34 Ohio ST Jon Disp Resol 393
34 Ohio ST Jon Disp Resol 393
34 Ohio ST Jon Disp Resol 393
Citations:
-- Your use of this HeinOnline PDF indicates your acceptance of HeinOnline's Terms and
Conditions of the license agreement available at
https://heinonline.org/HOL/License
-- The search text of this PDF is generated from uncorrected OCR text.
-- To obtain permission to use this article beyond the scope of your license, please use:
Copyright Information
Resolving Data Breach Dispute: Automated
Negotiation, E-Mediation, and Arbitration
Assisted by Technology
MIKI SOMEYA*
I. INTRODUCTION
Miki Someya received her Juris Doctor from the Ohio State University Moritz
College of Law in 2019. Ms. Someya received her Bachelor of Arts in Law from Rikkyo
University in Tokyo, Japan.
393
OHIO STATE JOURNAL ON DISPUTE RESOLUTION [Vol. 34:2 20191
a. Automated Negotiation
b. E-Mediation
c. Arbitrationwith the Flexible Use of Technology
V. CONCLUSION
394
RESOLVING DATA BREACH DISPUTE
I. INTRODUCTION
' THOMAS J. SHAW, INFORMATION SECURITY AND PRIVACY: A PRACTICAL GUIDE FOR
GLOBAL EXECUTIVES, LAWYERS AND TECHNOLOGISTS 1 (Thomas J. Shaw ed., 2011).
2 See id
3 Id at 13.
' Heidi Daitch, 2017 Data Breaches - The Worst So Far, IDENTITYFORCE (Dec. 14,
2017), https://www.identityforce.com/blog/2017-data-breaches.
5 Id
6 Id
7 See, e.g., Griswold v. Connecticut, 381 U.S. 479, 485-86 (1965).
8 SHAW, supra note 1, at 23.
9 Id (citing International Association of Privacy Professionals (IAPP), Information
Privacy Certification Glossary of Common Privacy Terminology).
0 See Samuel D. Warren & Louis Brandeis, Right to Privacy, 4 HARv. L. REV. 193,
196-97 (1890).
" Id at 193.
395
OHIO STATE JOURNAL ON DISPUTE RESOLUTION
[Vol. 34:2 20191
considered the "most influential law review article of all." 12 Over thirty years
after it was written, in Kyllo v. United States, the Supreme Court cited this
article in their decision, not only in the majority opinion, but also in the
concurrence, and even in the dissent.13 Given that critical elements of privacy
are now largely stored electronically, information security has become a
fundamental element in protecting privacy.
Consumers provide a lot of information to companies," but they want
their personal information to be kept private. 5 At the same time, companies
have competitive and reputational interests in protecting their consumers'
data.1 6 No company wants a data breach, but even if they are cautious, as the
numbers and types of information breaches are increasing, and the risk and
challenges of securing their consumers' information also increases.
"
Electronically stored data is more vulnerable to attack: unlike consumer data
stored as hard copy documents, an employee may copy the data without
damaging the original, or the server may be hacked from the other side of the
earth.
When a breach happens, then the issue for these companies becomes
how to solve the disputes arising with their consumers, who expected their
information to be secured.' 8 The companies have a continuous obligation to
protect their consumers' privacy and prevent further breaches, but consumers
may ultimately take action to seek damages from the companies if their
information is breached. Companies have a statutory obligation, a common-
law based obligation, a regulatory obligation, and a contract-based obligation
to protect this information. 19 Thus a data breach can be a crime, tort,
396
RESOLVING DATA BREACH DISPUTE
2
regulatory and statutory violation, or contract breach claim. They may result
in class actions or other forms of costly litigation for the companies."
Because the companies already suffered losses from taking additional
measures to prevent further breaches and possible criminal and administrative
fines as outlined by law, resolving consumer claims effectively and efficiently
is crucial to minimizing the total losses of the company by the entire data
breach incident. Alternative dispute resolution ("ADR"), including negotiation,
mediation and arbitration, is an effective approach to settle disputes adequately
22
without the costs and publicity of the court system. The use of an online
dispute resolution forum may make ADR even more cost and time efficient for
these companies, especially in small claims and international disputes. It also
allows fairer and faster solution to consumers.
Part I of this paper will explain the background of data breach disputes.
It will also explain what a data breach is, why a data breach is a concern, and
why the companies should be prepared to resolve any data breach disputes that
arise. Part II will explain why alternative dispute resolutions are suitable to
resolve a data breach dispute. This section will focus on how to avoid class
action lawsuits, and how arbitration can be a better alternative to class action
lawsuits for both the companies and consumers. Lastly, Part III will explain
how the use of technology can make this dispute resolution more streamlined
and fair. It will explain what Online Alternative Dispute Resolution (OADR)
is, how it is suitable to resolve a data breach dispute, and finally, it will suggest
how to design the online dispute resolution system for data breach incidents.
