Boilerplate Arbitration Language Not Working In Large Breaches
Marriott had to back down on arbitration language that was included when victims of its breach signed up for a fraud monitoring service with its selected provider, Kroll WebWatcher. When signing up with the WebWatcher service, victims of the breach were unsure whether using the complimentary fraud monitoring service would waive their right to pursue legal claims in court through a class action case. Many contracts include standard waiver language by default, and these provisions can be used to prevent a victim from pursuing legal action against a company. However, as we experience more and more breach claims, and as the courts start to relax their stance that class actions cannot be certified for lack of “damages,” these types of binding provisions will lose favor, especially for a company concerned about the reputational damage associated with its breach.
Marriott eventually stated that it would not enforce the provision, allowing claims, including class action claims, to be pursued unimpeded. Equifax did the same thing under pressure from victims of its 2017 breach. I suspect this trend will continue as consumers get more educated about their rights and start to flex their muscle to force companies to answer for their inability to safeguard sensitive data.
It is often said, by me at least, that the only thing that will get companies to pay attention to their cybersecurity shortcomings is class action lawsuits. They have to feel the pain. Get ready!