On November 30, 2018, Marriott announced that it was the victim of one of the largest cyber data breaches in history. It's still very early, but reports are that the breach started in 2014 and impacted over 500 million guests.
Just hours after Marriott announced the breach, attorneys filed the first class action lawsuit in Maryland. Why Maryland? Because Marriott’s terms of service states that Maryland is the agreed upon venue for all U.S. claims arising out of guest relationships.
An Innkeeper's Duty in Maryland
If you've been reading my blog posts, you'll know that I'm interested in how traditional legal principles are applied to cyber related events. Because Marriott is an "innkeeper", I was curious about an innkeeper's legal duties in Maryland. Sure enough, there is an 1867 case that states:
"An innkeeper, at common law, is bound to take more than ordinary care of the goods, money and baggage, of his guest, brought within his inn, and is responsible for loss or damage to the same by his servants, domestics, other guests, or persons unknown . . ." Treiber v. Burrows, 27 Md. 130 (Md. 1867)
Under this1867 case, a Maryland innkeeper may face liability if a criminal accessed a guest room and stole social security cards, passports, or credit cards.
Well, without accessing any guest rooms, Marriott is faced with the theft of similar information for almost 500 million guests.
Criminal or State-Sponsored?
In Maryland, an innkeeper has a duty to protect guests from the criminal acts of a third party if the innkeeper knows, or should have known, that the criminal act was occurring. There are similar laws in other states.
According to reports, Marriott’s guest information is not being sold on the dark web (yet), which is interesting because the breach occurred in 2014 and continued until this year. This suggests that the Marriott breach was not the typical criminal act for financial gain. If not for financial gain, there must be another motivation – cyber espionage maybe?
There are reports that this was a sophisticated state-sponsored event by China.
The Chicago Tribune reported that China is suspected of building a dossier on US citizens including diplomats, spies, military personnel, business executives and journalists. China has been building this dossier through the 2015 Office of Personnel Management intrusion and the breaches of healthcare institutions such as Anthem.
So, if China was involved, should or could Marriott have known beforehand and prevented the data breach?
Think of my hypothetical above, if the person who broke into the guest room happened to be a spy, can the innkeeper avoid liability?
China May Defeat Class Action
Here’s the interesting twist, if China orchestrated the breach for the sole purpose of building a dossier, does that defeat the class action?
In any class action, the class members must prove harm (e.g., my personal information was disclosed and it led to my identity being stolen). Marriott is likely to argue that the guests cannot prove harm, which goes back to the reports that the guests' information is not being sold on the dark web. No harm, no foul!
Of course, the complaint alleges harm, such as:
(1) Unauthorized charges on their debit and credit card
(2) Potential fraud and identity theft
(3) Out of pocket expenses and the value of their time to remedy or mitigate the effects of the Data Breach.
If China is involved, however, the purpose was not to make unauthorized charges or for potential fraud and identity theft. There are other nefarious purposes still undetermined.
Then again, how does Marriott prove that China was involved and for what purpose? Furthermore, does Marriott want to argue that the data breach was a state-sponsored event? Such an argument may have unintended consequences like insurance exclusions.
Are you confused yet? Yes, a cyber related lawsuit is a game of chess, not checkers.
Needless to say, this case has the potential of developing new law for innkeepers in the Cyber Age.
~ Florida Cyber Lawyer, Robert Stines, Esq., CIPP
