When news of the recent massive data breach at Marriott began circulating late last week, a colleague emailed and asked me how long I thought it would take for a D&O lawsuit to be filed. I emailed back that I thought there would be a securities class action lawsuit before the end of business on Monday (December 3). Turns out, I didn’t give the plaintiffs’ lawyers nearly enough credit for haste. The plaintiffs’ lawyers managed to file a securities class action lawsuit against the company on December 1, 2018, just one day after Marriott announced the breach. The lawsuit is the latest example both of a data breach-related D&O lawsuit and an event-driven securities suit, as discussed further below.
Background
On November 30, 2018, Marriott issued a press release announcing that hackers had breached its Starwood guest reservation system and stolen the personal data of as many as 500 million guests. The company announced that on September 8, 2018 an internal security tool had alerted the company of attempted unauthorized access. The subsequent investigation of the incident revealed that there had been unauthorized access to the Starwood network since 2014. The investigation revealed that an unauthorized party had copied and encrypted information and had taken steps toward removing the information. On November 19, 2018, the company was able to decrypt the information and determine that the contents were from the Starwood guest database. (Marriott acquired Starwood in 2016 for $13.6 billion.)
In its press release, the company said that the database itself contained information on to approximately 500 million guests who had made reservations with Starwood. For about 327 million of the guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication information. For some guests, the information also includes payment card information including card expiration date, however, the company was not yet able to determine if the payment card information had been decrypted.
The plaintiffs’ lawyers did not waste any time in launching lawsuits based on the company’s disclosures. On November 30, 2018, the same day that Marriott issued its press release, a plaintiffs’ lawyer filed what undoubtedly will be the first of many consumer class action lawsuits. And, as discussed below, on December 1, 2018, plaintiffs’ lawyers filed what may prove to be only the first of the D&O lawsuits filed in connection with the breach.
The Securities Class Action Lawsuit
On December 1, 2018, plaintiffs’ lawyers filed a securities class action lawsuit in the Eastern District of New York against Marriott; its CEO; its CFO; and its Chief Accounting Officer and Controller. The lawsuit purports to be filed on behalf of a class of persons who purchased their Marriott shares between November 9, 2016 and November 29, 2018. A copy of the plaintiffs’ complaint can be found here.
The complaint refers to statements in the company’s SEC filings during the class period about the importance of information technology security. The complaint also refers to the company’s November 30, 2018 press release. The complaint alleges that this the statements in the company’s SEC filings were false and misleading because: “(1) Marriott’s and Starwood’s systems storing their customers’ personal data were not secure; (2) there had been unauthorized access on Starwood’s network since 2014; (3) consequently the personal data of approximately 500 million Starwood guests and sensitive personal information of approximately 327 million of those guests may have been exposed to unauthorized parties; and (4) as a result Marriott’s public statements were materially false and/or misleading at all relevant times.” The complaint alleges that on the news of the breach of the guest information systems, the company’s share price declined 5.5%.”
Discussion
Earlier this year, when Yahoo’s successor in interest announced the $80 million settlement of the data breach-related securities class action lawsuit, I speculated that the sizeable settlement (which represented a milestone as the first significant recovery in a data breach-related D&O lawsuit) might encourage other prospective claimants to file data breach related securities suits.
Since then, there have been a number of other data breach-related securities suit filed. For example, as discussed here, in October 2018, a plaintiff shareholder filed a data breach-related securities suit against online educational service provider Chegg, Inc and certain of its executives. A few days later in October, a shareholder of China-based hospitality group, Huazhu, filed a securities class action lawsuit against the company and certain of its directors and officers, as discussed here. In October, a plaintiff shareholder also filed a data security lawsuit against Alphabet related to data security issues in connection with the company’s Google+ platform, although that lawsuit did not involve a data breach, as discussed here.
Given the number of securities suits, it is clear that data security issues represent a significant area of D&O exposure. And as I have noted, the advent of the EU’s General Data Protection Regulation even further increases this exposure. Indeed, in its article about the Marriott breach, the New York Times quoted one observer as saying that, given the volume and sensitivity of personal data taken, as well as the length of the breach, Marriott “has the potential to trigger the first hefty GDPR fine.”
The Marriott incident is also a reminder that companies remain vulnerable to massive data attacks. As the Times said, in its article about the breach, the intrusion is “a reminder that after years of headline-grabbing attacks, the computer networks of big companies are still vulnerable.” These vulnerabilities suggest we will continue to see data breach-related litigation, including in particular data breach-related D&O litigation.
But while the new securities lawsuit against Marriott focuses on the breach information the company released on November 30, the complaint does not refer to the earlier breach announced at Starwood. As discussed in a December 3, 2018 Wall Street Journal article (here), in 2015, just after its merger deal with Marriott was announced, Starwood announced that it had sustained a data security incident involving a breach of the security in its point of sale system. The Journal article contains statements from several data security commentators to the effect that, though the earlier data breach was unrelated to the more recently announced hack, the investigation into the 2015 hack should have uncovered the larger guest information system breach.
The new complaint also does not refer to the very high-profile data problems Marriott was having with its customer loyalty program, primarily because of difficulties of integrating the Starwood preferred guest information. The company’s data and information technology problems with the customer loyalty program were the subject of a substantial article in the Wall Street Journal earlier last week (here), before the news of the data hack was made public.
While the new lawsuit against Marriott is noteworthy to the extent it represents yet another example of a data breach related securities litigation, it is also noteworthy as the latest example of an event-driven securities lawsuit. As I have noted, plaintiffs’ lawyers have recently filed others of these event-driven lawsuits, for example, in connection with the California wildfires (here) and the Lion Air 610 airliner crash (here).
Like those earlier suits, the new lawsuit does not involve allegations of financial or accounting misrepresentations. Instead, it involves allegations that the company suffered a significant reverse in its operations. In the securities lawsuit, the plaintiffs allege that the company failed to inform investors that the adverse event might occur and that if it did occur it would have a negative impact on the company.
Like the earlier suits, the scienter allegations in the new Marriott lawsuit are not extensive (to say the least). Also the magnitude of the stock price drop, in this suit and in the lawsuit filed against Boeing, is quite slight.
Whatever the merits of these event-driven securities lawsuits, they represent an increasingly important component of securities litigation filing activity, and indeed, represent an important part of the elevated levels of securities suit filings going back into 2016. When the annual securities suit filing tally is put together at the end of this year, when we are looking for explanations for the elevated levels of securities lawsuit filings, one explanation is clearly going to be the willingness of certain segments of the plaintiffs’ bar to file these kind of lawsuits, despite not extensive scienter allegations and only slight stock price drops.
The new Marriott lawsuit has only just been filed, and it remains to be seen how it will fare. I will say that the more of these event-driven lawsuits that are filed, the more people are going to be willing to the recently renewed call for securities class action litigation reform. Indeed, in its recent report calling for Congress to take up securities litigation reform, the U.S. Chamber of Commerce’s report specifically cited event-driven litigation as one of the main reasons why Congress should take up the reform issue, as discussed at length here.