In re Marriott Int'l, Inc. Customer Data Sec. Breach Litig.

Decision Date: 03 May 2022
Docket Number: MDL 19-md-2879
Parties: IN RE MARRIOTT INTERNATIONAL, INC., CUSTOMER DATA SECURITY BREACH LITIGATION CONSUMER ACTIONS
Court: U.S. District Court — District of Maryland
MEMORANDUM OPINION

PAUL W. GRIMM, UNITED STATES DISTRICT JUDGE

This case involves consolidated class action claims filed by consumers against Marriott and Accenture related to a data breach of the Marriott-owned Starwood Hotels and Resorts Inc.[1] It is part of the Multidistrict Litigation ("MDL") pending before me concerning the data breach. Consumer Plaintiffs ("Plaintiffs") and Marriott and Accenture ("Defendants") selected ten "bellwether" claims to test the sufficiency of the pleadings, which include tort, contract, and statutory claims under the laws of various states.[2] Following the resolution of Defendants' motions to dismiss, nine bellwether claims remain. Plaintiffs now move to certify classes for monetary damages, liability issues, and injunctive relief under Federal Rules of Civil Procedure 23(b)(3), 23(c)(4), and 23(b)(2), respectively.[3] For the reasons discussed below, Plaintiffs' motion is GRANTED IN PART, and DENIED IN PART.[4]

FACTUAL BACKGROUND

On November 30, 2018, Marriott announced that it was the target of one of the largest data breaches in history. Pls.' Tab 18.[5] The breach took place in its Starwood guest reservation database. Id. Marriott International acquired Starwood Hotels and Resorts in September 2016. When guests make a reservation to stay at a Marriott property, they must provide personal information including name, address, email address, phone number, and payment card information. Pls.' Tab 19. In some instances, Marriott also collects passport information, room preferences, travel destinations and other personal information. Id. Both Marriott and Starwood had privacy statements, dated May 18, 2018 and October 5, 2014 respectively, concerning their collection and use of this personal information and touting their ability to protect the security of this sensitive information. Pls.' Tab 50. Investigations into the data breach indicated that for over four years, from July 2014 to September 2018, hackers had access to Starwood's guest information database – the "New" Data Storage ("NDS") database. Pls.' Tabs 18-19. In other words, the data breach was ongoing before and after Marriott's acquisition of Starwood. During the data breach, the hackers exported customers' personally identifiable information ("PII"). Pls.' Tab 19. Marriott discovered the breach on September 8, 2018 when Accenture – a consulting company Starwood contracted to provide data security services, see Tab 48 – reported an anomaly pertaining to the NDS database. Pls.' Tab 18. In total, the breach impacted approximately 133.7 million guest records associated with the United States, including an estimated 47.7 million records associated with the bellwether states. Defs.' Ex. 12.[6]

Plaintiffs are consumers who provided their PII to Marriott to stay at a Starwood property or use Starwood's services before the data breach. Plaintiffs allege that Marriott and Accenture are liable for the data breach under theories of tort, contract, and breach of statutory duties.[7] The gravamen of these allegations is that Marriott and Accenture failed to take reasonable steps to protect Plaintiffs' personal information against the foreseeable risk of a cyberattack and, in the case of Marriott, contrary to its express privacy statements and statutory duties.

Pending is Plaintiffs' motion to certify thirteen damages classes and subclasses under Rule 23(b)(3), various liability issues under Rule 23(c)(4), and a class for injunctive or declaratory relief under Rule 23(b)(2).

LEGAL STANDARD

Federal Rule of Civil Procedure 23 contains the requirements for class certification. A class action must first meet the prerequisites of Rule 23(a):

(a) Prerequisites. One or more members of a class may sue or be sued as representative parties on behalf of all members only if:
(1) the class is so numerous that joinder of all members is impracticable;
(2) there are questions of law or fact common to the class;
(3) the claims or defenses of the representative parties are typical of the claims or defenses of the class; and
(4) the representative parties will fairly and adequately protect the interests of the class.

Fed. R. Civ. P. 23(a); see also Wal-Mart Stores, Inc. v. Dukes, 564 U.S. 338, 349 (2011); EQT Prod. Co. v. Adair, 764 F.3d 347, 357 (4th Cir. 2014). These prerequisites are commonly referred to as "numerosity, commonality, typicality, and adequacy of representation." Id.

