Following a 2018 breach of the computer systems of Starwood Hotels and Resorts Worldwide, which merged with Marriott International in 2016, an institutional investor sued Marriott and its executives, claiming that their omission of material information about the company’s data vulnerabilities in 73 public statements constituted false or misleading statements in violation of Section 10(b) of the Securities Exchange Act of 1934 and Rule 10b-5 thereunder. The investor also claimed that Marriott executives were secondarily liable under Section 20(a) of the Exchange Act.
Marriott moved to dismiss the claims for failure to state a cause of action. The District Court for the District of Maryland granted Marriott’s motion on the grounds that the complaint failed to allege adequately a “false or misleading statement or omission, a strong inference of scienter, and loss of causation,” as the Exchange Act requires. The plaintiff appealed.
Noting that “not all material omissions are actionable,” the Court of Appeal for the Fourth Circuit affirmed the district court’s dismissal with prejudice. The court addressed the investor’s assertions regarding three sets of statements made by Marriott:
- Statements that “the integrity and protection of customer, employee and company data is critical to us, as we use such data for business decisions and to maintain operational efficiency.”
- On-line privacy statements saying that Marriott sought to use reasonable organizational, technical and administrative measures to protect personal data;
- Forward-looking cybersecurity risk disclosures that gave general warnings about the risk of adverse events that had actually occurred.
Examining the company’s statements carefully against the required elements for a Section 10(b) violation, the court reiterated the district court’s finding that Marriott’s public statements about the importance of data protection did not “assign a quality to the company’s cybersecurity that it did not have.” The court also agreed that Marriott’s privacy statements were neither false nor misleading, and that the company’s acknowledgement of past breaches sufficiently tempered the its forward-looking statements about future cybersecurity risks. And although, in the court’s opinion, Marriott could have provided more information to the public about these topics, US securities laws did not require it to do so.
Marriott faces consumer lawsuits in several jurisdictions, and has been fined by the UK authorities as a result of the breach, which compromised the protected personal information of five and a half million people.