Bank of La. v. Marriott Int'l, Inc.

Decision Date07 February 2020
Docket NumberThis document relates to Case No.: PWG-18-3833,MDL No. PWG-19-2879
Parties BANK OF LOUISIANA, Individually and on Behalf of All Others Similarly Situated, Plaintiff, v. MARRIOTT INTERNATIONAL, INC., Defendant.
CourtU.S. District Court — District of Maryland

Andrew C White, Joseph Francis Murphy, Jr, Steven Donald Silverman, William Nelson Sinclair, Silverman Thompson Slutkin and White LLC, Baltimore, MD, Arthur Mahony Murray, Caroline T White, Stephen B Murray, Pro Hac Vice, Murray Law Firm, New Orleans, LA, Brian C Gudmundson, Bryce D Riddle, Pro Hac Vice, Michael J Laird, Zimmerman Reed LLP, Minneapolis, MN, Charles H Van Horn, Katherine M Silverman, Pro Hac Vice, Berman Fink Van Horn PC, Atlanta, GA, Christopher C Gold, Dorothy P Antullis, Stuart A Davidson, Pro Hac Vice, Robbins Geller Rudman and Dowd LLP, Boca Raton, FL, Stephen G. Grygiel, Grygiel Law, LLC, Baltimore, MD, for Plaintiff.

Daniel R Warren, Lisa M Ghannoum, Pro Hac Vice, Gilbert S Keteltas, Baker and Hostetler LLP, Cleveland, OH, for Defendant.

MEMORANDUM OPINION AND ORDER *

Paul W. Grimm, United States District Judge

Pending before me is a Multidistrict Litigation ("MDL") action against Marriott International, Inc. and related entities concerning a data breach incident. In re Marriott , No. PWG-19-2879. One of the Plaintiffs in the MDL is the Bank of Louisiana ("BOL"),1 which seeks relief for harm and injuries arising from a massive cyberattack against a Marriott entity, Starwood Hotels and Resorts. BOL asserts claims under the tort theories of negligence and negligence per se and seeks declaratory and injunctive relief under 28 U.S.C. § 2201. First Am. Compl. ¶¶ 95, 108, 120, 129, ECF No. 306.2

Before this Court is Marriott International, Inc.'s ("Marriott") motion to dismiss BOL's first amended complaint ("FAC"). Def.'s Mot. to Dismiss, ECF No. 358-1. Marriott argues that BOL does not have standing to sue, that BOL's negligence claim fails because the economic loss doctrine bars recovery, and that BOL's negligence per se claim fails because Louisiana law (which Marriott says is controlling) does not recognize negligence per se as a standalone claim. Lastly, Marriott argues that BOL's request for declaratory and injunctive relief does not state a separate claim but is merely a request for relief that only is available in connection with other prevailing causes of action. Therefore, Marriott asks that the claim requesting declaratory and injunctive relief be dismissed along with the first two counts. Def.'s Mot. to Dismiss, ii. The motion to dismiss the FAC is fully briefed, ECF Nos. 358-1, 419, 456, 463. A hearing is not necessary. See Loc. R. 105.6 (D. Md. 2018). For the reasons discussed below, BOL has alleged facts sufficient to establish injury and causation under the Article III standing requirements. Additionally, I agree with Marriott that Louisiana law controls, but I find that BOL's claim for negligence is not barred by Louisiana's version of the economic loss doctrine, and therefore, BOL's claim for declaratory and injunctive relief is not dismissed. However, BOL's claim under negligence per se is dismissed because Louisiana does not recognize it as a separate doctrine from negligence.

Factual Background

Marriott is the world's largest hotel chain, operating more than 7,000 properties across the United States and the globe, accounting for over 1.3 million hotel rooms worldwide. First Am. Compl. ¶¶ 1, 29. In 2016, Marriott acquired Starwood Hotels & Resorts Worldwide, LLC, and with that, Starwood's computer database ("database"), which is a repository of Starwood's guests' personal identifying information (including payment card numbers). Id. ¶¶ 30, 59. After acquisition, Marriott gained control over the database and began including information from guests who also stay at Marriott properties. Id. ¶¶ 31-32.