In addition to meeting the requirements of Rule 23(a), a class action must fit one of the categories in Rule 23(b). As relevant here, Rule 23(b)(2) provides that a class action may be maintained if "the party opposing the class has acted or refused to act on grounds that apply generally to the class, so that final injunctive relief or corresponding declaratory relief is appropriate respecting the class as a whole." Fed.R.Civ.P. 23(b)(2). In addition, Rule 23(b)(3) provides that a class action may be maintained if "the court finds that the questions of law or fact common to class members predominate over any questions affecting only individual members, and that a class action is superior to other available methods for fairly and efficiently adjudicating the controversy." Fed.R.Civ.P. 23(b)(3). Factors relevant to the "predominance" and "superiority" requirements include:

(A) the class members' interests in individually controlling the prosecution or defense of separate actions;
(B) the extent and nature of any litigation concerning the controversy already begun by or against class members;
(C) the desirability or undesirability of concentrating the litigation of the claims in the particular forum; and
(D) the likely difficulties in managing a class action.

Id.; see also Thorn v. Jefferson-Pilot Life Ins. Co., 445 F.3d 311, 319 (4th Cir. 2006).

Federal Rule of Civil Procedure 23(c)(4) states that, "[w]hen appropriate, an action may be brought or maintained as a class action with respect to particular issues." Fed.R.Civ.P. 23(c)(4). A class action for particular issues under Rule 23(c)(4) must then meet the requirements of Rule 23(a) and the criteria for one of the types of class actions in Rule 23(b). See Gunnells v. Healthplan Servs., Inc., 348 F.3d 417, 439 (4th Cir. 2003).

In addition to the explicit requirements listed in Rule 23, the Fourth Circuit has recognized that Rule 23 "contains an implicit threshold requirement that the members of a proposed class be 'readily identifiable.'" EQT Prod. Co., 764 F.3d at 358. This is commonly referred to as the "ascertainability" requirement. See id.

Rule 23 "'does not set forth a mere pleading standard.'" Comcast Corp. v. Behrend, 569 U.S. 27, 33 (2013) (quoting Wal-Mart, 564 U.S. at 350). Instead, "a party must ... 'be prepared to prove that there are in fact sufficiently numerous parties, common questions of law or fact,' typicality of claims or defenses, and adequacy of representation, as required by Rule 23(a)." Id. (quoting Wal-Mart, 564 U.S. at 350). Likewise, "[t]he party must also satisfy through evidentiary proof at least one of the provisions of Rule 23(b)." Id. "It is the plaintiffs' burden to demonstrate compliance with Rule 23, but the district court has an independent obligation to perform a 'rigorous analysis' to ensure that all of the prerequisites have been satisfied." EQT Prod. Co., 764 F.3d at 358 (citing Wal-Mart, 564 U.S. at 350).

"Frequently that 'rigorous analysis' will entail some overlap with the merits of the plaintiff's underlying claim." Wal-Mart, 564 U.S. at 350. "Although Rule 23 does not give district courts a 'license to engage in free-ranging merits inquiries at the certification stage,' a court should consider merits questions to the extent 'that they are relevant to determining whether the Rule 23 prerequisites for class certification are satisfied.'" EQT Prod. Co., 764 F.3d at 357-58 (quoting Amgen Inc. v. Conn. Ret. Plans & Tr. Funds, 568 U.S. 455, 466 (2013)).

DISCUSSION

Plaintiffs move to certify classes for monetary damages under Rule 23(b)(3), for liability issues under Rule 23(c)(4), and for injunctive or declaratory relief under Rule 23(b)(2). Before addressing the requirements for these specific class action types, I will address standing and the explicit, as well as implicit, Rule 23(a) prerequisites that are applicable to all class action types.

I. Standing

In class actions, "the standing inquiry focuses on the class representatives." 2 W. Rubenstein, Newberg on Class Actions § 2:3 (5th ed. 2021). For a class representative, or named plaintiff, to establish standing, he or she must have (1) "suffered an 'injury in fact' that is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical," (2) "fairly traceable to the challenged action of the defendant," and (3) "likely ... [to] be redressed by a favorable decision." Bishop v. Bartlett, 575 F.3d 419, 423 (4th Cir. 2009); see also Lujan v. Defs. of Wildlife, 504 U.S. 555, 560-61 (1992) (same). Each of the elements of standing "must be supported in the same way as any other matter on which the plaintiff bears the burden of proof, i.e., with the manner and degree of evidence required at the successive stages of the litigation." Overbey v. Mayor of Baltimore, 930 F.3d 215, 227 (4th Cir. 2019) (quoting Lujan, 504 U.S. at 561). For example, "[a]t the pleading stage, general factual allegations of injury resulting from the defendant's conduct may suffice," but at the summary judgment stage, plaintiffs "must 'set forth' by affidavit or other evidence 'specific facts'" supporting standing. Lujan, 504 U.S. at 561.

...
