34 Ohio St. J. on Disp. Resol. 393


DATE DOWNLOADED: Tue Mar 22 07:47:08 2022

SOURCE: Content Downloaded from HeinOnline

Citations:

Bluebook 21st ed.


Miki Someya, Resolving Data Breach Dispute: Automated Negotiation, E-Mediation, and
Arbitration Assisted by Technology, 34 OHIO ST. J. ON DISP. RESOL. 393 (2019).

Resolving Data Breach Dispute: Automated
Negotiation, E-Mediation, and Arbitration
Assisted by Technology
MIKI SOMEYA*

I. INTRODUCTION

II. THE GROWING RISK OF DATA BREACHES
A. Definition of a Data Breach
1. YAHOO DATA BREACH
2. ANTHEM DATA BREACH
3. TARGET DATA BREACH
4. EQUIFAX DATA BREACH
B. Increasing Risk of Legal Actions
C. European General Data Protections Regulation - New Obligation to Notify of a Personal Data Breach

III. ALTERNATIVE DISPUTE RESOLUTION FOR DATA BREACH DISPUTES
A. Mandatory Arbitration Clauses and Waiver of Collective Action
1. AVOID COLLECTIVE ACTION
2. INDIVIDUAL ARBITRATION CAN STILL REDUCE THE COST OF ATTORNEY'S FEE
B. Is an Arbitration Clause Against the Interest of the Consumers?

IV. UTILIZING ONLINE DISPUTE RESOLUTION SYSTEMS FOR A DATA BREACH CASE
A. Online Dispute Resolution System
1. WHAT ONLINE ALTERNATIVE DISPUTE RESOLUTION CHANGES AND WHAT IT DOES NOT
2. GENERAL BENEFIT TO ALL OF THE PARTIES
3. BENEFITS TO CONSUMERS
4. RISKS AND ISSUES WITH ONLINE DISPUTE RESOLUTION
B. Keeping Relationships with Consumers - The Three Step System
1. EXISTING OADRS
2. THREE-STEP DISPUTE RESOLUTION SYSTEM FOR DATA BREACH
a. Automated Negotiation
b. E-Mediation
c. Arbitration with the Flexible Use of Technology

V. CONCLUSION

* Miki Someya received her Juris Doctor from the Ohio State University Moritz
College of Law in 2019. Ms. Someya received her Bachelor of Arts in Law from Rikkyo
University in Tokyo, Japan.

OHIO STATE JOURNAL ON DISPUTE RESOLUTION [Vol. 34:2 2019]

I. INTRODUCTION

Digital information is everywhere, and effective use of digital
information is fundamental to life today.¹ Corporations store almost all data
electronically, and these intangible assets, such as information and intellectual
property, are the most valuable assets of these companies.² One of the most
important assets that companies hold is consumer personal information.
Avoiding a data breach must always be the first priority, but companies also
need to be ready to resolve a data breach dispute as soon as it happens. This
paper will analyze effective ways to resolve data breaches utilizing technology.

With the growing use of technology, companies are facing the greatest
risk of data breach in history. The increase of available information in digital
form contributes to the growth of cybercrime.³ 2017 was, so far, the worst
year for data breach.⁴ Major companies came under attack, such as Yahoo,
which announced the largest data breach in history, and Equifax, which
announced its most serious data breach incident in history.⁵ The Equifax
breach in September 2017 affected approximately 143 million consumers, and
Yahoo reported that their incident in 2013 affected more than 1 billion people.⁶

Right to privacy is a fundamental right of the people,⁷ and there can
be no privacy without information security.⁸ The modern concept of privacy
is defined as "'[t]he [sic] appropriate use of personal information under the
circumstances. What is appropriate will depend on context, law, and the
individual's expectations; also, the right of an individual to control the
collection, use, and disclosure of their personal information.'"⁹ Warren and
Brandeis first suggested the idea of a right to privacy in 1890.¹⁰ Warren and
Brandeis referred to privacy as the right to be let alone.¹¹ This article is