In November 2018, Marriott announced that it was the victim of a data breach of enormous proportions. Id. ¶ 16. Marriott was first alerted to suspicious activity within the Starwood database in September 2018. Id. ¶ 14. A forensic investigation revealed that hackers had obtained access to Starwood's database for over four years before Marriott discovered the invasion. Id. ¶ 45. Intruders gained access to the database and stole personal identifying information of hundreds of millions of customers including [Redacted] unique encrypted payment card numbers and [Redacted] unencrypted payment card numbers. Id. ¶¶ 13, 19. Marriott is alleged to have eliminated the vulnerabilities from the database by [Redacted]. Id. ¶ 14.

BOL is an FDIC-insured bank, whose principal (and based on the pleadings, the only) place of business is in Louisiana (with locations in the city of New Orleans and three parishes within the state). Id. ¶ 27. In December 2018, BOL received a Compromised Account Management System ("CAMS") alert, notifying it that some of the payment cards it issued to its customers could be at risk because of the Marriott data breach. Id. ¶ 95. BOL pleads that it was under both a legal and business obligation to immediately respond, causing it to incur costs to "cancel or reissue credit and debit cards," "refund or credit any cardholder to cover the cost of any unauthorized transaction relating to the Marriott Data Breach," and "increase fraud monitoring efforts." Id. ¶ 21. BOL argues that had Marriott had a reasonable data security program, it could have prevented the breach altogether or detected the hackers' presence much earlier. Id. ¶ 48. BOL brings this action because it argues that the injuries it incurred were directly and proximately caused by Marriott's negligently vulnerable database. Id. ¶¶ 13, 22

Standard of Review

To survive a motion to dismiss, a complaint must contain "a short and plain statement of the claim showing that the pleader is entitled to relief." Fed. R. Civ. P. 8(a)(2). Specifically, BOL must establish "facial plausibility" by pleading "factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Ashcroft v. Iqbal , 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009). However, "[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice." Id. But at this juncture, BOL is only obligated to plead its claims, not prove them. Therefore, I must accept the well-pleaded facts as alleged in BOL's complaint as true. See Aziz v. Alcolac , 658 F.3d 388, 390 (4th Cir. 2011). And, I must construe the factual allegations "in the light most favorable to [the] plaintiff." Adcock v. Freightliner LLC , 550 F.3d 369, 374 (4th Cir. 2008) (quoting Battlefield Builders, Inc. v. Swango , 743 F.2d 1060, 1062 (4th Cir. 1984) ).

Discussion

BOL asserts claims of negligence and negligence per se, and requests, as a separate count, declaratory and injunctive relief. Marriott moves to dismiss pursuant to Fed. R. Civ. P. 12(b)(1), arguing that BOL lacks standing because it has not sufficiently alleged that it has suffered injury that was caused by Marriott. Def.'s Mot. to Dismiss 1. Marriott also moves to dismiss pursuant to Fed. R. Civ. P. 12(b)(6), arguing that BOL has not stated a claim upon which relief can be granted because Louisiana's version of the economic loss doctrine prevents recovery under BOL's negligence claim, because Louisiana does not recognize the cause of action of negligence per se, and because declaratory and injunctive relief is not a stand-alone claim that can survive independently from some other viable claim. Id.

Plaintiffs Have Standing to Sue

To satisfy constitutional standing requirements, a plaintiff must have suffered an "injury in fact," that has a causal connection to the conduct complained of and can be "redressed by a favorable decision." Lujan v. Defenders of Wildlife , 504 U.S. 555, 560-61, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992). Article III standing must be found to exist before a court may address the merits. Steel Co. v. Citizens for a Better Environment , 523 U.S. 83, 94, 118 S.Ct. 1003, 140 L.Ed.2d 210 (1998).