20 Id
21 Id. at 144.
22 See Anjanette H. Raymond, Yeah, But Did You See the Gorilla? Creating and
397
OHIO STATE JOURNAL ON DISPUTE RESOLUTION [Vol. 34:2 20191
The largest breach in the history of the internet was the data breach of
the Yahoo accounts in 2013. Yahoo reported a breach incident on October 9,
2017.30 At least 1 billion user accounts, or possibly every single Yahoo
account -- three billion users in total -- were impacted by the breach. 3 1
Although the incident happened in 2013, Yahoo did not even make an initial
announcement until 2016, and still did not accurately announce how many
people were actually affected until Verizon acquired Yahoo's assets and made
those disclosures in 2017.32 Even after undertaking thorough investigations
for four years, who was actually behind this incident is still unknown.33
The cost of Yahoo's data breach became clear through the asset
398
RESOLVING DATA BREACH DISPUTE
acquisition of Yahoo by Verizon. The breach actually forced Yahoo to cut its
34
sales price by $350 million. ' Furthermore, the $350 million loss does not
3
2. ANTHEMDATA BREACH
The data breach incident of Target was one of the largest data breaches
to a U.S. retailer.4 1 Credit card and debit card information of up to 40 million
customers was stolen. Target reached an $18.5 million settlement, with a
42
good portion of the settlement money going to 47 states and the District of
Columbia as part of a settlement with state attorney generals, including $1.4 43
million of the settlement going to California, and $635,000 to New York.
After everything was settled, Target announced that total cost of the data
34 Fredric Paul, We Finally Know How Much a Data Breach Can Cost, NETWORK
WORLD (Feb. 21, 2017, 6:54 AM),
https://www.networkworld.com/article/3172402/security/we-finally-know-how-much-a-
data-breach-can-cost.html.
3 Id
36 Id
3 Record Data Breach Settlement in Anthem Class Action, HUNTON & WILLIAMS
2
(June 26, 2017), https://www.huntonprivacybog.com/ 017/06/26/record-data-breach-
settlement-anthem-class-action/.
38 Id
39 Id
40 Id
41 Target Pays Millions to Settle State Data Breach Lawsuits, REUTERS (May 23,
2017), http://fortune.com/2017/05/23/target-settlement-data-breach-lawsuits/.
42 Id
43 Id ; Rachel Abrams, Target to Pay $18.5 Million to 47 States in Security Breach
Settlement, N.Y. TIMES (May 23, 2017),
https://www.nytimes.com/2017/05/23/business/target-security-breach-settlement.html. In
addition to the monetary settlement, Target agreed to tighten its digital security. Id
399
OHIO STATE JOURNAL ON DISPUTE RESOLUTION [Vol. 34:2 20191
4. EQUIFAxDATA BREACH
The breach of Equifax is still considered by far, the worst data breach
case ever. Equifax, one of the three largest credit agencies in the U.S.
announced a data breach incident on September 7, 2017.45 Because of the
sensitivity of the stolen data-including Social Security numbers, driver's
license numbers, name, birth dates, and addresses-this incident is considered
one of the worst breaches ever. 46 Equifax announced that in total, 145.5
million U.S. consumers and 8,000 Canadian citizens were impacted by this
incident.4 7 Approximately 109,000 credit card numbers were stolen and
182,000 people's personal identification information was accessed.4 8
The impact of this breach was significant to the company. After the
announcement of the incident, Equifax's stock price decreased by more than
18%, from $143 to $116.49 That was the largest single-day drop since August
20, 1999.50 Based on past incidents, a financial analyst, Shlomo Rosenbaum,
estimated the gross cost for this incident may have been around $325 million."
Equifax later admitted that its security organization was aware of the
vulnerability at the time of the incident in March 2017.52 Although the
company claims it took efforts to identify and patch the vulnerability, the
incident happened before it could fix the issue.
4 Id.
4s Daitch, supra note 4; 2017 Cybersecurity Incident & Important Consumer
Information, Consumer Notice, EQUIFAX,
https://www.equifaxsecurity2O17.com/consumer-notice/ (last visited Feb. 17, 2018).
' Daitch, supra note 4; 2017 Cybersecurity Incident, supra note 45.
47 Equifax Announces Cybersecurity Firm Has Concluded Forensic Investigation of
Cybersecurity Incident, EQUIFAx (Oct. 2, 2017), https://investor.equifax.com/news-and-
events/news/2017/10-02-2017-213238821#.
48 Id
49 Andrew Nusca, Equifax Stock Has Plunged 18.4% Since
It Revealed Massive
Breach, FORTUNE (Sept. 11, 2017, 1:14 PM), http://fortune.com/2017/09/11/equifax-stock-
cybersecurity-breach/.
" See Tae Kim, Equifax Shares Plunge the Most in 18 Years as Street Says Breach
Will Cost Company Hundreds of Millions, CNBC (Sept. 8, 2017, 10:35 AM),
https://www.cnbc.com/201 7 /0 9 /0 8 /equifax-plunges-as-breach-will-cost-company-
hundreds-of-millions.html.
51 Id
400
RESOLVING DATA BREACH DISPUTE
These cases show how detrimental a data breach incident can be to the
business involved. The incident immediately decreases a company's value,
causes long-term consumer losses, requires extra legal costs for investigations
and implementation of defenses for possible legal actions, and consumers may
demand damages. Companies must take measures to prevent data breach
incidents, but when it happens, the companies must also take actions to
minimize the overall loss.
