In re Marriott Int'l, Inc. Customer Data Sec. Breach Litig.
In re Marriott Int'l, Inc. Customer Data Sec. Breach Litig.
2022 WL 822925 (D. Md. 2022)
March 18, 2022
Facciola, John M., Special Master
Summary
The plaintiffs are seeking additional discovery from Marriott International concerning the company's amendment to its California Consumer Privacy Act statement. The court has determined that this discovery is not relevant to the issues presently before the court and has requested that the parties provide a shortened briefing schedule on a motion to compel. The plaintiffs' expert cannot value class members' personal information on a classwide basis, and the California regulation requiring a good faith value estimate does not change this fact.
Additional Decisions
In re: Marriott International Customer Data Security Breach Litig.
MDL No. 19md2879
United States District Court, D. Maryland
Signed March 18, 2022
Facciola, John M., Special Master
THIS DOCUMENT RELATES TO THE CONSUMER TRACT REPORT AND RECOMMENDATION OF THE SPECIAL MASTER
Introduction
*1 By an email dated March 14, 2022, the plaintiffs’ counsel brought to my attention a discovery matter and asked me to schedule briefing so that the matter could be resolved by the hearing on April 22, 2022
I now also have letters from all counsel about the matter which, in my view, set out their positions sufficiently. I have decided that I will dispense with any additional briefing and provide the Judge with this Report and Recommendation in the interest of the expedition plaintiffs seek.
The statute and the regulations
Marriott is subject to the California Consumer Privacy Act (CCPA). A provision of that statute provides, in pertinent part,:
(b) (1) A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale or sharing of personal information, or the retention of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is reasonably related to the value provided to the business by the consumer's data.
Calif. Civil Code § 1798.125
The Attorney General of California has promulgated extensive regulations to guide enforcement of the CCPA. Section W of the definitions of the terms used in those regulations provides:
(w) “Value of the consumer's data” means the value provided to the business by the consumer's data as calculated under section 999.337.
Final Text of Proposed Regulations, available at https://oag.ca.gov/privacy/ccpa/regs (hereafter “Regs.”)
Section 999.337 of those regulations provides, in turn,:
A business offering a financial incentive or price or service difference subject to Civil Code section 1798.125 shall use and document a reasonable and good faith method for calculating the value of the consumer's data. The business shall consider one or more of the following:
(1) The marginal value to the business of the sale, collection, or deletion of a consumer's data.
(2) The average value to the business of the sale, collection, or deletion of a consumer's data.
(3) The aggregate value to the business of the sale, collection, or deletion of consumers’ data divided by the total number of consumers.
(4) Revenue generated by the business from sale, collection, or retention of consumers’ personal information.
(5) Expenses related to the sale, collection, or retention of consumers’ personal information.
(6) Expenses related to the offer, provision, or imposition of any financial incentive or price or service difference.
(7) Profit generated by the business from sale, collection, or retention of consumers’ personal information.
(8) Any other practical and reasonably reliable method of calculation used in good faith.
Regs.
The Attorney General explains the reason for subsection (w) of the regulations as follows:
Subsection (w) was added to define “value of the consumer's data” as the “value provided to the business by the consumer's data as calculated under section 999.337.” This definition was added in response to the CCPA's amendment by AB 1355 (Assem. Bill No. 1355, approved by Governor, October 11, 2019 (2019-2020 Reg. Sess.)) to clarify that the relevant value for determining the permissibility of price or service differences under Civil Code section 1798.125 is the “value provided to the business by the consumer's data” in the calculation of the value of the consumer's data.
*2 Final Statement of Reasons at 5, available at https://oag.ca.gov/privacy/ccpa/regs (emphasis original)
The Report at Issue
The CCPA requires a company subject to the CCPA to file a report that complies with the statute and regulations just quoted.
On March 8, 2022, counsel for Marriott advised counsel for the plaintiffs that it had amended its report on February 28, 2022. In that report, Marriott stated that “the value of a member's Personal Information[1] to Marriott International, solely for the purposes of the CCPA and pursuant to the valuation options mandated by the CCPA regulations, to be on average approximately $.42 per consumer in 2021.” Letter of Plaintiffs’ Counsel to Marriott's Counsel, Lisa M. Ghannoum, dated March 10, 2022.