BOL received a Compromised Account Management System ("CAMS") alert warning that payment cards it had issued may have been compromised by hackers in the Marriott data breach and were at risk of being used for fraud. First Am. Compl. ¶ 96; Pl.'s Opp. 6, ECF No. 419; Pl.'s Surreply 1, ECF No. 463. Importantly, BOL has alleged (but just barely) that some of the cards covered by the CAMS alert were, in fact, used to make fraudulent charges. First Am. Compl ¶¶ 21, 27, 95, 96.

BOL alleges that it has suffered multiple types of harm in response to the data breach: reimbursement of fraudulent charges on debit and credit cards; costs associated with cancelling and reissuing debit and credit cards; operational expenses incurred from investigating efforts in response to the CAMS alert; and costs associated with increased fraud monitoring efforts. First Am. Compl. ¶¶ 21-22, 95-97. The latter three can be associated with attempting to prevent reasonably foreseeable future fraud, while the first is in direct response to actual fraudulent charges. Pl.'s Opp. 10.

Plaintiffs Have Alleged Plausible Injury in Fact

There are two types of harm that can satisfy Article III standing requirements; actual harm and threatened harm. Friends of the Earth, Inc. v. Gaston Copper Recycling Corp. , 204 F.3d 149, 160 (4th Cir. 2000) (en banc). Marriott argues that BOL has not alleged sufficient injury in fact to support Article III standing. Def.'s Mot. to Dismiss 5.3 Specifically, Marriott argues that BOL's allegations that it "chose to cancel and reissue payment cards after receiving a CAMS alert" was to "mitigate a perceived risk that fraud might occur in the future," as opposed to allegations that show BOL had incurred costs as a result of "threatened harm of future identity theft [that] was ‘certainly impending’ " as required by the Fourth Circuit. Beck v....

To continue reading

Request your trial
11 cases
  • In re Blackbaud, Inc., Customer Data Breach Litigation
    • United States
    • United States District Courts. 4th Circuit. United States District Court of South Carolina
    • October 19, 2021
    ...the last event necessary for a defendant to be liable for negligence is damage to the plaintiff. See Bank of Louisiana v. Marriott Int'l, Inc. , 438 F. Supp. 3d 433, 443 (D. Md. 2020) (claim for negligence would not exist without injury); Cockrum v. Donald J. Trump for President, Inc. , 365......
  • Keralink Int'l v. Stradis Healthcare, LLC
    • United States
    • United States District Courts. 4th Circuit. United States District Court (Maryland)
    • September 27, 2021
    ...claims against Marriott for economic losses sustained as a result of a data breach to Marriott's database of customer payment card numbers. Id. at 437. The parties disagreed as to whether loss was felt in Maryland, where Marriott's alleged negligent acts in failing to reasonably secure its ......
  • Carroll v. Walden Univ.
    • United States
    • United States District Courts. 4th Circuit. United States District Court (Maryland)
    • November 28, 2022
    ...... Bourgeois v. Live Nation Ent., Inc. , 3 F.Supp.3d. 423, 434 (D. Md. 2014) (quoting Twombly , 550 U.S. ...Md. Mar. 3,. 2021); see Spaulding v. Wells Fargo Bank, N.A. , 714. F.3d 769, 781 (4th Cir. 2013) (quoting FED. R. CIV. P. ... Bank of La v. Marriott Int'l, Inc. , 438. F.Supp.3d 433, 442 (D. Md. 2020) (quoting ......
  • In re Blackbaud Inc.
    • United States
    • United States District Courts. 4th Circuit. United States District Court of South Carolina
    • October 19, 2021
    ...... represented that sensitive. . 2 . . information such as SSNs and bank account numbers were not. compromised in the Ransomware Attack, Blackbaud informed. ... . 5 . . to the plaintiff. See Bank of Louisiana v. Marriott. Int'l, Inc. , 438 F.Supp.3d 433, 443 (D. Md. 2020). (claim for negligence would not ......
  • Request a trial to view additional results

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT