.

The case is In re: Marriott International, Inc. Customer Data Security Breach Litigation, MDL No. 19-md-2879 in the U.S. District Court for the Southern District of Maryland. The Court’s opinion can be found here.  

 

About Hausfeld

Hausfeld is a leading litigation law firm with offices in Boston, New York, Philadelphia, San Francisco, and Washington, D.C., as well as in the UK and continental Europe. In the last decade, Hausfeld has won landmark trials, negotiated complex settlements, and recovered billions of dollars for clients both in and out of court. Hausfeld lawyers consistently apply forward-thinking ideas and creative solutions to the most vexing global legal challenges faced by clients. As a result, the firm’s litigators have developed numerous innovative legal theories that have expanded the quality and availability of legal recourse for claimants around the globe.