Case 8:20-cv-00867-DKC Document 1 Filed 04/01/20 Page 1 of 34
UNITED STATES DISTRICT COURT
DISTRICT OF MARYLAND
GREENBELT DIVISION

PATI SPRINGMEYER, an individual and Nevada Resident, on behalf of herself and all others similarly situated,

Plaintiff,

v.

MARRIOTT INTERNATIONAL, INC., a Montgomery County, Maryland Resident,

Defendant.

CASE NO.

CLASS ACTION COMPLAINT

JURY TRIAL DEMANDED

(1) Negligence
(2) Negligence Per Se
(3) Breach of Contract
(4) Breach of Implied Contract
(5) Breach of Confidence
(6) Deceptive & Unfair Trade Practices
`
For her Class Action Complaint, Plaintiff Pati Springmeyer, on behalf of herself and all others similarly situated, alleges the following against Defendant Marriott International, Inc. (“Marriott”), based on personal knowledge as to herself and on information and belief as to all other matters based upon, inter alia, the investigation conducted by and through Plaintiff’s counsel:
`
`
`SUMMARY OF THE CASE
`
`1.
`
`Marriott is one of the largest hotel chains in the world servicing tens of millions of
`
`customers every year.
`
`2.
`
`As part of the reservation and booking process for staying at a Marriott property,
`
`Marriott’s guests create, maintain, and update profiles containing significant amounts of personal
`
`identifiable information (“PII”), including their names, birthdates, addresses, locations, email
`
`addresses, and payment card information.
`
`3.
`
`On March 31, 2020, Marriott announced that the login credentials of two of its
`
`employees had been compromised and “an unexpected amount of guest information” had been
`
`improperly accessed as early as mid-January 2020. The compromised guest PII included: Contact
`
`Details (e.g., name, mailing address, email address, and phone number); Loyalty Account
`
`Information (e.g., account number and points balance, but not passwords); Additional Personal
`
`Details (e.g., company, gender, and birthday day and month); Partnerships and Affiliations (e.g.,
`
`linked airline loyalty programs and numbers); and Preferences (e.g., stay/room preferences and
`
`language preference) (“Data Breach”).
`
`4.
`
`This Data Breach comes on the heels of another massive breach Marriott announced
`
`in November 2018, wherein the PII of 500 million guests contained in Marriott’s Starwood
`
`reservation database was exposed due to a flaw in its reservation and database systems.
`
`5.
`
`This Data Breach was a direct result of Marriott’s failure to implement adequate
`
`and reasonable cyber-security procedures and protocols necessary to protect its guests’ PII.
`
`6.
`
`Marriott disregarded the rights of Plaintiff and Class Members (defined below) by,
`
`inter alia, intentionally, willfully, recklessly, or negligently failing to take adequate and reasonable
`
`measures to ensure their data systems were protected against unauthorized intrusions; failing to
`
`disclose that it did not have adequately robust computer systems and security practices to safeguard
`
`guest PII; failing to take standard and reasonably available steps to prevent the Data Breach; failing
`
`to monitor and timely detect the Data Breach; and failing to provide Plaintiff and Class Members
`
`with prompt and accurate notice of the Data Breach.
`
`7.
`
`As a result of Marriott’s failure to implement and follow basic security procedures,
`
`guest PII is now in the hands of thieves. Plaintiff and Class Members have had to spend, and will
`
`continue to spend, significant amounts of time and money in an effort to protect themselves from
`
`the adverse ramifications of the Data Breach, and will forever be at a heightened risk of identity
`
`theft and fraud.
`
8. Plaintiff, on behalf of all others similarly situated, alleges claims for negligence, breach of confidence, and violation of Maryland’s Consumer Protection Act, and seeks to compel Defendant to adopt reasonably sufficient security practices to safeguard guest PII that remains in its custody in order to prevent incidents like the Data Breach from reoccurring in the future.
`
`JURISDICTION AND VENUE
`
`9.
