Construction Laborers Pension Trust Southern CA v. Marriott International, Inc. ( 2022 )

                                          PUBLISHED
UNITED STATES COURT OF APPEALS
FOR THE FOURTH CIRCUIT
No. 21-1802
In re: MARRIOTT INTERNATIONAL, INC.
------------------------------
CONSTRUCTION              LABORERS        PENSION       TRUST   FOR   SOUTHERN
CALIFORNIA,
Plaintiff - Appellant,
and
DENNIS MCGRATH; PETER MILLER,
Plaintiffs,
v.
MARRIOTT INTERNATIONAL, INC.; ARNE M. SORENSON; KATHLEEN
KELLY OBERG; BAO GIANG VAL BAUDUIN; BRUCE HOFFMEISTER;
STEPHANIE C. LINNARTZ; MARY K. BUSH; FREDERICK A. HENDERSON;
LAWRENCE W. KELLNER; AYLWIN B. LEWIS; GEORGE MUNOZ,
Defendants - Appellees.
------------------------------
CHAMBER OF COMMERCE OF THE UNITED STATES OF AMERICA,
Amicus Supporting Appellee.
Appeal from the United States District Court for the District of Maryland, at Greenbelt.
Paul W. Grimm, District Judge. (8:19-md-02879-PWG)
Argued: March 10, 2022                               Decided: April 21, 2022
Before AGEE, RUSHING, and HEYTENS, Circuit Judges.
Affirmed by published opinion. Judge Heytens wrote the opinion, in which Judge Agee
and Judge Rushing joined.
ARGUED: Carol C. Villegas, LABATON SUCHAROW LLP, New York, New York, for
Appellant. Jason J. Mendro, GIBSON, DUNN & CRUTCHER LLP, Washington, D.C.,
for Appellees. ON BRIEF: Ross M. Kamhi, David Saldamando, LABATON
SUCHAROW LLP, New York, New York, for Appellant. Jeffrey S. Rosenberg,
Washington, D.C., Adam H. Offenhartz, Laura K. O’Boyle, Andrei F. Malikov, GIBSON,
DUNN & CRUTCHER LLP, New York, New York, for Appellees. Tara S. Morrissey,
Paul Lettow, UNITED STATES CHAMBER LITIGATION CENTER, Washington, D.C.;
Judson O. Littleton, Daniel J. Richardson, SULLIVAN & CROMWELL LLP,
Washington, D.C., for Amicus Chamber of Commerce of the United States of America.
2
TOBY HEYTENS, Circuit Judge:
Following a major data breach targeting servers owned by Marriott International,
various investors alleged that Marriott and its executives violated federal securities laws
by omitting material information about data vulnerabilities in their public statements.
Because the investors have not adequately alleged that any of Marriott’s statements were
false or misleading when made, we affirm the district court’s dismissal of the complaint.
I.
In 2016, Marriott merged with Starwood Hotels and Resorts Worldwide. In doing
so, “Marriott subsumed all of Starwood and its operations, including Starwood’s computer
systems, reservation software, and databases, as well as all the sensitive personal
information in those databases.” JA 578.
Two years later, Marriott learned that malware had impacted approximately 500
million guest records in the Starwood guest reservation database, resulting in the second
largest data breach in history. Soon after, the Construction Laborers Pension Trust for
Southern California (the investor) filed a putative class action against Marriott and nine of
its officers and directors, alleging that Marriott’s failure to disclose severe vulnerabilities
in Starwood’s IT systems rendered 73 different public statements false or misleading in
violation of Section 10(b) of the Securities Exchange Act of 1934 and Securities and
Exchange Commission Rule 10b-5. The investor also brought a claim for secondary
liability against the executives under Section 20(a) of the 1934 Act.
The district court granted Marriott’s motion to dismiss with prejudice, concluding
that the complaint “failed to adequately allege a false or misleading statement or omission,
3
a strong inference of scienter, and loss causation,” which doomed the claim under Section
10(b) and Rule 10b-5 as well as the secondary liability claim. JA 1317. The investor
appealed, dropping its challenge to 55 of the statements while maintaining its challenge to
the other 18. We review the grant of a motion to dismiss de novo, accepting the complaint’s
factual allegations as true and drawing all reasonable inferences in favor of the plaintiff.
KBC Asset Mgmt. v. DXC Tech. Co., 

