The Marriott data breach is one of the largest data breaches in history—resulting in the exposure of personal information of at least 383 million people who stayed at Marriott and Starwood hotel properties. Marriott, which acquired Starwood in 2016, disclosed the breach in November 2018. Investigation into the incident revealed that criminals had access to the Marriott and Starwood guest reservation database for over four years. During that time, they were able to extract volumes of personal information, including guest names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, gender information, arrival and departure information, reservation dates, communication preferences, payment card numbers and expiration dates, and tools needed to decrypt cardholder data.
The data breach has spawned multiple lawsuits against Marriott. In a somewhat unexpected twist, individuals impacted by the breach also brought lawsuits against Marriott’s IT vendor, Accenture. Typically, an IT vendor’s potential responsibility for a data breach would be a contract issue between the vendor and the business. In this case, however, the consumers are seeking to hold the IT vendor directly responsible.
In an October 26, 2020, decision issued by a federal district court in Maryland, the judge ordered the consumers’ direct claims against the IT vendor could proceed. After analyzing Accenture’s contractual obligations to Starwood/Marriott, the court held the consumer plaintiffs had sufficiently alleged claims of negligence against Accenture. Based on Accenture’s contractual relationship with Marriott and the responsibilities it had undertaken, the court found Accenture was “aware of a determinant class of potential claimants, whose interests as a group it contractually undertook to protect through the exercise of reasonable care.” Based on this duty Accenture allegedly owed directly to consumers, the court found that the consumer plaintiffs could continue to pursue their direct negligence claims against Accenture.
The court’s decision also reiterated its prior position on consumers’ “standing” to bring claims arising from the breach. Standing is a legal concept that requires plaintiffs to demonstrate they have suffered an “actual injury” that can be redressed in a lawsuit. In data breach cases, the courts have split over when a person suffers an actual injury associated with a data breach—often focusing on whether the mere exposure of personal information is sufficient, or whether it is necessary to show actual misuse of personal information.
In denying an earlier Marriott request to dismiss the consumer claims against it based on lack of standing, the court had previously ruled the consumers had sufficiently alleged misuse of personal information (for example, unauthorized charges to credit cards or fraudulent credit card accounts being opened). But the court also held in its prior decision that there was a sufficient “imminent threat” of identity theft to constitute “actual injury” to all affected consumers. The court found the same analysis applied to Accenture. Because the consumer plaintiffs had adequately claimed injuries traceable to the breach, the court concluded they had standing to assert claims against Accenture.
Key Takeaways
The Marriott case continues to serve as a prime example of the need for “cybersecurity due diligence” in acquisition transactions. Purchasers should fully evaluate the types of data maintained by the seller and the protections the seller has in place for that data. Cybersecurity due diligence should also include a full forensic evaluation of the seller’s computer system to identify any anomalous activity or potential intrusions. Marriott certainly could have benefitted from such a forensic analysis in 2016.
The case also serves as a reminder to carefully review agreements with vendors as well as licenses and software agreements to ensure both parties’ responsibilities and potential liabilities are clearly stated and understood. Standard terms and conditions on generally available software programs often contain strict liability limits in favor of the vendor. As demonstrated by this recent decision against Accenture, however, the content of these agreements can also have significant implications for vendors. The case is a good reminder to address and consider cybersecurity requirements in all contracts.
Lastly, the case is another in a recent line of cases permitting consumers to pursue lawsuits arising from data breaches. The standing issue has long been a contentious point in data breach cases. Earlier decisions tended to find there was no standing where personal data was “merely exposed” and there was no evidence of actual identity theft. But more recent cases, including the Marriott decisions, have found the mere exposure of personal data can constitute a sufficient injury for standing purposes. For this reason, potential liability for a data breach seems to be on the rise.
If you have any questions regarding the content of this alert, please contact Nick DiCesare, Cybersecurity Team co-leader, at ndicesare@barclaydamon.com, or another member of the team.