In re Marriott Int'l, Inc. Customer Data Sec. Breach Litig.
2020 WL 6536919 (D. Md. 2020)
November 5, 2020
Facciola, John M., Special Master
Summary
The parties are in dispute over access to the NDS database, which contains information about the cyberattack. The court has recommended an evidentiary hearing to resolve the factual disputes and has identified a series of questions that must be answered to arrive at the facts needed to settle the controversy. The court has also recommended a protocol for the hearing, including that each party will designate no more than two witnesses to testify at the hearing. The court has determined that it is necessary to examine the NDS database to determine the breach's scope and its source.
IN RE: MARRIOTT INTERNATIONAL CUSTOMER DATA SECURITY BREACH LITIGATION
MDL No. 19-2879
United States District Court, D. Maryland
Filed November 05, 2020
REPORT AND RECOMMENDATION
The Nature of the Controversy
At issue between the parties is access to the NDS database. Marriott has indicated that it will reopen the database and search four tables for information plaintiffs want once plaintiffs provide it with the credit card numbers plaintiffs “believe were involved in the cyberattack.” Letter of October 20, 2020.
The plaintiffs insist that this is inadequate and that the Court “compel Marriott to search the entire NDS database” to answer plaintiffs’ demands and then provide plaintiffs with access to the database itself. Letter of October 6, 2020.
The Need for a Hearing
I have become familiar with this controversy because of a futile effort I made to resolve it. The parties differ as to the fundamental facts regarding the significance and evidentiary value of this database's contents. That conflict is irreconcilable.
The Federal Rules of Civil Procedure do not provide specific guidance on how factual controversies encountered during discovery are to be resolved. But all would have to agree that to choose one party's version of the facts without an opportunity for both parties to present evidence which is subject to adversarial testing is not affording the parties due process of law.
I recommend, therefore, that this Court resolve fundamental factual disputes as to the NDS database after an evidentiary hearing before it grants or denies plaintiffs’ demands.
The Questions Presented
I should begin with what I believe are the questions that must be answered to arrive at the facts needed to settle this controversy.
They are as follows:
• Did the hacker exfiltrate more than the four tables of data Marriott has been willing to produce?
• Is it possible to confirm or deny that the hackers accessed other data besides these four tables?
• Has Marriott admitted that hackers accessed other data beyond what was discussed in a report by Verizon about the hack?
• Is it impossible, as plaintiffs claim, for Marriott to even know the full extent of what the hackers copied or viewed without reviewing the entire NDS database?
• Is it necessary for plaintiffs to examine the NDS database to determine the breach's scope and its source?
• Did Crowdstrike examine the NDS database to determine the source and scope of the breach?
• Were Marriott, Starwood, and Accenture aware of critical security deficiencies, and, if they were, why does that knowledge bear on granting plaintiffs access to the NDS database?
• Can plaintiffs confirm what specific information was potentially compromised without searching the NDS database?
• Did the Verizon report only evaluate whether the payment card was accessed and exfiltrated?
• Has Marriott admitted that more than payment card data, such as passport numbers, were exfiltrated?
• What evidence supports the assertion that the key to the de-encryption of crucial data is, as plaintiffs assert, in the NDS database?
• Is it true, as plaintiffs claim, that “[U]nless Plaintiffs obtain the payment card numbers that Marriott collected and stored in the NDS Database, however, Marriott will argue that Plaintiffs cannot prove that those payment card numbers were part of the breach”? Letter of October 6, 2020.
• Is it, therefore, true that the only way to ascertain definitively whether fraudulent use of the cards was related to the breach is by ascertaining the cards that Marriott knows were exfiltrated from the NDS database?
• What will be needed in terms of time, personnel, and expense to bring the NDS back into a functioning state to meet plaintiffs’ asserted needs?
• Is it true that the hacker only exported four guest reservation database tables, which are identified as:
  - GUEST_MASTER_PROFILE (main guest reservation information)
  - CONSUMPTION_ROOM_TYPE (guest reservation room preferences)
  - RESERVATION_ROOM_SHARER (additional guest reservation information)
  - PP_MASTER (passport encryption values/information)
• Were three of the four databases in the NDS server, analyzed in the PFI report, not designed to hold payment card data?
• Was NDS one of the “in-scope database servers and databases” analyzed in the PFI report?
• Does the asserted evidence of “hacking on 480 systems across 58 locations” (Letter of October 5, 2020) bear on the legitimacy of plaintiffs’ access to the NDS database?
Recommended Protocol
I recommend that counsel meet and confer to ascertain whether they can arrive at stipulated answers to each of these questions. If they can, they should file a joint document that contains the questions and their stipulated joint answers. I recommend an evidentiary hearing to answer the questions if they cannot agree on the answer. I also recommend that the following protocol govern the hearing.
• Each party will designate no more than two witnesses to testify at the hearing who have sufficient scientific expertise and knowledge to answer the questions presented.
• Instead of the report required by Fed. R. Civ. P. 26(a)(2)(B), the parties will ask each witness to answer each of these questions briefly in writing and exchange those writings with each other no less than one week before the hearing. The witnesses shall declare that their answers are true under penalty of perjury.
• If the witness declines to answer any of these questions because of a lack of knowledge, neither party may ask that witness any questions about that question at the hearing.
• The hearing will be held by video conference on an agreed-upon date.
• The parties will prepare for the Court a transcript of the hearing to be filed in this case's docket.
• Plaintiffs will call their witnesses first because someone has to. Their going first will not be deemed as an admission that they have a burden of proof as to any question.
Counsel may believe that additional questions have to be answered to make the necessary findings of fact. In that event, counsel should feel free to agree to additional questions that they think should also be answered and see if they can arrive at stipulated answers to them. If they cannot agree, counsel for either party should submit to the Court any additional questions concerning the NDS database that counsel believes are crucial to resolving their dispute as to this database. The party proposing the additional questions must elicit answers to those questions from the witnesses it calls.
Schedule
I also recommend that counsel meet and confer and propose to the Court a mutually agreeable schedule, subject to the Court's approval, to complete the protocol I recommend.