CYBERSECURITY CASE WATCH X2 - Nat'l Sec. Comm'n on Artificial Intelligence & Marriott
Elec. Privacy Info. Ctr. v. Nat'l Sec. Comm'n on Artificial Intelligence, C.A. 1:19-cv-02906 (D.D.C. 2020)
Investors and developers of Artificial Intelligence were just granted an enormous gift of information by the Electronic Privacy Information Center, which persuaded the United States District Court for the District of Columbia to open the meetings, records, and schedule of the National Security Commission on Artificial Intelligence to the public. While this makes the same materials open to malicious actors, white hats in the industry will hopefully outpace them.
On June 1, 2020, District Court Judge Trevor McFadden ordered the National Security Commission on Artificial Intelligence to provide timely notice of its meetings to the public, make them open to the public, and make its records available for public inspection and copying under §10 of the Federal Advisory Committee Act (“FACA”).
Congress formed the National Security Commission on Artificial Intelligence (the “Commission”) as part of the executive branch “to review advances in artificial intelligence, related machine learning developments, and associated technologies[,]” with a focus on national security and defense (John S. McCain National Defense Authorization Act for Fiscal Year 2019 (“2019 NDAA”), Pub. L. No. 115-232, § 1051(a)(1), 132 Stat. 1636, 1962 (2018)). Although the Commission was intended as a temporary organization, its 15 members are “appointed for the life of the Commission” and are “Federal employees.”
Under FACA, certain federal advisory bodies are subject to forward-looking publication requirements, such as giving notice of their meetings, opening them to the public, and proactively making their records publicly available. The Court previously held that the Commission is an agency subject to FOIA. EPIC v. Nat'l Sec. Comm'n on Artificial Intelligence ("NSCAI"), 419 F. Supp. 3d 82, 83 (D.D.C. 2019).
Because it is already subject to FOIA, the Commission argued that it cannot at the same time be subject to FACA’s disclosure obligations. However, Judge McFadden held that “like Janus [a two-faced Roman god], the Commission does indeed have two faces, and that Congress obligated it to comply with FACA as well as FOIA.”
The Electronic Privacy Information Center (“EPIC”), which sued to enforce the Commission’s obligations under both FOIA and FACA, successfully lifted the veil of secrecy under which the Commission had operated since its inception. Until Judge McFadden’s opinion, only the President and Congress reviewed the Commission’s work. The Commission was originally set to expire in October, but Congress extended it for an additional year, and now, with EPIC’s efforts, the public will have access to the Commission’s operations, meetings, and findings.
In Re: Marriott International, Inc., Customer Data Security Breach Litigation, Consumer Actions, MDL No. 19-md-2879 (S.D.M.D., 2020).
The Southern District of Maryland taught all Plaintiffs’ attorneys in the states of California, Florida, Georgia, Maryland, Michigan, New York, and Oregon how to plead specific claims for damages in response to data breaches, while highlighting a gap in Illinois’ otherwise very consumer-friendly cybersecurity laws. And, as this case develops, it will set new due diligence standards for cybersecurity assessments during mergers and acquisitions.
On November 30, 2018, Marriott, the largest hotel chain in the world, confirmed that it had suffered one of the largest data breaches in history, which originated in its Starwood guest reservation database. Internal investigations found that the breach persisted for more than four years, from approximately July 2014 to September 2018, meaning it was ongoing both before and after Marriott’s acquisition of Starwood.
During the four-year data breach, “the hackers allegedly stole names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, gender, arrival and departure information, reservation dates, communication preferences, payment card numbers, payment card expiration dates, and tools needed to decrypt cardholder data. Further, several files that the hackers exfiltrated were deleted, so Marriott does not fully know how much data was stolen.”
Plaintiffs are consumers who allegedly provided their personal information to Marriott to stay at a Marriott property or use Marriott’s services, and they argue that Marriott failed to conduct a due diligence analysis of Starwood’s cybersecurity before and after the merger. Plaintiffs further claim that Marriott is liable under theories of tort, contract, and statutory duties in various states. Defendants argued a lack of standing (the right to sue) and asked the court to dismiss the claims. While the Court granted Defendants’ motion to dismiss the negligence claim under Illinois law, the remaining tort, contract, and statutory claims survived.
The court held that the Plaintiffs adequately alleged injury-in-fact in the form of losses from identity theft, imminent threat of identity theft, costs spent mitigating the harms from the data breach, loss of the benefit-of-their-bargain, and loss of value of their personal information, all of which were “fairly traceable” to Defendants' conduct. Plaintiffs also adequately alleged their respective tort, contract, and statutory claims under the laws of California, Florida, Georgia, Maryland, Michigan, New York, and Oregon.
The negligence claims failed under Illinois law because the Plaintiffs’ damages did not result from personal injuries or physical damage to tangible property and applicable case law did not support a finding that Marriott, as a retailer, owed the Plaintiffs a duty to protect personal information against cyber-attacks. The reaction from Illinois, which is a leader in cybersecurity laws that promote consumer recovery, will be interesting to watch.