The discovery demanded
The plaintiffs insist that this report should trigger a new round of discovery in which Marriott will (1) supplement its responses to the plaintiffs’ interrogatories 33 and 36; (2) produce documents “as to how it [Marriot] reached the valuation of $.42 per consumer” and (3) “provide the name of the most relevant individual who can sit for a limited fact deposition into the CCPA's Statement valuation.” Id. at 2.
The plaintiffs insist that this information is “unquestionably relevant to this lawsuit.” Id. They claim that Marriott's February 28, 2022 amendment to its CCPA report “is at odds with its arguments” that Dr. Prince, the plaintiffs’ expert, cannot value the class members personal information on a class wide basis. Thus, the discovery it seeks “is relevant to determine how Marriott was able to arrive at a valuation for its customers’ Personal Information-a process that Marriott's experts have criticized as unreliable when Plaintiffs did so.” Id.
Analysis
Marriott has responded to this letter raising several objections. Letter of Gilbert S. Keteltas to the plaintiffs’ counsel, dated March 14, 2022.
In my view, the most significant is that the discovery is irrelevant to the issues presently before the Court pertaining to the admissibility of Dr. Prince's opinion that he can (1) derive an inherent value of the plaintiffs’ PPI and (2) that his derivation of the damages suffered by the plaintiffs from the loss of that value can support this case proceeding as a class action.
I am familiar with Dr. Prince's report, and I presided over his deposition. The plaintiffs summarize his theory and its relation to their claim that this case should proceed as a class action aptly as follows:
Professor Prince has also measured the market value of the information that Marriott and Accenture allowed the attackers to steal. Professor Prince's straightforward measure allows the jury to award damages formulaically to all class members (or none) based on the value of the data that was stolen. Professor Prince will explain to the jury: (1) the market prices for which one can legitimately offer and sell personal information; (2) the market for sensitive personal and financial information on the Dark Web; and (3) the prices for which personal data is sold on third-party markets. A jury can apply this objective, market based analysis to determine all class members’ losses.
*3 ECF 858-1 at 45–46(footnotes omitted)
Since that is so, Marriott's report to California of what the regulations describe as (4) “[r]evenue generated by the business from sale, collection, or retention of consumers’ personal information and (7) [p]rofit generated by the business from sale, collection, or retention of consumers’ personal information” have nothing to do with Professor Prince's valuation theories or how the revenue and profit Marriott derives from that data supports the plaintiffs’ claim for class-wide relief.
California understands that companies like Marriott sell their customers’ PII to third parties. Suppose it does and intends to offer its customers some consideration for the right to sell it. In that case, California levels the playing field by forcing Marriott to disclose to them the revenue it generates from doing so. That Marriott generates revenue in a certain amount from the sale of its customers’ PII has nothing to do with what that PII is selling for on the Dark Web and the price that stolen PII will bring in the current market. The plaintiffs’ demand for discovery based on what Marriott reported as “the value of a member's Personal Information to Marriott” (Letter of the plaintiffs’ counsel, supra, at 1-2)(emphasis added) fails the fundamental requirement that it be relevant to the issues presently before the Court. F. R. Civ 26(b)(1). I, therefore, recommend that it not be permitted.
Attachment
EMAIL DATED: March 15, 2022
Dear Judge Facciola,
An issue only recently arose in the pending class action against Marriott and we are writing to request your guidance on how to present this issue to the Court. As it has bearing on the forthcoming Daubert and class certification hearings, we need to move quickly.
On March 8, 2022, Marriot informed us—for the first time—that it updated its Privacy Policy to provide consumers with a disclosure pursuant to the California Consumer Privacy Act that provides the “value of a member's Personal Information.” Marriott's letter is attached to this email. Consistent with the CCPA and California Code of Regulations § 99.337, Calculating the Value of Consumer Data (operative August 14, 2020) (link), Marriott's Privacy Policy now contains the following provision as of February 28, 2022:
We estimate the value of a member's Personal Information to Marriott International, solely for purposes of the CCPA and pursuant to the valuation options mandated by the CCPA regulations, to be on average approximately $0.42 per consumer in 2021. This estimate is not specific to any individual consumer and varies per consumer. We have based this good-faith estimate on the value that arises from our commercial relationships and the collection and retention of the Personal Information of consumers who have voluntarily signed up and chosen to remain in the Program. The value of Program benefits to members varies significantly as individual members take advantage of Program benefits to varying degrees.