The current standard among federal courts is to deny most of the data
breach cases on a standing basis. To establish standing in federal courts for a
data breach case, plaintiffs must show, among other things, that they have
suffered an "injury in fact" that is "concrete and particularized" and "actual or
imminent, not conjectural or hypothetical."" Plaintiffs need to prove that the
data breach actually caused some harm, such as unauthorized use of a credit
card which the customer had to pay for, not just the mere fact that the credit
card information was stolen.5 4 The actual harm does not always happen, and
it is hard to prove. Therefore, many lawsuits regarding data breach are brought
as class actions, though many of these lawsuits are dismissed for lack of
standing."
In Clapper v. Amnesty Int'l USA, the Supreme Court held for the
plaintiffs and established standing in federal courts based on U.S. Const. Art.
III, requiring that an injury must be "concrete, particularized, and actual or
imminent." 6 Section 702 of the Foreign Intelligence Surveillance Act of
198757 allows the Attorney General and Director of National Intelligence to
58
acquire foreign intelligence information. The plaintiffs in Clapper are the
persons whose work requires them to engage in sensitive international
communication with people who they believe are likely targets of surveillance
under Section 702 of the Foreign Intelligence Surveillance Act, and they
59
complained that the law is unconstitutional. The plaintiffs asserted that they
could establish standing when there is an objectively reasonable likelihood that
53 SOLOVE & SCHWARTZ, supra note 12, at 952 (citing Friends of the Earth, Inc. v.
Laidlaw Envtl. Sys. (TOC), Inc., 528 U.S. 167 (2000)).
5 C.f Id.
55 Id. at 972.
56 Clapper v. Amnesty Int'l USA, 568 U.S. 398, 409 (2013) (Breyer, J., Ginsburg, J.,
Sotomayor, J., and Kagan, J. dissenting).
57 Foreign Intelligence Surveillance Act, 50 U.S.C. § 1181(a) (2018).
58 Clapper, 568 U.S. at 401.
59 Id
401
OHIO STATE JOURNAL ON DISPUTE RESOLUTION [Vol. 34:2 2019]
60 Id at 410.
61 Id
62 Id
See, e.g., Beck v. McDonald, 848 F.3d 262 (4th Cir.
63
2017); SOLOvE & SCHwARTZ,
supra note 12, at 962.
" Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688, 696-97 (7th Cir. 2015).
65 Id at689-90.
6 Id at 690-92.
67 Id at692.
68 Id at 692-93.
69 Id at 693 (citing In re Adobe Sys., Inc.
Privacy Litig., 66 F. Supp. 3d 1197, 1214
(N.D. Cal. 2014)).
70 Id at 692-93.
402
RESOLVING DATA BREACH DISPUTE
Starting on May 25, 2018, based on the GDPR, all companies subject
to EU regulations will have a duty to notify the local data protection authority
75
("DPA") of any personal data breach. The GDPR requires the notification to
76
DPA within 72 hours of the entity "becoming aware" of a breach. This is a
significant departure from the notification requirement in most other countries,
where the standard is "without undue delay" or "as soon as reasonably
practical."7 7 In addition to the notice to DPA, the GDPR requires notice to
"' Id
72 Id at 697.
7 See, e.g., Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016).
74 See, e.g., In re Yahoo! Inc. Customer Data Sec. Breach Litig., 2017 U.S. Dist.
LEXIS 140212 (N.D. Cal. 2017).
75 Wugmeister et al., supra note 25. The exception is when the breach is "unlikely
to
result in a risk to the rights and freedoms of individuals." Id
76Id
SId; the attitude to notice in other OECD countries varies. Cf Personal Information
Protection and Electronic Documents Act S.C. 2000, c.5, http://laws-
lois.justice.gc.ca/eng/acts/P-8.6/FullText.html (Canada's Personal Information Protection
and Electronic Documents Act will likely be amended to require notification to affected
403
OHIO STATE JOURNAL ON DISPUTE RESOLUTION [Vol. 34:2 20191
individuals if the breach has a high risk to the rights and freedoms of
individuals, such as a risk of discrimination, identity theft, or fraud.7 8
GDPR Art. 33(3) requires the notification to the DPA to include 1) a
description of the nature of the personal data breached, 2) the name and contact
details of the data protection officer or other contact point in the company
where more information can be obtained, 3) a description of the likely
consequences of the personal data breach, and 4) a description of the measures
taken or proposed to be taken by the controller to address the personal data
breach. 79
Because the GDPR requires such a detailed notice provided within 72
hours, unless the companies are always prepared to report the data breach
incidents, the company will not have the time to take measures to deal with
these issues adequately. For example, Equifax announced a breach on
September 7, 2017 although the report later revealed that the company was
aware of suspicious traffic on July 29, 2017.80 Equifax took over a month to
investigate and plan how to deal with the issue. 81 Considering the
international nature of its business, Equifax will likely be subject to the GDPR,
and if the GDPR is effective, then Equifax would have had to give notice to
DPA and the victims of data breach within three days. Because companies will
have limited time to plan how to protect themselves from future losses after
the breach occurs, the companies must be ready to deal with a data breach
incident before it happens. This paper will not discuss the details of the EU
regulations and instead focuses on US law, but even US companies should be
aware of the aspects of these EU regulations as many businesses are
international in nature.
individuals "as soon as feasible" when the breach creates a real risk of significant harm to
an individual. This provision is not yet in force). Australia passed mandatory data breach
notification law in 2017. Office of the Australian Information Commission, Australian
Govervment, Mandatory Data Breach Notification (Apr. 7, 2017)
<https://www.oaic.gov.au/media-and-speeches/statements/mandatory-data-breach-
notification>.
