Federal judge reinstates class certification in ongoing Marriott data breach case

On November 29, federal Judge John Preston Bailey reinstated certification for several classes of consumers suing Marriott and its information technology provider, Accenture, over a massive data breach at the hotel's Starwood-branded properties, finding that Marriott's response to the litigation has been "wholly inconsistent" with its argument that guests had agreed to pursue their claims individually. In particular, he found that Marriott’s actions foreclosed the ability to rely on the waiver and that an adhesion contract like the one at issue cannot overrule Rule 23.

Judge Bailey's current ruling marks the latest development in ongoing litigation. Hausfeld filed the first Marriott Data Breach complaint with named plaintiff representatives residing in all fifty states. This landmark court filing came on the heels of Marriott’s admission that approximately 5.25 million unencrypted passport numbers and 20.3 million encrypted passport numbers were among the sensitive customer records accessed by hackers. By the hotel chain’s own acknowledgement, the breach compromised the personal information of nearly 400 million customers who made reservations at Starwood-branded hotels, which Marriott acquired in 2016, making it one of the largest data breaches in the country’s history.

In a ground-breaking decision, in February 2020, the Court largely denied Marriott’s Motion to Dismiss finding that the Plaintiffs had standing to pursue several novel areas of damages including benefit of the bargain and loss in value of their personal information. Even more notably, in November 2020, the Court denied Accenture’s Motion to Dismiss, becoming the first case to hold that a third party responsible for a company’s security could be held liable in the event of a breach.

A federal judge in Maryland granted class certification in May 2022. In granting class certification, Judge Paul Grimm of the U.S. District Court for the District of Maryland issued a 70-plus page opinion that made clear he was certifying the case for potential trial. The opinion allows the plaintiffs to seek damages related to overpayment for hotel rooms, as well as statutory and nominal damages. The Court also found that consumers might be able to recover damages for the inherent value of their personal information stolen during the breach based upon Marriott’s own valuation of that same data.  This is by far the largest of any consumer data breach class action ever certified.

In August 2023, the Fourth Circuit Court of Appeals vacated Judge Grimm’s decision on the narrow issue of whether a class action waiver applied.

The case is In re: Marriott International, Inc. Customer Data Security Breach Litigation, MDL No. 19-md-2879 in the U.S. District Court for the Southern District of Maryland.

Other News