In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig., MDL No. 19-md-2879

Decision Date21 February 2020
Docket NumberMDL No. 19-md-2879
Citation440 F.Supp.3d 447
Parties IN RE: MARRIOTT INTERNATIONAL, INC., CUSTOMER DATA SECURITY BREACH LITIGATION Consumer Actions
CourtU.S. District Court — District of Maryland
MEMORANDUM OPINION

Paul W. Grimm, United States District Judge

This case involves the consolidated complaint filed by consumers against Marriott and related entities following one of the largest data breaches in history.1 It is part of the Multidistrict Litigation ("MDL") pending before me concerning the data breach. The Plaintiffs and Marriott have selected ten "bellwether" claims to test the sufficiency of the pleadings.2 Plaintiffs argue that Marriott is liable under theories of tort, contract, and statutory duties in various states. Defendants moved to dismiss, arguing that Plaintiffs lack standing and failed to state a claim. Def. Mot., ECF Nos. 450, 451.3 For the reasons discussed below, Defendants' motion to dismiss Plaintiffs' claim for negligence under Illinois law is granted. Defendants motion to dismiss the remaining tort, contract, and statutory claims is denied.

Factual Background

On November 30, 2018, Marriott announced that it was the target of one of the largest data breaches in history. Compl. ¶ 1. The breach took place in its Starwood guest reservation database. Compl. ¶¶ 1, 172–93. Marriott International acquired Starwood Hotels & Resorts in September 2016. Compl. ¶ 98. This acquisition made Marriott the largest hotel chain in the world – accounting for 1 in 15 hotel rooms worldwide – with Marriott, Courtyard, Ritz-Carlton, Sheraton, Westin, W Hotels, and St. Regis properties under its umbrella. Compl. ¶ 98. When guests make a reservation to stay at a Marriott property, they must provide personal information including name, address, email address, phone number, and payment card information. Compl. ¶ 99. In some instances, Marriott also collects passport information, room preferences, travel destinations, and other personal information. Compl. ¶ 99. Both Marriott and Starwood had privacy statements, dated May 18, 2018 and October 5, 2014 respectively, concerning their collection and use of this personal information and touting their ability to protect the security of this sensitive information. Compl. ¶¶ 100–03, 113.

Investigations into the data breach indicated that for over four years, from July 2014 to September 2018, hackers had access to Starwood's guest information database. Compl. ¶ 2. In other words, the data breach was ongoing before and after Marriott's acquisition of Starwood. Plaintiffs allege that Marriott failed to conduct appropriate due diligence of Starwood's cybersecurity risks before and after the merger, despite the fact that Starwood disclosed a data breach affecting more than 50 locations days before Marriott's announcement of the merger, and after knowing that it and other hotel chains were the targets of security threats in the months and years preceding the data breach. Compl. ¶¶ 120; 139–65. Plaintiffs allege that several cybersecurity assessments that were conducted revealed deficiencies in Starwood's system. Compl. ¶¶ 124–33.

During the course of the four-year data breach, the hackers allegedly stole names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, gender, arrival and departure information, reservation dates, communication preferences, payment card numbers, payment card expiration dates, and tools needed to decrypt cardholder data. Compl. ¶ 2. Further, several files that the hackers exfiltrated were deleted, so Marriott does not fully know how much data was stolen. Compl. ¶ 2. In total, Marriott allegedly disclosed that the breach impacted at least 383 million guest records, including nearly 24 million passport numbers and more than 9 million credit and debit cards. Compl. ¶ 3. Plaintiffs allege that Marriott discovered the breach on September 8, 2018 when Accenture (a consulting company providing cybersecurity assistance to defendants, and now a third-party defendant itself) reported an anomaly on Starwood's database, but that Marriott waited more than two months to notify guests. Compl. ¶¶ 178, 187, 194.

Plaintiffs are consumers who allegedly provided their personal information to Marriott to stay at a Marriott property or use Marriott's services before the data breach. See Compl. ¶¶ 25– 28, 34–39, 42–43, 52–53, 55–56, 70–72, 77. Plaintiffs allege that Marriott is liable for the data breach under theories of tort, contract, and breach of statutory duties. The gravamen of these allegations is that Marriott failed to take reasonable steps to protect Plaintiffs' personal information against the foreseeable risk of a cyber attack and contrary to their express privacy statements and statutory duties.

