Overview
On May 3, 2022, Judge Paul W. Grimm of the United States District Court for the District of Maryland granted certification to eight classes in In re: Marriott International Inc. Customer Data Security Breach Litigation, MDL No. 2879. The ruling certifies potentially millions of class members spanning six states that were included in an initial 10 bellwether cases and an estimated 47.7 million exposed customer records associated with the bellwether states, the judge said.
On November 29, 2023, the Court recertified the class after Marriott had successfully appealed the class certification. The U.S. Court of Appeals for the Fourth Circuit found that the district court had not properly considered the “effect” on class certification of a “choice of law and venue” clause in a Starwood guest rewards contract that the members of the damages class had signed and remanded the dispute to the lower court for further consideration of this issue.
In its recertification order, the lower court concluded that Marriott had “waived any benefit from its Choice of Law and Venue provision” through both its “inaction and action” during the course of the case and that, even if the provision weren’t waived, the contest agreement was “ineffective to override the court’s discretion” to certify a class or consolidate proceedings in order to promote judicial efficiency.
The class action addresses one of the largest data breaches in U.S. history. By the hotel chain’s own acknowledgement in November 2018, the breach compromised the personal information of nearly 400 million customers who made reservations at Starwood-branded hotels, which Marriott acquired in 2016.
On April 29, 2019, the Court appointed Cohen Milstein’s Andrew N. Friedman Consumer Plaintiffs’ Co-Lead Counsel to oversee the litigation.
Case Background
On January 9, 2019, Cohen Milstein and co-counsel filed a putative nationwide data breach class action with the U.S. District Court, District of Maryland against Marriott International, Inc. (NASDAQ: MAR) following a massive, long-running data breach at the company, on behalf of behalf of 176 Plaintiffs from all fifty states, the District of Columbia, Puerto Rico, and the Virgin Islands.
This landmark court filing comes on the heels of Marriott’s recent admission that approximately 5.25 million unencrypted passport numbers and 20.3 million encrypted passport numbers were among the sensitive customer records accessed by hackers.
Plaintiffs allege that Starwood, and later Marriott, took more than four years to discover the breach and then failed to notify its customers in a timely manner. Marriott became the world’s largest hotel chain when it acquired Starwood.
Beginning in 2014 and possibly earlier, and continuing through November 2018, hackers exploited vulnerabilities in Starwood’s network to access the guest reservation system and steal customer data. Marriott discovered the breach on September 8, 2018 but failed to publicly disclose it until nearly three months later, on November 30, 2018, when it admitted that there had been unauthorized access to the Starwood guest reservation database. This database contained personal customer information, including names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest (SPG) account information, date of birth, gender, arrival and departure information, reservation dates, and communication preferences. For some customers, the information also included payment card numbers and payment card expiration dates.