September 4, 2019

Federal District court unseals forensic investigative report in Marriott data breach litigation

On August 30, 2019, the US District Court for the District of Maryland ordered to be unsealed a Payment Card Industry Forensic Investigative Report (“PFI Report”) obtained by Marriott International in connection with a data security incident involving its Starwood reservation database.  The Court had previously ordered Marriott to produce the PFI Report to putative class action plaintiffs in ongoing multi-district securities litigation.  

Marriott moved to dismiss the class action complaint on July 15, 2019, and filed the PFI Report as a sealed exhibit to its motion.  Marriott argued that it was justified in sealing the PFI Report because its public disclosure would (1) provide “hackers with specific and detailed non-public information about Marriott’s IT operations,” (2) “undermine ongoing investigations into the Marriott data security incident,” and (3) “cause Marriott competitive harm by giving third parties, including Marriott’s direct competitors, insight into certain aspects of Marriott’s internal business practices, allowing those third parties to gain an unfair advantage against Marriott.”

The District Court rejected Marriott’s contention that sealing the entire PFI Report is necessary to prevent the types of harm described in its sealing motion.  First, the Court held that unsealing the PFI Report would not violate the PSLRA discovery stay because the PFI Report, an exhibit to Marriott’s motion to dismiss, no longer qualified as the “discovery” contemplated by the PLSRA.  Second, the Court held that the confidentiality interests advanced by Marriott failed to overcome the First Amendment right of access to judicial records.  The Court nevertheless permitted the parties to confer regarding specific portions of the PFI Report that should remain redacted in the publicly filed version of the PFI Report, until which time the full version will remained sealed.

Letter order | Motion to seal