The Fourth Circuit’s opinion last week in In re Marriott International, Inc., — F.4th —, No. 21-1802 (4th Cir. Apr. 21, 2022), could prove useful to companies facing data breach class actions.  Following a data breach of the Starwood guest reservation system, Marriott investors brought securities claims alleging that the purported failure to disclose vulnerabilities in Starwood’s IT systems rendered certain public statements false or misleading.

For example, the investors argued that Marriott’s statement that “the integrity and protection of customer, employee, and company data is critical to us as we use such data for business decisions and to maintain operational efficiency” was misleading because it gave the “impression that Marriott was securing and protecting the customer data acquired from Starwood.”  The district court rejected this argument after finding that the challenged statements “did not assign a quality to Marriott’s cybersecurity that it did not have.”

The Fourth Circuit affirmed.  It rejected the investors’ reliance on district court cases holding that statements describing the strength of security measures may be false if the measures are actually deficient because “Marriott made no such representation.”  Instead, the Fourth Circuit agreed with the district court that a statement about the importance a company places on data security is not a representation about the quality or effectiveness of its security measures.  The Fourth Circuit also acknowledged that “[t]he fact that a company has suffered a security breach does not demonstrate that the company did not place significant emphasis on maintaining a high level of security.”  This case is an important precedent for dismissing complaints alleging false statements concerning data security.

Amy Heath

Amy Heath focuses on complex commercial litigation and class actions. She has handled matters involving contract, privacy, consumer protection, fraud, unfair competition, and intellectual property claims. She also has experience with internal investigations. Before practicing law, Amy served as an intelligence analyst.

Eric Bosset

Eric Bosset is a partner whose practice encompasses a broad range of complex litigation matters, with an emphasis on (1) privacy, data security and consumer protection, (2) employment and ERISA, and (3) financial products and services. Eric has extensive experience in class actions, MDL proceedings, and other multi-party lawsuits. His trial victories include a jury verdict in an employment class action lawsuit that The National Law Journal ranked among the 25 most notable defense verdicts of the year.

Privacy and Consumer Protection

Eric was named “Most Valuable Player” in Privacy & Consumer Protection by Law360. He has an extensive practice representing Internet service providers, publishers and advertisers in class action litigation involving claims of unauthorized collection and disclosure of personally identifiable information (“PII”). He has successfully represented Microsoft, AOL, CBS, McDonald’s, Mazda, the Indianapolis Colts, and other companies in obtaining the dismissals of putative class action lawsuits that asserted federal law claims under the Electronic Communications Privacy Act (“ECPA”), Computer Fraud and Abuse Act (“CFAA”), and Video Privacy Protection Act (“VPPA”), as well as state law claims under the Illinois Biometric Information Privacy Act (“BIPA”) and for unfair practices, trespass, and invasion of privacy.

Eric also represents companies in connection with matters arising under the Fair Credit Reporting Act (“FCRA”), Fair and Accurate Credit Transaction Act (“FACTA”), Telephone Consumer Protection Act (“TCPA”), and other consumer protection statutes.

Employment and ERISA

Eric has extensive experience defending companies in individual and class action litigation brought under federal and state laws concerning discrimination, retaliation, whistleblowing, wage and hour disputes, and wrongful termination, as well as in class action litigation involving the Employee Retirement Income Security Act (“ERISA”). Eric has the rare distinction of having tried and won a jury verdict in a class action lawsuit alleging “pattern or practice” discrimination on the basis of age in connection with a corporate reduction in force. Bush, et al. v. Deere & Company (C.D. Ill.). He also secured the reversal on appeal of a class certification order in a “stock drop” lawsuit that claimed breaches of fiduciary duty in the administration of a company retirement savings plan. In re Schering Plough Corporation ERISA Litig., 589 F.3d 585 (3d Cir. 2009). Eric also represents clients in EEOC investigations.

Financial and Fintech

Eric’s practice includes the representation of financial and fintech companies on a broad array of civil litigation, arbitration, and regulatory enforcement matters relating to financial products and services, including matters for Wells Fargo Bank, JPMorgan Chase, Synchrony Bank, Envestnet, Yodlee, and MidFirst Bank.