Shortly after Marriott International’s November 2018 announcement that it had uncovered a data breach in the guest registration system of Starwood (which Marriott had acquired two years earlier), the company was hit with a raft of litigation, including both securities class action lawsuits and shareholder derivative lawsuits. In twin June 11, 2021 opinions, the federal district judge presiding over the various Marriott data breach-related lawsuits granted the defendants’ motions to dismiss both the consolidated securities suits and the consolidated derivative suits. The lengthy and detailed opinions make for interesting reading and underscore the challenge plaintiffs face in trying to turn a cybersecurity incident into a D&O claim. The opinion in the securities suit can be found here and the opinion in the derivative suit can be found here.
On November 30, 2018, Marriott issued a press release announcing that hackers had breached its Starwood guest reservation system and stolen the personal data of as many as 500 million guests. The company announced that on September 8, 2018 an internal security tool had alerted the company of attempted unauthorized access. The subsequent investigation of the incident revealed that there had been unauthorized access to the Starwood network since 2014. The investigation revealed that an unauthorized party had copied and encrypted information and had taken steps toward removing the information. On November 19, 2018, the company was able to decrypt the information and determine that the contents were from the Starwood guest database. (Marriott acquired Starwood in 2016 for $13.6 billion.)
In its press release, the company said that the database itself contained information on to approximately 500 million guests who had made reservations with Starwood. For about 327 million of the guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication information. For some guests, the information also includes payment card information including card expiration date, however, the company was not yet able to determine if the payment card information had been decrypted.
As discussed here, plaintiffs’ lawyers did not waste any time in filing securities litigation based on these disclosures. On December 1, 2018, a plaintiff lawyer filed the first of several securities suits against Marriott and certain of its directors and officers. The various securities suits were ultimately consolidated and transferred to the District of Maryland as a multidistrict litigation (MDL) proceeding. In addition to the class action securities lawsuits, various plaintiffs’ lawyers also filed several shareholder derivative lawsuits, which also were consolidated in the MDL proceeding.
The consolidated securities litigation purports to be filed on behalf of a class of investors who purchased Marriott securities between November 16, 2015 and November 29, 2018. The consolidated complaint names as defendants the company itself as well as nine corporate officers and directors. The complaint alleges that the defendants made 73 statements or omissions during the class period that misled investors. The complaint alleges that the defendants violated Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 and Rule 10b-5 thereunder. The complaint seeks to recover damages on behalf of the class.
The consolidated derivative lawsuit complaint names as defendants thirteen members of Marriott’s board, as well as the company itself as nominal defendant. The derivative plaintiff asserts claims for violations of Sections 10(b), 14(a), and 20(a) of the Exchange Act of 1934 and corresponding rules thereunder, as well as under Delaware state law for breach of fiduciary duty, waste of corporate assets, and unjust enrichment.
Following several rounds of amended pleadings in both the securities and derivative litigation, the defendants filed motions to dismiss.
The June 11, 2021 Securities Suit Opinion
In a detailed 80-page June 11, 2021 opinion, Judge Paul W. Grimm granted the defendants’ motion to dismiss the consolidated amended securities class action complaint. Judge Grimm granted the motion based on his conclusion that the plaintiff had failed to adequately allege a false or misleading statement, a strong inference of scienter, and loss causation. Because the plaintiff had already had multiple opportunities to amend its complaint, Judge Grimm granted the motion with prejudice.
In assessing whether or not the plaintiff had adequately pled misrepresentation or omission, Judge Grimm broke the plaintiff’s claims down into categories of types of claims. With respect to each of the categories, Judge Grimm concluded that the plaintiff had not adequately met the requirements to plead misrepresentation.
Thus, with respect to the alleged misrepresentation and omissions with respect to Marriott’s due diligence and integration regarding the Starwood merger, Judge Grimm first reviewed the various statements at length, observing that “what stands out is that none of the statements alleged to be material misrepresentations were regarding cybersecurity due diligence or integration in particular.” The complaint, Judge Grimm observed, “contains no allegations to support the inference that Marriott was not conducting extensive due diligence or spending time to integrate the companies generally as Marriott’s statements claim.”
