In re Marriott Int'l, Inc. Customer Data Sec. Breach Litig.

Decision Date: 11 June 2021
Docket Number: MDL No. 19-md-2879
Parties: IN RE: MARRIOTT INTERNATIONAL, INC., CUSTOMER DATA SECURITY BREACH LITIGATION SECURITIES ACTIONS
Court: U.S. District Court — District of Maryland
MEMORANDUM OPINION

This case involves the consolidated class action complaint filed by Plaintiff Construction Laborers Pension Trust for Southern California against Defendants Marriott International, Inc. and nine of its corporate officers and directors for violations of the securities laws related to a data breach of the Marriott-owned Starwood Hotels and Resorts, Inc.1 It is part of the Multidistrict Litigation ("MDL") pending before me concerning the data breach. Plaintiff alleges that Defendants made 73 false or misleading statements or omissions in violation of Section 10(b) of the Securities Exchange Act of 1934 ("Exchange Act") and SEC Rule 10b-5 promulgated thereunder ("Rule 10b-5"). Plaintiff also brings a claim for secondary liability under Exchange Act Section 20(a). Defendants moved to dismiss under the Private Securities Litigation Reform Act of 1995 ("PSLRA"), and Rules 12(b)(6) and 9(b) of the Federal Rules of Civil Procedure.2 As explained below, Defendants' motion to dismiss is granted because Plaintiff has failed to adequately allege a false or misleading statement or omission, a strong inference of scienter, and loss causation. Plaintiff's claims are dismissed with prejudice.

BACKGROUND

Plaintiff Construction Laborers Pension Trust for Southern California is a multi-employer pension plan that alleges it acquired thousands of shares of Marriott's securities and incurred substantial losses caused by allegedly false and misleading statements and omissions related to the data breach. ¶ 49. Plaintiff brings claims on behalf of itself and all persons and entities who purchased or otherwise acquired Marriott's publicly traded securities from November 16, 2015 to November 29, 2018 (the "Class Period") and who were damaged as a result of the allegedly false and misleading statements and omissions related to the data breach. ¶ 1.

Plaintiff names as defendants Marriott, along with nine of its corporate officers and board members (collectively, the "Individual Defendants"). Marriott is a worldwide operator, franchisor, and licensor of hotel, residential, and timeshare properties that is incorporated in Delaware and headquartered in Bethesda, Maryland. ¶ 50. Four of the Individual Defendants are Marriott corporate officers: Mr. Arne Sorenson, Marriott's Chief Executive Officer since 2012 and a board member since 2011 until his recent death in 2021; Ms. Kathleen Oberg, Marriott's Chief Financial Officer since 2016; Mr. Bao Giang Val Bauduin, Marriott's Chief Accounting Officer since 2014; and Mr. Bruce Hoffmeister, Marriott's Chief Information Officer since 2011, though Defendants state that he has recently retired. ¶¶ 51-54. The five remaining Individual Defendants are current or former members of Marriott's Board of Directors and Audit Committee. At the start of the Class Period, the Audit Committee had three members: Defendants Ms. Mary Bush, Mr. Frederick Henderson, and Mr. Lawrence Kellner. ¶ 55. On September 23, 2016, the Audit Committee expanded to four members: Defendants Ms. Mary Bush, Mr. Frederick Henderson, Mr. George Muñoz, and Mr. Aylwin Lewis. Id.

Plaintiff's allegations are centered on Marriott's acquisition of Starwood Hotels and Resorts Worldwide and a subsequently identified breach of Starwood's guest reservations database. On November 16, 2015, Marriott announced that it would acquire Starwood. ¶ 122. Before the merger closed, Marriott conducted due diligence on Starwood, including on its IT systems. ¶ 136. Marriott continually updated investors on the progress of the Starwood merger in its SEC filings and other public statements. These statements form the basis of Plaintiff's claims and are discussed in detail below. The merger closed on September 23, 2016, at which point Marriott subsumed Starwood's assets, liabilities, and operations. ¶ 50.

On September 7, 2018, IBM Guardium, a security tool used by Marriott, generated an alert that an unknown user had run a query in the Starwood guest reservation database. ¶ 32. Accenture, a third-party IT contractor that was tasked with running the Starwood guest reservation database, alerted Marriott the following day. Id. Marriott brought in third-party investigator Crowdstrike two days later. Id. On September 17, 2018, Crowdstrike found malware that could be used to access or monitor a computer. ¶ 256. Mr. Sorenson informed the Board the next day. Id. The investigation continued and on November 13, 2018, Crowdstrike discovered that two encrypted files had been deleted. ¶ 259. On November 19, 2018, Crowdstrike discovered that the files contained customers' personal information. Id. On that day, Marriott began preparing to notify affected guests, and on November 30, 2018, Marriott publicly announced the data breach. Id.; ¶ 262.

