In re Marriott Int'l, Inc. Customer Data Sec. Breach Litig.
| Decision Date | 11 June 2021 |
| Docket Number | MDL No. 19-md-2879 |
| Parties | IN RE: MARRIOTT INTERNATIONAL, INC., CUSTOMER DATA SECURITY BREACH LITIGATION DERIVATIVE ACTIONS |
| Court | U.S. District Court — District of Maryland |
This case is a derivative action filed by John P. Moore on behalf of Marriott International, Inc. related to a data breach of the Marriott-owned Starwood Hotels and Resorts, Inc.1 It is part of the Multidistrict Litigation ("MDL") pending before me concerning the data breach. Plaintiff brings claims against sixteen of Marriott's corporate officers and directors for violations of the federal securities laws and for corporate mismanagement under the laws of Delaware. Pending is Defendants' motion to dismiss.2 This motion is granted. Plaintiff's federal securities claims are dismissed for failure to adequately plead the ownership and demand requirements for a derivative action under Federal Rule of Civil Procedure 23.1 and for failure to state a claim under Federal Rule of Civil Procedure 12(b)(6). These claims are dismissed with prejudice because Plaintiff has already amended his Complaint twice and further amendment would be futile. The Court declines to exercise supplemental jurisdiction over Plaintiff's remaining Delaware state law claims, which are dismissed without prejudice.
BACKGROUND
This MDL is proceeding before me in five separate tracks, comprised of class action claims brought by Consumer Plaintiffs (the "Consumer Track"), claims brought by the City of Chicago (the "Government Track"), class action claims brought by the Bank of Louisiana (the "Financial Institutions Track"), class action claims brought by a Marriott shareholder (the "Securities Track"), and the instant claims, brought by a Marriott shareholder as a derivative action (the "Derivative Track"). The background to these cases is described in prior memorandum opinions in this MDL and need not be repeated here. See, e.g., ECF No. 540 ("Consumer Track Motion to Dismiss Memorandum Opinion"), published at In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig., 440 F. Supp. 3d 447 (D. Md. 2020); ECF No. 809 ("Securities Track Motion to Dismiss Memorandum Opinion"). The relevant facts as alleged in the instant complaint are as follows.
Plaintiff John P. Moore alleges that "he is, and was at relevant times, a shareholder of Marriott." ¶ 23. As an alleged shareholder, he brings this suit as a derivative action on behalf of nominal defendant Marriott. Marriott is one of the largest hospitality companies in the world, and operates, franchises, and licenses hotel, residential, and timeshare properties worldwide. ¶¶ 25, 125. Marriott is incorporated in Delaware and headquartered in Bethesda, Maryland. ¶ 25.
In addition to nominal defendant Marriott, Plaintiff brings claims against thirteen members of Marriott's Board of Directors: J.W. Marriott, Jr., Mary K. Bush, Bruce W. Duncan, Deborah Marriott Harrison, Frederick A. Henderson, Eric Hippeau, Lawrence W. Kellner, Debra L. Lee, Aylwin B. Lewis, George Muñoz, Steven S. Reinemund, Susan C. Schwab, and Arne M. Sorenson. ¶¶ 26-45. Collectively, these board members are referred to as the "Director Defendants."
Ms. Henderson, Ms. Bush, Mr. Lewis, Mr. Kellner, and Mr. Muñoz served on Marriott's audit committee, and are referred to collectively as the "Audit Committee Defendants."
Mr. Sorenson served as Marriott's President and Chief Executive Officer since 2012, until his recent death in 2021. ¶ 34. In addition to Mr. Sorenson, Plaintiff brings claims against three other Marriott officers: Kathleen Oberg, Marriott's Chief Financial Officer and Executive Vice President since 2016; Bao Giang Val Bauduin, Marriott's Chief Accounting Officer since 2014; and Bruce Hoffmeister, Marriott's Chief Information Officer since 2011, though Defendants state that he has recently retired. ¶¶ 46-49. Collectively, Mr. Sorenson, Ms. Oberg, Mr. Bauduin, and Mr. Hoffmeister are referred to as the "Officer Defendants."
Plaintiff's allegations center on Marriott's acquisition of Starwood Hotels and Resorts Worldwide and a subsequently identified breach of Starwood's guest reservations database. On November 16, 2015, Marriott announced that it would acquire Starwood. ¶ 117. Before the merger closed, Marriott conducted due diligence on Starwood, including on its IT systems. ¶ 6. Marriott continually updated investors on the progress of the Starwood merger in its SEC filings and other public statements. Id. These statements form the basis of Plaintiff's federal securities claims discussed below. The merger closed on September 23, 2016. ¶ 4.