1 THOMAS J. SHAW, INFORMATION SECURITY AND PRIVACY: A PRACTICAL GUIDE FOR
GLOBAL EXECUTIVES, LAWYERS AND TECHNOLOGISTS 1 (Thomas J. Shaw ed., 2011).
2 See id.
3 Id. at 13.
4 Heidi Daitch, 2017 Data Breaches - The Worst So Far, IDENTITYFORCE (Dec. 14,
2017), https://www.identityforce.com/blog/2017-data-breaches.
5 Id.
6 Id.
7 See, e.g., Griswold v. Connecticut, 381 U.S. 479, 485-86 (1965).
8 SHAW, supra note 1, at 23.
9 Id. (citing International Association of Privacy Professionals (IAPP), Information
Privacy Certification Glossary of Common Privacy Terminology).
10 See Samuel D. Warren & Louis Brandeis, Right to Privacy, 4 HARV. L. REV. 193,
196-97 (1890).
11 Id. at 193.


considered the "most influential law review article of all."¹² Over thirty years
after it was written, in Kyllo v. United States, the Supreme Court cited this
article in their decision, not only in the majority opinion, but also in the
concurrence, and even in the dissent.¹³ Given that critical elements of privacy
are now largely stored electronically, information security has become a
fundamental element in protecting privacy.

Consumers provide a lot of information to companies,¹⁴ but they want
their personal information to be kept private.¹⁵ At the same time, companies
have competitive and reputational interests in protecting their consumers'
data.¹⁶ No company wants a data breach, but even if they are cautious, as the
numbers and types of information breaches increase, the risk and
challenges of securing their consumers' information also increase.¹⁷
Electronically stored data is more vulnerable to attack: unlike consumer data
stored as hard copy documents, an employee may copy the data without
damaging the original, or the server may be hacked from the other side of the
earth.

When a breach happens, then the issue for these companies becomes
how to solve the disputes arising with their consumers, who expected their
information to be secured.¹⁸ The companies have a continuous obligation to
protect their consumers' privacy and prevent further breaches, but consumers
may ultimately take action to seek damages from the companies if their
information is breached. Companies have a statutory obligation, a common-law
based obligation, a regulatory obligation, and a contract-based obligation
to protect this information.¹⁹ Thus a data breach can be a crime, tort,

12 DANIEL J. SOLOVE & PAUL M. SCHWARTZ, INFORMATION PRIVACY LAW 11 (6th ed.
2018).
13 Id. (referring to Kyllo v. United States, 533 U.S. 27 (2001)).
14 See, e.g., Todd Haselton, How to Find Out What Google Knows About You and
Limit the Data It Collects, CNBC (Nov. 20, 2017, 11:50 AM),
https://www.cnbc.com/2017/11/20/what-does-google-know-about-me.html (Google
knows name, gender, birthdate, the website you visited, where you work and live, and a lot
more information about us).
15 SHAW, supra note 1, at 1.
16 Id.
17 Id. This paper focuses primarily on the data breach by external crime, such as
hacking, or accident, but does not consider the case of companies' malicious, intentional,
or gross-negligent data breach. This paper does not discuss the definition of
"gross-negligent" in the context of data breach.
18 Although the data breach can happen in a Business-to-business situation and
administrative agencies are often involved in the resolution of data breach incident, this
paper will focus on the dispute between companies and consumers.
19 Id. at 109.


regulatory and statutory violation, or contract breach claim.²⁰ They may result
in class actions or other forms of costly litigation for the companies.²¹

Because the companies already suffered losses from taking additional
measures to prevent further breaches and possible criminal and administrative
fines as outlined by law, resolving consumer claims effectively and efficiently
is crucial to minimizing the total losses of the company by the entire data
breach incident. Alternative dispute resolution ("ADR"), including negotiation,
mediation and arbitration, is an effective approach to settle disputes adequately
without the costs and publicity of the court system.²² The use of an online
dispute resolution forum may make ADR even more cost and time efficient for
these companies, especially in small claims and international disputes. It also
allows a fairer and faster solution for consumers.

