On June 3, 2025, the 4th U.S. Circuit Court of Appeals in Richmond, Virginia, ruled in favor of Marriott International, overturning a previous decision that permitted a class action lawsuit from tens of millions of guests affected by the 2018 data breach of Starwood’s reservation database. The court determined that the guests' contracts included valid waivers against class action claims, thereby preventing the certification of class lawsuits against Marriott.
Background of the Data Breach
The cyberattack, which began in 2014 and went undetected until 2018, exposed sensitive customer information, including payment card data. Marriott acquired Starwood in 2016, inheriting the vulnerabilities that led to the breach. The plaintiffs argued that Marriott failed to provide sufficient data security, which would have influenced their decision to book rooms.
Legal Implications
A Maryland federal judge initially ruled that Marriott had waived the right to enforce the class action waiver by participating in consolidated proceedings. However, the appeals court disagreed, emphasizing the enforceability of the contractual waivers. The U.S. Chamber of Commerce supported Marriott in the appeal, highlighting the broader implications for consumer contracts and class action litigation.
Expert Analysis
This ruling underscores the critical importance of clear contractual terms and the enforceability of class action waivers. For consumers, it serves as a reminder to thoroughly review service agreements. For businesses, it highlights the necessity of robust cybersecurity measures and transparent communication with customers regarding data protection.
