On April 21, 2022, the United States Court of Appeals for the Fourth Circuit affirmed the dismissal by the United States District Court for the District of Maryland of allegations that Marriott International had violated federal securities laws by omitting from its public filings material information pertaining to cybersecurity vulnerabilities.[1]  This blog post examines the facts underlying the decision and the holding’s implications for comparable securities fraud claims.

Facts and Background

In 2016, Marriott merged with Starwood Hotels and Resorts Worldwide.  As part of the merger, Marriott acquired all of Starwood’s operations, including computer systems, databases, and software.  In 2018, Marriott discovered that the Starwood guest reservation database had been breached and personal consumer data had been compromised.  Specifically, malware had impacted 500 million guest records in the Starwood databases, “resulting in the second largest data breach in history.”[2]  It appears that the data breach actually began in 2014, although it was not noticed until 2018.  The breach included disclosure of many categories of sensitive information, including names, phone numbers, passport numbers, and more.[3]  

In 2019, the European Commission’s Information Commissioner’s Office fined Marriott more than $120 million for failure to comply with the EU’s data protection regulations and declared that “Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.”[4]

Between the announcement of the merger in November 2015 and Marriott’s disclosure of the data breach in November 2018, Marriott made multiple public statements in SEC filings and other forums assuring investors that each stage of the transaction was going well and that the company remained optimistic about the benefits of the merger.  For example, prior to the close of the merger in November 2016, Marriott told investors that it was conducting extensive due diligence of Starwood’s assets, including “a thorough analysis of the systems,” and continued to believe that the transaction would save costs.[5]  After the merger closed, Marriott continued to publicly state that the integration of the two entities was proceeding smoothly.  Marriott also made public statements about the importance of data privacy to its business.  For example, in October 2017, the Online Privacy Statement on the Starwood Hotels website stated, “All Starwood owned web sites and servers have security measures in place to help protect your personal data against accidental, loss, misuse, unlawful or unauthorized access, disclosure, or alteration while under our control.”[6]

Based on the above statements and other similar ones, multiple plaintiffs sued Marriott and nine of its corporate officers and directors for violations of Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 and Rule 10b-5, alleging that Defendants had knowingly or recklessly made false and misleading statements and omissions about the security of Starwood’s technological systems.

Proceedings in District Court

The first plaintiff brought suit against Defendants on December 1, 2018, the day after Marriott announced the data breach.  The Judicial Panel on Multidistrict Litigation transferred the lawsuit to the District of Maryland, before Judge Paul W. Grimm.  Judge Grimm consolidated multiple securities class actions and appointed the Construction Laborers Pension Trust for Southern California as lead plaintiff.[7]  In September 2020, Defendants moved to dismiss the Third Amended Consolidated Complaint. 

To successfully allege securities fraud, a plaintiff must meet the heightened pleading standards of the Private Securities Litigation Reform Act of 1995 (the “PSLRA”), which applies to securities actions brought by private plaintiffs, and Federal Rule of Civil Procedure 9(b), which applies to all allegations of fraud.  Under the PSLRA, a securities plaintiff must “specify each statement alleged to have been misleading, the reason or reasons why the statement is misleading, and, if an allegation regarding the statement or omission is made on information and belief, the complaint shall state with particularity all facts on which that belief is formed.”[8]  Meanwhile, Rule 9(b) requires plaintiffs to “state with particularity the circumstances constituting fraud.”[9]

Keeping these heightened pleading standards in mind, a plaintiff must plausibly allege the following elements to establish a securities fraud case: “(1) a material misrepresentation or omission by the defendant; (2) scienter; (3) a connection between the misrepresentation or omission and the purchase or sale of a security; (4) reliance upon the misrepresentation or omission; (5) economic loss; and (6) loss causation.”[10]

In June 2021, the District Court dismissed the Complaint, determining that Plaintiffs had not plausibly alleged all of the above elements.  First, the District Court determined that Plaintiffs failed to plausibly allege that Marriott’s statements about conducting due diligence and a “thorough analysis” of Starwood’s assets were actually false.  Indeed, many allegations supported the inference that Marriott and its employees had engaged in proper due diligence and integration processes.  According to the District Court, public statements about engaging in due diligence or a thorough analysis could not have communicated to a reasonable investor that “there would be no issues,” particularly when Marriott made other, simultaneous disclosures about multiple risk factors, including statements like, “Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure.”[11]

The District Court also rejected Plaintiffs’ theory that statements of general optimism about the merger and integration with Starwood were material misrepresentations because they failed to disclose vulnerabilities in Starwood’s IT systems.  Some of the statements cited include: (1) “the prospects for the combined company are favorable”; (2) “we have become even more convinced of the tremendous opportunity presented by this merger”; and (3) “we are even more excited about the power of the combined companies.”[12]  Relying on well-established law, the District Court explained that these statements constitute “inactionable puffery.”[13]  The puffery doctrine dictates that a corporation’s generally positive statements about the future cannot mislead reasonable investors unless the statements are framed as guarantees or the plaintiff can show that the speaker did not genuinely hold that belief at the time a given statement was made. 

