Marriott International, one of the world’s leading hotel chain operators, is facing a massive class-action lawsuit over a data breach affecting over 300 million guests. The suit, filed in early January in Maryland federal district court, is the most sweeping to date related to the data breach, which experts believe may be the largest of its kind in history.
In the class action, over 175 plaintiffs from all 50 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands claim Marriott and its subsidiary Starwood failed to take the necessary steps to protect them from the breach, and that Marriott failed to notify affected guests in a timely and accurate manner. Here’s a breakdown of what happened:
- Marriott initially disclosed the data breach on November 30, 2018, reporting that cyberattacks targeting its Starwood reservation system gained access to the personal information of up to 500 million guests. Marriott later amended that initial estimate to roughly 383 million guest records, which included millions of unencrypted and encrypted passwords, passport numbers, and credit or debit cards.
- The data breach affected only the records of guests who stayed at certain properties and hotels since 2014, and specifically those in the company’s Starwood portfolio, which Marriott acquired in 2016. It includes Westin, Sheraton, St. Regis, and W Hotels, among others.
- As detailed in the lawsuit, Marriott’s purchase of Starwood is part of the problem. Plaintiffs’ attorneys stated the breach of Starwood’s reservation system had been ongoing since 2014, and that Marriott should have discovered it and taken more action in terms of cybersecurity to protect guests and their confidential information. Instead, the breach continued for an additional two years after the acquisition. What’s more, plaintiffs claim, Marriott waited until the end of November to notify guests, despite having identified the hack in September of 2018.
- Cybersecurity experts suggest the breach could have been identified years before it was disclosed, as the Starwood database had known vulnerabilities and had previously been targeted by a different hacking breach in 2015, which lasted for eight months before being discovered.
The latest class action may be the most sweeping suit in the data breach case, but it isn’t the only one. A class action filed in December noted similar claims of Marriott’s inexplicable failures to safeguard private information and detect the breach, as well as failures to notify customers about what happened.
Mega Litigation: Why Major Cases May be the New Norm
The Marriott data breach case has many elements, including highly technical concepts of cybersecurity. Though experts say the hospitality industry is often targeted by hackers precisely because of lax security policies, and that the recent leak may signify a need for better protections across the board, the size of the recent class action may also suggest massive cases may very well become the new norm in our justice system.
Periodically on our blog, we discuss legal headlines involving major cases and truly massive results. This includes large, unprecedented, and record-setting verdicts and settlements in cases such as:
- The $1 billion NFL concussion settlement
- GM’s faulty ignition switches
- Johnson & Johnson’s $4.7 billion baby powder verdict (in addition to millions more)
- MSU’s $500M settlement for victims of Larry Nassar sexual abuse
- Pfizer’s qui tam (False Claims Act) $1 billion settlement
These are only a few examples of seriously monstrous case results. In the past year alone, for instance we’ve also discussed record-setting verdicts, settlements, and large awards for victims in cases involving a bicycle accident lawsuit against the City of Los Angeles, a $100+ million Texas tractor-trailer verdict, a hotel stabbing victim, and many more. While these particular cases involved only a single victim, it’s become clear larger awards are happening more frequently, something we’ve discussed specifically in personal injury and death cases involving truck accidents.
That trend isn’t only being seen in cases involving single victims; it’s become more pronounced in major litigation involving some of the world’s largest corporations. Since the infamous Tobacco Master Settlement Agreement of 1998 broke new boundaries with its $206 billion settlement against the four largest tobacco manufacturers, mega verdicts are also happening more often. That includes many verdicts and settlements in excess of $1 billion dollars, such as the NFL concussion case and Johnson & Johnson talcum powder cancer suits, which are still pending. In the near future, it’s possible the pending opioid lawsuits against Big Pharma may set a new record for the country’s largest civil litigation agreement in history.
Justice & Compensation: Protecting Victims’ Rights
While those figures are indeed staggering and nearly unfathomable for many, what they suggest is not just that awards are getting bigger (even though they very well might be), but that the egregiousness and sheer scope of wrongful conduct committed by the largest corporations is becoming worse, or are simply being detected more often. We’ve discussed these trends in our blogs on the American Association for Justice’s annual “Worst Corporate Conduct” lists, and have noted the importance of the civil justice system when it comes to creating a level playing field upon which victims can fight back against the biggest and most powerful entities responsible for such wrongdoings – whether they do as individuals, whistleblowers, or groups of individuals banded together in class actions.
What’s should not be overlooked is the fact that these cases have real stakes: the talcum powder products implicated in J&J lawsuits have allegedly caused numerous women to develop deadly cancers, GM’s concealment of defective ignition switches is directly linked to many injuries and deaths, and the devastation wrought by the opioid epidemic is all too evident, with opioid overdoses now surpassing auto accidents as the leading cause of death in America. Those types of damages are the same as those addressed by our legal team every day – and they demand justice and compensation for victims.
As Marriott’s data breach litigation and other major cases play out, our attorneys at Chaikin, Sherman, Cammarata & Siegel, P.C. will continue to keep you apprised – and will always be available to take your call should you have legal needs of your own anywhere in Washington, DC, Maryland, or Virginia. Contact us to speak with an attorney.