Part I of this paper will explain the background of data breach disputes.
It will also explain what a data breach is, why a data breach is a concern, and
why the companies should be prepared to resolve any data breach disputes that
arise. Part II will explain why alternative dispute resolutions are suitable to
resolve a data breach dispute. This section will focus on how to avoid class
action lawsuits, and how arbitration can be a better alternative to class action
lawsuits for both the companies and consumers. Lastly, Part III will explain
how the use of technology can make this dispute resolution more streamlined
and fair. It will explain what Online Alternative Dispute Resolution (OADR)
is, how it is suitable to resolve a data breach dispute, and finally, it will suggest
how to design the online dispute resolution system for data breach incidents.

II. THE GROWING RISK OF DATA BREACHES

A. Definition of a Data Breach

The definition of "breach" differs in different states, but most states
define a data breach as "the unauthorized acquisition of and access to
unencrypted or unredacted computerized data that results in the compromise
of the security, confidentiality, or integrity of personal information maintained
by the person or business experiencing the breach."²³ Some states also require
the breached data to be material.²⁴

20 Id.
21 Id. at 144.
22 See Anjanette H. Raymond, Yeah, But Did You See the Gorilla? Creating and
Protecting an Informed Consumer in Cross-Border Online Dispute Resolution, 19 HARV.
NEGOT. L. REV. 129, 133 (2014).
23 SHAW, supra note 1, at 64.
24 Id.


In the European Union, the European General Data Protection
Regulation (GDPR) Art. 4(12) defines a personal data breach as "a breach of
security leading to the accidental or unlawful destruction, loss, alteration,
unauthorized disclosure of, or access to, personal data transmitted, stored or
otherwise processed."²⁵

The costs associated with a data breach cause massive losses for
businesses. In 2009, the average cost per incident of a data breach in the U.S.
was over $6 million, with the cost of each single breach recorded estimated at
$204.²⁶ Worldwide, over $1 trillion was lost due to data breaches in 2009
alone.²⁷

Companies have obligations to protect data from unauthorized use by
several different sources, including statute and common law.²⁸ Thus the data
breach could amount to a crime, tort, regulatory violation, or contract breach
claim.²⁹ The following examples of past incidents show just how adverse the
effects of a single data breach can be to a company.

1. YAHOO DATA BREACH

The largest breach in the history of the internet was the data breach of
the Yahoo accounts in 2013. Yahoo reported a breach incident on October 9,
2017.³⁰ At least 1 billion user accounts, or possibly every single Yahoo
account -- three billion users in total -- were impacted by the breach.³¹
Although the incident happened in 2013, Yahoo did not even make an initial
announcement until 2016, and still did not accurately announce how many
people were actually affected until Verizon acquired Yahoo's assets and made
those disclosures in 2017.³² Even after undertaking thorough investigations
for four years, who was actually behind this incident is still unknown.³³

The cost of Yahoo's data breach became clear through the asset

25 Miriam H. Wugmeister et al., Breach Notification Is Coming to the EU, MORRISON
FOERSTER (Nov. 2, 2017),
https://www.mofo.com/resources/publications/171102-breach-notification-eu.html.
26 SHAW, supra note 1, at 13.
27 Id.
28 Id. at 109.
29 Id.
30 Daitch, supra note 4.
31 Daitch, supra note 4.
32 Selena Larson, Every Single Yahoo Account Was Hacked - 3 Billion in All, CNN
TECH (Oct. 4, 2017, 6:36 AM),
http://money.cnn.com/2017/10/03/technology/business/yahoo-breach-3-billion-accounts/index.html?iid=EL.
33 Daitch, supra note 4.


acquisition of Yahoo by Verizon.³⁴ The breach actually forced Yahoo to cut its
sales price by $350 million.³⁵ Furthermore, the $350 million loss does not
include other losses, such as the loss of customers, business disruption,
regulatory fines, and legal fees.³⁶

2. ANTHEM DATA BREACH

The data breach incident of Anthem is so far the highest recorded
amount of settlement for a data breach lawsuit.³⁷ Anthem, the nation's second
largest health insurance company, announced a data breach incident in 2015
affecting more than 78 million people.³⁸ Following class action lawsuits,
Anthem reached a $115 million settlement.³⁹ The settlement amount also
included up to $38 million in attorneys' fees.⁴⁰