`
`This Court has jurisdiction over this action pursuant to the Class Action Fairness
`
`Act (“CAFA”), 28 U.S.C. § 1332(d), because the aggregate amount in controversy exceeds
`
`$5,000,000, exclusive of interests and costs, there are more than 100 class members, and at least
`
`one class member is a citizen of a state different from Defendant and is a citizen of a foreign state.
`
`The Court also has supplemental jurisdiction over the state law claims pursuant to 28 U.S.C. §
`
`1367.
`
`10.
`
`Venue is proper under 28 U.S.C. § 1391(c) because Defendant is a corporation that
`
`does business in and is subject to personal jurisdiction in this District. Venue is also proper because
`
`a substantial part of the events or omissions giving rise to the claims in this action occurred in or
`
`emanated from this District, including the decisions made by Marriott’s governance and
`
`management personnel that led to the breach. Further, Marriott’s terms of service governing users
`
in the United States provides for Maryland venue for all claims arising out of Plaintiff’s relationship
`
`with Marriott.
`
`PARTIES
`
`11.
`
`Plaintiff Pati Springmeyer is a resident and citizen of Las Vegas, Nevada. Plaintiff
`
`Springmeyer has stayed at a number of Marriott properties and hotels over the past 10 years,
`
`entrusting Marriott with her PII. On March 31, 2020, Ms. Springmeyer received an email from
`
`Marriott International stating that her PII had been compromised and “accessed without
`
`authorization.”
`
`12.
`
`Since the announcement of the Data Breach, Ms. Springmeyer continues to monitor
`
`her various accounts in an effort to detect and prevent any misuses of her personal information.
`
13. Ms. Springmeyer has spent, and continues to spend, her valuable time to protect the integrity of her PII — time which she would not have had to expend but for the Data Breach.
`
`14. Ms. Springmeyer suffered actual injury from having her PII exposed as a result of
`
`the Data Breach including, but not limited to: (a) paying monies to Marriott for its services which
`
`she would not have, had Marriott disclosed that it lacked data security practices adequate to
`
`safeguard consumers’ PII from theft; (b) damages to and diminution in the value of her PII—a
`
`form of intangible property that the Plaintiff entrusted to Marriott as a condition for hotel services;
`
`(c) imminent and impending injury arising from the increased risk of fraud and identity theft.
`
`15.
`
`As a result of the Data Breach, Ms. Springmeyer will continue to be at heightened
`
`risk for fraud and identity theft, and their attendant damages for years to come.
`
`16.
`
`Defendant Marriott, Inc., is a corporation with its principal executive offices
`
`located at 10400 Fernwood Rd, Bethesda, Maryland 20817.
`
`FACTUAL BACKGROUND
`
`A.
`
`The Marriott 2020 Data Breach
`
`17.
`
`In February 2020, Marriott learned that the login credentials of two employees at a
`
franchise property had been compromised and a large amount of guest PII had been improperly
`
`accessed. Over a month later, Marriott notified approximately 5.2 million guests that their PII such
`
`as names, addresses, phone numbers, birthdays, loyalty information had been compromised.
`
`Although Marriott said it doesn’t believe that credit card information, passport numbers or driver’s
`
`license information were accessed, they stated the investigation was ongoing and they did not rule
`
`out the possibility.1
`
`18.
`
`On March 31, 2020, Marriott sent an email to affected guests and posted an incident
`
`notification on its website stating in relevant part as follows:
`
`Marriott International: Incident Notification
`This site has information concerning the incident, answers to questions,
`and steps guests can take.
`
`
`March 31, 2020
`
`
`What Happened?
`
`Hotels operated and franchised under Marriott’s brands use an application
`to help provide services to guests at hotels. At the end of February 2020, we
`identified that an unexpected amount of guest information may have been
`accessed using the login credentials of two employees at a franchise property. We
`believe this activity started in mid-January 2020. Upon discovery, we confirmed
`that the login credentials were disabled, immediately began an investigation,
`implemented heightened monitoring, and arranged resources to inform and assist
`guests.
`
`
`
`Although our investigation is ongoing, we currently have no reason to
`believe that the information involved included Marriott Bonvoy account
`passwords or PINs, payment card information, passport information, national IDs,
`or driver’s license numbers.
