DATA BREACH CLASS ACTION UPDATE
Summary: In the eyes of the law, not all data breaches or losses are the same. The class action survived Marriott’s Motion to Dismiss. Plaintiffs have standing because, based on the alleged motive behind the theft and the actual misuse of the data, they adequately alleged injury-in-fact in the form of losses from identity theft, an imminent threat of identity theft, costs spent mitigating the harms from the data breach, loss of the benefit of their bargain, and loss of value of their personal information. The case is proceeding to discovery on the alleged elements of negligence, breach of contract, and several state statutes, including the Maryland Personal Information Protection Act (MPIPA) and the Maryland Consumer Protection Act (MCPA).
This ruling addresses only the threshold for bringing viable litigation, not the standard for proving a case, but it opens the door to a proliferation of future lawsuits in response to the growing number of data breaches.
General Findings Applicable to Future Cases
While the Court’s ruling applied to the facts of this case, a number of key findings can be extracted to provide general insights, because Judge Grimm is viewed as a leading voice in the Fourth Circuit and beyond on the subject of cyberlaw.
Finding 1: Common sense compels acknowledgement of the value that personal identifying information (PII) has in our increasingly digital economy. This value is not derived from its worth in some imagined marketplace where the consumer actually seeks to sell it to the highest bidder, but rather from the economic benefit the consumer derives from being able to purchase goods and services remotely and without the need to pay in cash or by check.
Rule 1: Imminent risk of injury of identity theft requires “something more” than just a breach or loss of data. This can include some indication of motive behind the attack or evidence that some of the victims have had their data misused in the aftermath of the incident.
Rule 2: Time and money spent to mitigate harms from the data breach count towards standing if the threatened harm is sufficiently non-speculative.
Finding 2: It is not necessary to pay separately for privacy, or to parse out what portion of the bargain can be attributed to data security, at the pleadings stage. It is enough to allege 1) an explicit or implicit contract for data security, 2) that the plaintiff placed value on that data security, and 3) a failure to meet representations about data security. Valuation of these alleged damages may be done after discovery.
Finding 3: Loss of social security numbers is not necessarily required to adequately plead injuries fairly traceable to a data breach.
Finding 4: Failure to use reasonable measures to protect PII can form the basis of adequate pleadings for negligence in states where safeguarding PII from cyberattacks may be considered a common law duty.
Finding 5: Violation of Section 5 of the FTC Act can be used to plead negligence per se in data breach cases.
Finding 6: To recover for loss of value of PII, time spent mitigating harm from the data breach, and personal aggravation arising from the increased risk of identity theft, a court must find these are non-economic injuries that fall outside the scope of the “economic loss rule” or that the economic loss rule should not apply in regards to data breach cases due to the intangible nature of the property damaged.
Finding 7: Under the Maryland Personal Information Protection Act, a two-month period before reporting a data breach (absent an explanation of the delay) is sufficient to meet the threshold for pleading untimely notification.
Finding 8: Failure to reveal known risks and vulnerabilities in cyber security can constitute omissions that would have been important to a significant number of consumers and therefore meet the criteria of "unfair or deceptive trade practices" under Maryland Consumer Protection Act.
Finding 9: It is not necessary to place a specific value on alleged overpayment, loss of benefit-of-the bargain, or loss of value of PII to adequately plead damages.
Finding 10: When harms are found not to be speculative, time and money incurred to mitigate are adequately pled damages in addition to being an injury-in-fact.
Finding 11: Privacy Statements can constitute objective offers to protect PII and provision of PII with transactions can constitute acceptance of offers.
Finding 12: Privacy Statements can form sufficiently definite terms of a contract.
Case Background
· On November 30, 2018, Marriott announced that it was the target of one of the largest data breaches in history. Marriott acquired Starwood Hotels & Resorts in September 2016, making it the largest hotel chain in the world.
· Both Marriott and Starwood had privacy statements concerning collection and use of personal information and touting their ability to protect the security of this sensitive information.
· For over four years, from July 2014 to September 2018, hackers had access to Starwood's guest information database (the data breach was ongoing before and after Marriott's acquisition of Starwood).
