A federal judge in Maryland has granted class certification in a case against hotel chain Marriott and its data security vendor Accenture over a data breach impacting over 133 million American consumers, clearing the way for the litigation to move forward. The Court will allow the case to proceed as a class action on behalf of the first group of claimants the parties selected – an initial group of approximately 45 million consumers in California, Connecticut, Florida, Georgia, Maryland, and New York. The lawsuit stems from a data breach Marriott discovered in 2018 after it acquired Starwood, in which, by its own admission, 133.7 million guest records of Starwood customers were compromised. Marriott acknowledged in 2019 that the records included approximately 5.25 million unencrypted passport numbers and 20.3 million encrypted passport numbers, among other sensitive personal information regarding hotel stays.
In granting class certification, Judge Paul Grimm of the U.S. District Court for the Southern District of Maryland issued a 70-plus page opinion that made clear he was certifying the case for potential trial, rather than for a pending settlement (as occurs in most other data breach cases). The opinion allows the plaintiffs to seek damages related to overpayment for hotel rooms, as well as statutory and nominal damages. The Court also found that consumers might be able to recover damages for the inherent value of their personal information stolen during the breach based upon Marriott’s own valuation of that same data.
DiCello Levitt Gutzler partner Amy Keller, Hausfeld partner James Pizzirusso, and Cohen Milstein Sellers & Toll partner Andrew N. Friedman are Co-Lead Plaintiffs’ counsel in the case. They issued the following joint statement:
“After three years of hard-fought litigation, the Court issued a well-reasoned opinion which provides a path forward to hold Marriott accountable for its egregious, four-year data breach. While many companies do the right thing and work to help their customers after a data breach, Marriott and Accenture chose to deny responsibility, vigorously attempting to convince the Court that they cannot be held liable to anyone impacted by the breach. We look forward to presenting our evidence to a jury.
The valuation of personal information is still fairly new territory for many Courts, and this is the first case to reach class certification on the issue. While the Court precluded our expert on this point, it also recognized that we might have the ability to introduce the value that Marriott itself derived from its customers’ data at trial as a component of damages the class sustained. The Court also accepted our experts’ damages methodology that Marriott and Starwood guests overpaid when making hotel reservations because of substandard security. Finally, the Court found that we could seek to recover nominal damages and statutory damages in some states. Marriott and Accenture are facing significant liability here, and we look forward to holding them to their legal and moral responsibilities.”
Filed in January 2018, the lawsuit alleges that Starwood, and later Marriott, took more than four years to discover the long-running data breach. Marriott became the world’s largest hotel chain when it acquired Starwood that same year.
Beginning in 2014 or earlier, and continuing through November 2018, hackers exploited vulnerabilities in Starwood’s network to access the guest reservation system and steal customer data. Marriott discovered the breach on September 8, 2018 but failed to publicly disclose it until nearly three months later, on November 30, 2018, when it admitted that there had been unauthorized access to the Starwood guest reservation database. This database contained personal customer information, including names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation dates, and communication preferences. For some customers, the information also included payment card numbers and payment card expiration dates.
The case is In re: Marriott International, Inc. Customer Data Security Breach Litigation, MDL No. 19-md-2879 in the U.S. District Court for the Southern District of Maryland. The Court’s opinion may be found here.