78 Commission Regulation 2016/679, 2016 O.J. (L 119), 1 arts. 9-10; Wugmeister et
al., supra note 25.
79 Commission Regulation 2016/679, 2016 O.J. (L 119), 1 arts. 33(3).
80 Equifax Releases Details, supra note 52.
"' See id (Equifax noticed potential breach on July 29, 2017, contacted a
cybersecurity firm on August 2, 2017, and released the result of investigation on
September 15, 2017).
404
RESOLVING DATA BREACH DISPUTE
405
OHIO STATE JOURNAL ON DISPUTE RESOLUTION [Vol. 34:2 20191
87 Id. at 351-52.
88 Id at 336.
89 Federal Arbitration Act, 9 U.S.C. § 2 (1925).
90 AT&T Mobility LLC, 563 U.S. at 336, 352; see also DIRECTV, Inc. v. Imburgia,
136 S. Ct. 463 (2015).
91 See Stolt-Nielsen S.A. v. AnimalFeeds Int'l Corp., 559 U.S. 662 (2010).
9 Kat Greene, Home Depot Data Breach Attys Seek $18M Fees on $27M Deal, LAW
360 (Aug. 23, 2017, 9:54 PM), https://www.law360.com/articles/957195/home-depot-
data-breach-attys-seek- I 8m-fees-on-27m-deal.
9 Wilko v. Swan, 346 U.S. 427, 431 (1953). At the time the Arbitration Act was
established, the reports of both Houses on the Act stressed the need for avoiding the delay
and expense of litigation. Id.
" See, e.g., United Paperworkers Int'l Union v. Misco, Inc., 484 U.S. 29, 29 (1987).
406
RESOLVING DATA BREACH DISPUTE
95
that they understand the essence of the dispute. The discovery stage can be
96
entirely eliminated or greatly reduced. The arbitration agreement can limit
97
the power of arbitrators to award punitive damages as well. Avoiding
collective action and using arbitration can greatly reduce the overall cost of
the dispute resolution, both in terms of process and the amount of award.
407
OHIO STATE JOURNAL ON DISPUTE RESOLUTION [Vol. 34:2 20191
Charles Riley & Jose Pagliery, Target Will Pay Hack Victims $10 Million, CNN TECH.
(Mar. 19, 2015), http://money.cnn.com/2015/03/19/technology/security/target-data-hack-
settlement/index.html.
106 Id (because the settlement amount would be distributed based on amount of
damage, this is not the exact amount each victim receives).
107 Id
108 See Mizuho Horitsu Jimusyo, Examples and Standards and Prices of Civil
Liability (Amount of Compensation) of Leakage / Leakage of PersonalInformation (Mar.
13, 2014), https://www.mc-law.jp/kigyohomu/9055/ (translation by author). The average
compensation companies voluntarily pay to all victims for the breach of name and address
has been around ¥500 (around $5) in Japan, and most consumers do not take further action.
Id Without any claim, consumers are getting more money than class action in the U.S.,
and both consumers and companies save attorneys' fees and time. Id
109 SOLOVE & SCHWARTZ, supra note 12, at 972-73.
10 David Ellis, How Much Does a Data Breach Cost Your Organization?:A Data
Breach May Cost You More than You Think, SEC. METRICS BLOG (Oct. 17, 2016),
http://blog.securitymetrics.com/2016/10/-how-much-does-a-data-breach-cost.html.
408
RESOLVING DATA BREACH DISPUTE
up to 40% of their revenue from customers after the customers have lost
confidence in their brand."1 Losing $4 million and 40% of their revenue,
along with losing customers in the long term, are enough of an incentive for
most companies to be careful to protect from a data breach. Few companies,
if any, are willing to take the risk of having a data breach incident occur. Most
companies invest money and time to prevent any data breach, but yet data
breaches still occur. The dispute resolution is not really a possible method to
prevent data breaches, but instead should focus on protecting consumers from
any damages they may sustain.
Even if the companies have arbitration clauses, they may be forced by
public pressure to waive arbitration clauses when the breach is serious in
nature and the class action seems appropriate for general public policy
concerns. Equifax originally had arbitration clauses in their term of use
agreements." 2 However, after the incident, Equifax announced that it would
not apply any of the arbitration clauses or class action waivers in their
agreements against the consumers for claims related to the cybersecurity
incident." 3 Companies have no obligation to waive arbitration clauses which
consumers agreed on, but this Equifax incident showed that consumers, along
with the media, are strong enough to pressure the company to waive it when it
is necessary. Companies make these decisions by considering their future
customer relationships and reputation, not only in the short term of the ensuing
dispute. Also, as stated above, if the collective action is what the consumers
want, but not necessarily the litigation, class-wide arbitration is still possible.
