October 27, 2020

A cyberattack that exposed the personal details of at least 383 million people who stayed at Marriott International properties could be considered traceable to the alleged negligence of the hotel giant's consultants at Accenture, a Maryland federal judge has found.

In a Monday order, U.S. District Judge Paul Grimm also ruled that consumers in multidistrict litigation have adequately shown that Accenture may have owed them a "duty of care" by managing a guest reservation database at Marriott-owned Starwood Hotels that hackers infiltrated over more than four years, swiping a data trove including more than 5 million unencrypted passport numbers.

Accenture, which had filed a motion to dismiss, provided IT services to Starwood before and after Marriott acquired Starwood in 2016, including implementing security protocols and setting up corporate firewalls that aimed to keep malicious actors out of Starwood's systems, the 50-page order said.

Cybercriminals, however, were able to breach the Starwood database and siphon out sensitive data, which also included information about more than 9 million credit and debit cards, for at least four years without being detected, Marriott announced in November 2018. U.S. Attorney General William Barr has said the U.S. government believes that hackers linked to the Chinese government were behind the attack, but officials have yet to issue any criminal charges in the case.

Accenture, which has acknowledged its potential liability for client data breaches in public filings, should not be surprised that consumers in the Marriott case have named them as a defendant, Judge Grimm wrote Monday.

. . .

In total, the Maryland court, which was ruling on Accenture's motion to dismiss a consolidated consumer complaint, tossed only a single claim, that Accenture was negligent "per se" under Maryland law. Maryland does not recognize the "per se" claim, which would not have required a judge or jury to consider whether Accenture acted reasonably in allowing the breach to happen, as an independent cause of action that consumers can bring in such cases, the court said.

Claims that the court did keep alive in the MDL include charges that Accenture breached its duty of care to consumers by allegedly being negligent under Maryland, Connecticut and Florida law.

Judge Grimm also denied Accenture's bid to dismiss the consumer litigation for lack of standing, citing many of the arguments the court made in its February ruling keeping alive claims against Marriott by finding that guests had adequately claimed injuries traceable to the breach.

At the time, the judge cited allegations from some guests that the breach led to unauthorized charges being made on their payment cards or unauthorized cards being taken out in their name. There are also "extensive" allegations that the guests' personal data was specifically targeted for misuse, together leading to an "imminent threat" of identity theft for all of the plaintiffs, Grimm said in that ruling.

. . .

The consolidated class of plaintiffs is represented by co-lead counsel Andrew Friedman of Cohen Milstein Sellers & Toll PLLC, Amy Keller of DiCello Levitt Gutzler LLC and James Pizzirusso of Hausfeld LLP.

The complete article can be viewed here.