Data breaches are an all-too-familiar issue, affecting businesses of all sizes and across all industries. Beyond the operational and reputational impacts and other fallout of a data breach, businesses also face heightened class action litigation risk.

A recent high-profile case serves as a valuable reminder that companies should consider relying on a well-established mechanism for mitigating class action litigation risk. In In re Marriott International, Inc., Consumer Data Security Breach Litig., 78 F.4th 677 (4th Cir. 2023), the Fourth Circuit Court of Appeals vacated the district court’s certification order in a data breach class action because the district court had not first addressed the class action waiver that, according to Marriott, every putative class member had agreed to. The Marriott decision demonstrates how class action waivers can be utilized as a core strategy for mitigating heightened data breach litigation risk.

Fourth Circuit Vacates Certification Order Due to Potential Applicability of Class Action Waiver Defense

In November 2018, Marriott experienced a widely publicized cybersecurity breach that resulted in the exposure of nearly 400 million customers’ personally identifying information, making it one of the largest data breaches in United States history. As is customary with data breach events today, the company was hit with a wave of class action litigation in the immediate aftermath of the security incident. On May 3, 2022, the United States District Court for the District of Maryland granted certification to eight classes of putative plaintiffs, encompassing millions of class members spanning six states, who were purportedly impacted by the breach. Marriott appealed.

On appeal, the Fourth Circuit held that the district court erred by certifying classes against Marriott without first addressing the company’s class action waiver defense. That defense centered on the company’s contention that every member of its rewards program had agreed, under the rewards program terms and conditions, to resolve disputes against it only “individually [and] without any class action.” According to Marriott, the district court could not certify a class without first addressing its contention that the putative class members were bound by terms and conditions that included a waiver of class action rights, which would bar the class action against Marriott in its entirety. The Fourth Circuit agreed, vacated the certification order, and remanded the case to the district court to address both the enforceability of the class action waiver and plaintiffs’ contention that Marriott had waived the defense.

As the Marriott decision demonstrates, reliance on class action waivers can be an effective mechanism to mitigate data breach class action litigation risk.

As a practical matter, class action waivers are typically included in terms and conditions alongside arbitration clauses, and the validity and enforceability of both are often contested. It is therefore important to work with experienced counsel to ensure that your terms and conditions, including any class action waiver and arbitration clause, are thoughtfully crafted to mitigate the risk associated with data breaches and the litigation that may follow them. Companies that do not have these provisions in their terms and conditions should consult with counsel and consider adopting them, and companies that do have them in place should revisit them periodically to ensure that they align with shifting risks, litigation trends and best practices.