`
`
`At this point, we believe that the following information may have been
`involved, although not all of this information was present for every guest
`involved:
`
`• Contact Details (e.g., name, mailing address, email address, and phone
`number)
`
`• Loyalty Account Information (e.g., account number and points balance,
`but not passwords)
`
`
1 Millions of Guests Impacted in Marriott Data Breach, Again, Threatpost, March 31, 2020,
`https://threatpost.com/millions-guests-marriott-data-breach-again/154300/
`
`• Additional Personal Details (e.g., company, gender, and birthday day and
`month)
`
`• Partnerships and Affiliations (e.g., linked airline loyalty programs and
`numbers)
`
`• Preferences (e.g., stay/room preferences and language preference)
`
`Guest Notification
`
`On March 31, 2020, Marriott sent emails about the incident to guests
`involved. The email was sent from marriott@email-marriott.com because this is the
`standard email account used to communicate with our guests.2
`
`
`
`B. Marriott Acquires, Collects, and Stores Plaintiff’s and Class Members’ PII
`
`19. Marriott is an American multinational, diversified hospitality company that
`
`manages and franchises a broad portfolio of hotels and related lodging facilities, including 30
`
`brands with more than 7,000 properties across 130 countries and territories globally. Founded in
`
`1927, the company is headquartered in Bethesda, Maryland, and maintains hotel brands including
`
`Marriott, Courtyard, and Ritz-Carlton. Marriott reported revenues of $20.75 billion in the 2018
`
`fiscal year.
`
`20.
`
`Upon information and belief, Marriott collects, stores, and maintains the PII of all
`
`guests who stay at Marriott properties.
`
`21.
`
`As a condition of staying at one of its properties, Marriott requires that guests
`
`entrust it with their PII.
`
`22.
`
`By obtaining, collecting, using, and deriving a benefit from Plaintiff’s and Class
`
`Members’ PII, Marriott assumed legal and equitable duties and knew or should have known that
`
`it was responsible for protecting Plaintiff’s and Class Members’ PII from disclosure.
`
`2 https://mysupport.marriott.com/
`
`23.
`
`Plaintiff and the Class Members have taken reasonable steps to maintain the
`
`confidentiality of their PII. Plaintiff and the Class Members relied on Marriott to keep their PII
`
`confidential and securely maintained, to use this information for business purposes only, and to
`
`make only authorized disclosures of this information.
`
`24.
`
`In Marriott’s Global Privacy Statement dated May 18, 2018, Marriott represents
`
`that: “The Marriott Group, which includes Marriott International, Inc., Starwood Hotels & Resorts
`
`Worldwide, LLC … and their affiliates, values you as our guest and recognizes that privacy is
`
`important to you.” It explains that the Marriott Group collects data:
`
`•
`
`through websites operated by us from which you are accessing this Privacy
`
`Statement, including Marriott.com and other websites owned or controlled by the Marriott
`
`Group (collectively, the “Websites”)
`
`•
`
`through the software applications made available by us for use on or through
`
`computers and mobile devices (the “Apps”)
`
`•
`
`through our social media pages that we control from which you are
`
`accessing this Privacy Statement (collectively, our “Social Media Pages”)
`
`•
`
`through HTML-formatted email messages that we send you that link to this
`
`Privacy Statement and through your communications with us
`
`•
`
`when you visit or stay as a guest at one of our properties, or through other
`
`offline interactions.
`
`25.
`
`The Privacy Statement defines “Collection of Personal Data” as follows: “Personal
`
`Data” are data that identify you as an individual or relate to an identifiable individual. At
`
`touchpoints throughout your guest journey, we collect Personal Data in accordance with law, such
`
`as:
`
`• Name
`
`• Gender
`
`• Postal address
`
`• Telephone number
`
`• Email address
`
`• Credit and debit card number or other payment data
`
`• Financial information in limited circumstances
`
`• Language preference
`
`• Date and place of birth
`
`• Nationality, passport, visa or other government-issued identification data
`
• Important dates, such as birthdays, anniversaries and special occasions

• Membership or loyalty program data (including co-branded payment cards, travel partner program affiliations)
`
`• Employer details
`
`• Travel itinerary, tour group or activity data
`
`26. Marriott further represents that: “We seek to use reasonable organizational,
`
`technical and administrative measures to protect Personal Data.”
