Fourth Circuit Affirms Dismissal Of Putative Class Action Against Hotel Chain
On April 21, 2022, the United States Court of Appeals for the Fourth Circuit unanimously affirmed a district court’s dismissal of a putative class action against a major hotel chain (the “Company”) for violations of Section 10(b) of the Securities Exchange Act of 1934 and Securities and Exchange Commission Rule 10b-5. In re Marriott Int’l, Inc., No. 21-1802 (4th Cir. Apr. 21, 2022). Plaintiff alleged that the Company failed to disclose data vulnerabilities of a rival hotel company that it acquired in 2016, which rendered the Company’s subsequent public statements regarding its cybersecurity systems and the importance of protecting customer data false or misleading. Agreeing with the district court that none of the Company’s statements were false or misleading when made, the Fourth Circuit affirmed the district court’s dismissal.
In 2016, when the Company acquired its rival, it “subsumed all of . . . [its rival’s] computer systems, reservation software, and databases, as well as all the sensitive personal information in those databases.” In 2018, the Company learned that malware had impacted approximately 500 million guest records in its rival’s guest reservation database, resulting in the second largest data breach in history. Plaintiff alleged that, in light of these data vulnerabilities, three categories of statements made by the Company were false and misleading: (1) statements about the importance of protecting consumer data; (2) privacy statements on the Company’s website; and (3) the Company’s cybersecurity-related risk disclosures.
With respect to the first category of statements – that customer data integrity was “critical” to the Company – the Court rejected plaintiff’s argument that these statements were false or misleading. The Court noted that “the investor’s whole theory of the case turns on those statements being true—i.e., that data integrity is ‘critically important to [the Company] and its investors.’” The Court emphasized that the Company “made no characterization at all with respect to the quality of its cybersecurity, only that [the Company] considered it important.” Moreover, the Court found that the Company’s SEC disclosures had adequately disclosed data vulnerabilities, including the risk of data breaches.
With respect to the second category of purportedly misleading statements – that the Company sought “to use reasonable organizational, technical and administrative measures to protect” customer data – the Court held that plaintiff similarly failed to demonstrate that the statements were false or misleading when made. The Court noted that “[t]he fact that a company has suffered a security breach does not demonstrate that the company did not place significant emphasis on maintaining a high level of security.” The Court added that many of these privacy statements “were accompanied by such sweeping caveats that no reasonable investor could have been misled by them.” For example, the Company’s disclosures specifically warned that the Company’s data security systems “may not be able to satisfy” the “increasingly demanding” and “changing” legal and regulatory requirements.
Finally, plaintiff alleged that the Company’s general warnings of potential cybersecurity risks were misleading “when it knew those events had in fact already occurred.” The Court rejected plaintiff’s argument, noting that the Company’s “disclosure also acknowledged that the [C]ompany had already experienced the sort of challenges being discussed.” Specifically, the Court noted that once the Company became aware of the data breaches, it updated its disclosures to clarify that it had “experienced cyber-attacks, attempts to disrupt access to [its] systems and data, and attempts to affect the integrity of [its] data.” According to the Court, “[t]his admission ensured that forward-looking warnings did not ‘constitute misleading omissions about current or past challenges.’”