The Fourth Circuit dismissed an investor’s lawsuit against a hotel chain that had been subject to a data breach, ruling that the company had not made false or misleading public statements about its protection of customer data, its privacy practices, or its cybersecurity risks.
A recent decision of the U.S. Court of Appeals for the Fourth Circuit addressed a dispute between hotel giant Marriott International, Inc., and one of its institutional investors, the Construction Laborers Pension Trust for Southern California (the "investor"), following a data breach of Marriott’s guest records. In a class-action complaint, the investor claimed that Marriott and its executives breached federal securities laws by omitting from the company’s public statements material information about data vulnerabilities. Based on its interpretation of federal securities law requirements, the Fourth Circuit held that Marriott had not misled its investors, and the court affirmed the trial court’s dismissal of the investor’s claims.
Background to the 'Marriott' Case
In 2016, Marriott merged with Starwood Hotels and Resorts Worldwide. As part of the merger, Marriott acquired all of Starwood and its operations, including Starwood’s computer systems, reservation software, and databases, as well as all the sensitive personal information in those databases. Two years later, Marriott learned that malware had affected approximately 500 million guest records in the Starwood guest reservation database, resulting in the second largest data breach in history. Soon after, the investor filed suit in federal court in Maryland against Marriott and nine of its officers and directors. The investor alleged that Marriott violated federal securities laws, i.e., Section 10(b) of the Securities Exchange Act of 1934 and Securities and Exchange Commission Rule 10b-5, and that the officers and directors were also liable for those violations as control persons under Section 20(a) of the Act. The investor sought to bring the case as a class action.
At issue in the case were three categories of public statements by Marriott: (1) statements about the importance of protecting customer data; (2) privacy statements on Marriott’s website; and (3) cybersecurity-related risk disclosures. In its complaint, the investor alleged that Marriott’s public statements failed to disclose vulnerabilities in Starwood’s IT systems, rendering those public statements false or misleading in violation of Section 10(b) and Rule 10b-5.
Marriott moved to dismiss the investor’s claims and the trial court granted Marriott’s motion. The investor appealed.
The Fourth Circuit’s Decision
Affirming the trial court’s decision, the Fourth Circuit focused on the requirement that, to state a claim under Section 10(b) and Rule 10b-5, a plaintiff must allege a "material misrepresentation or omission by the defendant." The Fourth Circuit emphasized two points. First, omissions are actionable only if—absent the fact omitted—a reasonable investor, exercising due care, would gather a false impression from a statement, which would influence an investment decision. Second, Section 10(b) and Rule 10b-5 do not create an affirmative duty to disclose any and all material information. Rather, disclosure is required only when necessary "to make statements made, in light of the circumstances under which they were made, not misleading." Accordingly, the court endorsed the principle that companies can control what they have to disclose by controlling what they say to the market.
Turning to the investor’s allegations, the Fourth Circuit addressed the three categories of Marriott’s public statements the investor claimed as the basis of liability. First, the court considered Marriott’s statements about the importance of protecting customer data. Here, the investor alleged that Marriott’s repeated assertions that "the integrity and protection of customer, employee, and company data is critical to us" created a misleading impression that Marriott was securing and protecting this data. The investor alleged that Marriott was simultaneously omitting mention of the vulnerable state of Starwood’s IT systems.
But the court reasoned that Marriott’s statements were true, or at least not demonstrably false or misleading. Marriott only said that it considered cybersecurity to be important. This said nothing about the quality of Marriott’s cybersecurity. These statements could not be taken to be overrepresenting the extent to which Marriott was protecting customer data. That conclusion was reinforced by Marriott’s risk disclosures in its SEC filings indicating that Starwood’s IT systems were vulnerable. Accordingly, the Fourth Circuit concluded this category of statements was insufficient to support the investor’s claims.
Next, the court concluded that the investor had not shown that any of the next category of statements—the privacy statements on Marriott’s website—were false or misleading. Marriott asserted that it sought "to use reasonable organizational, technical and administrative efforts" to protect personal data. Importantly, though, Marriott also indicated it understood that "no data transmission or storage system can be guaranteed to be 100% secure." The court also found it significant that Marriott made risk disclosures in its SEC filings indicating that Marriott’s systems "may not be able to satisfy" the "increasingly demanding" and "changing" legal and regulatory cybersecurity requirements. The court reasoned that, in light of these disclosures, no reasonable investor could have been misled by Marriott’s privacy statements.
Finally, the court determined that Marriott’s cybersecurity risk disclosures were not false or misleading. The investor argued that Marriott’s statements, such as those regarding the risks posed to payment card data, were misleading because they warned of risks that already had materialized. The court acknowledged that generic risk warnings will not insulate a company from liability when undisclosed facts on the ground would affect a reasonable investor’s decision-making. But the court concluded that either Marriott did not have knowledge of the alleged facts or that Marriott corrected any misleading statements by later publicly disclosing those facts once they became known. Ultimately, the Fourth Circuit concluded that "Marriott certainly could have provided more information to the public about its experience with or vulnerability to cyberattacks, but the federal securities laws did not require it to do so."
Key Takeaways from the 'Marriott' Decision
Marriott reminds public companies of the steps they must take to protect from federal securities fraud claims, including event-driven securities claims—i.e. those in which an adverse event at a company is used as a basis for claims. Appropriate risk disclosures can protect a public company from federal securities fraud claims. As the Fourth Circuit explained in the Marriott decision, companies do not have "an affirmative duty to disclose any and all material information," which allows companies to "control what they have to disclose" by "controlling what they say to the market." But companies must provide sufficient information to make sure their public statements would not be false or misleading to a reasonable investor.
This article was first published on LAW.COM on May 11, 2022, and is republished here with permission. ©2022 ALM Media Properties, LLC. All rights reserved.