· Plaintiffs allege that Marriott failed to conduct appropriate due diligence of Starwood's cybersecurity risks before and after the merger, despite the fact that Starwood disclosed a data breach affecting more than 50 locations days before Marriott's announcement of the merger, and after knowing that it and other hotel chains were the targets of security threats in the months and years preceding the data breach.
· Several cybersecurity assessments allegedly revealed deficiencies in Starwood's system.
· Marriott does not fully know how much data was stolen, but the breach impacted at least 383 million guest records, including nearly 24 million passport numbers and more than 9 million credit and debit cards.
· Marriott waited more than two months to notify guests after discovering the breach.
Marriott filed a Motion to Dismiss on four grounds: lack of standing, failure to meet the elements of the common law tort claims, failure to meet the elements of the statutory violations, and lack of damages. The ruling was issued in February 2020.
Court Rulings
I. Standing.[1]
Plaintiffs adequately alleged Injury-In-Fact by claiming (1) an imminent risk of injury of identity theft; (2) time and money expended to protect against identity theft; (3) loss of property value in their personal identifying information; and (4) loss of the benefit of their bargain with Marriott regarding data privacy.
Rule 1: Imminent risk of injury of identity theft requires “something more” than just a breach or loss of data. This can include some indication of motive behind the attack or evidence that some of the victims have had their data misused in the aftermath of the incident.
In this case, the risk was sufficiently imminent because it was alleged that 1) the hackers had specifically targeted personal information, and 2) there had already been some misuse of the stolen data. In other cases, such as a stolen laptop or boxes of records that were lost or stolen, it was not clear that access to the information was the motive behind the theft, so the threat of injury was too speculative.
Rule 2: Time and money spent to mitigate harms from the data breach count towards standing if the threatened harm is sufficiently non-speculative.
Loss of value of property in PII
· The Fourth Circuit has not decided whether the loss of property value in PII constitutes a cognizable injury in data breach cases.
· The growing trend across courts that have considered this issue is to recognize the lost property value of this information. Referencing other recent data breach cases (Experian, Anthem, and Yahoo), the Court noted that "[a] growing number of federal courts have now recognized Loss of Value of PII as a viable damages theory."
Plaintiffs adequately pled that PII collected by Marriott has value.
This was a departure from the reasoning of two prior cases (Chambliss and Khan) that had rejected alleged injuries based on the diminished value of personal information because those complaints did not allege that the plaintiffs attempted to sell it themselves or that they were forced to accept a decreased price for their information.
· Marriott allegedly recognizes the value of this information and collects it to better target customers and increase its profits.
· Marriott pays a customer analytics company to analyze PI for this purpose
· Information allegedly "highly-coveted and valuable on underground or black markets."
· Further allegations recognizing the value of personal information:
o The United Kingdom's Information Commissioner's Office (at the time an EU data protection authority), investigating the Marriott data breach, stated, "Personal data has a real value so organizations have a legal duty to ensure its security, just like they would do with any other asset."
o The Court took judicial notice of U.S. Attorney General William Barr's announcement of the indictment of four members of China's military for the Equifax data breach, which linked that attack to the Marriott data breach and recognized the value of the personal information taken:
o “For years, we have witnessed China's voracious appetite for the personal data of Americans, including the theft of personnel records from the U.S. Office of Personnel Management, the intrusion into Marriott hotels, and Anthem health insurance company, and now the wholesale theft of credit and other information from Equifax. This data has economic value, and these thefts can feed China's development of artificial intelligence tools as well as the creation of intelligence targeting packages.”[2]
Finding: Common sense compels acknowledgement of the value that PII has in our increasingly digital economy.
· Many businesses offer goods and services such as wifi access, special access to products, or discounts in exchange for a customer's personal information. Consumers choose whether to exchange their personal information for these goods and services every day.
· The value of PII is key to unlocking many parts of the financial sector for consumers. Whether someone can obtain a mortgage, credit card, or business loan, file a tax return, or even apply for a job depends on the integrity of their personal identifying information.