`
`27.
`
`Knowing the significant value and sensitive nature of the information it collects,
`
`Marriott’s current privacy policy represents that Marriott uses “reasonable physical, electronic,
`
`and administrative safeguards to protect your Personal Data from loss, misuse and unauthorized
`
`access, disclosure, alteration and destruction, taking into account the nature of the Personal Data
`
`and the risks involved in processing that information.”3
`
`
`3 Marriott U.S. Privacy Shield Guest Privacy Policy (updated May 24, 2019), available at:
`
`28.
`
`Despite collecting and holding “Personal Data” for millions of individuals
`
`worldwide, Marriott failed to adopt reasonable data security measures to prevent and detect
`
`unauthorized access to their highly-sensitive databases. Marriott had the resources to prevent a
`
`breach and has made significant expenditures to market their hotels and hospitality services, but
`
`neglected to adequately invest in data security, despite being engaged in litigation regarding one
`
`of the largest data breaches in history.
`
`C.
`
`The Value of Personally Identifiable Information and the Effects of Unauthorized
`Disclosure
`
`29.
`
`The types of information compromised in the Data Breach are highly valuable to
`
`identity thieves. The names, email addresses, recovery email accounts, telephone numbers,
`
`payment card information, passport information, and other valuable PII can all be used to gain
`
`access to a variety of existing accounts and websites.
`
`30.
`
`Identity thieves can also use the PII to harm Plaintiff and Class Members through
`
`embarrassment, blackmail, or harassment in person or online, or to commit other types of fraud
`
`including obtaining ID cards or driver’s licenses, fraudulently obtaining tax returns and refunds,
`
`and obtaining government benefits. A Presidential Report on identity theft from 2008 states that:
`
`In addition to the losses that result when identity thieves fraudulently open
`accounts or misuse existing accounts, . . . individual victims often suffer indirect
`financial costs, including the costs incurred in both civil litigation initiated by
`creditors and in overcoming the many obstacles they face in obtaining or
`retaining credit. Victims of non-financial identity theft, for example, health-
`related or criminal record fraud, face other types of harm and frustration.
`
`In addition to out-of-pocket expenses that can reach thousands of dollars for the
`victims of new account identity theft, and the emotional toll identity theft can
`take, some victims have to spend what can be a considerable amount of time to
`repair the damage caused by the identity thieves. Victims of new account
`identity theft, for example, must correct fraudulent information in their credit
`
`
`https://www.marriott.com/about/global-privacy.mi (last accessed March 31, 2020).
`
`reports and monitor their reports for future inaccuracies, close existing bank
`accounts and open new ones, and dispute charges with individual creditors.4
`
`31.
`
`To put it into context, the 2013 Norton Report, based on one of the largest consumer
`
`cybercrime studies ever conducted, estimated that the global price tag of cybercrime was around
`
`$113 billion at that time, with the average cost per victim being $298 dollars.
`
`32.
`
`The problems associated with identity theft are exacerbated by the fact that many
`
`identity thieves will wait years before attempting to use the PII they have obtained. Indeed, in
`
`order to protect themselves, Class members will need to remain vigilant against unauthorized data
`
`use for years and decades to come.
`
`33.
`
`Once stolen, PII can be used in a number of different ways. One of the most
`
`common is that it is offered for sale on the “dark web,” a heavily encrypted part of the Internet that
`
`makes it difficult for authorities to detect the location or owners of a website. The dark web is not
`
`indexed by normal search engines such as Google and is only accessible using a Tor browser (or
`
`similar tool), which aims to conceal users’ identities and online activity. The dark web is notorious
`
`for hosting marketplaces selling illegal items such as weapons, drugs, and PII.5 Websites appear
`
`and disappear quickly, making it a very dynamic environment.
`
`34.