Similarly, after reviewing what he characterized as “statements of optimism” on which the plaintiff sought to rely, Judge Grimm concluded that the plaintiff “does not plead factual allegations to suggest that Defendants did not actually believe any of the statements of optimism.” Judge Grimm concluded further that the Defendants’ “positive statements” about “the expected overall success”of the merger “say nothing about cybersecurity and did not give rise to a duty to provide information about cybersecurity.”
Further, Judge Grimm reviewed (and set out at length and verbatim in his opinion) Marriott’s extensive precautionary disclosures about the risks surrounding the merger, concluding that “these cautionary statements are detailed and highly specific to Marriott and the Starwood transaction, and therefore qualify as meaningful cautionary statements for the purposes of the PSLRA and the bespeaks caution doctrine.”
With respect to the plaintiff’s allegations that the company’s risk factor disclosures were misleading, Judge Grimm said that “to the extent Plaintiff’s allegations relate to a failure to disclose information about future harms, Plaintiff failed to allege how a reasonable investor could be misled into thinking that Marriott’s detailed risk factors, including that ‘cyber-attacks could have a disruptive effect on our business,’ would suggest the opposite.”
With regard to plaintiffs’ allegations based on the company’s statements regarding the measures it was taking to protect customer data, Judge Grimm drew a distinction between the allegations in the data breach-related securities suit filed against Equifax and the data breach suit filed against Marriott, Judge Grimm noted that in contrast to the Equifax lawsuit allegations, “Marriott’s statements that data protection was ‘critical’ are not specific and verifiable and do not assign a quality to Marriott’s cybersecurity that it did not have; indeed, unlike the statements found to be actionable in Equifax, Marriott made no characterization at all with respect to the quality of its cybersecurity, only that Marriott considered it important.”
Judge Grimm also exhaustively reviewed the plaintiff’s scienter allegations, which he ultimately concluded failed to support an inference of scienter. Summarizing his analysis of the confidential witness testimony, internal documents, and IT audits on which the plaintiff sought to rely, Judge Grimm said that these items “all support an inference that Marriott’s cybersecurity was deficient” and that “Individual Defendants were aware of cybersecurity risks.” But, he said, the allegations also support the opposing inference that Marriott conducted due diligence and made investments in its IT infrastructure, even if they were not the same decisions that some of the confidential witnesses would have made.
Judge Grimm said further with respect to the scienter issue that “the lack of an alleged motive [for example in the absence of insider trading allegations], investigation into the data breach, cooperating with law enforcement, and disclosure of the risk of a cyberattack all support an inference of innocence.” Taken together, Judge Grimm said, the plaintiff “fails to allege a strong inference that Defendants acted with an intent to deceive or with severe recklessness to the truth.”
Finally, Judge Grimm concluded that the plaintiff had also failed to adequately allege loss causation.
The June 11, 2021 Derivative Lawsuit Opinion
In a separate June 11, 2021 opinion, Judge Grimm also granted the defendants’ motion to dismiss the separate shareholder derivative suit. Judge Grimm granted the motion based on his conclusion that the plaintiff had failed, under the requirements of Fed. R. Civ. Proc. 23.1, to adequately plead the ownership and demand requirements applicable to derivative lawsuits. Because the plaintiff had previously amended this complaint twice, Judge Grimm granted the dismissal with prejudice. He declined to exercise supplemental jurisdiction over the plaintiff’s remaining state law claims.
With respect to Rule 23.1’s ownership requirement, the plaintiff based his claims upon alleged misstatements or omissions over the course of a several-year period and alleged that he held shares “at all relevant times.” However, he admitted that he did not buy Marriott shares until June 11, 2018, which, Judge Grimm said shows that the plaintiff’s “at relevant times” allegation was deficient, as it showed that he “did not hold shares for almost the entirety of the relevant period.”