Following the announcement of the data breach, Marriott contracted Verizon to conduct a forensic investigation of the incident. ¶ 331. Verizon conducted the investigation and authored a report on its findings, known as the Payment Card Industry Forensic Investigator ("PFI") Report. The PFI Report found that Starwood's systems were compromised for a period of more than four years, starting as early as July 28, 2014. ¶ 331. Therefore, the data breach was occurring for approximately two years before and after Marriott's acquisition of Starwood. The PFI Report's findings include that Starwood's system (1) allowed for insecure remote access; (2) lacked or had insufficient access/query and firewall logging; (3) lacked monitoring and logging of remote access; and (4) Starwood inadvertently stored payment account numbers on systems and in databases that were not designated for the storage of payment account numbers. ¶ 335. The data breach compromised the personal information of more than 380 million people, including name, payment card data, passport information, traveling companions, and home address. ¶ 618. The scope of the breach gives it the inauspicious designation of the second largest data breach in history. Id.

On December 1, 2018, the day after the data breach was announced, a litigant filed the first securities class action lawsuit against Marriott. See McGrath v. Marriott Int'l, Inc., No. 18-6845 (E.D.N.Y. Dec. 1, 2018). The Judicial Panel on Multidistrict Litigation transferred that lawsuit to this Court. ECF No. 1. I consolidated the securities class actions and appointed Construction Laborers Pension Trust for Southern California and its counsel as lead plaintiff and counsel. See ECF No. 238. Now on its third amended consolidated complaint, Plaintiff alleges two counts. The first count is brought under Section 10(b) of the Exchange Act and Rule 10b-5 for alleged false and misleading statements and omissions. ¶¶ 656-63. The second count is for secondary liability for control persons under Section 20(a) of the Exchange Act. ¶¶ 664-72. Pending is Defendants' motion to dismiss under the PSLRA and Rules 12(b)(6) and 9(b) of the Federal Rules of Civil Procedure. ECF No. 647.

STANDARD OF REVIEW

Federal Rule of Civil Procedure 12(b)(6) provides for the dismissal of a complaint for "failure to state a claim upon which relief can be granted." This rule's purpose "is to test the sufficiency of a complaint and not to resolve contests surrounding the facts, the merits of a claim, or the applicability of defenses." Presley v. City of Charlottesville, 464 F.3d 480, 483 (4th Cir. 2006). A complaint must contain "a short and plain statement of the claim showing that the pleader is entitled to relief." Fed. R. Civ. P. 8(a)(2). Specifically, plaintiff must establish "facial plausibility" by pleading "factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). But "[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice." Id. Well-pleaded facts as alleged in the complaint are accepted as true. See Aziz v. Alcolac, 658 F.3d 388, 390 (4th Cir. 2011). Factual allegations must be construed "in the light most favorable to [the] plaintiff." Adcock v. Freightliner LLC, 550 F.3d 369, 374 (4th Cir. 2008) (quoting Battlefield Builders, Inc. v. Swango, 743 F.2d 1060, 1062 (4th Cir. 1984)).

Where, as here, the allegations in a complaint sound in fraud, the plaintiff also must satisfy the heightened pleading requirements of Federal Rule of Civil Procedure 9(b) by "stat[ing] with particularity the circumstances constituting fraud." This requires that the plaintiff allege "the time, place, and contents of the false representations, as well as the identity of the person making the misrepresentation and what he obtained thereby." Harrison v. Westinghouse Savannah River Co., 176 F.3d 776, 784 (4th Cir. 1999) (internal quotation marks omitted).

Because Plaintiff alleges securities fraud under Exchange Act Section 10(b) and SEC Rule 10b-5, he must also face the higher burden imposed by Congress in the PSLRA, 15 U.S.C. § 78u-4. For each alleged material misrepresentation or omission, "the complaint shall specify each statement alleged to have been misleading, the reason or reasons why the statement is misleading, and, if an allegation regarding the statement or omission is made on information and belief, the complaint shall state with particularity all facts on which that belief is formed." 15 U.S.C. § 78u-4(b)(1). In addition, for each alleged misrepresentation or omission, the complaint must "state with particularity facts giving rise to a strong inference that the defendant acted with the required state of mind." 15 U.S.C. § 78u-4(b)(2). If a complaint fails to meet these requirements, it must be dismissed. 15 U.S.C. § 78u-4(b)(3)(A).