(link). As your recent Report and Recommendation acknowledges, one premise of Plaintiffs’ theory for damages “is that the plaintiffs’ personal data (called PII in this case) had an inherent value.” ECF No. 992 at 2. Marriott and its experts have disputed this. We now know, however, that Marriott can and has ascribed value to this data—a position that has changed since the filing of this case (as prior versions of its CCPA disclosure did not contain such a valuation (link)).
*4 Plaintiffs sought discovery from Marriott on this very issue. On December 31, 2020, Plaintiffs servedomnibus interrogatories on Marriott. The relevant interrogatories stated: (1) “Does Marriott believe that its customers’ Personal Information has monetary or other value, and, if so, how does Marriott value it”? and (2) “Identify and describe all statements Marriott [has] made—either publicly or privately—concerning the value of its customers’ Personal Information?” Omnibus ROGs Nos. 33 & 36. These interrogatories were served after the effective date of Section 99.337. Additionally, Plaintiff served omnibus document requests on Marriott, which sought “[d]ocuments sufficient to show Marriott's gross revenue and profits attributable to the sale, sharing, storage, or acquisition of Personal Information of PCD,” which was served on October 8, 2019. Omnibus RFP No. 37.
We were quite surprised to see that Marriott has now ascribed value for its customers’ personal information given its prior stance, particularly after discovery has closed in this matter, after expert reports were finalized, and less than two weeks before the Court's Daubert hearing. Two days after receiving Marriott's letter, on March 10, 2022, we asked Marriott to supplement its discovery and potentially provide a deposition. Marriott has refused to do so. We believe this information could be highly relevant to the Court in upcoming hearings.
We brought this issue to you immediately after confirming with Marriott that we are at an impasse. Given the importance of determining the value of personal information to the Daubert issues and Plaintiffs’ motion for class certification, we would like to request the Court's guidance on how to handle this new development. Although it is likely too late to get this information prior to the Daubert hearing, we would propose a shortened briefing schedule on a motion to compel so that this can be presented to Judge Grimm prior to Plaintiffs’ class certification hearing set for April 20, 2022.
Thank you for your guidance,
Amy Keller
March 10, 2022
VIA E-MAIL
Lisa M. Ghannoum
Baker & Hostetler LLP
127 Public Square, Suite 2000
Cleveland, OH 44114
Re: In re Marriott International Customer Data Security Breach Litig., MDL No. 19-md-2879 (D. Md.)
Counsel:
We write in response to Marriott's March 8, 2022 letter disclosing Marriott's amended California Consumer Privacy Act Statement to seek limited discovery about Marriott's valuation of its customers’ Personal Information.
Background
On September 10, 2019, the Plaintiffs served requests for production of documents on Marriott. This included a request for “documents sufficient to show Marriott's gross revenue and profits attributable to the sale, sharing, storage, or acquisition of Personal Information or PCD in each year during the relevant time period.” 2nd Set of RFPs, No. 8.
On December 31, 2020, Plaintiffs served omnibus interrogatories on Marriott. The relevant interrogatories stated: (1) “Does Marriott believe that its customers’ Personal Information has monetary or other value, and, if so, how does Marriott value it”? and (2) “Identify and describe all statements Marriott [has] made—either publicly or privately—concerning the value of its customers’ Personal Information?” See Omnibus ROGs Nos. 33 & 36. The Interrogatories’ instructions said “the obligation to answer these interrogatories is continuing pursuant to Rule 26(e) of the Federal Rules of Civil Procedure. If at any time after answering these interrogatories you discover additional information that will make your answers to these interrogatories more complete or correct, amend your answer as soon as reasonably possible.” Id. at Instruction No. 10. See also Fed. R. Civ. P. 26(e)(1)(A) (“A party who has ... responded to an interrogatory ... must supplement or corrects its disclosure or response: (A) in a timely manner if the party learns that in some material respect the disclosure or response is incomplete or incorrect, and if the additional or corrective information has not otherwise been made known to the other parties during the discovery process or in writing.”).
*5 On March 8, 2022, counsel for Marriott informed Plaintiffs for the first time that it had amended its California Consumer Privacy Act Statement on February 28, 2022 (the “CCPA Statement”). That Statement says, “the value of a member's Personal Information to Marriott International, solely for purposes of the CCPA and pursuant to the valuation options mandated by the CCPA regulations, to be on average approximately $0.42 per consumer in 2021.” (emphasis added).