Pending is Defendants' motion to dismiss the bellwether claims under Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6). Defendants argue that most of the Plaintiffs lack standing and that all of the Plaintiffs failed to state claims upon which relief could be granted.

Standard of Review

Federal Rule of Civil Procedure 12(b)(6) provides for the dismissal of a complaint for "failure to state a claim upon which relief can be granted." This rule's purpose "is to test the sufficiency of a complaint and not to resolve contests surrounding the facts, the merits of a claim, or the applicability of defenses." Presley v. City of Charlottesville , 464 F.3d 480, 483 (4th Cir. 2006). A complaint must contain "a short and plain statement of the claim showing that the pleader is entitled to relief." Fed. R. Civ. P. 8(a)(2). Specifically, plaintiffs must establish "facial plausibility" by pleading "factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Ashcroft v. Iqbal , 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009). But "[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice." Id. Well-pleaded facts as alleged in the complaint are accepted as true. See Aziz v. Alcolac , 658 F.3d 388, 390 (4th Cir. 2011). And, factual allegations must be construed "in the light most favorable to [the] plaintiff." Adcock v. Freightliner LLC , 550 F.3d 369, 374 (4th Cir. 2008) (quoting Battlefield Builders, Inc. v. Swango , 743 F.2d 1060, 1062 (4th Cir. 1984) ).

Where the allegations in a complaint sound in fraud, the plaintiff also must satisfy the heightened pleading requirements of Federal Rule of Civil Procedure 9(b) by "stat[ing] with particularity the circumstances constituting fraud." This requires that the plaintiff allege "the time, place, and contents of the false representations, as well as the identity of the person making the misrepresentation and what he obtained thereby." Harrison v. Westinghouse Savannah River Co. , 176 F.3d 776, 784 (4th Cir. 1999) (internal quotation marks omitted).

Federal Rule of Civil Procedure 12(b)(1) governs motions to dismiss for lack of subject matter jurisdiction. See Khoury v. Meserve , 268 F. Supp. 2d 600, 606 (D. Md. 2003), aff'd , 85 F. App'x 960 (4th Cir. 2004). Under Rule 12(b)(1), the plaintiff bears the burden of proving, by a preponderance of evidence, the existence of subject matter jurisdiction. See Demetres v. E. W. Constr., Inc. , 776 F.3d 271, 272 (4th Cir. 2015) ; see also Evans v. B.F. Perkins Co. , 166 F.3d 642, 647 (4th Cir. 1999). A challenge to subject matter jurisdiction under Rule 12(b)(1) may proceed in two ways: either by a facial challenge, asserting that the allegations pleaded in the complaint are insufficient to establish subject matter jurisdiction, or a factual challenge, asserting " ‘that the jurisdictional allegations of the complaint [are] not true.’ " Kerns v. United States , 585 F.3d 187, 192 (4th Cir. 2009) (citing Adams v. Bain , 697 F.2d 1213, 1219 (4th Cir. 1982) ) (alteration in original); see Buchanan v. Consol. Stores Corp. , 125 F. Supp. 2d 730, 736 (D. Md. 2001). Here Defendants bring facial and factual challenges to Plaintiffs' Article III standing. Def. Mot. at 14.

In a facial challenge, "the facts alleged in the complaint are taken as true, and the motion must be denied if the complaint alleges sufficient facts to invoke subject matter jurisdiction." Kerns , 585 F.3d at 192. In a factual challenge "the district court is entitled to decide disputed issues of fact with respect to subject matter jurisdiction." Id. The court "may regard the pleadings as mere evidence on the issue and may consider evidence outside the pleadings without converting the proceeding to one for summary judgment." Velasco v. Gov't of Indonesia , 370 F.3d 392, 398 (4th Cir. 2004) (citing Adams , 697 F.2d at 1219 and Evans , 166 F.3d at 647 ).