On September 8, 2018, Marriott's information technology team was notified by Accenture, a third-party information technology contractor, of an alert from a security tool called IBM Guardium that had occurred the previous day. ¶ 132. Marriott brought in a third-party investigator two days later. ¶ 133. On September 17, 2018, the third-party investigator found malware that could be used to access or monitor a computer. Id. Mr. Sorenson informed the Board the next day. Id. On November 13, 2018, the third-party investigator discovered that two encrypted files had been deleted. ¶ 135. On November 19, 2018, the investigator discovered that the files contained customers' personal information. Id. On November 30, 2018, Marriott publicly announced the data breach. ¶ 137.
Marriott entered into a contract with Verizon to conduct a forensic investigation of the incident. ¶ 205. Verizon conducted the investigation and authored a report on its findings, known as the Payment Card Industry Forensic Investigator ("PFI") Report. The PFI Report did not bring good news. It found that Starwood's systems were compromised for a period of more than four years, starting as early as July 28, 2014. ¶ 209. Therefore, the data breach was occurring for approximately two years before and after Marriott's acquisition of Starwood. The PFI Report's findings include that Starwood's system (1) allowed for insecure remote access; (2) lacked or had insufficient access/query and firewall logging; (3) lacked monitoring and logging of remote access; and (4) Starwood inadvertently stored payment account numbers on systems and in databases that were not designated for the storage of sensitive payment account numbers. ¶ 208. The data breach compromised the personal information of up to 500 million people, including names, payment card data, passport information, traveling companions, and mailing addresses. ¶ 409.
On February 26, 2019, Plaintiff filed a derivative action in the Southern District of New York. See Moore v. Marriott, No. 19-1776 (S.D.N.Y. Feb. 26, 2019). It was consolidated with a derivative action filed by Mr. Edmund Alves and transferred to this Court for pretrial proceedings as part of the MDL.3 Plaintiff brings claims for violation of the Securities Exchange Act of 1934 ("Exchange Act") Section 10(b) and SEC Rule 10b-5, Exchange Act Section 20(a), and Exchange Act Section 14(a) and SEC Rule 14a-9 (the "federal securities claims"). Plaintiff also brings claims under Delaware state law for breach of fiduciary duty, waste of corporate assets, and unjust enrichment (the "Delaware state law claims"). Pending is Defendants' motion to dismiss underRules 12(b)(1), 12(b)(6), and 23.1 of the Federal Rules of Civil Procedure and under the Private Securities Litigation Reform Act of 1995 ("PSLRA").
Federal Rule of Civil Procedure 12(b)(1) governs motions to dismiss for lack of subject matter jurisdiction. See Khoury v. Meserve, 268 F. Supp. 2d 600, 606 (D. Md. 2003), aff'd, 85 F. App'x 960 (4th Cir. 2004). Under Rule 12(b)(1), the plaintiff bears the burden of proving, by a preponderance of evidence, the existence of subject matter jurisdiction. See Demetres v. E. W. Constr., Inc., 776 F.3d 271, 272 (4th Cir. 2015); see also Evans v. B.F. Perkins Co., 166 F.3d 642, 647 (4th Cir. 1999). A challenge to subject matter jurisdiction under Rule 12(b)(1) may proceed in two ways: either by a facial challenge, asserting that the allegations pleaded in the complaint are insufficient to establish subject matter jurisdiction, or a factual challenge, asserting "that the jurisdictional allegations of the complaint [are] not true." Kerns v. United States, 585 F.3d 187, 192 (4th Cir. 2009) (citing Adams v. Bain, 697 F.2d 1213, 1219 (4th Cir. 1982)) (alteration in original). Here Defendants bring a facial challenge to Plaintiff's Article III standing. Def. Mot. at 9-10. In a facial challenge, "the facts alleged in the complaint are taken as true, and the motion must be denied if the complaint alleges sufficient facts to invoke subject matter jurisdiction." Kerns, 585 F.3d at 192.
Federal Rule of Civil Procedure 12(b)(6) provides for the dismissal of a complaint for "failure to state a claim upon which relief can be granted." This rule's purpose "is to test the sufficiency of a complaint and not to resolve contests surrounding the facts, the merits of a claim, or the applicability of defenses." Presley v. City of Charlottesville, 464 F.3d 480, 483 (4th Cir. 2006). A complaint must contain "a short and plain statement of the claim showing that the pleader is entitled to relief." Fed. R. Civ. P. 8(a)(2). Specifically, plaintiff must establish "facialplausibility" by pleading "factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). But "[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice." Id. Well-pleaded facts as alleged in the complaint are accepted as true. See Aziz v. Alcolac, 658 F.3d 388, 390 (4th Cir. 2011). Factual allegations must be construed "in the light most favorable to [the] plaintiff." Adcock v. Freightliner LLC, 550 F.3d 369, 374 (4th Cir. 2008) (quoting Battlefield Builders, Inc. v. Swango, 743 F.2d 1060, 1062 ...
To continue reading
Request your trial