Key Points
- Fourth Circuit points to SEC guidance on "less is more" approach to cybersecurity disclosures, while finding such disclosures did not violate federal securities laws.
- Omissions of data vulnerabilities were not actionable because the challenged statements were not false when made.
- Although investors argued statements about the "importance" of data security to Marriott were false and misleading, the statements were not actionable because the Court held that Marriott did not "assign a quality to Marriott's cybersecurity that it did not have."
- Marriott's "sweeping caveats" regarding cybersecurity risks ensured no investor could be misled regarding the risks outlined.
- Forward-looking generalized risk disclosures that cybersecurity issues "may" occur were not actionable even though some of those risks had been realized, because Marriott also disclosed it had experienced such challenges.
Summary
Although Marriott could have provided additional information to investors regarding its cybersecurity risks following a merger with Starwood, the federal securities laws did not require it to do so, and Securities and Exchange Commission (SEC) guidance advises companies against detailed disclosures that could compromise their cybersecurity efforts.
Even though Marriott had already experienced some cybersecurity incidents at the time some of the challenged statements were published, its general forward-looking disclosures of cybersecurity risks and...
