Duane Morris Class Action Review - 2023 - Report - Page 139
had been destroyed and would not be further distributed, but failed to notify the
individuals whose PII had been stolen until four months after the data breach occurred.
The defendant moved to dismiss for failure to state a cause of action. The court denied
in part and granted in part the defendant’s motion to dismiss. First, the court determined
that the plaintiffs had alleged a sufficient injury or harm to survive dismissal because the
hospital conceded that Social Security numbers and other financial data had been taken
and that the confidential health information that had been taken is the type of
information that is considered the most valuable to identity thieves. Second, the court
rejected the defendant’s motion to dismiss the plaintiffs’ negligence claims based on the
economic loss doctrine. In denying the defendant’s argument, the court concluded that
the plaintiffs and the Hospital may possess a “special relationship” that would eliminate
the application of the economic loss doctrine. Id. at *23. Finally, the court granted the
defendant’s motion for the plaintiffs’ claim under Mass. Gen. Laws ch. 93A because the
hospital did not operate in trade or commerce under Mass. Gen. Laws ch. 93A, § 2(a) in
that it did not receive and retain confidential information to make a profit but as part of
its provision of medical care
E.
Class Certification Decisions
While the landmark Marriott case proceeded as a class actions, plaintiffs in other
matters were not as fortunate in their motions for class certification. In particular, issues
of predominance and individualized inquiries relative to potential damages proved to be
the greatest barriers to class certification to courts considering these motions in 2022.
In Re Marriott International Customer Data Securities Breach Litigation, 341 F.R.D. 128
(D. Md. May 3, 2022), the court granted class certification in a data breach impacting
over 133 million American consumers against hotel chain Marriott and its data security
vendor Accenture. In allowing the case to proceed as a class action on behalf of the first
group of claimants the parties selected, the case will proceed forward on behalf of an
initial group of approximately 45 million customers in California, Connecticut, Florida,
Georgia, Maryland, and New York. The lawsuit stems from a data breach Marriott
discovered in 2018 after it acquired Starwood, in which, by its own admission, 133.7
million guest records of Starwood customers were compromised. Marriott
acknowledged in 2019 that the records included approximately 5.25 million unencrypted
passport numbers and 20.3 million encrypted passport numbers, among other sensitive
personal information regarding hotel stays. Beginning in 2014 and possibly earlier, and
continuing through November 2018, hackers exploited vulnerabilities in Starwood’s
network to access the guest reservation system and steal customer data. This database
contained personal customer information, including names, mailing addresses, phone
numbers, email addresses, passport numbers, Starwood Preferred Guest account
information, date of birth, gender, arrival and departure information, reservation dates,
and communication preferences. For some customers, the information also included
payment card numbers and payment card expiration dates. In granting class
certification, the court made clear that it was certifying the case for potential trial, rather
than for a pending settlement (as most other data breach cases proceed). The opinion
allows the plaintiffs to seek damages related to overpayment for hotel rooms, as well as
statutory and nominal damages. The court also found that consumers might be able to
138
© Duane Morris LLP 2023
Duane Morris Class Action Review – 2023