3. TARGET DATA BREACH

The data breach incident of Target was one of the largest data breaches
to a U.S. retailer.⁴¹ Credit card and debit card information of up to 40 million
customers was stolen.⁴² Target reached an $18.5 million settlement, with a
good portion of the settlement money going to 47 states and the District of
Columbia as part of a settlement with state attorneys general, including $1.4
million of the settlement going to California, and $635,000 to New York.⁴³
After everything was settled, Target announced that total cost of the data
34 Fredric Paul, We Finally Know How Much a Data Breach Can Cost, NETWORK
WORLD (Feb. 21, 2017, 6:54 AM),
https://www.networkworld.com/article/3172402/security/we-finally-know-how-much-a-data-breach-can-cost.html.
35 Id.
36 Id.
37 Record Data Breach Settlement in Anthem Class Action, HUNTON & WILLIAMS
(June 26, 2017),
https://www.huntonprivacyblog.com/2017/06/26/record-data-breach-settlement-anthem-class-action/.
38 Id.
39 Id.
40 Id.
41 Target Pays Millions to Settle State Data Breach Lawsuits, REUTERS (May 23,
2017), http://fortune.com/2017/05/23/target-settlement-data-breach-lawsuits/.
42 Id.
43 Id.; Rachel Abrams, Target to Pay $18.5 Million to 47 States in Security Breach
Settlement, N.Y. TIMES (May 23, 2017),
https://www.nytimes.com/2017/05/23/business/target-security-breach-settlement.html. In
addition to the monetary settlement, Target agreed to tighten its digital security. Id.


breach was $202 million.⁴⁴

4. EQUIFAX DATA BREACH

The breach of Equifax is still considered, by far, the worst data breach
case ever. Equifax, one of the three largest credit agencies in the U.S.,
announced a data breach incident on September 7, 2017.⁴⁵ Because of the
sensitivity of the stolen data, including Social Security numbers, driver's
license numbers, name, birth dates, and addresses, this incident is considered
one of the worst breaches ever.⁴⁶ Equifax announced that in total, 145.5
million U.S. consumers and 8,000 Canadian citizens were impacted by this
incident.⁴⁷ Approximately 109,000 credit card numbers were stolen and
182,000 people's personal identification information was accessed.⁴⁸

The impact of this breach was significant to the company. After the
announcement of the incident, Equifax's stock price decreased by more than
18%, from $143 to $116.⁴⁹ That was the largest single-day drop since August
20, 1999.⁵⁰ Based on past incidents, a financial analyst, Shlomo Rosenbaum,
estimated the gross cost for this incident may have been around $325 million.⁵¹
Equifax later admitted that its security organization was aware of the
vulnerability at the time of the incident in March 2017.⁵² Although the
company claims it took efforts to identify and patch the vulnerability, the
incident happened before it could fix the issue.

44 Id.
45 Daitch, supra note 4; 2017 Cybersecurity Incident & Important Consumer
Information, Consumer Notice, EQUIFAX,
https://www.equifaxsecurity2017.com/consumer-notice/ (last visited Feb. 17, 2018).
46 Daitch, supra note 4; 2017 Cybersecurity Incident, supra note 45.
47 Equifax Announces Cybersecurity Firm Has Concluded Forensic Investigation of
Cybersecurity Incident, EQUIFAX (Oct. 2, 2017),
https://investor.equifax.com/news-and-events/news/2017/10-02-2017-213238821#.
48 Id.
49 Andrew Nusca, Equifax Stock Has Plunged 18.4% Since It Revealed Massive
Breach, FORTUNE (Sept. 11, 2017, 1:14 PM),
http://fortune.com/2017/09/11/equifax-stock-cybersecurity-breach/.
50 See Tae Kim, Equifax Shares Plunge the Most in 18 Years as Street Says Breach
Will Cost Company Hundreds of Millions, CNBC (Sept. 8, 2017, 10:35 AM),
https://www.cnbc.com/2017/09/08/equifax-plunges-as-breach-will-cost-company-hundreds-of-millions.html.
51 Id.
52 Equifax Releases Details on Cybersecurity Incident, Announces Personnel
Changes, EQUIFAX (Sept. 15, 2017),
https://investor.equifax.com/news-and-events/news/2017/09-15-2017-224018832#


These cases show how detrimental a data breach incident can be to the
business involved. The incident immediately decreases a company's value,
causes long-term consumer losses, requires extra legal costs for investigations
and implementation of defenses for possible legal actions, and consumers may
demand damages. Companies must take measures to prevent data breach
incidents, but when it happens, the companies must also take actions to
minimize the overall loss.

