DiCello Levitt persuades court that consumer data has inherent value.

In September 2018, Marriott International discovered a data breach on its network affecting more than 300 million American consumers. From 2014 to late 2018, hackers exploited a weakness in Marriott’s computer network, enabling them to access Marriott’s guest reservation system to steal customer data. Marriott waited almost three months to alert the victims.

To date, the Marriott data breach remains one of the largest in U.S. history. When Marriott acquired Starwood Hotels in 2016, a vulnerability in Starwood’s network allowed hackers to steal some of the most sensitive consumer information—including anything from specific hotel stay information to unencrypted passport numbers.

Amy Keller, DiCello Levitt’s Privacy, Technology, and Cybersecurity practice chair, serves as Plaintiffs’ Co-Lead Counsel in the nationwide multidistrict litigation, representing clients from all 50 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands.

The United States District Court for the District of Maryland, in an opinion widely regarded by experts as breaking new ground in data security and privacy law, found that consumer data has inherent value. The court also recognized that the breach could result in diminished value of personal data, lost time and money mitigating damages, and overpayment for hotel rooms.

“Consumers have a good case here because the company did not take basic steps to keep information secure,” Keller told the legal publication Law360. “When customers provide this information to companies, they rightfully expect that those companies will keep it secure. And if companies opt to store customer information, then there is no question that those companies should be taking steps to secure it.”