No Vacancy: Monitoring Service for Marriott Data Breach Victims Limits Access to Justice

Note: Marriott reported today that the private data of upwards of 500 million customers may have been breached. This hack follows other breaches this year at Macy’s Inc., Sears Holdings Corp., Kmart and Best Buy Co., Inc., among others.

November 30, 2018 – Statement of Remington A. Gregg, Counsel for Civil Justice and Consumer Rights, Public Citizen’s Congress Watch Division.

Advertisement

We need a strong federal law that allows individuals who have been harmed by data breaches to hold companies accountable.

Not only are people wondering if their sensitive information has been compromised and is up for sale on the dark web, but the monitoring service, Kroll, that Marriott hired to alert customers if their data was stolen includes a jury waiver and class-action ban in its terms of service. This requires customers who later have claims against the monitoring service to file in Davidson County, Tenn. This attempt to keep customers from joining together if they have claims against the company and forcing them to sue in Tennessee repeats blunders of the Equifax consumer catastrophe. There, too, the monitoring service chosen by Equifax tried to impose restrictions on consumers’ ability to bring claims in the future.

Kroll should immediately revise its terms of service to allow those impacted to sue in convenient locations, should disputes arise, and without restrictions on the ability to join together with similarly situated consumers.

Still, the biggest duty falls on Marriott. As the company moves to mitigate a data breach that speaks to its own failures to properly protect the personal, sensitive data it collects from customers, it must affirmatively guarantee that its already victimized customers are not victimized again by unfair contract terms that limit their right to recovery in the event of misconduct by Kroll.