
Lawyers rushed to bring about a dozen class actions over Marriott’s data breach—and with about 500 million people potentially impacted, they didn’t have to go far to find a plaintiff.

“There are so many people that have been potentially compromised, which means basically people could trip over a plaintiff if they just walk outside,” said Amy Keller, who filed one of the lawsuits. Marriott announced Nov. 30 that hackers breached the reservations program of its Starwood properties, which include W Hotels and the Westin Hotels & Resorts.

As of Monday, lawsuits were in federal courts in Maryland, California, Massachusetts and Illinois, and in Multnomah County Circuit Court in Oregon. At least one class action is in New York federal court on behalf of shareholders of Marriott, incorporated in Delaware, but many other firms are investigating securities fraud claims. Marriott shares fell 5 percent after the Nov. 30 announcement of the breach.

New York Attorney General Barbara Underwood also has opened an investigation.

Keller’s Chicago firm, DiCello Levitt & Casey, partnered in its case with Washington, D.C.-based Cohen, Milstein, Sellers & Toll and Hausfeld. That team brought a motion Monday to coordinate all the Marriott consumer cases into multidistrict litigation.

Keller said she expected hundreds of lawsuits against Marriott, which the suits allege failed to protect the personal information of its guests for four years. The suits also challenge Marriott’s response to the breach, both in delaying its announcement by several months and in offering a free internet monitoring service for one year that they consider insufficient.

On Monday, Keller’s firm sent a letter to Marriott CEO Arne Sorenson and general counsel Rena Hozore Reiss asking whether the hotel chain plans to enforce an arbitration agreement in the internet monitoring program, called WebWatcher, that included a class action waiver.

“WebWatcher does have a clause that could prevent individuals from seeking relief on a class basis,” she said. “There have been some cases where companies have inserted arbitration clauses that provide for arbitration of any past disputes, and we want to make sure they’re not trying to do that here.”

A Marriott spokeswoman declined to comment about the lawsuits.

But in a statement Nov. 30, Sorenson said: “We deeply regret this incident happened. We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

In a filing with the U.S. Securities and Exchange Commission, Marriott said it did not anticipate the breach would affect its long-term financial health given its “meaningful cash flow each year.” But it gave no dollar figure for the estimated cost.

“It is premature to estimate the financial impact to the company,” the filing stated. “The company carries insurance, including cyber insurance, commensurate with its size and the nature of its operations. The company is working with its insurance carriers to assess coverage.”


Monday’s petition before the U.S. Judicial Panel on Multidistrict Litigation advocated for all the consumer cases to go to Maryland, home to Marriott’s headquarters. In particular, it requested U.S. District Judge Theodore Chuang, a 2014 Obama appointee who was deputy general counsel of the U.S. Homeland Security Department.

The sheer magnitude of the breach—second only in size to Yahoo’s breaches involving 3 billion of its account holders—has lawyers predicting that a potential settlement could be large. Yahoo settled its litigation on Oct. 22 for $85 million, among the largest of any data breach settlements.

But there are some distinctions in the Marriott breach. The types of data compromised—names, addresses, passport numbers, and some credit and debit card numbers, along with Marriott customer travel information and reward points—set the case apart from other data breaches, said Gary Mason of Whitfield Bryson & Mason in Washington, D.C., who filed a suit with Philadelphia’s Levin Sedran & Berman.

“Someone thinks they can use this data; it’s a rich and robust data set,” he said. “It’s not like a credit card where they can take that money and move on.”

“All data breaches are horrible, and its impact on people’s lives could be disastrous,” said Ben Meiselas of Los Angeles-based Geragos & Geragos, which, along with Michael Fuller of Oregon’s OlsenDaines, filed the Multnomah County Circuit Court case, which sought $12.5 billion. “But there is something particularly unsettling about the Marriott data breach in that it feels like a physical space which is supposed to be safe and secure when consumers’ travel has been invaded.”

Lawyers also are pointing to Marriott’s actions. Lawsuits question why Marriott waited until Nov. 30 to announce a breach when it first got a security alert Sept. 8. In both the consumer and shareholder actions, lawyers questioned how Marriott failed to discover the breach when it acquired Starwood in 2016 for $13.6 billion, making it the largest hotel company in the world.

Marriott said it has set up a dedicated website and call center and would offer customers the “WebWatcher” program. But the lawsuits say that’s not as good as credit monitoring and that hackers could simply wait a year to steal their identities.

There’s also the question of whether Kroll’s arbitration clause could thwart the ability of consumers to bring class actions. The same issue arose with Equifax’s credit monitoring service offered in the wake of its 2017 breach that impacted 143 million people.

Keller, who is co-lead counsel for consumers in the multidistrict litigation over Equifax’s data breach, said: “Equifax had signed people up for additional monitoring and initially had an arbitration clause in the product that extended to everyone impacted by the data breach until the lawyers raised a ruckus.”