Judge Grimm also concluded that the plaintiff’s complaint did not meet the requirements to plead demand futility. The plaintiff had attempted to argue that demand would have been futile because of the potential liability that they faced. However, with respect to the plaintiff’s securities law claims in the derivative lawsuit, Judge Grimm noted that, for reasons he had stated in his separate opinion in the securities lawsuit, the plaintiff could not establish a substantial likelihood of liability as would be required to establish demand futility. Judge Grimm separately concluded that the plaintiff’s claims under Section 14(a) and related rules were also insufficient. Judge Grimm declined to exercise supplemental jurisdiction with respect to the plaintiff’s state law claims.
Both of Judge Grimm’s opinions are exhaustive and detailed. Both opinions are worth reading at length and in full, particularly for anyone concerned about possible liabilities that directors and officers of publicly traded companies face with respect to cybersecurity issues.
The Marriott data breach-related lawsuits, and in particular the data breach-related securities lawsuit, are very high-profile cases. The lawsuits were being closely watched not only because of the significant publicity that surrounded the Marriott data breach, but also for what the case might say about the prospects generally for D&O litigation related to cybersecurity incident. If nothing else, the opinions demonstrated that plaintiffs seeking to assert D&O claims based on cybersecurity incidents face an uphill battle.
To be sure, there have been some data breach-related D&O claims that have been successful for the plaintiffs. In particular, the Equifax cybersecurity incident related securities lawsuit, which Judge Grimm mentioned in his securities suit opinion, resulted in a $149 million settlement. The Yahoo data breach-related securities lawsuit resulted in an $80 million settlement, and the related Yahoo data breach-related derivative lawsuit settled for an additional $29 million million settlement. Otherwise, the claimants in cybersecurity-related D&O lawsuits have been largely unsuccessful.
Indeed, it could be argued that the settled Yahoo data breach-related derivative lawsuit might be the only data breach-related derivative lawsuit that has gotten any traction at all. Certainly, as I have documented in prior posts, the derivative lawsuits filed against Target (about which refer here), Home Depot (refer here), and Wyndham Worldwide produced little for plaintiffs. (To be sure, following dismissal at the district court level, the Home Depot case while on appeal for the defendants’ agreement to pay plaintiffs’ attorneys’ fees of $1.125 million, as discussed here.)
In addition to what they suggest about the plaintiffs’ prospects in success in cybersecurity-related D&O lawsuits generally, the two opinions also have important lessons for companies anxious to take proactive steps to try to protect themselves from cybersecurity-related corporate and securities law liabilities. Judge Grimm’s opinions are both full of the references to the extensive and detailed risk factor disclosures Marriott had included in its SEC filings. Indeed, in the securities lawsuit dismissal opinion, he quotes at length from the company’s risk disclosures addressing the company’s vulnerability to cybersecurity risks.
Judge Grimm’s willingness to distinguish between Equifax’s more specific and qualitative assertions about its cybersecurity measures, by comparison so Marriott’s statements that its cybersecurity measures were based on the company’s recognition that cybersecurity measures are important and should have an important priority, also have lessons for those advising companies on the cybersecurity disclosures.
Judge Grimm’s opinions may be particularly important in connection with cybersecurity disclosures in the context of a corporate merger. The underlying incident and indeed the securities and derivative lawsuits themselves highlight the potential significance of cybersecurity issues in the merger context. Cybersecurity weaknesses of a target company represent a significant vulnerability for the go-forward merged company. However, it is clear from Judge Grimm’s reading of Marriott’s disclosures that companies can address cybersecurity issues in their disclosure context in a way that addresses potential securities litigation exposure, even in the merger context.
For a long time, observers (including me) have been predicting that we would see significant D&O litigation arising out of cybersecurity incidents. But while there have been some significant cybersecurity-related D&O lawsuits, and while a small number of the suits have, as I noted above, been successful, by and large the cybersecurity-related D&O lawsuits just have not arisen in volume. In part that is because the financial markets have become so inured to news of a cybersecurity incident that by and large company share prices rarely drop significantly on the news. But another reason these kinds of lawsuits have not materialized in significant numbers is that the cases that have been filed largely have not been very successful. Judge Grimm’s two opinions in the Marriott cases will certainly reinforce that point.