The question is probably if it is state of the art to encrypt passport numbers. If yes, then Marriot could be fine with a similiar argument of "the company knowingly violated its duty to ensure data security".