Calling the Marriott data breach “one of the largest digital infestations in history,” a putative class action was filed in Oregon this week seeking up to $12.5 billion dollars in relief. It should come as no surprise that soon after Marriott announced its massive data breach affecting potentially 500 million customers in the Starwood reservations database, several putative class actions were filed around the country and at least one in Canada. Lawsuits were also filed in Maryland and New York.
The Oregon suit alleges negligence, and also seeks injunctive relief. The suit seeks, among other relief, up to $12.5 billion dollars in relief, or $25 for each of the potentially 500 million customers whose privacy may have been compromised. The Maryland lawsuit alleges negligence, FTC violations, and generally faults Marriott for failing to protect its customers’ data. The Complaint also alleges that Marriott failed to take appropriate protective measures to protect and secure customers’ PII, that Marriott took four years to discover the breach, and that customer data is potentially out there on the dark web. The complaint was also critical of Marriott’s response to the breach and its offer to customers of a service that monitors data on the internet to determine if their data was sold or exchanged. There is already talk of multi-district litigation and sorting out how a breach of this magnitude could go unnoticed for four years will be critically important as we learn more about this “digital infestation.”