`
`Once someone buys PII, it is then used to gain access to different areas of the
`
`victim’s digital life, including bank accounts, social media, and credit card details. During that
`
`
`4 The President’s Identity Theft Task Force, Combating Identity Theft: A Strategic Plan, Federal
`Trade Commission, 11 (April 2007),
`https://www.ftc.gov/sites/default/files/documents/reports/presidents-identity-theft-task-force-
`report/081021taskforcereport.pdf
`5 Brian Hamrick, The dark web: A trip into the underbelly of the internet, WLWT News (Feb. 9,
`2017 8:51 PM), http://www.wlwt.com/article/the-dark-web-a-trip-into-the-underbelly-of-the-
`internet/8698419.
`
`process, other sensitive data may be harvested from the victim’s accounts, as well as from those
`
`belonging to family, friends, and colleagues.
`
`D. Marriott Failed to Comply With FTC Requirements
`
`35.
`
`Federal and State governments have likewise established security standards and
`
`issued recommendations to temper data breaches and the resulting harm to consumers and financial
`
`institutions. The Federal Trade Commission (“FTC”) has issued numerous guides for business
`
`highlighting the importance of reasonable data security practices. According to the FTC, the need
`
`for data security should be factored into all business decision-making.6
`
`36.
`
`In 2016, the FTC updated its publication, Protecting Personal Information: A
`
`Guide for Business, which established guidelines for fundamental data security principles and
`
`practices for business.7 The guidelines note businesses should protect the personal customer
`
`information that they keep; properly dispose of personal information that is no longer needed;
`
`encrypt information stored on computer networks; understand their network’s vulnerabilities; and
`
`implement policies to correct security problems. The guidelines also recommend that businesses
`
`use an intrusion detection system to expose a breach as soon as it occurs; monitor all incoming
`
`traffic for activity indicating someone is attempting to hack the system; watch for large amounts
`
`of data being transmitted from the system; and have a response plan ready in the event of a breach.
`
`37.
`
`The FTC recommends that companies not maintain cardholder information longer
`
`than is needed for authorization of a transaction; limit access to sensitive data; require complex
`
`
`6 Federal Trade Commission, Start With Security, available at
`https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf
`
`7Federal Trade Commission, Protecting Personal Information: A Guide for Business, available at
`https://www.ftc.gov/tips-advice/business-center/guidance/protecting-personal-information-guide-
`business
`
`passwords to be used on networks; use industry-tested methods for security; monitor for suspicious
`
`activity on the network; and verify that third-party service providers have implemented reasonable
`
`security measures.8
`
`38.
`
`The FTC has brought enforcement actions against businesses for failing to
`
`adequately and reasonably protect customer data, treating the failure to employ reasonable and
`
`appropriate measures to protect against unauthorized access to confidential consumer data as an
`
`unfair act or practice prohibited by Section 5 of the Federal Trade Commission Act (“FTCA”), 15
`
`U.S.C. § 45. Orders resulting from these actions further clarify the measures businesses must take
`
`to meet their data security obligations.
`
`39. Marriott was at all times fully aware of its obligation to protect the personal and
`
`financial data of its guests and customers. Marriott was also aware of the significant repercussions
`
`if it failed to do so.
`
`40. Marriott’s failure to employ reasonable and appropriate measures to protect against
`
`unauthorized access to confidential consumer data constitutes an unfair act or practice prohibited
`
`by Section 5 of the FTC Act, 15 U.S.C. § 45.
`
E. The Marriott Data Breach Caused Harm and Will Result in Additional Fraud
`
`
`41.
`
`The ramifications of Marriott’s failure to keep Plaintiff’s and Class members’ data
`
`secure are severe.
`
`42.
`
Consumer victims of data breaches are much more likely to become victims of
`
`identity fraud. This conclusion is based on an analysis of four years of data that correlated each
`
`year’s data breach victims with those who also reported being victims of identity fraud.9
`
`
`8 FTC, Start With Security, supra note 5.
`9 2014 LexisNexis True Cost of Fraud Study,
`https://www.lexisnexis.com/risk/downloads/assets/true-cost-fraud-2014.pdf.
