DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Fourth Circuit Decision in Marriott Data Breach Case Kicks the Can Down the Road

Posted on August 25, 2023 by Dissent

Cindy Cohn of EFF writes:

When a company that collected your personal data negligently fails to secure it, you should have accountability and relief—including standing to sue. 

EFF and our friends at Electronic Privacy Information Center filed an amicus brief in late November pointing this out to the U.S. Court of Appeals for the Fourth Circuit in a case arising from the 130 million consumer records stolen from Marriott in 2018.  We detailed the science and evidence demonstrating that people impacted by such data breaches run the risk of identity theft, ransomware attacks and increased spam, along with corresponding increased anxiety, depression and other psychological injuries. 

The Fourth Circuit’s decision last week didn’t address our arguments; instead it just kicked the can down the road. The appeals court found that the trial court had not properly considered whether consumers had waived their rights to bring a class action by joining Marriott’s loyalty programs— those programs that advertise huge benefits to loyal customers but put the costs you pay (like decreased ability to sue) into the fine print that no one reads. 

We strongly disagree with the suggestion that any Marriott customer meaningfully agreed to waive a class action here. Few if any customers read a hotel loyalty program’s fine-print terms and conditions, much less knowingly waive their right to bring a class action if the company negligently lets their data fall into the hands of thieves. We hope that on remand, the trial court will reject Marriott’s poorly-taken waiver argument, and we can get back to trying to ensure that consumers have real accountability when companies fail to protect the data they increasingly extract from us.  

This decision highlights one of EFF’s criticisms of the proposed American Data Privacy and Protection Act last year. One of the reasons we did not support the bill was that it failed to override bogus waivers such as this.  Privacy laws need to be strong and not full of holes that leave us without protection because of a single click or some tiny fine print that no one reads. We need a strong data privacy law that prohibits waivers and mandatory arbitration requirements letting companies sidestep users’ basic legal rights.  

We’ll keep watching this important case and standing up for your rights both in the courts and in Congress.  

This article was originally published at EFF,

Category: Business SectorCommentaries and AnalysesOf NoteU.S.

Post navigation

← Rackspace’s costs to deal with ransomware attack top $10 million
A Brazilian phone spyware was hacked and victims’ devices ‘deleted’ from server →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Texas gastroenterology and surgical practice victim of ransomware attack
  • Romanian Citizen Pleads Guilty to ‘Swatting’ Numerous Members of Congress, Churches, and Former U.S. President
  • North Dakota Enacts Financial Data Security and Data Breach Notification Requirements
  • Pro-Ukraine hacker group Black Owl poses ‘major threat’ to Russia, Kaspersky says
  • Vanta bug exposed customers’ data to other customers
  • Lyrix Ransomware Targets Windows Users with Advanced Evasion Techniques
  • Central Maine Healthcare tackles suspected cybersecurity issue; hospitals remain open
  • Cartier Data Breach: Luxury Retailer Warns Customers that Personal Data Was Exposed
  • Beyond the Pond Phish: Unraveling Lazarus Group’s Evolving Tactics
  • Akira doesn’t keep its promises to victims — SuspectFile

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Supreme Court Agrees to Clarify Emergency Situations Where Police Don’t Need Warrant
  • Stewart Baker vs. Orin Kerr on “The Digital Fourth Amendment”
  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.
Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report