Maryland Cases March 29, 2022: In re Marriott Int'l Customer Data Sec. Breach Litig.

Court: U.S. District Court — District of Maryland
Date: March 29, 2022

Case Description

IN RE MARRIOTT INTERNATIONAL CUSTOMER DATA SECURITY BREACH LITIGATION

MDL No. 19-md-2879

United States District Court, D. Maryland, Southern Division

March 29, 2022

REPORT AND RECOMMENDATION OF THE SPECIAL MASTER

John M. Facciola Special Master J.

The Controversy

Kevin T. Poindexter ("Poindexter") has written a report that is an exhibit to Defendants' Opposition to Plaintiffs' Motion for Class Certification. ECF No. 885. The parties have been battling for months over whether paragraphs 22 to 39, which are sealed, should be made public.

The Poindexter Report

Poindexter engaged in what he calls "locating and operating open-source intelligence." Expert Report Poindexter at par. 2, Exhibit I to Defendant's Opposition to Plaintiff's Motion for Class Certification. ECF No. 885 (Hereafter "Report"). To put it more simply, he searches the publicly available internet for information about people. Id. at par. 15.

He explained that the internet contains a "vast" amount of data about individuals that is generated by social media platforms, real estate records, civil/criminal court records, government documents, and employment databases. Id. at 10. Individuals can make this information available purposefully, or malefactors can steal it and use it without their permission. Poindexter searched the internet to find the personal data of the bellwether plaintiffs.

The Results

In paragraph 21 of his report, Poindexter summarizes what he found as follows:

• Over 50% of the plaintiffs had publicly available email addresses.
• More than 75% of the plaintiffs had publicly available phone numbers.
• More than 66% of the plaintiffs had publicly available social media profiles.
• Employment information was publicly available for 50% of the plaintiffs.
• Over 40% of the plaintiffs' dates of birth were publicly available.

Report at par. 21.

Poindexter also reports the following:

I was able to find personal information for more than half of the plaintiffs who were impacted in publicly available data breaches from other security incidents, and the plaintiffs had passwords that were potentially exposed through these incidents.

Id.

In paragraphs 40 to 43, Poindexter provides his conclusions as follows:

• Poindexter is confident that he found the plaintiffs' personal information using search terms consisting of their names and addresses.
• 55% of the plaintiffs have been involved in other security incidents in which their names, usernames/aliases, email addresses, home addresses, phone numbers, and/or passwords had been exposed and are now publicly available.
• There is a vast amount of personal information publicly and readily available about the plaintiffs, including their names, addresses, dates of birth, usernames and passwords, potential relatives, civil and criminal legal records, and employment information.
• This information came from a variety of free, easily accessible sources, none of which are attributed to the Starwood security incident.

Thus, the public record in this case already provides detailed information about what Poindexter did and a summary of what he found. In a letter to me, Marriott's counsel explains its significance: that Poindexter's finding that the plaintiffs' personal information is already publicly available presents a defense to the merits of the plaintiffs' claim. It shows that any alleged theft of their data by the aforementioned breach did not harm them. Additionally, the presence of the information defeats the motion for class certification because "different plaintiffs have different pieces of information in the public domain." Letter to the Special Master (undated) at 1.

The Battle

As noted, there is a battle over paragraphs 22-39 of Poindexter's report. In those sections, Poindexter describes the information he found about the plaintiffs. Specifically, he provided in his report the following information on each plaintiff:

1. Name
2. Age
3. Date of birth
4. Mailing address
5. Email address
6. Phone number
7. Potential relatives (including names and ages)
8. Social media or other application accounts (e.g., Instagram, Facebook, Twitter, LinkedIn)
9. Employment records
10. Voter registration records (and/or political affiliation derived from these)
11. Civil and/or criminal legal records
12. Data breaches that potentially impacted the plaintiffs' information
13. Passwords stored in plain text

Report at 21.

Thus, if Marriott has its way, we will also learn that Susie Smith is twenty-seven years old, lives in Chicago, and has a certain phone number and email address. She has a Facebook account, works at a car dealership, votes as a Democrat, was a plaintiff in a Title VII action, and has a brother named Vergil. She previously suffered a data breach on her computer other than the one referenced in this case.

The information should not be unsealed.

I see no purpose whatsoever in the disclosure of this information. One of the central purposes of access to court records is to permit the public to evaluate the integrity and validity of the judicial process. Courthouse News Serv. v. Schaefer, 2 F. 4th 318, 321 (4th Cir. 2021). Given what is already on the public record, the public has all of the information needed to understand how Judge Grimm will deal with the plaintiffs' motion to find his report inadmissible and for class certification, insofar as the judge finds Poindexter's report relevant when he issues his decisions. Disclosure of the information in paragraphs 22 to 39 does not add an iota to that public understanding. And, frankly, I cannot divine any other reason to disclose it now.

I appreciate that Marriott claims that unless paragraphs 22-39 are unsealed, the public does not know that the plaintiffs' personal information is "otherwise publicly available." Letter of Marriott's counsel to the Special Master at 3.

That is wrong. All the public needs to do is to read the first 21 paragraphs of Poindexter's report, the unsealed portion of the parties' pleadings that discuss it, and this report and recommendation, and it will learn what Poindexter found.

What Poindexter found is already public, claims Marriott. But, as the plaintiffs point out, with a bit of sarcasm, if it is easy to find what Poindexter found, why did Marriott need Poindexter? Letter of the plaintiffs' counsel to the Special Master, dated March 4, 2022, at 4.

More to the point, this is not a situation where a party is foolishly trying to seal a newspaper article. It is a collection of intimate details about the plaintiffs' lives, which are already scattered over the internet. Although it may be technically "public," I see no reason for this Court to require the disclosure of that information when the details have nothing to do with the issues presently before the Court and will lead to the collection of those intimate details in one place on the internet (i.e., the Court's docket). Perhaps a given case may require that, but not this one.

I hasten to add that there is nothing permanent about any of this. I am dealing only with the disclosure of this information between now and the Judge's resolution of the motion for class certification. What happens after that remains to be seen. Meanwhile, I find that unsealing paragraphs 22-39 of the Poindexter report would be an abuse of discretion, and I recommend that they remain sealed.

---------

Notes:

I am making this up.

---------