in Newswire Published on April 2, 2020

Marriott Hit with Class Action Suit Days After Announcing Latest Data Breach Affecting 5.2 Million Guests [UPDATE]

by Corrado Rizzi

Last Updated on March 10, 2021

View Comments

Springmeyer v. Marriott International, Inc.

Filed: April 1, 2020 § 8:20-cv-00867

Read Complaint

Marriott faces more proposed class action litigation, centered this time on a data breach that exposed the information of roughly 5.2M guests in early 2020.

Defendant(s)

Marriott International Inc.

Law(s)

State(s)

Maryland

Categories

Privacy Data Breach

Case Updates

March 3, 2021 – Lawsuit Dismissed

The judge overseeing the case detailed on this page has dismissed the lawsuit with prejudice, meaning the plaintiffs cannot re-file their claims.

In a March 3 memorandum opinion, found here, U.S. District Judge Paul W. Grimm ruled that the plaintiffs failed to show that their alleged injuries were “fairly traceable” to Marriott’s conduct.

More specifically, the judge stated that the plaintiffs repeated “conclusory” statements throughout their complaint without alleging any steps that Marriott could have or should have taken to prevent the data breach at issue.

“What is missing are any alleged facts to support these conclusory statements,” the judge wrote. “For example, Plaintiffs do not allege any facts about what measures Marriott did or did not take to protect [personally identifiable information], what alleged inadequacies in its systems it should have disclosed, what ‘standard and reasonably available steps’ existed that Marriott did not take, how Marriott failed to detect the data breach, or why it did not provide timely and accurate notice of the breach.”

The memorandum went on to compare the plaintiffs’ claims with those in sprawling multidistrict litigation filed against Marriott over a massive November 2018 data breach involving the hotel chain’s Starwood Hotels & Resorts reservation system. In that case, the plaintiffs allege that Marriott had access to Starwood’s guest information database for over four years before acquiring the company and would have discovered the breach had it conducted reasonable due diligence. Moreover, Marriott allegedly failed to address deficiencies uncovered during several cybersecurity investigations. These factual allegations, the judge wrote, are enough to allege a “plausible connection” between Marriott’s actions and failures and the plaintiffs’ injuries.

“Here, Plaintiffs fail to allege facts to support any such connection,” the memo reads. “Because Plaintiffs have failed to allege this essential element of standing, their claims must be dismissed.”

Marriott International has been hit with a proposed class action lawsuit filed roughly 48 hours after disclosing the hotel chain had again been struck by a data breach involving the information of millions of guests. 

The latest breach, announced by Marriott on March 31, involved compromised login credentials of two employees at a franchise property, the 34-page lawsuit begins. According to the complaint, Marriott, who claims to have discovered the incident in February, disclosed that “an unexpected amount of guest information” had been improperly accessed by a third party as early as mid-January 2020. The case says approximately 5.2 million Marriott guests had their data improperly accessed in this latest cybersecurity incident.

Of the information allegedly accessed during the breach, the case says guest names, email and mailing addresses, phone numbers, demographically identifiable data, stay/room preferences and loyalty account information were compromised. 

Through Marriott has offered those affected by the incident one year of free enrollment in Experian’s IdentityWorks credit monitoring, the remedy is inadequate given the long-term nature of the threat of identity theft and fraud, the suit says. As the lawsuit tells it, the data breach was the direct result of Marriott’s failure to have in place adequate and reasonable cybersecurity safeguards. The suit argues that as a result of Marriott’s data protection shortcomings, consumers have had to and will continue to spend significant amounts of time and money in order to protect themselves against a forever-heightened risk of identity theft and fraud.

In acquiring consumers’ information, Marriott assumed the legal duties of maintaining such, which include the responsibility of protecting guest data from disclosure to unauthorized parties, the lawsuit says. Notwithstanding the assurance that the hotel giant “values you as a guest and recognizes that privacy is important to you,” Marriott has altogether failed to adopt reasonable cybersecurity security measures despite its wealth of resources and “being engaged in litigation regarding one of the largest data breaches in history.” 

“Marriott had the resources to prevent a breach,” the case reads. “Marriott made significant expenditures to market its hotels and hospitality services, but neglected to adequately invest in data security, despite the growing number of data intrusions and several years of well-publicized data breaches, including its own massive breach a little over a year ago.”

The case’s filing comes roughly a year and a half after the personally identifiable information of 500 million guests was exposed in an unprecedented November 2018 data breach linked to a flaw in Marriott’s reservation and database systems.

This browser does not support PDFs. Please download the PDF to view it: Download PDF.
Open Document
Last Updated on March 10, 2021 — 4:23 PM

Corrado Rizzi

corrado@classaction.org

Corrado Rizzi is the Senior Managing Editor of ClassAction.org.

About ClassAction.org

ClassAction.org is a group of online professionals (designers, developers and writers) with years of experience in the legal industry.

Learn More

Before commenting, please review our comment policy.