“Companies can warn their customers about privacy risks without reciting everything they know about data security,” Marriott said in a Monday filing in the U.S. District Court for the District of Maryland seeking dismissal of the suit.
The class action alleges that Marriott violated securities law by failing to inform investors of cybersecurity risks in its deal to purchase Starwood hotels. A cyberattack on the Starwood reservations database, which exposed data on up to 500 million guests, began before Marriott’s offer to buy the company in 2015, and was revealed in 2018, after the deal closed.
Marriott also argues that its privacy disclosures shouldn’t be used as a basis for the alleged investor fraud because the disclosures are directed at the hotel chain’s customers, not shareholders.
Marriott didn’t know about the hack, or that it involved customers’ personal information, until then, the company said in its filing.
“For numerous companies, being attacked by cybercriminals is an unfortunate reality, but it plainly is not a fraud on investors—particularly here,” the company said.
The case is: In re Marriott Int’l Inc. Customer Data Sec. Breach Litig., D. Md., No. 8:19-md-02879, 11/23/20.