· Businesses that request (or require) consumers to share PII as part of a commercial transaction do so with the expectation that its integrity has not been compromised.
· Plaintiffs allege that they gave their PII as part of their exchange to stay at Marriott hotels.
· Plaintiffs allege that they suffered lower credit scores as a result of the data breach and that fraudulent accounts and tax returns were filed in their names.
The Court found that the value of consumer personal information is not derived solely (or even realistically) from its worth in some imagined marketplace where the consumer actually seeks to sell it to the highest bidder, but rather from the economic benefit the consumer derives from being able to purchase goods and services remotely and without the need to pay in cash or by check.
Plaintiffs adequately pled alleged injury-in-fact based on "overpayment" and failure to receive the benefit of their bargain regarding data privacy.
The Fourth Circuit has not addressed whether the value of data security can be implicitly considered part of a contract, so the Court looked to other circuits. As in Carlsen, In re Yahoo!, and In re Anthem, plaintiffs alleged an explicit or implicit contract for data security, that they placed significant value on data security, and that had they known the truth about the data security practices they would have paid less or nothing.
The Eighth Circuit found allegations sufficient to establish injury arising from a breach of contract and an overpayment theory where information had been shared despite the terms of a magazine subscription’s privacy policy stating that it would not be.
· Plaintiff alleged he would not have paid as much for the subscription if he knew privacy policy would be violated. Carlsen v. GameStop, Inc., 833 F.3d 903 (8th Cir. 2016).
· Sufficiently alleged a binding contract—the terms of service included the privacy policy, undisputed contractual relationship.
· Violating that policy by "systematically disclosing” users' PII was a concrete and particularized breach with damages equal to the difference between the value of the subscription paid for and the value of the subscription received, i.e., a subscription with compromised privacy protection.
Other cases where benefit-of-the-bargain losses adequately pled based on security policy:
· Plaintiff paid for premium email services that were supposedly secure, and alleged that he would not have provided his personal information or signed up for the service had he known they were not as secure as represented; therefore, the services paid for were worth nothing or worth less than he paid for them. In re Yahoo! Inc. Customer Data Sec. Breach Litig., 313 F. Supp. 3d 1113, 1130 (N.D. Cal. 2018).
· Plaintiffs allegedly spent more on Adobe products than they would if they knew Adobe was not providing the reasonable security represented. In re Adobe Sys., Inc. Privacy Litig., 66 F.Supp.3d 1197, 1224 (N.D.Cal.2014)
· In re Anthem, Inc. Data Breach Litig., 162 F. Supp. 3d 953, 985 (N.D. Cal. 2016)
Specific allegations that data security was valued and that misrepresentations diminished the value of their purchases distinguish this case from Chambliss, Irwin, Lewert, and In re SAIC, where plaintiffs failed to sufficiently allege that data breaches diminished the value of their purchases.
· Chambliss v. Carefirst, Inc, 189 F. Supp. 3d 564, 572 (D. Md. 2016). Plaintiffs could not quantify their alleged losses. No allegations that "the data breach diminished the value of the health insurance they purchased from CareFirst" or "indicating that the prices they paid for health insurance included a sum to be used for data security, and that both parties understood that the sum would be used for that purpose."
· Irwin v. Jimmy John's Franchise, LLC, 175 F. Supp. 3d 1064 (C.D. Ill. 2016). It is improper to "chop up a contract" for data security; the unjust enrichment claim was rejected because data security was not paid for separately. However, the Court here noted both the existence of an implied contract and that Irwin failed to recognize the benefit companies derive from accepting credit or debit cards rather than cash.
· Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963, 968 (7th Cir. 2016). The court expressed skepticism but did not decide whether the plaintiffs established injury-in-fact based on allegations that the costs of the plaintiffs' meals were an injury because they would not have dined at P.F. Chang's had they known of its poor data security. In past cases, injuries were found where the product itself was defective or dangerous and consumers claim they would not have bought it (or paid a premium for it) had they known of the defect.