In general, class actions do not benefit the consumers, who are the
victim of the data breaches. Because companies have enough incentive to be
careful when dealing with data, having arbitration clauses does not increase a
company's protections from data breach incidents. Arbitration clauses may
" Id
1z Brian Fung, Equifax Finally Responds to Swirling Concerns over Consumers'
Legal Rights, WASH. POST (Sept. 10, 2017), https://www.washingtonpost.com/news/the-
switch/wp/2017/09/08/what-to-know-before-you-check-equifaxs-data-breach-
website/?utmterm=.e00c03eecea6. The original arbitration clause states as follows:
Agreement to resolve all disputes by binding individual
arbitration. Please read this entire section carefully because it
affects your legal rights by requiring arbitration of disputes
(except as set forth below) and a waiver of the ability to bring
or participate in a class action, class arbitration, or other
representative action. Arbitration provides a quick and cost
effective mechanism for resolving disputes, but you should be
aware that it also limits your rights to discovery and appeal.
Id.
113 Id
409
OHIO STATE JOURNAL ON DISPUTE RESOLUTION [Vol. 34:2 20191
410
RESOLVING DATA BREACH DISPUTE
1 4
is key to building long-term customer relationships, and utilizing online
dispute resolution will likely allow companies to communicate more
effectively with each individual consumer with lower costs compared to class
action lawsuits.
Here, the suggestion is to create a three-step dispute resolution system
for privacy breach cases: 1) automated negotiation, 2) e-mediation, and 3)
arbitration with the flexible use of technology.
114 Stephen Shander, Three Ways to Ensure Your CustomerIs Heard, D!GITALIST MAG.
20
(Oct. 24, 2017), http://www.digitalistmag.com/customer-experience/ 17/10/24/3-ways-
375
to-ensure-customer-is-heard-0543 0.
15 But cf Haitham A. Haloush & Basher H. Malkawi, Internet Characteristicand
Online Alternative Dispute Resolution, 13 HARv. NEGOT. L. REv. 327, 327-28 (2008)
(Haloush and Malkawi limited the purpose of OADR to resolve commercial disputes that
arise from use of the internet, but in this paper, the OADR is not limited to the dispute arise
from use of the internet); Schmitz, supra note 98, at 181.
116 ARNO R. LODDER & JOHN ZELEZNIKOW, ENHANCED DISPUTE RESOLUTION
THROUGH THE USE OF INFORMATION TECHNOLOGY 72 (2010).
"7 Haloush & Malkawi, supra note 115, at 329.
118 Id. at 332.
119 LODDER & ZELEZNIKOw, supra note 116, at 12.
120 Haloush & Malkawi, supra note 115, at 332.
411
OHIO STATE JOURNAL ON DISPUTE RESOLUTION [Vol. 34:2 20191
parties. 12 1
Some scholars even suggest that the internet is not simply a new
channel of communication, but that cyberspace is a community itself.1 22
Because the internet changes the nature of the business, the dispute resolution
system also needs to change for the business to be effective. The cyberspace
community needs its own dispute resolution system different from an offline
community. Dispute resolution is one of the earliest forms of human endeavor,
and the form of the dispute resolution keeps improving as the society
changes. 123 The 21st Century is the time to create an effective dispute
resolution system for the cyberspace, and the OADR is one of the possible
solutions.
121 Id at 340.
122 Id at 330-31.
123LODDER & ZELEZNIKOW, supra note 116, at 1 (the extreme
example of the
improvement would be the trial by combat to trial by neutral third person).
124 Id at 13.
125 Id at 96.
126 HUNTON & WILLIAMS, supra
note 37.
127 Lynn A. Epstein, Alternative Dispute Resolution in the
Twenty-First Century:
Cyber E-Mail Negotiation vs. TraditionalNegotiation: Will Cyber Technology Supplement
TraditionalMeans ofSettling Litigation?, 36 TULSA L.J. 839, 845 (2001).
128 Id
412
RESOLVING DATA BREACH DISPUTE
incidents.
Flexibility is one of the benefits of ADR, and the use of the internet
allows the parties to make the process even more flexible. By using the internet,
parties may have flexible scheduling and asynchronous communication, in
addition to real-time dialogue. 129 In OADR, all parties-neutrals, claimant,
13 0
and the respondent-can be in different places. For some procedures, they
do not even need to be online at the same time. The reduced time for travel
and cost associated with travel will be an advantage for all the parties.' 3 1
3. BENEFITS TO CONSUMERS
413
OHIO STATE JOURNAL ON DISPUTE RESOLUTION [Vol. 34:2 20191
1. EXISTING OADRs
135 Id at 67-70.
136 Sebastian Stefanov, eBay: Prepare for Online
Dispute Resolution (OADR),
WEBiNTERPRET (Mar. 7, 2016), https://webinterpret.com/us/blog/ebay-prepare-for-online-
dispute-resolution-OADR/); see also 2013 O.J. (L 165) 1, available at http://eur-
lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32013R0524&from=EN.
