In their reporting on multidistrict litigation consolidating more than 80 class action cases against Marriott International related to a 2014 data breach, The Wall Street Journal spoke with partner Kenneth K. Dort for context on third-party liability.
In the article “Accenture Faces Lawsuit Over Marriott Data Breach,” the publication reports on a complaint filed July 24 against Marriott by customers of the hotel chain that also accuses consulting firm Accenture of a “failure to maintain adequate security controls to detect and neutralize known and obvious security threats” in Starwood Hotels’ reservation system, which Accenture managed. Marriott acquired Starwood in 2016.
Hackers infiltrated the Starwood database in 2014, two years before Marriott purchased the company. Passport numbers, payment card information and other personal data from up to 383 million Starwood customers were exposed. Marriott publicly revealed the breach last November.
In The Wall Street Journal, Dort notes that lawsuits over corporate data breaches usually don’t name third-party service providers as defendants, in part because their contracts with customers often limit their liability.