[BreachExchange] UK class action style claim filed over Marriott data breach

Destry Winant destry at riskbasedsecurity.com
Thu Aug 20 10:25:47 EDT 2020


https://techcrunch.com/2020/08/19/uk-class-action-style-claim-filed-over-marriott-data-breach/

A class action style suit has been filed in the UK against hotel group
Marriott International over a massive data breach that exposed the
information of some 500 million guests around the world, including
around 30 million residents of the European Union, between July 2014
and September 2018.

The representative legal action against Marriott has been filed by UK
resident, Martin Bryant, on behalf of millions of hotel guests
domiciled in England & Wales who made reservations at hotel brands
globally within the Starwood Hotels group, which is now part of
Marriott International.

Hackers gained access to the systems of the Starwood Hotels group,
starting in 2014, where they were able to help themselves to
information such as guests’ names; email and postal addresses;
telephone numbers; gender and credit card data. Marriott International
acquired the Starwood Hotels group in 2016 — but the breach went
undiscovered until 2018.

Bryant is being represented by international law firm, Hausfeld, which
specialises in group actions.

Commenting in a statement, Hausfeld partner, Michael Bywell, said:
“Over a period of several years, Marriott International failed to take
adequate technical or organisational measures to protect millions of
their guests’ personal data which was entrusted to them. Marriott
International acted in clear breach of data protection laws
specifically put in place to protect data subjects.”

“Personal data is increasingly critical as we live more of our lives
online, but as consumers we don’t always realise the risks we are
exposed to when our data is compromised through no fault of our own. I
hope this case will raise awareness of the value of our personal data,
result in fair compensation for those of us who have fallen foul of
Marriott’s vast and long-lasting data breach, and also serve notice to
other data owners that they must hold our data responsibly,” added
Bryant in another supporting statement.

Reached for a response, a Marriott International spokesperson said it
does not comment on pending litigation.

A claim website for the action invites other eligible UK individuals
to register their interest — and “hold Marriott to account for not
securing your personal data”, as it puts it.

Here are the details of who is eligible to register their interest:

The ‘class’ of claimants on whose behalf the claim is brought includes
all individuals who at any date prior to 10 September 2018 made a
reservation online at a hotel operating under any of the following
brands: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels
& Resorts, Element Hotels, Aloft Hotels, The Luxury Collection,
Tribute Portfolio, Le Méridien Hotel & Resorts, Four Points by
Sheraton, Design Hotels. In addition, any other brand owned and/or
operated by Marriott International Inc or Starwood Hotels and Resorts
Worldwide LLC. The individuals must have been resident in England and
Wales at some point during the relevant period prior to 10 September
2018 and are resident in England and Wales at the date the claim was
issued. They must also have been at least 18 years old at the date the
claim was issued.

The claim is being brought as a representative action under Rule 19.6
of the Civil Procedure Rules, per a press release, which also notes
that everyone with the same interest as Bryant is included in the
claimant class unless they opt out.

Those eligible to participate face no fees or costs, nor do affected
guests face any financial risk from the litigation — which is being
fully funded by Harbour Litigation Funding, a global litigation
funder.

The suit is the latest sign that litigation funders are willing to
take a punt on representative actions in the UK as a route to
obtaining substantial damages for data issues. Another class action
style suit was announced last week — targeting tracking cookies
operated by data broker giants, Oracle and Salesforce.

Both lawsuits follow a landmark decision by a UK appeals court last
year which allowed a class action-style suit against Google’s use
between 2011 and 2012 of tracking cookies to override iPhone users’
privacy settings in Apple’s Safari browser to proceed, overturning an
earlier court decision to toss the case.

The other unifying factor is the existence of Europe’s General Data
Protection Regulation (GDPR) framework which has opened the door to
major fines for data protection violations. So even if EU regulators
continue to lack uniform vigour in enforcing data protection law,
there’s a chance the region’s courts will do the job for them if more
litigation funders see value in bringing representative cases to
pursue damages for privacy violations.

The dates of the Marriott data breach mean it falls under GDPR —
which came into application in May 2018.

The UK’s data watchdog, the ICO, proposed a $123M fine for the
security failing in July last year — saying then that the hotel
operator had “failed to undertake sufficient due diligence when it
bought Starwood and should also have done more to secure its systems”.

However it has yet to hand down a final decision. Asked when the
Marriott decision will be finalized, an ICO spokeswoman told us the
“regulatory process” has been extended until September 30. No
additional detail was offered to explain the delay.

Here’s the regulator’s statement in full:

Under Schedule 16 of the Data Protection Act 2018, Marriott has agreed
to an extension of the regulatory process until 30 September. We will
not be commenting until the regulatory process has concluded.