137 Debi Miller-Moore, OADR at the AAA: Online Dispute Resolution
in Practice, 38
U. TOL. L. REv. 395, 395 (2006).
138 Id at 397.
139 Id at401.
140 Id
414
RESOLVING DATA BREACH DISPUTE
141
of online dispute resolution for cyberspace disputes. eBay established an
online dispute resolution system for a dispute involving the non-delivery of
142
goods, misrepresentation, unsatisfactory service, etc. It offers an automated
negotiation platform, and refers those disputes not resolved through the
43
automated negotiation to online mediation.
OADR has already been used in numerous situations. Then the
question becomes whether it is suitable for data breaches, and how to design
the system specifically for a data breach case.
The eBay model has been successful, and this model will likely be
able to be applied to data breach contexts. Most of the data breach claims are
as small as non-delivery of goods claims. Therefore, the negotiation and
mediation would often be sufficient to resolve these claims. eBay customers
and sellers are all over the world; similarly, the victims of data breach are all
over the world. This interstate and international feature of the disputes makes
data breach especially suitable to online dispute resolution. However, because
a data breach is not something that happens regularly, unlike non-delivery
claims, using a third-party platform will likely be more practical than
maintaining their own system. Also, when the data breach happens, consumers
lose trust in their service. So, using a third-party platform will provide some
assurances to consumers.
The advantage of the eBay system is that it implements a three-step
dispute resolution. When the negotiation does not solve the issue, it refers the
dispute to mediation. However, there is still a risk that the parties cannot agree
to a resolution at mediation. By adding arbitration, whose award is binding
and enforceable in most countries,1 as a third step, the dispute resolution
system will become complete. By having the following three-step dispute
resolution agreement, the companies will likely be able to keep the relationship
with their consumers while reducing unnecessary costs. Although the
agreement is a key part of ADR, this paper will not discuss how to create an
effective contract that mandates consumers to follow this step.
415
OHIO STATE JOURNAL ON DISPUTE RESOLUTION [Vo\. 34:2 20191
a. Automated Negotiation
b. E-Mediation
416
RESOLVING DATA BREACH DISPUTE
417
OHIO STATE JOURNAL ON DISPUTE RESOLUTION [Vol. 34:2 20191
resolution. When the negotiation does not resolve the dispute, mediation
should be the next step. Most claims will likely be resolved at this point. When
the complete dispute resolution system is required, either individually or class-
wide, arbitration is a better alternative than litigation. By having this three-
step dispute resolution system, the companies can resolve most of the claims
through negotiation or mediation with very low costs, and a focus on
arbitration, which will most likely involve complex issues and greater injury
<claims. That will reduce the cost for dispute resolution by limiting the need for
attorneys, and by utilizing technology, companies may provide consumers
better opportunities to be heard than traditional, off-line dispute resolution
systems.
V. CONCLUSION
418
OHIO STATE JOURNAL ON
DISPUTE RESOLUTION
VOLUME 34
IssuE 3
THE OHIO STATE UNIVERSITY MORITZ COLLEGE OF LAW
,
OFFICERS OF ADMINISTRATION
Michael V. Drake B.A M.D Presidentofthe University
Bruce A McPheron, B.S., MSS, Ph.D., Executive Vice President and Prowst ofthe University
Alan C. Michaels, AB., I.D., Dean ofthe College and EdwinM Cooperman Chair in Law
Daniel P. Tokaj, AB., J.D., Assoc. Deanfor Faculty, Charles W Ebersold & Florence Whitomnb Ebersold Prof. ofLaw, Senior Fellow a/Elecion Law atMontz
Kathy S. Northern, BA., J.D., Assoc. DeanforAdmnissions, DirectorofDiversity andnclusin, and RobertM Duncan/Jones ED 'sig edAssoc Prof a/Law
Paul Rose, BA, J.D.,Assoc. DeanforAcademic Afairs, RabertJ. Wakins/Procter& Gamble Professor oLaw and Exective irector aLaw, Finance and
Governace Prog.
I[ura Fernandez, B.S., J.D., Assist. Deanfor International and Gmduate Afairs andAdjunct Prof
Sara A. Sampson, B.S., M.S., J.D., Assist Dean formnonnation Services, Director ofLaw libry, and Senior Lecturer
Darren NealyBA., J.D., Assist DeanforAcademicAffairs and Adjunct Prof
Michael States, BA., .D., Assist Dean/orAdmissions & FinancialAid
FACULTY EMERITI
Mary Beth Beazley, BA, J.D. David A. Goldberger, B.A, J.D. Nancy H. Rogers, B.A, JD.
Michael Braunstein, B.A, J.D. Lawrence R Herman, AB, LL.B. Michael D. Rose, BA, JD., LLM.
Sanford N. Caust-Ellenbogen, MCR.P., J.D. Lous A. Jacobs, A.B., JD., LL. M Allan J. Samasky, BA, MA, J.D.
Albert L. Clovis, B.A, MA, LLB. Bruce S. Johnson, BA, 1D., M.LS Gregory M. Travalio, BA, J.D., LLM.