, 607 (4th Cir. 2021).
II.
To state a claim under Sections 10(b) and 20(a) of the Securities Exchange Act of
1934 and SEC Rule 10b-5, a plaintiff must first allege a “material misrepresentation or
omission by the defendant.” Stoneridge Inv. Partners, LLC v. Scientific-Atlanta, Inc., 

, 157 (2008); see Yates v. Municipal Mortg. & Equity, LLC, 

, 894 n.8
(4th Cir. 2014) (“Section 20(a) liability is derivative of [Section] 10(b).”); see also 15
U.S.C. §§ 78j(b), 78t(a); 

.10b-5. The plaintiff must identify “a factual
statement or omission—that is, one that is demonstrable as being true or false.” Longman
v. Food Lion, Inc., 

, 682 (4th Cir. 1999). The challenged statement or omission
must also be about something consequential—or, as the law puts it, “material.” 

 And the
plaintiff must allege that the defendant either said something that is “false” or left
something out that renders “misleading” the “public statements” the defendant made. 

That last point is critical to this case: Not all material omissions are actionable.
Although investors would surely prefer to know everything about a company, Section 10(b)
and Rule 10b-5 “do not create an affirmative duty to disclose any and all material
information.” Matrixx Initiatives, Inc. v. Siracusano, 

, 44 (2011). Rather,
4
“[d]isclosure is required . . . only when necessary ‘to make . . . statements made, in the
light of the circumstances under which they were made, not misleading.’ ” 

 (quoting 

.10b-5(b)). In other words, an omission is actionable only if—absent the fact
omitted—“a reasonable investor, exercising due care, would gather a false impression from
a statement, which would influence an investment decision.” Phillips v. LCI Int’l, Inc., 

, 613 (4th Cir. 1999). As a result, “companies can control what they have to
disclose” by “controlling what they say to the market.” Matrixx Initiatives, 

.
On appeal, the investor focuses on three categories of statements: statements about
the importance of protecting customer data; privacy statements on Marriott’s website; and
cybersecurity-related risk disclosures. Because the complaint failed to adequately allege
that any of the challenged statements was false or rendered any of Marriott’s public
statements misleading, the district court correctly held that the investor has not stated a
valid claim under Section 10(b) and Rule 10b-5. For that same reason, the district court
also correctly held that the investor has not stated a valid claim under Section 20(a). See
Yates, 744 F.3d at 894 n.8.
A.
The first set of statements the investor challenges involves the importance of data
protection to Marriott’s business. For example, in SEC submissions, Marriott repeatedly
stated that “the integrity and protection of customer, employee, and company data is critical
to us as we use such data for business decisions and to maintain operational efficiency.”
JA 782, 811, 835. By “failing to disclose . . . the vulnerable state of Starwood’s IT systems,”
5
the investor insists, these statements “creat[ed] the misleading impression that Marriott was
securing and protecting the customer data acquired from Starwood.” Investor Br. 52–53.
We are unpersuaded. The “basic problem” with the complaint on this point is that
“the facts it alleges do not contradict [Marriott’s] public disclosures.” Teachers’ Ret. Sys.
of La. v. Hunter, 

, 182 (4th Cir. 2007). Indeed, the investor’s whole theory of
the case turns on those statements being true—i.e., that data integrity is “critically
important to Marriott and its investors.” Investor Br. 4. 1
Reiterating this basic truth is neither misleading nor creates the false impression the
investor suggests. The investor relies heavily on district court decisions concluding that
“statements touting the strength or quality of an important business operation are false, and
thus actionable, when those operations are, in reality, deficient.” In re Equifax Inc. Sec.
Litig., 