· In re Sci. Applications Int'l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 30 (D.D.C. 2014), the court rejected an overpayment theory of injury in a data breach case involving theft of personal information and medical records of 4.7 million members of the U.S. military and their families. No actual loss because plaintiffs did not allege facts that show the market value of their insurance coverage (plus security services) was somehow less than what they paid.
o Contrary to In re SAIC, where the claim that “some indeterminate part of their premiums went toward paying for security measures,” was found “too flimsy to support standing,” here the Court found it unnecessary at the pleadings stage to parse out what portion of the bargain between Plaintiffs and Marriott could be attributed to data security.
Finding: It is not necessary to pay separately for privacy or to parse out what portion of the bargain can be attributed to data security at the pleadings stage. It is enough to allege 1) explicit or implicit contract for data security, 2) placed value on that data security, and 3) failure to meet representations about data security. Valuation of these alleged damages may be done after discovery.
Plaintiffs adequately pled injuries fairly traceable to the data breach even though discovery may ultimately show injuries were not caused by the breach.
· Defendants argued that the alleged injuries require social security numbers or banking information, which no plaintiff alleges to have given to Marriott, but the Court agreed with multiple other courts that have found identity theft and fraud do not require the loss of social security numbers (In re Zappos.com, Inc., 9th Cir. 2018; Lewert v. P.F. Chang's China Bistro, Inc., 7th Cir. 2016; Bass v. Facebook, Inc., N.D. Cal. 2019).
· In Antman v. Uber Techs., Inc., (N.D. Cal. May 10, 2018) a claim where alleged fraudulent accounts were applied for or opened was dismissed due to lack of traceability.
o Only drivers' licenses and names were stolen in a data breach and it was conceded that a social security number was required for the fraudulent application in question.
Finding: Loss of social security numbers is not necessarily required to adequately plead injuries fairly traceable to a data breach.
II. Negligence Claims
Finding: Negligence under Florida law was adequately pled; Defendants disputed no element other than damages, and damages were sufficiently alleged.
Finding: Negligence per se under Georgia law[3] adequately pled based on alleged violation of Section 5 of the Federal Trade Commission Act ("FTC Act"), 15 U.S.C. § 45 which prohibits "unfair . . . practices in or affecting commerce."
· Unfair practices, as interpreted and enforced by the FTC includes failure to use reasonable measures to protect personal information.
· Plaintiffs are within class of persons intended to be protected by the statute, and harm suffered is the kind the statute meant to protect.
· Several federal district courts have found Georgia negligence per se adequately pled based on alleged violations of Section 5 of the FTC act in data breach cases.
o In re: The Home Depot, Inc., Cust Data Sec. Breach Litig. N.D. Ga. May 17, 2016
o In re Equifax, Inc., Customer Data Security Breach Litig., N.D. Ga. 2019
o In re Arby's Rest. Grp. Inc. Litig., N.D. Ga. Mar. 5, 2018
o First Choice Fed. Credit Union v. Wendy's Co., W.D. Pa. Feb. 13, 2017
· Defendant argued FTC Act did not create an enforceable duty based on recent Georgia Supreme Court cases.
o The Court held, however, that unlike the statement of policy in Wells Fargo Bank and the legislative findings in McConnell, Section 5 of the FTC Act is a statute that creates enforceable, ascertainable duties in the data breach context.
Finding: Illinois negligence claims dismissed because Illinois law does not impose a duty on retailers to safeguard personal information from cyberattacks and the "economic loss rule" precludes recovery for damages that do not result from personal injuries or physical damage to tangible property.
No common law duty to safeguard personal information in Illinois. Cooney v. Chicago Public Schools, Ill. App. Ct. 2010 & Community Bank of Trenton v. Schnuck Markets, Inc., 7th Cir. 2018.
· Whether Illinois’s general duty analysis can be applied to future data breach cases would require action by an Illinois court.
· Additionally, as the Illinois Supreme Court has yet to address the economic loss rule in the context of data breaches it is not clear how it would be applied.
The claim alleged two categories of losses from the data breach:
· Economic Losses: unauthorized charges, money spent to mitigate harms of the breach, and benefit-of-the-bargain losses.