Plaintiffs’ Requested Discovery
Plaintiffs seek limited discovery into Marriott's valuation of $0.42 per consumer as stated in its CCPA Statement. Specifically, Plaintiffs request that: (1) Marriott supplement its interrogatory responses to interrogatories 33 and 36; (2) Marriott produce relevant documents related to how it reached the valuation of $0.42 per consumer; and (3) that Marriott provide the name of the most relevant individual who can sit for a limited fact deposition into the CCPA Statement's valuation.
As Marriott concedes by sending the CCPA Statement to Plaintiffs, this information is unquestionably relevant to this lawsuit. First, Marriott's regulatory disclosure of its valuation of customer Personal Information is at odds with its arguments in this litigation that Plaintiffs’ expert cannot value Class Members’ Personal Information on a classwide basis. See, e.g., Defendants’ Mot. to Exclude Dr. Prince's Opinions at 3-10; Report of Catherine Tucker, Sept. 7, 2021, at Section III. At a minimum, discovery into the CCPA Statement is relevant to determine how Marriott was able to arrive at a valuation for its customers’ Personal Information—a process that Marriott's experts have criticized as unreliable when Plaintiffs did so.
Second, the requested discovery is part of Plaintiffs’ prior discovery requests. As such, Marriott has an ongoing obligation under the Federal Rules to update its prior responses which made no mention of any dollar figure related to how Marriott values Personal Information. See ROG Response No. 33 (“Subject to its objections, Marriott responds that it is a hospitality company and customers’ Personal Information has value to Marriott. Marriott requests Personal Information from its guests to provide exceptional customer service, to meet guests’ needs while traveling, and to communicate with guests about a stay, among other customer-focused reasons.”). Marriott should amend its response to Interrogatory to include this valuation, but it also must provide information regarding how the $0.42 per customer figure was derived.
Finally, Plaintiffs seek a limited deposition of the relevant individual from Marriott to understand the processes that Marriott undertook to determine that its customers’ Personal Information is worth $0.42 per customer to Marriott. We are willing to limit this deposition to two hours.
Please let us know by the end of this week whether Marriott will agree to produce this information. Plaintiffs are available to meet and confer about these issues.
Sincerely,
Amy E. Keller (D. Md. Bar No. 20816)
DICELLO LEVITT GUTZLER LLC
Ten North Dearborn Street, Sixth Floor
Chicago, Illinois 60602
Tel. 312-214-7900
akeller@dicellolevitt.com
James J. Pizzirusso (D. Md. Bar No. 20817)
HAUSFELD LLP
888 16th St., NW, Suite 300
Washington, D.C. 20006
Tel. 202-540-7200
jpizzirusso@hausfeld.com
Andrew N. Friedman (D. Md. Bar No. 14421)
COHEN MILSTEIN SELLERS & TOLL PLLC
*6 1100 New York Avenue, NW, Suite 500
Washington, D.C. 20005
Tel. 202-408-4600
afriedman@cohenmilstein.com
VIA E-MAIL
James J. Pizzirusso
Hausfeld LLP
888 16th St., NW, Suite 300
Washington, DC 20006
jpizzirusso@hausfeld.com
Amy E. Keller
DiCello Levitt Gutzler LLC
Ten North Dearborn Street, Sixth Floor
Chicago, Illinois 60602
akeller@dicellolevitt.com
Andrew N. Friedman
Cohen Milstein Sellers & Toll PLLC
1100 New York Avenue, NW, Suite 500
Washington, DC 20005
afriedman@cohenmilstein.com
Re: In re Marriott International Customer Data Security Breach Litig., MDL No. 19-md-2879 (D. Md.)—CCPA Statement
Dear Counsel:
Months after the close of discovery, you ask Marriott to provide supplemental discovery—including the production of documents, supplemental interrogatory responses, and a deposition. This requested discovery concerns Marriott's amendment to its California Consumer Privacy Act statement to fulfill the requirements of a California regulation that took effect on August 20, 2020. Marriott does not have a duty to provide the discovery you seek.
1. Marriott's responses do not require supplementation.
You begin your letter by asking us to produce documents pursuant to a withdrawn discovery request. Specifically, your letter references a September 10, 2019, request by plaintiffs that Marriott produce “documents sufficient to show Marriott's gross revenue and profits attributable to the sale, sharing, storage, or acquisition of Personal Information or PCD in each year during the relevant time period.” But because plaintiffs did not coordinate its requests with the other tracks, plaintiffs withdrew those requests and replaced them with omnibus and individual track requests that did not include the request you cite.[1] We are not required to answer, let alone supplement, withdrawn requests.