, 1220 (N.D. Ga. 2019); see Investor Br. 53, 57–58. But even
assuming we agreed with those decisions (a point we need not decide), Marriott made no
such representation. Instead, as the district court here explained, Marriott’s public
statements about the importance of data protection did not “assign a quality to Marriott’s
cybersecurity that it did not have.” JA 1361. “[I]ndeed, unlike the statements found to be
1
Marriott’s statement that data security was “critically important” to it also amounts
to little more than puffery. See Dunn v. Borta, 

, 431 (4th Cir. 2004) (“[T]he
judiciary has long distinguished between mere puffing statements utilizing opinion and
exaggeration to pitch a sale, on the one hand, and factual statements that constitute
fraudulent misrepresentations, on the other.”). “[P]uffery will often not be actionable”
under the securities fraud laws, Longman, 

, and as we explain, we will not
treat Marriott’s puffery any differently.
6
actionable in Equifax, Marriott made no characterization at all with respect to the quality
of its cybersecurity, only that Marriott considered it important.” 

Nor could a reasonable reader of Marriott’s public statements have understood the
company to be overrepresenting the extent to which it was “securing and protecting the
customer data” (Investor Br. 52–53), especially when taken together with the other
statements Marriott made in the same SEC filing. The reason is straightforward: Marriott’s
SEC submission discloses the key risks that the investor alleges made Starwood’s systems
vulnerable. The company, Marriott repeatedly warned, may “fail[ ] to keep pace with
developments in technology”; its systems “may not be able to satisfy” the “information,
security, and privacy requirements” imposed by laws and regulations; and there were risks
of “significant theft, loss, or fraudulent use of ” company and customer data and
“[b]reaches in the security of our information systems.” See, e.g., JA 784–85.
B.
The investor’s arguments about a series of privacy statements Marriott posted on
various websites fail for similar reasons. On its own website, Marriott stated that it “seek[s]
to use reasonable organizational, technical and administrative measures to protect”
personal data, while noting that “no data transmission or storage system can be guaranteed
to be 100% secure.” JA 804, 851. Starwood’s website, in turn, said that the company
“recognize[d] the importance of information security”; was “constantly reviewing and
enhancing our technical, physical, and logical security rules and procedures”; and that its
“web sites and servers have security measures in place to help protect your personal data.”
7
JA 828. At the same time, the Starwood site cautioned that “ ‘guaranteed security’ does not
exist either on or off the Internet.” 

Again—even assuming all of the complaint’s factual allegations are true—none
demonstrates that the challenged privacy statements were false or misleading. Indeed, the
complaint concedes that Marriott devoted resources and took steps to strengthen the
security of Starwood’s systems. And “[t]he fact that a company has suffered a security
breach does not demonstrate that the company did not place significant emphasis on
maintaining a high level of security.” Equifax, 357 F. Supp. 3d at 1221 (quotation marks
omitted).
The remaining privacy statements were accompanied by such sweeping caveats that
no reasonable investor could have been misled by them. For example, Marriott’s assurance
that “personal data will be kept in a form which enables [us] to identify you for no longer
than it is necessary for the purposes for which we collected and use your data” specifically
noted that “some types of information may be stored indefinitely due to technical
constraints.” JA 827. And despite high-level representations on Marriott’s website that the
company “certified” its compliance with certain privacy frameworks (JA 851), Marriott’s
risk disclosures to the SEC—the content actually directed to investors—specifically
warned that the company’s systems “may not be able to satisfy” the “increasingly
demanding” and “changing” legal and regulatory requirements. See, e.g., JA 784.
C.
We also disagree with the investor’s assertion that Marriott’s cybersecurity risk
disclosures were materially misleading because they “warned of risks that had already
8
materialized.” Investor Br. 65–66. To be sure, “[a] generic warning of a risk will not suffice
when undisclosed facts on the ground would substantially affect a reasonable investor’s
calculations of probability.” Singer v. Reali, 