· Non-Economic: loss of value of personal information, time spent mitigating harm from the data breach, and personal aggravation arising from the increased risk of identity theft.
Case law is contradictory on the categorization of non-economic versus economic injuries.
· Loss of value of personal information and loss of time are non-economic injuries:
o Morris v. Harvey Cycle & Camper, Inc., Ill. App. Ct. 2009 (emotional distress, inconvenience, and aggravation are non-economic injuries under Illinois Consumer Fraud Act)
o Hameed-Bolden v. Forever 21 Retail, Inc., C.D. Cal. Oct. 1, 2018 (loss of value in personal information "may represent 'property damages' as a legal matter," but ultimately finding that plaintiffs failed to establish that theft of their personal information damaged them in a non-economic manner);
o Bass v. Facebook, Inc. N.D. Cal. 2019 (loss of time was not economic injury and therefore economic loss rule did not bar negligence claim under California law).
· Loss of value of personal information and loss of time are economic injuries:
o Fox v. Iowa Health System, W.D. Wis. 2019. Data breach of a health system - lost time, loss in the value of personal information, and damages caused by the violation of privacy rights, were NOT outside the scope of the economic loss rule because "all of these are economic damages because they reflect a pecuniary loss rather than a personal injury or damage to property."
o In re Illinois Bell Switching Station Litig. (Ill. 1994) (loss of phone services: "claims for inconvenience or lost time fall squarely within the economic loss doctrine.")
o Followell v. Cent. Illinois Pub. Serv. Co., (Ill. App. Ct. 1996) (lost time and profits due to mismarked gas lines were economic damages)).
III. Contract Claims
Finding: Marriott and Starwood's Privacy Statements constituted objective offers to protect PI collected under the terms of the privacy statements and that provision of the PI in concert with a stay at their properties constituted acceptance of the offers.
Finding: The terms of the contract regarding data security were sufficiently definite based on the Marriott and SPG Privacy Statements. Although not stated in the complaint, the dates of formation of the contracts could be determined in discovery.
Adequately pled for breach of express contract based on alleged contracts formed by Marriott and Starwood's privacy statements that were in effect at the time of the breach.
· Marriott's privacy statement provided that individuals agreed to be subject to its terms and conditions upon use of their on-line services or staying at their properties.
o Marriott Privacy Statement stated it would use "reasonable organizational, technical and administrative measures to protect [its customers'] Personal Data."
· Starwood's privacy statement provided that individuals agreed to be subject to its terms and conditions when they become a member of the Starwood program or exchange information with the company.
o Starwood Privacy Statement stated it would "safeguard your information using appropriate administrative, procedural and technical safeguards," and provided detailed examples of the methods it would use.
· In other Districts, courts have found that broad statements of company policy do not generally give rise to contract claims and the absence of specific allegations that Privacy Statements had been relied upon, or even read, seen, or understood defeated the claims.
IV. Statutory Claims
a. Maryland Personal Information Protection Act (PIPA) Claims
Finding: Under the Maryland Personal Information Protection Act, a two-month period before reporting a data breach (absent an explanation of the delay) is sufficient to meet the threshold for pleading untimely notification.
Plausibly alleged failure to employ reasonable security measures to protect PI collected.
· Court did not resolve whether security codes must be compromised to state a PIPA claim.
· Plaintiffs allege that such codes likely were compromised in the data breach.
o Marriott argued PIPA covers only unencrypted payment card numbers when they are accompanied by access or security codes, and that Plaintiffs did not allege that any such codes or passwords were implicated in the cyberattack.
o Plaintiff’s response:
· Do not allege codes were "required" to allow fraudulent use of the PI.
· There have been some fraudulent charges.
· Full scope not yet known, may have compromised security codes.
· Hackers likely had access to "full payment card information with encryption keys" and that “stolen information includes . . . tools needed to decrypt cardholder data….”
· At least one initial report indicated security codes were compromised.
Plausibly alleged that the failure to disclose the data breach for more than two months violated the requirement of timely notice to consumers affected by a data breach.
