Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

District Court partially certifies data breach suit

Privacy/Cyber Risk & Data Security Courts Data Breach Class Action

Privacy, Cyber Risk & Data Security

On May 3, the U.S. District Court for the District of Maryland granted in part and denied in part certification of eight class actions against a hotel corporation (defendant) alleging that it misled consumers regarding a major breach of customers’ personal information. According to the opinion, the plaintiffs filed suit after allegedly learning that the defendant took more than four years to discover the breach and took nearly three months to notify customers of their exposed information. The defendant discovered the breach in September 2018 when a consulting company contracted, to provide data security services reported an anomaly pertaining to a guest information database. In total, the breach impacted approximately 133.7 million guest records associated with the U.S., including an estimated 47.7 million records associated with the bellwether states. The defendant argued that certification should be denied because not all of the class members demonstrated that they suffered an injury, which the court rejected, noting that the plaintiffs do not need to demonstrate that every class member has standing at the class certification stage. The size of the certified classes based on an overpayment theory was decreased, because the court agreed with the defendants’ argument that the plaintiffs were too broad in seeking to include all customers who were affected by the breach, rather than those who only “bore the economic burden.” The court also declined to certify one class seeking only injunctive or declaratory relief, stating that “[w]ithout any direction as to the nature of the injunction sought, besides a request for further discovery, plaintiffs’ motion goes no further than requesting that defendants discontinue their current practices with respect to the [personally identifiable information] at issue.”