Sharon L Davies, B.A., J.D. Michael Kindred, B.A, J.D., M.CL Vinacee F. Verdun, B.A., J.D.
Joshua Dressler, BA., J.D. Joan M. Krauskop, AB., JD. Douglas J. Whaley, B.A., J.D.
Howard P. Fink, B.A., LL.B. John B.Qu ey, AB., M.A., LL.B Charles E. Wilson, B.S , J.D
Gordon E. Gee, BA, Ed.D, J.D. Rhonda R fvera, B.A , M.PA, J.I
FACULTY
Amna Akbar, B.A, J.D Assoc. Prof ofLaw L Camille H ' BA, J.D., Carter C Kissell Prof ofLaw
Douglas A Berman, A.A., JD., Newton D. Baker-Baker & Hostetler Chair in Mohamed S. Heal, BA, M.A LLB., LLM., SJ.D, Assist Prof oflaw
Law Dennis D. Hirsch., BA., J.D., A;rot ofLaw, Director ofProg on Data and
Micah Berman, B.A, J.D.,Assoc. Pof ofPublicHealth and Law Govwrnance
Gregory A. Caldeira, B.A AM., Ph.D., Disinguished Univ. Prof, Ann and Stephanie R Hoffer, B.S., J.D., LLM., Po. ofLaw
D. tl DreherChairin PoL Comnm. andPolicy Thinking andProf of Steven F. Hueher, A.B., J.D., C William O' eill Professor in Law and
Law Judicial Adminisnnon, Senior Fellow ofElection Law at Monitz and
Cinnamon P. Cadame, B.A., B.C.L., M.S., J.D., Alumni Society Designated Director ofClical Prog.
ProfessorofLaw Creola Johnson, B.S J.D., President's Club Prof ofLaw
MarthaChamallas B.A, J.D.,RobertJ L Chairin Law Kimb Jordan, B.5., J.D., Clinical Prof of Law andDirectorofJuscefor
Bryan HI Choi, A.B., JD., Assist Prof. alaw adEngineering
Danel C.K. Chow, BA, J.0., Fronk E. & Virginia H Bazler Chair in Klhrmine S. K ,BA, MA, D. Assoc. Clinical Prof ofLaw and
Business Law Directora/Acadenac Support hog
Holly Coats, BA, J.D., VisitingAssist Prof a/Law Katrina J. Lee, B.A., J.D., lnicalProf a/Law
Amy J. Cohen, B.A., J.D.,JohnC. Slai/V SaterPro ofLaw Deborah Jones Meritt, AB.DJohn DeaverDnko-Baker and Hostetler
Sarah Rudolph Cole, BA, J.D.,John W. BncerProf a/Law and Directorof Clvir in Law
Prog. on Dispute Resolution Dale A Oesterle, BA., M.P.P., J.D., J. Gilbert Reese Chair in Contract Law
Ruth Colker, A.B., J0., Disinguished Univ. Profand Grxce FernHeck Efihimis Parasidis, B.A M .BE, J.D, Prof of Law and Public Health
Faust Chairin Constitutional Law Anne Ralph, B.A.,J.D., bcnial Prof ofLaw
Olwyn Conway, BA, J.D., Assist ClinicalProf ofLaw Courtlyn Roser-Jones, BA., J.D., LL ., Assist Prof ofLaw
Elizabeth Egen Cooke, BA, J.D., ClinicalProf a/Law Guy A. Rub, B.A LLB., MA, LLM SJ.D., Profoflaw
Ellen E. Deason, BA, M.S., J.D., Joanue W. MwplClases of1965 and Dakota Rudesill, .A,J.D., Assist Pro ofLaw
1973 Prof ofLaw Colleen Gaity Settineri, B.S., BA., J ., Assist Clinial Prof of Law
Terri L Ens, BA., J D., Clinical ProfofLaw, Senior Fellow ofElectionLaw Peter M. Shane, AB., J.D., Jacob E Davis & Jacob E Davis 1I Chair in Law
at Moritz Ric Simmons, BA, MA, J.D., ChiefJusice 7hotnesJ Moyer Prof for die
Katherine Hunt Federle, B A., J.D., LL M., Josepi S Plat-Porter Wright Administmtion ofJustice anddie le ofLaw
Morris& Arthur Prof ofLaw andDirectoroftheCenterfor Marc S. Spndelman,B.A.,J.D.,Isadore&IdaT perProf ofLaw
Intenaviscil4naryLaw andPolic Studres Todd A Starker, B A, MB A, J.D ClinicalPro ofLaw
Edward B. Foly A JD, Cas W. Ebersold & FlorenceWhitonnb David Stebenne, BA, MA, J.D, P.D., Prof. ofH r and Law
Ebersold Clairin (onstltutiOnal law and Director of Election Law at JoseJh B. Stulhe% B.A, J.D., M.A, Ph.D., ida E Moritz Chair in
Moritz lternatinveDispute Resolution
William Froehlich, B.A., J.D., Langdon Fellow in Dispute Resolution Chrisopher J. Walker BA, M.P.P, J.D., Assoc. Prof ofLaw, Director of
Larry T. Garvin, BA., B.S., M.S., J.D., Lawrene D. S Prof/alaw Washington D.C Prog ., oPrr
AnrGlogower, BA., J.D., LLM., Assist Pro oflaw Paige L. Wilson, BA., J.D., Assist Clinical Prof of law