`
`43.
`
`The FTC defines identity theft as “a fraud committed or attempted using the
`
`identifying information of another person without authority.”10 The FTC describes “identifying
`
`information” as “any name or number that may be used, alone or in conjunction with any other
`
`information, to identify a specific person.”11
`
`44.
`
`PII is a valuable commodity to identity thieves once the information has been
`
`compromised. As the FTC recognizes, once identity thieves have personal information, “they can
`
`drain your bank account, run up your credit cards, open new utility accounts, or get medical
`
`treatment on your health insurance.”12
`
`45.
`
`Identity thieves can use personal information, such as that of Plaintiff and Class
`
`Members, which Marriott failed to keep secure, to perpetrate a variety of crimes that harm victims.
`
`For instance, identity thieves may commit various types of government fraud such as: immigration
`
`fraud; obtaining a driver’s license or identification card in the victim’s name but with another’s
`
`picture; using the victim’s information to obtain government benefits; or filing a fraudulent tax
`
`return using the victim’s information to obtain a fraudulent refund.
`
`46.
`
`Javelin Strategy and Research reports that identity thieves have stolen $112 billion
`
`in the past six years.13
`
`47.
`
`Reimbursing a consumer for a financial loss due to fraud does not make that
`
`individual whole again. On the contrary, identity theft victims must spend numerous hours and
`
`their own money repairing the impact to their credit. After conducting a study, the Department of
`
`
`10 17 C.F.R § 248.201 (2013).
`11 Id.
`12 Federal Trade Commission, Warning Signs of Identity Theft, available at:
`https://www.consumer.ftc.gov/articles/0271-warning-signs-identity-theft.
`13 https://www.javelinstrategy.com/coverage-area/2016-identity-fraud-fraud-hits-inflection-point
`
`Justice’s Bureau of Justice Statistics (“BJS”) found that identity theft victims “reported spending
`
`an average of about 7 hours clearing up the issues” and resolving the consequences of fraud in
`
`2014.14
`
`48.
`
`An independent financial services industry research study conducted for
`
`BillGuard—a private enterprise that automates the consumer task of finding unauthorized
`
`transactions that might otherwise go undetected—calculated the average per-consumer cost of all
`
`unauthorized transactions at roughly US $215 per cardholder incurring these charges,15 some
`
`portion of which could go undetected and thus must be paid entirely out-of-pocket by consumer
`
`victims of account or identity misuse.
`
`49.
`
`There may be a time lag between when harm occurs versus when it is discovered,
`
`and also between when PII is stolen and when it is used. According to the U.S. Government
`
`Accountability Office (“GAO”), which conducted a study regarding data breaches:
`
`[L]aw enforcement officials told us that in some cases, stolen data may be held
`for up to a year or more before being used to commit identity theft. Further, once
`stolen data have been sold or posted on the Web, fraudulent use of that
`information may continue for years. As a result, studies that attempt to measure
`the harm resulting from data breaches cannot necessarily rule out all future
`harm.16
`
50. Thus, Plaintiff and Class members now face years of constant surveillance of their financial and personal records, monitoring, and loss of rights.
`
`
`
`
`14 Victims of Identity Theft, 2014 (Sept. 2015) available at:
`http://www.bjs.gov/content/pub/pdf/vit14.pdf.
`
`15 Hadley Malcom, Consumers rack up $14.3 billion in gray charges, research study
`commissioned for Billguard by Aite Research, USA Today (July 25, 2013), available at:
`https://www.usatoday.com/story/money/personalfinance/2013/07/25/consumers-unwanted-
`charges-in-billions/2568645/.
`16 GAO, Report to Congressional Requesters, at 29 (June 2007),
`http://www.gao.gov/new.items/d07737.pdf
`
`F.
`
`Plaintiff and Class Members Suffered Damages
`
`51.
`
`The PII of Plaintiff and Class Members is private and sensitive in nature and was
`
`left inadequately protected by Marriott. Marriott did not obtain Plaintiff’s and Class members’
`
`consent to disclose their PII to any other person as required by applicable law and industry
`
`standards.