Moreover, in every discovery response we served Marriott objected to plaintiffs’ open-ended “relevant time period” and made clear that it would only provide discovery “through March 1, 2019.”[2] Plaintiffs objected to Special Master Facciola that the March 1, 2019 cutoff was “arbitrarily selected” and that information after that time period could be relevant only to the question whether “Marriott has adopted practices that would detect a data breach.” The Special Master responded that “he would permit a limited amount of discovery on remedies if the case got to that point.”[3]
*7 The discovery you now seek involves an estimate required by a regulation that post-dates the end of the relevant time period by more than a year and an estimate by Marriott that post-dates the end of the relevant time period by three years. And the estimate concerns only Bonvoy Program (not SPG Rewards) data from the past twelve months. Marriott has no duty to provide additional discovery on this irrelevant information.
Marriott's interrogatory responses do not require supplementation either. As you note, in response to Interrogatory No. 33 Marriott stated, “it is a hospitality company and customers’ Personal Information has value to Marriott.” Marriott had no valuation methodology to disclose, and in any event, you didn't press the issue. The fact that California has subsequently mandated that businesses with loyalty programs estimate value to the business using one of several prescribed methodologies does not render Marriott's original response to Interrogatory No. 33 inaccurate or incomplete.
You also had all the information at your disposal to learn about the amendment without our courtesy notice. While you conspicuously do not mention Interrogatory No. 35, Marriott's response to that interrogatory identified the webpage where the California CCPA statement is hosted. Our response also noted that the page was “updated from time to time and is publicly available,” and explained that the burden of identifying responsive information on that page was substantially the same for plaintiffs as for Marriott.
And as to Interrogatory No. 36, even applying the incorrect assumption that Marriott has a never-ending duty to “describe all statements Marriott has made ... concerning the value of its customers’ Personal Information,” Marriott did just that in its letter to you this week.
2. Plaintiffs’ expert cannot value class members personal information on a classwide basis, and Marriott's compliance with a California regulation requiring a good faith value estimate does not change that fact.
As we previously explained, Marriott made and provided the estimated valuation of California Bonvoy member data “to Marriott” solely because California law required it. The estimates required by California thus relate only to value to Marriott. They have nothing to do with the value of a consumer's data to the consumer—which is the only thing that matters in this case.
Your assertion that Marriott's California disclosure “is at odds with its arguments in this litigation” belies your understanding of the California regulations. In finalizing the regulation, California's Office of Attorney General (OAG) “clarif[ied] that the relevant value for determining the permissibility of price or service differences under Civil Code section 1798.125 is the ‘value provided to the business by the consumer's data.’ ”[4] Moreover, OAG expressly rejected public comments that the “[c]alculation method for the value of the consumer's data should be based on the value of the data to the consumer or related to the respective consumer rights rather than value to the business.”[5] And OAG also rejected regulatory language that referred to “average” or “typical” consumers.[6]
In short, Marriott's discovery responses do not require supplementation and Marriott sees no reason in your letter to provide the information you request.
*8 Sincerely,
/s/ Gilbert S. Keteltas
Gilbert S. Keteltas
Partner
Judge Facciola,
Please let us know if there's anything further you need from us on this issue. As we said below, we believe that this is an important matter that bears upon the issues we'll be discussing with Judge Grimm on Monday.
Thank you, once again, for all of your help in this case.
Amy
Amy E. Keller
DICELLO LEVITT GUTZLER
312.214.7900
Footnotes
Hereafter “PII”
See Joint Status Report, Sept. 30, 2019, p. 3 (ECF 459); Letter from G. Keteltas, Sept. 11, 2019 (“Marriott will not respond to these uncoordinated requests and asks for the parties’ immediate commitment to withdraw their requests and coordinate.”).
Marriott Response to Omnibus Document Requests, Nov. 11, 2019, p. 7. See also Marriott Defendants Response to Consumer Plaintiffs’ First Set of Requests for Production of Documents, Nov. 13, 2019, p. 6; Marriott Defendants’ Responses to Consumer, Financial Institution, and Government Track's Omnibus Interrogatories, p. 4 (objecting to responses outside “the time period January 1, 2014 through March 1, 2019.”).
Memorialization of Status Call with Special Master Facciola on February 4, 2021, p. 3.
Final Statement of Reasons, June 1, 2020, p. 5 (available at https://oag.ca.gov/privacy/ccpa/regs).
FOR Appendix A, No. 839, p. 280.
FSOR Appendix A, No. 1, p. 1.