Privacy & Data Security Law News

Marriott Says Notices Not Misleading in Bid to End Breach Suit

Nov. 24, 2020, 5:52 PM

Marriott International Inc. is pushing back against claims that it misled investors about a hotel reservations hack, telling a federal court its privacy disclosures were meant to caution customers about data security risks.

“Companies can warn their customers about privacy risks without reciting everything they know about data security,” Marriott said in a Monday filing in the U.S. District Court for the District of Maryland seeking dismissal of the suit.

The class action alleges that Marriott violated securities law by failing to inform investors of cybersecurity risks in its deal to purchase Starwood hotels. A cyberattack on the Starwood reservations database, which exposed data on up to 500 million guests, began before Marriott’s offer to buy the company in 2015, and was revealed in 2018, after the deal closed.

Marriott also argues that its privacy disclosures shouldn’t be used as a basis for the alleged investor fraud because the disclosures are directed at the hotel chain’s customers, not shareholders.

Marriott didn’t know about the hack, or that it involved customers’ personal information, until then, the company said in its filing.

“For numerous companies, being attacked by cybercriminals is an unfortunate reality, but it plainly is not a fraud on investors—particularly here,” the company said.

The case is: In re Marriott Int’l Inc. Customer Data Sec. Breach Litig., D. Md., No. 8:19-md-02879, 11/23/20.

To contact the reporter on this story: Andrea Vittorio in Washington at avittorio@bloomberglaw.com

To contact the editor responsible for this story: Kibkabe Araya at karaya@bloomberglaw.com; Keith Perine at kperine@bloomberglaw.com
