By Bruce Sussman
Mon | Dec 3, 2018 | 8:26 AM PST

Marriott is already facing billions in lawsuits after disclosing a data breach involving 500 million of its customers.

Could the data breach be scarier than bed bugs for guests staying at Marriott Hotels? That's the claim of a lawsuit filed against Marriott in Portland, Oregon. 

"In days past, hotel customers had to worry about things like unwashed towels and bed bugs. In today’s digital age, the primary worry of hotel customers is the security of their card numbers and other sensitive personal information.

For the past four years, over 500 million customers expecting a comfortable worry-free stay at Marriott were instead exposed to one of the largest digital infestations in history."

That lawsuit seeks $12.5 billion in damages, which is $25 for each customer who is part of the breach.

The lead attorney is Michael Fuller of OlsenDaines, which also sued Equifax after its mega-breach. Celebrity attorney Mark Geragos is listed as co-counsel in both cases.

Another class action lawsuit against Marriott has been filed by Baltimore law firm Murphy, Falcon & Murphy, which is involved in high-profile cases including police shootings and the Equifax mega-breach.

Managing partner Hassan Murphy says this of the lawsuit against the hotelier:

"Marriott is one of the largest hotel chains in the world. That such a corporation would fail to properly safeguard the highly personal and sensitive information of its guests and customers is inexplicable.

Even more egregious is the fact that Marriott did not discover this breach for nearly four years, and then for months after that discovery failed to tell its customers what had occurred.

This conduct constitutes a significant breach of trust and confidence unparalleled in the hospitality industry."

What juries and judges look at in cybersecurity litigation

It appears this was another case of breach-by-acquisition since it was the Starwood brands database Marriott acquired in 2016 that was hacked. 

[More on a breach-by-acquisition: PayPal and FedEx are examples.]

In Marriott's case, was the hotel chain simply unlucky or was it negligent?

The answer will be decided in court. But what do juries consider in cybersecurity-related cases, and what do judges look at when it comes to cybersecurity lawsuits?

Nationally known cybersecurity attorney Shawn Tuma of Spencer Fane told us during an interview at a SecureWorld cybersecurity conference that courts are looking for signs of reasonable cybersecurity.

What is that, exactly? Cyberlaw attorney Tuma says, "You put the security program into place, you test it, mature it and evolve it. You're showing you did the best you could under the circumstances. It may not have been 100% right, but it was reasonable."

So was a breach that went undiscovered for several years reasonable? The courts will decide. And SecureWorld will report on the Marriott breach as more details emerge.