Fourth Circuit Rules Omission Of Marriott's Data Vulnerabilities Not Actionable Because Challenged Statements Were Not False When Made

Published date: 05 May 2022
Subject Matter: Corporate/Commercial Law, Technology, Corporate and Company Law, Securities, Security
Law Firm: Akin Gump Strauss Hauer & Feld LLP
Author: Ms Natasha Kohne, M. Scott Barnard, Michelle A. Reed, Matthew V. Lloyd and Jessica Jones Mannon

Key Points

  • Fourth Circuit points to SEC guidance on "less is more" approach to cybersecurity disclosures, while finding such disclosures did not violate federal securities laws.
  • Omissions of data vulnerabilities were not actionable because the challenged statements were not false when made.
  • Although investors argued statements about the "importance" of data security to Marriott were false and misleading, the statements were not actionable because the Court held that Marriott did not "assign a quality to Marriott's cybersecurity that it did not have."
  • Marriott's "sweeping caveats" regarding cybersecurity risks ensured no investor could be misled regarding the risks outlined.
  • Forward-looking generalized risk disclosures that cybersecurity issues "may" occur were not actionable even though some of those risks had been realized, because Marriott also disclosed it had experienced such challenges.

Summary

Although Marriott could have provided additional information to investors regarding its cybersecurity risks following a merger with Starwood, the federal securities laws did not require it to do so, and Securities and Exchange Commission (SEC) guidance advises companies against detailed disclosures that could compromise their cybersecurity efforts.

Even though Marriott had already experienced some cybersecurity incidents at the time some of the challenged statements were published, its general forward-looking disclosures of cybersecurity risks and "sweeping caveats" shielded it from liability because it also disclosed the challenges it faced and the statements were not false when made.

Background

In 2016, Marriott merged with Starwood Hotels and Resorts Worldwide. This merger included incorporating all Starwood computer systems and sensitive personal information stored in Starwood databases. Two years later, Marriott learned that malware had impacted 500 million guest records in Starwood's guest reservation database, constituting the second-largest data breach in history at the time.

A putative class action was filed against Marriott and nine of its officers and directors, alleging that Marriott's failure to disclose the serious vulnerabilities in 73 different public statements made those statements false or misleading in violation of Section 10(b) of the Securities Exchange Act of 1934 and SEC Rule 10b-5. The investors also brought a claim for secondary liability against the executives under Section 20(a) of the 1934 Act.

The district court granted Marriott's motion to...
