(MDL) action concerning data breach claims against Marriott International, Inc., and its related entities. One of the plaintiffs in the MDL is the City of Chicago, which sued Marriott and Starwood Hotels and Resorts Worldwide LLC pursuant to a municipal consumer protection ordinance. Id. at *50. Marriott filed a motion for partial summary judgment, and the court denied the motion. Marriott disclosed that it had been the target of one of the largest data breaches in history, during which hackers had access to customers’ personal information in the Starwood guest information database for over four years. The breach impacted approximately 133.7 million guest records associated with the United States, including an estimated 2.4 million records associated with Chicago. Id. at *51. Chicago contended that Marriott ’ s conduct with respect to the data breach violated the City ’ s consumer protection ordinance by failing to safeguard the personal information of Chicago residents, failing to implement and maintain reasonable security measures for that information, misrepresenting to Chicago residents that it had reasonable security safeguards in place, and failing to give prompt notice of the data breach to Chicago residents. Id. Marriott moved for summary judgment by requesting that the court limit as a matter of law the monetary fines Chicago may seek pursuant to its municipal statute. Under the monetary provision in the statute, “any person who violates any of the requirements of this section shall be subject to a fine of not less than $500.00 nor more than $10,000.00 for each offense. Each day that a violation continues shall constitute a separate and distinct offense to which a separate fine shall apply.” Id. at *55. Marriott contended that the second sentence did not apply to past conduct, but only to ongoing and active violations. Chicago argued that any ruling on damages at this stage would constitute an impermissible advisory opinion because (i) future rulings on liability may render the damages issue moot; and (ii) Chicago may choose not to seek both daily and per- record fines. The court concluded that the circumstances and posture of the case favored denying the motion as premature because Chicago stated that it had not decided whether it will seek both daily and per-record fines. Further, the court reasoned that damages can be more effectively and efficiently addressed after discovery, once the record evidence and theories of liability and damages have been more fully developed. For these reasons, the court denied Marriott ’ s motion for partial summary judgment. In Perry, et al. v. Bay & Bay Transportation Services, 2023 U.S. Dist. LEXIS 5630 (D. Minn. Jan. 12, 2023), the plaintiff filed a class action against the defendant alleging negligence, negligence per se, and breach of implied contract stemming from a ransomware attack on the defendant ’ s network that resulted in unauthorized access to its computer systems and customer and employee data. The defendant filed a motion to dismiss for lack of standing. The court denied the motion. The plaintiff asserted that the defendant failed to comply with the Federal Trade Commission ’ s established cyber-security guidelines for businesses and industry standards, and such neglect increased the chance for fraud and was negligent. The court found that the plaintiff sufficiently established an injury-in-fact of a threat of future harm which was traceable to the defendant ’ s conduct to confer Article III standing. The court also opined that the increased risk of identity theft and fraud resulting from the data breach was a sufficient injury to bring claims for injunctive and equitable relief. Furthermore, the court concluded that the plaintiff had adequately pleaded his negligence and negligence per se claims, thereby establishing causation and damages. The court determined that the defendant ’ s alleged failure to protect sensitive personal information constituted a cognizable injury. The court also asserted that the plaintiff had alleged sufficient facts to meet the elements of contract formation, performance of conditions precedent, breach, and damages. Accordingly, the court denied the defendant ’ s motion to dismiss. In Ruskiewicz, et al. v. Oklahoma City University, 2023 U.S. Dist. LEXIS 178928 (W.D. Okla. Oct. 4, 2023), the plaintiff, a law school graduate, filed a class action alleging that her personal information was accessed by an unauthorized third party during a data breach. The defendant notified the plaintiff that her information was compromised during the breach, and stated that it had no reason to believe any impacted information had been misused, but offered complimentary credit monitoring and identity protection services. The plaintiff contended that, because of the data breach, she now faced a heightened risk of identity theft. The plaintiff brought claims for negligence, negligence per se, breach of contract, invasion of privacy, and violation of the Oklahoma Consumer Protection Act. The defendant moved to dismiss for lack of standing, and the court granted the motion. The plaintiff alleged that her personal information “was compromised and stolen by unauthorized third parties” and consequently was “released into the public domain.” Id. at *4. The
12
© Duane Morris LLP 2024
Duane Morris Data Breach Class Action Review – 2024
Made with FlippingBook - professional solution for displaying marketing and sales documents online