, 442 (4th Cir. 2018) (quotation
marks omitted). For that reason, warning of “risks that ‘could’ or ‘may’ occur” might be
misleading to a reasonable investor where the defendant “knew that those risks had
materialized,” but only if the risk disclosures “speak[ ] entirely of as-yet-unrealized risks
and contingencies and do not alert[ ] the reader that some of these risks may already have
come to fruition.” In re Alphabet, Inc. Sec. Litig., 

, 703–04 (9th Cir. 2021)
(quotation marks omitted). In contrast, a risk disclosure’s forward-looking statements do
not “constitute[ ] misleading omissions about current or past challenges” when “the
disclosure also acknowledge[s] that the company had already experienced the sort of
challenges that it would have to overcome in order to achieve its stated objective.” 

(quotation marks and citation omitted). 2
The investor argues that Marriott twice warned generally about events that could
occur when it knew those events had in fact already occurred. Although we construe the
complaint’s allegations about the underlying facts in the light most favorable to the
investor, we must first “strip[ ] . . . allegations of mischaracterizations and exaggeration,
[and] focus on whether the exact statement in its true context constitutes a material
2
Such risk disclosures generally also lack materiality because “[t]hey are not meant
to educate investors on what harms are currently affecting the company,” so “a reasonable
investor would be unlikely to infer anything” from them about the company’s current state
of affairs. Bondali v. Yum! Brands, Inc., 

, 491 (6th Cir. 2015).
9
representation.” Phillips, 

. And, when we do so, we conclude the investor
has failed to identify any statement that was false or misleading when made.
For example, the investor takes issue with Marriott’s warning that its “systems . . .
may not be able to satisfy” the “changing requirements” of “the payment card industry”
(see, e.g., JA 784), arguing that Marriott “warned only generally of the possibility that
Marriott would not be able to comply with the requirements of the payment card industry”
after “the Board knew that Starwood was not . . . compliant” with the Payment Card
Industry Data Security Standards (PCI DSS). Investor Br. 66–67. But the investor’s
assertion that Marriott and its executives were “aware that they were not satisfying [PCI
DSS] requirements” (Investor Br. 67) is not supported by the investor’s own allegations.
According to the complaint, Marriott’s consultant reported that Starwood’s “[b]rand
standards did not mandate PCI compliance,” not that Starwood’s systems were, in fact, not
compliant. JA 705 (emphasis added). At most, the consultant’s report informed Marriott
only that Starwood’s systems might not satisfy PCI DSS requirements—which is what
Marriott stated in its risk disclosures.
The investor also argues that, despite having “actual knowledge of the Data
Breach,” Marriott’s SEC disclosures from November 6, 2018 “warned generally of the risk
that Marriott could face disruptive cyber security incidents,” such as “[e]fforts to hack or
circumvent security measures” and “attempts to affect the integrity of our data.” Investor
Br. 67 (citing JA 859–60). But Marriott’s “disclosure also acknowledged that the company
had already experienced the sort of challenges” being discussed. Alphabet, 1 F.4th at 703–
04 (quotation marks and citation omitted). Specifically, after learning of the breach,
10
Marriott updated its disclosure to state: “[W]e have experienced cyber-attacks, attempts to
disrupt access to our systems and data, and attempts to affect the integrity of our data, and
the frequency and sophistication of such efforts could continue to increase.” JA 860. This
admission ensured that forward-looking warnings did not “constitute[ ] misleading
omissions about current or past challenges.” Alphabet, 1 F.4th at 703–04 (quotation marks
omitted).
*      *       *
Marriott certainly could have provided more information to the public about its
experience with or vulnerability to cyberattacks, but the federal securities laws did not
require it to do so. Indeed, the SEC advises companies against “mak[ing] detailed
disclosures that could compromise [their] cybersecurity efforts—for example, by providing
a ‘roadmap’ for those who seek to penetrate a company’s security protections.” SEC
Statement and Guidance on Public Company Cybersecurity Disclosures, 

, 8169 (Feb. 26, 2018). Even as alleged here, Marriott provided sufficient information
to ensure its statements were neither false nor misleading. The judgment of the district
court is therefore
AFFIRMED.
11