With Plenty of Plaintiffs, Lawyers Flood the Courts Over Marriott's Massive Breach
Lawyers have moved to coordinate suits into multidistrict litigation and questioned an arbitration clause in Marriott's free internet monitoring program offered to its customers.
December 03, 2018 at 07:30 PM
5 minute read
Lawyers rushed to bring about a dozen class actions over Marriott's data breach—and with about 500 million people potentially impacted, they didn't have to go far to find a plaintiff.
“There are so many people that have been potentially compromised, which means basically people could trip over a plaintiff if they just walk outside,” said Amy Keller, who filed one the lawsuits. Marriott announced Nov. 30 that hackers breached the reservations program of its Starwood properties, which include W Hotels and the Westin Hotels & Resorts.
Keller's Chicago firm, DiCello Levitt & Casey, partnered in its case with Washington, D.C.-based Cohen, Milstein, Sellers & Toll and Hausfeld. That team brought a motion Monday to coordinate all the Marriott consumer cases into multidistrict litigation.
Keller said she expected hundreds of lawsuits against Marriott, which the suits allege failed to protect the personal information of its guests for four years. The suits also challenge Marriott's response to the breach, both in delaying its announcement by several months and offering a free internet monitoring service for one year that they consider insufficient.
On Monday, Keller's firm sent a letter to Marriott CEO Arne Sorenson and general counsel Rena Hozore Reiss asking whether the hotel chain plans to enforce an arbitration agreement in the internet monitoring program, called WebWatcher, that included a class action waiver.
“WebWatcher does have a clause that could prevent individuals from seeking relief on a class basis,” she said. “There have been some cases where companies have inserted arbitration clauses that provide for arbitration of any past disputes, and we want to make sure they're not trying to do that here.”
A Marriott spokeswoman declined to comment about the lawsuits.
But in a statement Nov. 30, Sorenson said: “We deeply regret this incident happened. We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
In a filing with the U.S. Securities and Exchange Commission, Marriott said it did not anticipate the breach would affect its long-term financial health given its “meaningful cash flow each year.” But it gave no dollar figure to the estimated cost.
“It is premature to estimate the financial impact to the company,” the filing stated. “The company carries insurance, including cyber insurance, commensurate with its size and the nature of its operations. The company is working with its insurance carriers to assess coverage.”
As of Monday, lawsuits were in federal courts in Maryland, California, Massachusetts and Illinois, and in Multnomah County Circuit Court in Oregon. At least one class action is in New York federal court on behalf of shareholders of Marriott, incorporated in Delaware, but many other firms are investigating securities fraud claims. Marriott shares fell 5 percent after the Nov. 30 announcement of the breach.
New York Attorney General Barbara Underwood also has opened an investigation.
Monday's petition before the U.S. Judicial Panel on Multidistrict Litigation advocated for all the consumer cases to go to Maryland, home to Marriott's headquarters. In particular, it requested U.S. District Judge Theodore Chuang, a 2014 Obama appointee who was deputy general counsel of the U.S. Homeland Security Department.
The sheer magnitude of the breach—second only in size to Yahoo's breaches involving 3 billion of its account holders—has lawyers predicting that a potential settlement could be large. Yahoo settled its litigation on Oct. 22 for $85 million, among the largest of any data breach settlements.
But there are some distinctions in the Marriott breach. The types of data compromised—names, addresses, passport numbers, and some credit and debit card numbers, along with Marriott customer travel information and reward points—set the case apart from other data breaches, said Gary Mason of Whitfield Bryson & Mason in Washington, D.C., who filed a suit with Philadelphia's Levin Sedran & Berman.
“Someone thinks they can use this data; it's a rich and robust data set,” he said. “It's not like a credit card where they can take that money and move on.”
“All data breaches are horrible, and its impact on people's lives could be disastrous,” said Ben Meiselas of Los Angeles-based Geragos & Geragos, which, along with Michael Fuller of Oregon's OlsenDaines, filed the Multnomah County Circuit Court case, which sought $12.5 billion. “But there is something particularly unsettling about the Marriott data breach in that it feels like a physical space which is supposed to be safe and secure when consumers' travel has been invaded.”
Lawyers also are pointing to Marriott's actions. Lawsuits question why Marriott waited until Nov. 30 to announce a breach when it first got a security alert Sept. 8. In both the consumer and shareholder actions, lawyers questioned how Marriott failed to discover the breach when it acquired Starwood in 2016 for $13.6 billion, making it the largest hotel company in the world.
Marriott said it has set up a dedicated website and call center and would offer customers the “WebWatcher” program. But the lawsuits say that's not as good as credit monitoring and that hackers could simply wait a year to steal their identities.
There's also the question of whether Kroll's arbitration clause could thwart the ability of consumers to bring class actions. The same issue arose with Equifax's credit monitoring service offered in the wake of its 2017 breach that impacted 143 million people.
Keller, who is co-lead counsel for consumers in the multidistrict litigation over Equifax's data breach, said: “Equifax had signed people up for additional monitoring and initially had an arbitration clause in the product that extended to everyone impacted by the data breach until the lawyers raised a ruckus.”
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All'Serious Disruptions'?: Federal Courts Brace for Government Shutdown Threat
3 minute read'Unlawful Release'?: Judge Grants Preliminary Injunction in NASCAR Antitrust Lawsuit
3 minute read'Almost Impossible'?: Squire Challenge to Sanctions Spotlights Difficulty of Getting Off Administration's List
4 minute readTrending Stories
- 1Authenticating Electronic Signatures
- 2'Fulfilled Her Purpose on the Court': Presiding Judge M. Yvette Miller Is 'Ready for a New Challenge'
- 3Litigation Leaders: Greenspoon Marder’s Beth-Ann Krimsky on What Makes Her Team ‘Prepared, Compassionate and Wicked Smart’
- 4A Look Back at High-Profile Hires in Big Law From Federal Government
- 5Grabbing Market Share From Rivals, Law Firms Ramped Up Group Lateral Hires
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250