Here, according to the District Court, Plaintiffs failed to allege that Defendants “did not actually believe any of the statements of optimism”; instead, Plaintiffs sought to rely on the mere fact that the data breach occurred to suggest that Defendants could not have reasonably expected a favorable outcome.[14]  Allegations that rely on hindsight to allege prior knowledge of a problem are rarely successful in private securities actions.  The court also explained that the public filings included meaningful “cautionary language” that tempered the reliability of forward-looking statements, including about the success of the Starwood merger and the inability to completely guarantee data security.[15]  The court found the disclosures meaningful enough to render implausible the falsity of any forward-looking statement.

Next, the District Court determined that Plaintiffs failed adequately to plead that any Defendant acted with scienter, or “a mental state embracing intent to deceive, manipulate, or defraud.”[16]  Running through several categories of allegations that Plaintiffs used to allege scienter—statements from confidential witnesses who were former Marriott employees, internal documents showing that the Board was discussing and contemplating cybersecurity weaknesses, lack of strong cybersecurity defenses in Starwood’s database, and the magnitude of the breach itself—the District Court determined that none of them plausibly alleged that any Defendant knew about the nature and scope of the data breach at the time that they made any of the purported misrepresentations or omissions about the merger. 

Interestingly, the District Court acknowledged that, in a separate track of litigation, it had held under Maryland and California consumer protection laws that the allegations adequately established the inference that “Marriott knew or should have known that the personal information was not secure.”[17]  But the court reconciled this apparent inconsistency by explaining that “the pleading requirements of the PSLRA are substantially more demanding than those of Rule 9(b),” and the PSLRA’s heightened standard was not applicable to the plaintiffs who sued under state consumer protection laws.[18]  Ultimately, that prior holding could not save the securities fraud claims.

The Fourth Circuit’s Opinion

In April 2022, the Fourth Circuit affirmed the District Court’s dismissal of the securities fraud complaint.  In so doing, the Circuit explained that the allegations in the Complaint—even if true—simply suggest that Defendants made statements about “the importance of data protection to Marriott’s business,” not statements that “overrepresent[ed] the extent to which it was securing and protecting the customer data.”[19]  In other words, “Marriott’s public statements about the importance of data protection did not assign a quality to Marriott’s cybersecurity that it did not have.”[20]  The Circuit also agreed with the District Court that accompanying disclosures about possible investor risks, including risks relating to data privacy, provided sufficient notice to reasonable investors. 

The Circuit also discredited Plaintiffs’ theory that Marriott failed to disclose the data breach even after the company and its leadership knew about it.  The Circuit found that the allegations did not support the notion that Marriott leadership intentionally misrepresented the compliance of the Starwood systems with certain security standards; in fact, Marriott disclosed that the systems might not satisfy those requirements.  Additionally, according to the Circuit, once the breach was actually discovered, a November 2018 disclosure timely and sufficiently notified investors about the incident.  Nevertheless, the Circuit warned that, although the “federal securities laws did not require it,” “Marriott certainly could have provided more information to the public about its experience with or vulnerability to cyberattacks.”[21]

The Circuit did not address the District Court’s conclusions on whether Plaintiffs had plausibly alleged scienter, suggesting that the Circuit was more comfortable affirming on the grounds that the purported material misstatements and omissions did not mislead any reasonable investor about the security of the Starwood systems or the existence of the data breach after it was discovered. 

Takeaways

It is important to note that Marriott included in its public filings accurate and detailed risk disclosures regarding the security of its systems and the possibility of cyberattacks.  Marriott also immediately disclosed the nature of the data breach after it discovered the full extent of the breach.  Without providing similarly adequate risk disclosures and timely notice of data breaches, other companies could very well be exposed to liability under applicable regulations. The extent to which this was instrumental in guiding the District Court suggests the importance of continued focus on such disclosures.