Arthur F. Greenbaum, BA., J.D., James W.Socknessy Prof afLaw
ADJUNCT FACULTY
Karim Ali Tod Friedman Rebecca Monroe Reid Wilson
Elizabeth L. Anstaett Gates Garrity-Rokous Norman Nadorff Stephanie Ziegler
Stephen Anway Paul Gatz Ryan O'Rourke
Susan Anidar Franz Geiger Mao Palmer
David T. Ball Peter Glenn-Applegate Frank M. Placenti
Jordan Berman David W. Grauer Matt Richardson
Allison Binkley Gary Greenwald Michael Robertson
Amy Bittner Robb Hen Dan D. Sandman
Ben Bodamer Hon. John E. Hoffman Jr. Hon. Edmund A. Sargs
Joseph Boeckman Melissa Jackson Hon. Jennifer L Sargus
Edward Bratm Daniel J. KayneJessica Kim Edward M. Segelken
Joseph M. Caliguri MaryaC. Kolman Scott V. Simpson
JeffChilcoat James KL. Lawrence Rob Solomon
Hon R. Guy Cole Jr. Shem B. Lzear Douglas Squires
Daniel Conway George Limbert Carter Stewart
Matt Cooer Emma MacGuidwin Hon. Jeffrey S. Sutton
Lorenzo Corte Hon. Algenon L. Marbley Justin Thompson
Jonathan E. Coughlan Greg Mathews Katrima Thomon
Samir Dahman lngnd Mattson Hon. Chelsey MVascu
Rick Daley Patrick McCarthy Hon. Michael H. Watson
Scott E. Failor Hon. Stephen L. McIntosh Robert Weiler
Lauma Fernandez Richard M. Mescher Suzanne Whisler
Benjamin Flowers Robert J. Miller Geoff Wilcox
OHIO STATE JOURNAL ON
DISPUTE RESOLUTION
EDITOR-IN-CHIEF
KISHALA SRIVASTAVA
ASSOCIATE EDITORS
MATTHEW CARPENTER BRIANNA PENN ABBEY ZELLER
STAFF EDITORS
ALI ANDERSON HALLIE ISRAEL SARA SAMS
JASON BROWN HAYLEY KICK KATY SCRUPPI
JAMIE CARDENAS MAX KNUDSEN SARAH SIEWE
ANNA CRISP MITCH LAING MICHAEL STASH
THOMAS DONADLO ZACHARY MARIA JOSEPH TRAMMELL
DYTIESHA DUNSON JUSTIN MCCUEN JENNIFER TRESSLER
KRYSTINA GARABIS CLAIRE MCGAGH MICHAEL WALSH
JOSHUA GMEREK JACK MYERS FEI YU
DINU GODAGE NICHOLAS PASQUARELLO
ANNA GRUSHETSKY BRIANNA RIPPIN
FACULTY ADVISORS
Sarah Rudolph Cole & Joseph B. Stulberg
EDITORIAL AND GENERAL OFFICES: Located at 55 West 12th Avenue, Columbus, Ohio
43210-1391. The JDR can be contacted by phone at (614) 292-7170, by facsimile at (614)
292-3442, and by email at osu-jdr(aosu.edu. Information may also be obtained online at
http://moritzlaw.osu.edu/jdr.
SUBSCRIPTIONS: Domestic, $50.00 per volume; $15 per regular issue. Foreign, $60.00 per
volume; $20.00 per regular issue. Members of the ABA Section of Dispute Resolution receive
a special discounted rate of 50% off the standard subscription price. Please enclose check with
order made payable to the Ohio State Journal on Dispute Resolution. All subscriptions are for
the volume year and will be renewed automatically unless the subscriber provides timely
notice of cancellation. All business or subscription inquiries, and changes of address should be
directed to the Business Editor, Ohio State Journal on Dispute Resolution, 55 West 12th
Avenue, Columbus, Ohio 43210-1391.
SINGLE ISSUES: Issues in the current volume and Volume 33 are available from the JDR for
$15.00 domestic and $20.00 international. Back stock, reprint, and microform editions of the
JDR are available through William S. Hein & Co., Inc., 1285 Main Street, Buffalo, New York,
14209-1987. The William S. Hein & Co. can be contacted by phone at (800) 828-7571 or by
facsimile at (716) 883-8100.
SUBMISSIONS: The JDR welcomes the submission of unsolicited manuscripts, articles, and
book reviews for possible publication. The text and footnotes of all manuscripts should be
double spaced. Please send submissions in hard copy to Ohio State Journal on Dispute
Resolution, 55 West 12th Avenue, Columbus, Ohio 43210-1391 or electronically in MS Word
format to osu-idr(aosu.edu. Manuscripts will not be returned.
CITATION: Please cite to the JDR as follows: 34 OHIO ST. J. ON DisP. RESOL. (2019).