US 4th Circuit Decertifies Marriott Data Breach Classes

The U.S. Court of Appeals for the Fourth Circuit reversed a prior ruling that had allowed tens of millions of Marriott guests to sue as a class over a 2018 data breach involving the reservation database of its affiliate, Starwood. The court found that Marriott’s guest contracts contained a valid class action waiver, which precluded class certification against the company, and ruled that Marriott had not waived this defense despite participating in multidistrict litigation. The breach, first detected in 2018, exposed personal data including names, birth dates, and payment information. The plaintiffs alleged Marriott failed to provide adequate data security, but the court emphasized the enforceability of the contract's individual dispute resolution clause. Additionally, the court reversed the recertification of class claims against Accenture, linked to the breach, as those claims were dependent on the Marriott damages classes. Marriott welcomed the ruling, which is seen as a significant development in the long-running litigation over the breach.