Note: circumstances may later show two months was “reasonably prompt.”
b. Maryland Consumer Protection Act (CPA) Claims
Finding: Failure to reveal known risks and vulnerabilities in cyber security can constitute omissions that would have been important to a significant number of consumers and therefore meet the criteria of "unfair or deceptive trade practices" under Maryland Consumer Protection Act.
Adequately alleged violations of the Maryland CPA.
· Adequately pled a violation of the MD PIPA which constitutes an "unfair or deceptive trade practice" for purposes of Title 13 of the Maryland Commercial Law Code, and provides a sufficient basis for CPA claims.
· Met heightened pleading requirement of Federal Rule of Civil Procedure 9(b), including with regard to allegations of reliance on material omissions because "it is substantially likely that the consumer would not have made the choice in question had the commercial entity disclosed the omitted information." [4]
· Extensive allegations that Marriott knew or should have known about its allegedly inadequate data security practices and the risk of a data breach.
· "lack of cybersecurity due diligence"
· knew they were prime targets for hackers and had been the target of cyberattacks
· failure to follow FTC guidelines to reduce risk of cyberattack
· omissions would have been important to a significant number of consumers
· Plaintiffs relied on the omissions
· "would not have paid for goods and services or would have paid less for such goods and services" if it had known the truth about Marriott's alleged omissions.
V. Damages
Adequately alleged actual injury and actual loss to state their contract, negligence, and statutory claims, and Defendants' motion to dismiss on this basis is denied.
· Damages include loss of the benefit-of-the bargain, loss of time and money spent mitigating harms, and loss of value of personal information.
· Some plaintiffs alleged losses from identity theft in the form of unauthorized charges and accounts.
Finding: Although a specific value was not placed on the alleged overpayment, loss of benefit-of-the bargain, or loss of value of personal information, that is not required at this stage to adequately plead damages.
Finding: When harms are found to not be speculative, time and money incurred to mitigate are adequately pled damages in addition to being an injury-in-fact.
[1] To establish standing, a plaintiff must have (1) suffered an 'injury in fact' that is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical, (2) fairly traceable to the challenged action of the defendant, and (3) likely to be redressed if there is a favorable decision of the court.
[2] https://www.justice.gov/opa/speech/attorney-general-william-p-barr-announces-indictment-four-members-china-s-military (emphasis added).
[3] Under Georgia law, a negligence per se claim must contain an alleged "breach of a legal duty with some ascertainable standard of conduct." To evaluate a negligence per se claim, courts must "examine the purposes of the legislation and decide (1) whether the injured person falls within the class of persons it was intended to protect and (2) whether the harm complained of was the harm it was intended to guard against."
[4] Rule 9(b) requires the Plaintiffs to allege "the time, place, and contents of the false representations, as well as the identity of the person making the misrepresentation and what he obtained thereby." Harrison v. Westinghouse Savannah River Co., 176 F.3d 776, 784 (4th Cir. 1999). Where a claim of fraud is based on an omission, the particularity requirement takes a different form. Lombel v. Flagstar Bank F.S.B., No. PWG-13-704, 2013 WL 5604543, at *6 (D. Md. Oct. 11, 2013); Willis v. Bank of Am. Corp., No. ELH-13-02615, 2014 WL 3829520, at *8 (D. Md. Aug. 1, 2014) ("Rule 9(b) is 'less strictly applied with respect to claims of fraud by concealment' or omission of material facts, as opposed to affirmative misrepresentations, because 'an omission cannot be described in terms of the time, place, and contents of the misrepresentation or the identity of the person making the misrepresentation.'") (quoting Shaw v. Brown & Williamson Tobacco Corp., 973 F. Supp. 539, 552 (D. Md. 1997)).
"'[A] consumer relies on a material omission under the [Maryland CPA] where it is substantially likely that the consumer would not have made the choice in question had the commercial entity disclosed the omitted information.'" Willis v. Bank of Am. Corp., 2014 WL 3829520, at *22 (quoting Bank of Am., N.A. v. Jill P. Mitchell Living Trust, 822 F. Supp. 2d 505, 535 (D. Md. 2011)).