Fourth Circuit Vacates Class Certification In Marriott Data Breach Class Action

We report on a significant recent development in the Marriott data breach putative class action litigation. Following oral argument on May 3, 2023, the Fourth Circuit just issued its decision vacating the district court’s largely unprecedented May 2022 decision, which certified certain classes that potentially could have included millions of former Starwood Preferred Guest members. In short, the Fourth Circuit found the district court erred on an important threshold issue by failing to rule on the enforceability of the class action waivers that putative class members agreed to as part of the Terms & Conditions for the Starwood Preferred Guest Program. In support of its certification decision, the district court had ruled that the class action waiver issue could be evaluated at the later “merits stage” of the litigation, but the Fourth Circuit disagreed, insisting that a ruling on the class action waiver before class certification “is the only approach consistent with the nature of class actions and the logic of class waivers.” Because the Fourth Circuit found this threshold issue to be dispositive, it refrained from ruling on the other significant substantive issues on appeal, including whether the novel “Overpayments” damages theory certified by the district court satisfies the requirements for class certification (e.g., typicality, predominance, and ascertainability), or whether, as Marriott asserts, the theory requires individualized inquiries which preclude certification.
Naturally, the Fourth Circuit’s decision is very positive news for Marriott (and other data breach class action defendants), but we anticipate there will be significant additional litigation and appellate activity on the certification issue moving forward in light of its importance and the significant potential class size at issue. Most immediately, we anticipate the plaintiffs will seek reconsideration of the decision, or perhaps even petition the Supreme Court, both of which are unlikely to be accepted. Given the importance and largely unprecedented nature of class certification in consumer data breaches, we anticipate the Supreme Court will wish to take up the issue at some point in the near future, but given the limited procedural basis of the Fourth Circuit’s decision, the Supreme Court may wish to wait until more of the substantive issues are decided in this matter, or in another matter or matters with a more complete procedural posture. Moreover, it remains unclear how the district court in the Marriott litigation will rule regarding the enforceability of the class action waiver on remand. Such waivers are not always enforced by courts, including in the Fourth Circuit (see, e.g., Weckesser v. Knight Enterprises S.E., LLC, 735 F. App'x 816 (4th Cir. 2018); Degidio v. Crazy Horse Saloon and Restaurant, Inc., No. 17-1145, 2018 U.S. LEXIS App 1178 (4th Cir. Jan. 18, 2018)), despite support from the U.S. Supreme Court (see, e.g., AT&T Mobility LLC v. Concepcion, 563 U.S. 333 (2011); American Express Corp. v. Italian Colors Restaurant, 570 U.S. 333 (2013)). It remains possible that the district court rules against enforceability, whether based upon the plaintiffs’ arguments that Marriott waived the defense or on other fact-dependent grounds similar to the two prior Fourth Circuit decisions listed above; either way, we anticipate further subsequent appeals by the parties.
We will continue to closely monitor and share significant developments. In the meantime, if you or your team would like to speak about this ruling or how it may impact your class action data breach landscape, please let us know.