B. Increasing Risk of Legal Actions

The current standard among federal courts is to deny most of the data
breach cases on a standing basis. To establish standing in federal courts for a
data breach case, plaintiffs must show, among other things, that they have
suffered an "injury in fact" that is "concrete and particularized" and "actual or
imminent, not conjectural or hypothetical."⁵³ Plaintiffs need to prove that the
data breach actually caused some harm, such as unauthorized use of a credit
card which the customer had to pay for, not just the mere fact that the credit
card information was stolen.⁵⁴ The actual harm does not always happen, and
it is hard to prove. Therefore, many lawsuits regarding data breach are brought
as class actions, though many of these lawsuits are dismissed for lack of
standing.⁵⁵

In Clapper v. Amnesty Int'l USA, the Supreme Court held for the
plaintiffs and established standing in federal courts based on U.S. Const. Art.
III, requiring that an injury must be "concrete, particularized, and actual or
imminent."⁵⁶ Section 702 of the Foreign Intelligence Surveillance Act of
1987⁵⁷ allows the Attorney General and Director of National Intelligence to
acquire foreign intelligence information.⁵⁸ The plaintiffs in Clapper are the
persons whose work requires them to engage in sensitive international
communication with people who they believe are likely targets of surveillance
under Section 702 of the Foreign Intelligence Surveillance Act, and they
complained that the law is unconstitutional.⁵⁹ The plaintiffs asserted that they
could establish standing when there is an objectively reasonable likelihood that

53 SOLOVE & SCHWARTZ, supra note 12, at 952 (citing Friends of the Earth, Inc. v.
Laidlaw Envtl. Sys. (TOC), Inc., 528 U.S. 167 (2000)).
54 Cf. id.
55 Id. at 972.
56 Clapper v. Amnesty Int'l USA, 568 U.S. 398, 409 (2013) (Breyer, J., Ginsburg, J.,
Sotomayor, J., and Kagan, J. dissenting).
57 Foreign Intelligence Surveillance Act, 50 U.S.C. § 1181(a) (2018).
58 Clapper, 568 U.S. at 401.
59 Id.


their communication will be acquired at some point in the future.⁶⁰ However,
the Court decided the threatened injury must be "certainly impending to
constitute injury in fact."⁶¹ For this particular case, the Court concluded that
the argument relied on a speculative chain of theory, and eventually dismissed
the case for lack of standing.⁶²

Based on Clapper, many courts have also denied standing to plaintiffs
in data breach cases when plaintiffs claim an injury due to an increased risk of
future harm or expenditures they had to take to reduce the risk of a future
harm.⁶³ However, some courts recently have held differently.

In Remijas v. Neiman Marcus Group, LLC, the Seventh Circuit
admitted the standing of plaintiff when the claim was based on future risk and
their mitigation costs.⁶⁴ In Remijas, hackers attacked Neiman Marcus, a
luxury department store, and approximately 350,000 credit card numbers of
customers had been exposed to the hackers' malware.⁶⁵ The customers
brought the action as a class action, and the complaint included a concrete risk
of harm for the people whose cards were hacked but had not yet experienced
fraudulent charges in addition to the 9,200 fraudulent charges which had
already been incurred.⁶⁶ The issue was whether the plaintiffs had standing
under Clapper's requirement that injury either already had occurred or was
certainly impending.⁶⁷ The plaintiffs claimed that they must spend time and
money mitigating the risks from this data breach, such as replacing the card
and monitoring their credit score.⁶⁸