Discussion
I. Standing

Marriott argues that most of the Bellwether Plaintiffs do not have standing, and therefore this Court lacks subject matter jurisdiction over their claims. Def. Mot. at 4.4 Each of the elements of standing "must be supported in the same way as any other matter on which the plaintiff bears the burden of proof, i.e. , with the manner and degree of evidence required at the successive stages of the litigation." Overbey v. Mayor of Baltimore , 930 F.3d 215, 227 (4th Cir. 2019) (quoting Lujan v. Defs. of Wildlife , 504 U.S. 555, 561, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992) ). "Thus, when a defendant challenges a plaintiff's standing, we analyze the challenge differently depending on the stage of litigation at which the challenge is brought and the substance of the defendant's arguments." Id. When, as here, " ‘standing is challenged on the pleadings, [the court will] accept as true all material allegations of the complaint and construe the complaint in favor of the complaining party.’ " Deal v. Mercer Cty. Bd. of Educ. , 911 F.3d 183, 187 (4th Cir. 2018) (quoting S. Walk at Broadlands Homeowner's Ass'n, Inc. v. OpenBand at Broadlands, LLC , ...

To continue reading

Request your trial
53 cases
  • Klein v. Facebook, Inc.
    • United States
    • U.S. District Court — Northern District of California
    • 14 January 2022
    ... ... Facebook's Motion to Dismiss Consumers Data Privacy Claims ... 785 1. Consumers Allege that ... of demand." In re Webkinz Antitrust Litig. , 695 F. Supp. 2d 987, 995 (N.D. Cal. 2010). In ... perceptions by consumers," "distinct customer targeting by manufacturers," "distinct analyses ... example, in a February 2017 filing with the SEC, Facebook stated that, although "some of our ... Speaks Out Over Cambridge Analytica Breach , BBC News (Mar. 22, 2018), ... injury and had standing."); In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig. , ... ...
  • In re Capital One Consumer Data Sec. Breach Litig.
    • United States
    • U.S. District Court — Eastern District of Virginia
    • 18 September 2020
    ... ... exploited to exfiltrate Capital One's customer data in the Data Breach. See id. 65-73. The Data ... Commercial Builders, Inc. , 936 F. 2d 1462, 1465 (4th Cir. 1991). Moreover, "the ... Cf. In re Marriott Int'l, Inc. , 440 F. Supp. 3d 447, 462-65 (D. Md. 2020) ... ...
  • Toretto v. Donnelley Fin. Solutions, Inc.
    • United States
    • U.S. District Court — Southern District of New York
    • 4 February 2022
    ... ... for negligence, negligence per se , breach of contracts to which Plaintiffs are third-party ... enrichment, violation of the California Customer Records Act (the "CRA"), violation of the ... Plaintiffs claims stem from a data breach of one of Mediant's email servers, in ... One Consumer Data Sec. Breach Litig. , 488 F. Supp. 3d 374, 396 (E.D ... See In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig. , ... Breach Litig. , No. 19-MD-2879, 2020 WL 6290670, at *15 (D. Md. Oct. 27, 2020) ... ...
  • Calhoun v. Google LLC
    • United States
    • U.S. District Court — Northern District of California
    • 17 March 2021
    ... ... Google's Alleged Collection of Plaintiffs Data Plaintiffs are users of Google's Chrome browser ... is linked, by the Google Analytics customer or by Google, using Google technology, with ... privacy; (7) intrusion upon seclusion; (8) breach of contract; (9) breach of the implied covenant ... , In re Google Assistant Privacy Litig. , 457 F. Supp. 3d 797, 81314 (N.D. Cal. 2020) ... Google, Inc. , 2016 WL 5339806, at *7 (N.D. Cal. Sept. 23, ... v. Sec. Pac. Bus. Credit, Inc. , 222 Cal. App. 3d 1371, ... In re Marriott Int'l, Inc. Cust. Data Sec. Breach Litig. , ... ...
  • Request a trial to view additional results
1 books & journal articles
  • Defining 'Reasonable' Cybersecurity: Lessons from the States.
    • United States
    • Yale Journal of Law & Technology No. 25, January 2023
    • 1 January 2023
    ...(185) Cal. Civ. Code [section] 1798.81.5(b) (West 2022). (186) Id. (187) In re Marriott Intl., Inc., Customer Data Sec. Breach Litig., 440 F. Supp. 3d 447, 495 (D. Md. 2020) (holding consumers "adequately alleged injury-in-fact in the form of losses from identity theft, imminent threat of i......

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT