Marriott Likely Faces a Bunch of Shareholder Lawsuits of a Different Kind

Every time there is a breach of a publicly traded company there are shareholder lawsuits, but in addition to all of the normal shareholder lawsuits, Marriott (and maybe Starwood) will likely face a whole different class of lawsuits.

When Marriott and Starwood merged in 2016 creating a hotel chain with 6,500 properties and over a million rooms, one assumes that they did a lot of due diligence.

The breach that Marriott announced this past week, according to the announcement, started when hackers burrowed into Starwood’s systems in 2014 – two years before the breach.

The very high level details of the breach are –

About 500 million customers data breached
Over 300 million of those customers breached included credit card information
Marriott says the data was bundled up and encrypted and the hackers were getting ready to copy the data off the Marriott servers. How do they know that the hackers didn’t already do this one time, two times or more in the last four years?
Marriott says the credit card data was encrypted but they don’t know if the hackers stole the encryption keys also

This brings up a lot of questions that Marriott shareholders would like to know the answers to –

Did Starwood know about the hack before the merger and forget to mention it to Marriott? If true, the SEC won’t be happy and people could face criminal charges.
Did Marriott know about the hack at the time of the merger but not tell their shareholders at the time that they voted to approve the merger? Likely Marriott shareholders would say they overpaid for Starwood under those circumstances.
If Marriott did not know about the hackers, why not? Based on information released so far, it would appear that no one knew about it at the time of the merger. If true then it would seem that their due diligence was inadequate. Companies usually do a decent job of financial due diligence but sometimes do a poor job of cyber due diligence.
Why, in the past two years, did Marriott not figure out that hackers were in there?
Who is going to cover the costs of the breach – Marriott or Starwood? After all, it happened on Starwood’s watch

Bottom line is that it appears that whatever pre-merger cyber due diligence they did, it was not adequate.

That oopsie is going to cost shareholders and the insurance companies hundreds of millions of dollars.

Based on last week’s Pennsylvania Supreme Court decision and the fact that some significant number of customers likely live in Pennsylvania, expect a negligence lawsuit in that state based on that decision, separate from other lawsuits.

What does this mean for businesses who are considering acquiring or merging with another company?

I suggest that it means that businesses REALLY, REALLY need to up the cyber due diligence that they do before acquiring a company or agreeing to a merger.

Companies should consider hold-backs in case surprises are discovered after the closing. This was discovered two years after the close and that is probably at the extreme edge of any hold-back clause.

Even if all of the costs are covered by insurance, which I would bet would be about a 0% chance, the distraction for officers of the company for the next 3-5 years, based on other breaches, is going to be significant. There will be state investigations, SEC investigations, FTC investigations and who knows what other three letter agencies. Since Marriott is a multinational, other governments are going to get into the act. The British Information Commissioner’s Office has opened an investigation and other governments may follow. Not to mention all of the consumer and shareholder lawsuits.

In this case the hackers only took personal information. MAYBE? They could just as easily take trade secrets.

In the case of the Yahoo-Verizon merger, the breach was discovered before the close and Yahoo shareholders took what is likely to be a half billion dollar punch to the gut. In this case, Starwood is likely going to come out smelling like a rose and laughing as they count their billions while Marriott shareholders get to deal with a very large pile of poop on the floor.