Late last year, hotel giant Marriott International disclosed a data breach that began in 2014 and affected approximately 500 million Marriott and Starwood Preferred guest accounts. A variety of hotel guest information including names, birth dates, passport numbers, encrypted credit card information, and other sensitive data was reportedly obtained by hackers. In response, Marriott has offered those guests affected by the data breach a free one-year subscription to fraud monitoring service Kroll WebWatcher. The terms and conditions of the WebWatcher service contain a mandatory arbitration clause that also includes a collective action waiver.
A Federal Trade Commission webpage describing the Marriott data breach states:
The company set up an informational website, https://answers.kroll.com, and a call center, 877-273-9481, to answer questions. It says affected customers also can sign up for a year of free services that will monitor websites that criminals use to share people’s personal information. Marriott says the service will alert customers if their information shows up on the websites, and will also include fraud loss reimbursement and other services.
In December, a proposed class action lawsuit including plaintiffs from each of the 50 states was filed against Marriott in the United States District Court for the District of Maryland. In their complaint, attorneys for the putative class claim WebWatcher’s arbitration provision creates uncertainty amongst data breach victims regarding whether using the complimentary fraud monitoring service would waive their right to “pursue legal claims in court through a class action vehicle.” Since Hiteshew v. Marriott was filed, however, Marriott International has apparently agreed not “to enforce the WebWatcher arbitration and class action waiver” against putative class members.
In 2017, a similar situation occurred in response to a data breach at consumer credit reporting agency Equifax. Although the company offered nearly 143 million affected consumers a free one-year subscription to fraud monitoring service TrustedID, a public backlash followed because the terms and conditions of the monitoring service included an arbitration clause and class action waiver. Equifax later amended the TrustedID terms to state:
NO WAIVER OF RIGHTS FOR THIS CYBER SECURITY INCIDENT
In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident.
Unfortunately, large data breaches like those at Marriott and Equifax are becoming all too common. It will be interesting to see how companies choose to incorporate arbitration provisions into their future breach policies as well as how consumers and the courts react.