Last month, U.S. District Judge Paul W. Grimm granted class certification to eight classes with claims against Marriott or Accenture LLP, a consulting company that worked with Marriott-owned Starwood Hotels and Resorts Inc. at the time of Marriott’s 2018 data breach. The massive breach that began in 2014 hacked the Starwood guest reservation system and went undetected by Marriott until 2018, affecting at least 133.7 million guest records. Marriott acknowledged in 2019 that the records included approximately 5.25 million unencrypted passport numbers and 20.3 million encrypted passport numbers, among other sensitive personal information regarding hotel stays.
In rejecting the defendants’ argument that the plaintiffs’ proposed damages implicated “too much individualized inquiry,” Judge Grimm noted that “[w]hile this class action presents management difficulties, those difficulties are ultimately outweighed by those associated with the alternative: thousands of individual trials.”
The eight certified classes are all based primarily on state claims grouped into negligence classes, contract classes and one approved consumer protection class. Six states, in Florida, Georgia, Maryland, Connecticut, California and New York, were included in the 10 initial bellwether cases.
The plaintiffs’ proposed “overpayment” theory was approved by the judge, but an alternative “market value theory” based on the loss of the value of personal identifying information was rejected on the basis that it presented “too many open questions remain as to individualization to satisfy the predominance requirement.” The valuation of personal information is still fairly new territory for many courts, and this is the first case to reach class certification on the issue.
The judge also ruled that only those class members who “bore the economic burden” of their hotel stay were part of the certified classes, eliminating those whose employers or relatives paid for the hotel. The plaintiffs’ bid to certify one class seeking only injunctive or declaratory relief was also rejected.
The judge reserved rights to amend the classes later in the litigation, noting that “if at a later point in the litigation the individual inquiries related to damages calculations metastasize to an impermissible level, the court retains the ability to modify its class certification order. The court could create subclasses, bifurcate liability and damages, or decertify the class altogether to address these individualized damages issues.”
Recognizing this significant win, plaintiffs’ counsel issued the following joint statement: “After three years of hard-fought litigation, the court issued a well-reasoned opinion which provides a path forward to hold Marriott accountable for its egregious, four-year data breach. While many companies do the right thing and work to help their customers after a data breach, Marriott and Accenture chose to deny responsibility, vigorously attempting to convince the court that they cannot be held liable to anyone impacted by the breach. We look forward to presenting our evidence to a jury.”
The case is captioned In Re: Marriott International, Inc. Customer Data Security Breach Litigation, MDL No. 19-md-2879.