`
`52.
`
`The Data Breach was a direct and proximate result of Marriott’s failure to properly
`
`safeguard and protect Plaintiff’s and Class members’ PII from unauthorized access, use, and
`
`disclosure, as required by various state and federal regulations, industry practices, and the common
`
`law, including Marriott’s failure to establish and implement appropriate administrative, technical,
`
`and physical safeguards to ensure the security and confidentiality of Plaintiff’s and Class members’
`
`PII to protect against reasonably foreseeable threats to the security or integrity of such information.
`
`53. Marriott had the resources to prevent a breach. Marriott made significant
`
`expenditures to market its hotels and hospitality services, but neglected to adequately invest in
`
`data security, despite the growing number of data intrusions and several years of well-publicized
`
`data breaches, including its own massive breach a little over a year ago.
`
`54.
`
`Had Marriott remedied the deficiencies in its information storage and security
`
`systems, followed industry guidelines, and adopted security measures recommended by experts in
`
`the field, Marriott would have prevented intrusion into its information storage and security systems
`
`and, ultimately, the theft of its customers’ confidential PII.
`
`55.
`
`As a direct and proximate result of Marriott’s wrongful actions and inaction and
`
`the resulting Data Breach, Plaintiff and Class members have been placed at an imminent,
`
`immediate, and continuing increased risk of harm from identity theft and identity fraud, requiring
`
`them to take the time which they otherwise would have dedicated to other life demands such as
`
`work and family in an effort to mitigate the actual and potential impact of the Data Breach on their
`
`lives including, inter alia, by placing “freezes” and “alerts” with credit reporting agencies,
`
`contacting their financial institutions, closing or modifying financial accounts, closely reviewing
`
`and monitoring their credit reports and accounts for unauthorized activity, and filing police reports.
`
`This time has been lost forever and cannot be recaptured.
`
`56. Marriott’s wrongful actions and inaction directly and proximately caused the theft
`
`and dissemination into the public domain of Plaintiff’s and Class members’ PII, causing them to
`
`suffer, and continue to suffer, economic damages and other actual harm for which they are entitled
`
`to compensation, including:
`
`a. theft of their personal and financial information;
`
`b. the imminent and certainly impending injury flowing from potential fraud and identity
`
`theft;
`
`c. the untimely and inadequate notification of the Data Breach;
`
`d. the improper disclosure of their PII;
`
`e. loss of privacy;
`
`f. ascertainable losses in the form of out-of-pocket expenses and the value of their time
`
`reasonably incurred to remedy or mitigate the effects of the Data Breach;
`
`g. ascertainable losses in the form of deprivation of the value of their PII, for which there
`
`is a well-established national and international market;
`
`h. the loss of productivity and value of their time spent to address, attempt to ameliorate,
`
`mitigate, and deal with the actual and future consequences of the Data Breach.
`
57. While Plaintiff’s and Class members’ PII have been compromised, Marriott
`
`continues to hold consumers’ PII, including Plaintiff and Class members. Particularly because
`
`Marriott has demonstrated an inability to prevent a breach or stop it from continuing even after
`
`being detected, Plaintiff and Class members have an undeniable interest in ensuring that their PII
`
`is secure, remains secure, is properly and promptly destroyed, and is not subject to further theft.
`
`G. Marriott’s Offer of Credit Monitoring is Inadequate
`
`58.
`
`At present, Marriott has offered one year of free enrollment in Experian’s
`
`IdentityWorks, a credit monitoring service.
`
`59.
`
`As previously alleged, consumers’ PII may exist on the Dark Web for months, or
`
`even years, before it is used for ill gains and actions. With only one year of monitoring, and no
`
`form of insurance or other protection, Plaintiff and Class Members remain unprotected from the
`
`real and long-term threats against their PII.
`
`60.
`
`Therefore, the “monitoring” services are inadequate, and Plaintiff and Class
`
`Members have a real and cognizable interest in obtaining equitable relief, in addition to the
`
`monetary relief requested herein.
`
`61. Marriott’s response to the Data Br
