Marriott Faces Another Data Breach LawsuitUK Suit Seeks Damages Under GDPR for Long-Running Starwood Reservation System Hack
Marriott faces another lawsuit, filed in Britain, over the hotel giant experiencing one of the worst data breaches in history.
The breach of the Starwood guest reservation system ran from July 2014 to September 2018 - Marriott acquired Starwood in 2016 - and exposed personal information for approximately 339 million customers worldwide.
On Tuesday, a data breach representative action - aka group action or class action lawsuit - was filed in the High Court of Justice for England and Wales by Martin Bryant, who runs a Manchester, England-based consultancy called Big Revolution.
Bryant's lawsuit seeks damages for Marriott losing control of customers' personal data, thus breaching the EU's General Data Protection Regulation as well as the U.K.'s Data Protection Act. It's being brought under rule 19.6 of the Civil Procedure Rules, which allows for representative actions. The lawsuit seeks to include all individuals in England and Wales - the other two nations in the U.K., Scotland and Northern Ireland, have separate legal systems - whose personal information was exposed, unless they opt out.
"I have filed a data breach group action in the High Court of England and Wales against Marriott International," Bryant says in a Wednesday LinkedIn post. "The action seeks compensation on behalf of millions of hotel guests who made reservations at hotel brands within the Starwood group. This action follows the data breach of hundreds of millions of guest records between July 2014 and September 2018."
Marriott did not immediately respond to a request for comment.
Marriott already faces class action lawsuits filed in other countries, including lawsuits in Canada. In the United States, a judge combined 11 class action lawsuits into a single one in early 2019. In February, a judge ruled that the lawsuit against Marriott should proceed.
Alleged: Breach of Data Protection Laws
Bryant is being represented by Hausfeld, an international law firm based in Washington that specializes in bringing class action lawsuits.
"Over a period of several years, Marriott International failed to take adequate technical or organizational measures to protect millions of their guests' personal data which was entrusted to them," says attorney Michael Bywell, a partner at Hausfeld. "Marriott International acted in clear breach of data protection laws specifically put in place to protect data subjects."
Europeans' right to seek damages from organizations that have violated their privacy rights is enshrined in GPDR.
"Under data protection law, you are entitled to take your case to court to: enforce your rights under data protection law if you believe they have been breached; claim compensation for any damage caused by any organization if they have broken data protection law, including any distress you may have suffered; or a combination of the two," according to the U.K.'s Information Commissioner's Office, which enforces data protection laws in the country.
Lawsuit Costs Being Paid by Litigation Funder
The cost of bringing the lawsuit against Marriott is being funded by Harbour Litigation Funding, a global litigation funder based in London.
"As new legislation protecting personal data is enacted, more and more data breaches are resulting in litigation," says Ellora MacPherson, the chief investment officer at Harbour. "Claims of this size and nature are extremely difficult to bring and sustain without the benefit of litigation funding."
The full amount of damages that Marriott potentially faces is not clear; it will be up to the court to set the per capita sum - should the case go ahead - based on evidence submitted by the hotel chain.
"I hope this case will raise awareness of the value of our personal data, result in fair compensation for those of us who have fallen foul of Marriott's vast and long-lasting data breach, and also serve notice to other data owners that they must hold our data responsibly," Bryant says.
In November 2018, Marriott announced that its Starwood guest reservation database had been hacked, exposing approximately 339 million customer records worldwide. Exposed data included names, mailing addresses, phone numbers, email addresses, passport numbers and, in some cases, encrypted payment card information.
In the U.K., approximately 7 million customers' records were exposed.
The breach led the ICO - Britain's privacy watchdog - to propose in July 2019 that Marriott be fined £99 million ($131 million) under the EU's General Data Protection Regulation.
GDPR empowers EU regulators to levy fines of up to 4% of an organization's annual global revenue or €20 million ($23.9 million) - whichever is greater - if they violate Europeans' privacy rights, for example, by failing to secure their personal data.
"The ICO's investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems," the regulator said at that time.
Based in Washington, Marriott International has over 7,300 hotel and guest properties in 134 countries and territories around the world. In addition to the Marriott name, its 30 brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. In 2019, the company had $20.9 billion in revenue.
Marriott Faces UK Fine
Marriott is appealing the ICO's proposed fine, and experts say the legal uncertainty caused by Britain having now formally exited the EU - via its so-called Brexit - may require the EU to launch a new investigation. The same goes for British Airways, which the regulator proposed fining a record-setting £184 million ($243.5 million) over breaches it suffered from September to October 2018 that enabled attackers to route customers to a fraudulent site, exposing 500,000 individuals' personal details.
More than a year after proposing fines, however, the ICO has yet to impose final fines. Except in unusual circumstances, the ICO is meant to issue final fines within six months of issuing its notice of intent to fine, unless the offending organization agrees to a delay (see: Big GDPR Fines in UK and Ireland: What's the Holdup?).
In April, the ICO said that COVID-19 counts as exceptional circumstances, both for the timing of its enforcement actions, as well as its business impact. Accordingly, it's hinted that it will recommend lower fines for both Marriott and BA, which have agreed to a delay in those final fines being set. The ICO has also said that for as long as the pandemic continues, it will be applying to all of its efforts a more flexible, "empathetic and pragmatic approach" (see: GDPR and COVID-19: Privacy Regulator Promises 'Flexibility').
Class Action Lawsuit Against British Airways
In the meantime, British Airways - owned by IAG, for International Airlines Group - also is facing a lawsuit, which was launched in September 2018 by SPG Law, the U.K. branch of U.S. law giant Sanders Phillips Grossman. SPG Law said it was seeking £500 million ($661 million) via its group action.
The airline in September and October 2018 said it had notified more than 500,000 customers that they may have been affected by the breach.
Last year, the High Court of England and Wales ruled that the group action could proceed, and set a cut-off date of Jan. 17, 2021, for victims to join the action. By October 2019, reportedly only 1% of eligible victims had done so.
It's not clear what level of compensation victims might receive, although various attorneys have suggested it could be anywhere from £3,000 ($4,000) to £6,000 ($8,000) per victim, or in cases of extreme impact, up to £16,000 ($21,500). Whether any such penalty levels would be approved, however, remains for the court to decide.