Gargi Chaudhuri and James Masella, III of Patterson Belknap Webb & Tyler LLP write:
On April 21, 2022, the United States Court of Appeals for the Fourth Circuit affirmed the dismissal by the United States District Court for the District of Maryland of allegations that Marriott International had violated federal securities laws by omitting from its public filings material information pertaining to cybersecurity vulnerabilities.[1] This blog post examines the facts underlying the decision and the holding’s implications for comparable securities fraud claims.
[…]
In April 2022, the Fourth Circuit affirmed the District Court’s dismissal of the securities fraud complaint. In so doing, the Circuit explained that the allegations in the Complaint—even if true—simply suggest that Defendants made statements about “the importance of data protection to Marriott’s business,” not statements that “overrepresent[ed] the extent to which it was securing and protecting the customer data.”[19] In other words, “Marriott’s public statements about the importance of data protection did not assign a quality to Marriott’s cybersecurity that it did not have.”[20] The Circuit also agreed with the District Court that accompanying disclosures about possible investor risks, including risks relating to data privacy, provided sufficient notice to reasonable investors.
Read their recap and analysis at JDSupra.