Failure to Conduct Cybersecurity Due Diligence Before M&A
In the words of Julia Roberts's character, Vivian Ward, in Pretty Woman: “Big mistake. Big. Huge.” Just ask Marriott yesterday, today, tomorrow, and pretty much every day for the next 5 years. Meanwhile, Starwood’s former owners are finishing Julia Roberts's famous quote: “I have to go shopping now!”
It’s very old news that in November 2018, Marriott announced a MASSIVE cybersecurity breach involving more than 500 million of its guests and employees. The source of the breach was malware that provided remote access, leaking highly sensitive guest data for years from Starwood Hotels and Resorts Worldwide, both before and after Starwood’s acquisition by Marriott.
During the acquisition of Starwood, Marriott reportedly examined Starwood’s information technology systems as part of its due diligence prior to closing the sale in September 2016. Since the breach, Marriott has received a GDPR fine of $24 million, and the regulatory investigation revealed that Marriott’s deal documents reflect only a shallow concern for cybersecurity.
Although merger agreements are usually loaded with strong representations and warranties on the various items of due diligence, Marriott and Starwood’s Agreement and Plan of Merger does not mention cybersecurity in Article III (its representations and warranties section). Indeed, neither “cyber” nor “information security” appears anywhere in the document. This is alarming, as it essentially means that nowhere in the document did Starwood have to legally “promise” Marriott that it had exercised reasonable care for its IT infrastructure or practiced diligent cyber hygiene to detect and thwart malware prior to the sale. As a result, malware that existed in Starwood’s network during the time that Starwood owned it and bore sole liability for it eventually became Marriott’s problem, with no recourse against Starwood.
Now, in 2021, a multi-district litigation is slugging away in the Southern District of Maryland (my old homestead) to adjudicate the data breach lawsuits that rapidly followed the hotel giant’s November 2018 revelation. On June 11, 2021, the Southern District of Maryland released two new opinions in MDL No. 19-md-2879 involving Marriott. Both opinions came down in Marriott’s favor, dismissing various plaintiffs’ claims against members of Marriott’s board of directors. However, both dismissed suits were on their third complaint, causing Marriott to incur substantial defense and litigation costs, with more to follow.
In the first opinion, plaintiff John P. Moore brought suit as a shareholder of Marriott against certain members of Marriott’s Board of Directors, claiming that they violated the Securities Exchange Act of 1934 (the "Exchange Act") and Delaware state law through breach of fiduciary duty, waste of corporate assets, and unjust enrichment (collectively, the "Delaware state law claims"). Specifically, Mr. Moore claimed that the defendants made false and misleading statements and omissions related to Marriott's cybersecurity posture and the acquisition and integration of Starwood.
In November 2015, Marriott first announced that it would acquire Starwood Hotels and Resorts Worldwide. Before the merger closed, Marriott analyzed Starwood’s IT systems as part of its due diligence and updated its investors on the status of the merger through SEC filings and public statements. The merger eventually closed in September 2016.
Approximately two years after the merger closed, Marriott’s IT team was notified by Accenture, a third-party information technology contractor, of an alert from a security tool called IBM Guardium indicating a potential cybersecurity breach. Marriott then retained a third-party forensic investigator, CrowdStrike, which found malware that had been used to access and monitor the computer networks. Two months after the malware was discovered, on November 30, 2018, Marriott publicly announced the data breach, which included highly sensitive information such as passport numbers.
In a later report published by Verizon, a separate vendor, Marriott disclosed that the malware that led to the breach had been present in the Starwood system since July 2014, prior to Marriott’s acquisition of the hotel chain. Verizon’s report further stated that the data breach resulted from Starwood’s “insufficient access/query and firewall logging[,]” Starwood’s failure to monitor or log remote access events, and Starwood’s inadvertent storage of payment account numbers on systems and in databases that were not designated for the storage of sensitive payment account numbers.
Plaintiff’s Exchange Act and Delaware state law claims were based primarily on Marriott’s notices to its investors during the merger with Starwood. The Southern District of Maryland ultimately dismissed all of Mr. Moore’s claims with prejudice (meaning he cannot reassert them), after having given him previous chances to amend, finding that he could not challenge transactions by Marriott that predated his stock purchases.
In the second suit, the plaintiff was the Construction Laborers Pension Trust for Southern California, a multi-employer pension plan acting as a class action representative, which asserted allegations similar to Mr. Moore’s. In addition to naming Marriott itself as a defendant, the trust named nine of its corporate officers and board members as defendants, including its Chief Financial Officer and Chief Information Officer.
Plaintiffs argued that the defendants' statements to investors regarding due diligence and integration, made after they allegedly had actual knowledge of the data breach, were false and misleading. Evidence revealed that while Marriott learned in September 2018 that cyber criminals had installed webshells, VPN tools, and malware on Starwood's systems, including a Remote Access Trojan ("RAT"), a program that allows attackers to access, surveil, and gain control over a computer, it was not until November 2018 that Marriott learned that encrypted files containing guests' personal information had been removed. Further, the plaintiff, despite being given three chances to amend its complaint, failed to allege facts showing that a reasonable investor would be misled by the Company’s statements that its merger with, or due diligence into, Starwood was “successful.” The Court ultimately found that the plaintiff failed to allege that Marriott made material omissions regarding data security or that its statements of optimism contained material omissions.
Curiosity begs the question of whether Marriott’s costs in defending the MDL suits, even the dismissed claims described above, have surpassed the $24M GDPR fine yet.