The court in Remijas distinguished the case from Clapper, because in
Remijas, the plaintiffs' data was certainly compromised and over nine
thousand people already suffered fraudulent use, unlike the Clapper case in
which it was not clear whether plaintiffs were subject to surveillance by
the government.⁶⁹ Thus, the court distinguished the Remijas plaintiffs' claim from
the Clapper plaintiffs' claim, which was based on a chain of events that was
both "highly attenuated" and "highly speculative."⁷⁰ The Court mentioned

60 Id. at 410.
61 Id.
62 Id.
63 See, e.g., Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017); SOLOVE & SCHWARTZ,
supra note 12, at 962.
64 Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688, 696-97 (7th Cir. 2015).
65 Id. at 689-90.
66 Id. at 690-92.
67 Id. at 692.
68 Id. at 692-93.
69 Id. at 693 (citing In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1214
(N.D. Cal. 2014)).
70 Id. at 692-93.


that in this case injury will occur in "objectively reasonable likelihood,"
and that requiring the plaintiffs to wait for the threatened harm to materialize
will create a different problem: "[T]he more time that passes between a data
breach and an instance of identity theft, the more latitude a defendant has to
argue that the identity theft is not 'fairly traceable' to the defendant's data
breach" which will make it difficult for the consumer to recover against the
defendant.⁷¹ The Seventh Circuit decided that the injuries were sufficient to
satisfy the standing requirement, and that the plaintiffs should not have to wait
to have class action standing.⁷² The Seventh Circuit is consistently following
Remijas,⁷³ and some other circuits, including the Ninth Circuit, have also
followed this line of reasoning.⁷⁴

This circuit split may lead to an increased number of class action
lawsuits. The cases which had originally been dismissed for a lack of standing
may possibly come to trial on this issue, especially in the Seventh and Ninth
Circuits, and other circuits may come to follow them. Then, if the plaintiffs can
prove an "objectively reasonable likelihood" of injury, the companies will
have to be ready to actually settle these cases, instead of relying on the case
being dismissed at summary judgement.

C. European General Data Protections Regulation - New
Obligation to Notify of a Personal Data Breach

Starting on May 25, 2018, based on the GDPR, all companies subject
to EU regulations will have a duty to notify the local data protection authority
("DPA") of any personal data breach.⁷⁵ The GDPR requires the notification to
the DPA within 72 hours of the entity "becoming aware" of a breach.⁷⁶ This is a
significant departure from the notification requirement in most other countries,
where the standard is "without undue delay" or "as soon as reasonably
practical."⁷⁷ In addition to the notice to the DPA, the GDPR requires notice to

71 Id.
72 Id. at 697.
73 See, e.g., Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016).
74 See, e.g., In re Yahoo! Inc. Customer Data Sec. Breach Litig., 2017 U.S. Dist.
LEXIS 140212 (N.D. Cal. 2017).
75 Wugmeister et al., supra note 25. The exception is when the breach is "unlikely to
result in a risk to the rights and freedoms of individuals." Id.
76 Id.
77 Id.; the attitude to notice in other OECD countries varies. Cf. Personal Information
Protection and Electronic Documents Act S.C. 2000, c.5,
http://laws-lois.justice.gc.ca/eng/acts/P-8.6/FullText.html (Canada's Personal Information Protection
and Electronic Documents Act will likely be amended to require notification to affected


individuals if the breach has a high risk to the rights and freedoms of
individuals, such as a risk of discrimination, identity theft, or fraud.⁷⁸

GDPR Art. 33(3) requires the notification to the DPA to include 1) a
description of the nature of the personal data breached, 2) the name and contact
details of the data protection officer or other contact point in the company
where more information can be obtained, 3) a description of the likely
consequences of the personal data breach, and 4) a description of the measures
taken or proposed to be taken by the controller to address the personal data
breach.⁷⁹

Because the GDPR requires such a detailed notice provided within 72
hours, unless the companies are always prepared to report the data breach
incidents, the company will not have the time to take measures to deal with
these issues adequately. For example, Equifax announced a breach on
September 7, 2017, although the report later revealed that the company was
aware of suspicious traffic on July 29, 2017.⁸⁰ Equifax took over a month to
investigate and plan how to deal with the issue.⁸¹ Considering the
international nature of its business, Equifax will likely be subject to the GDPR,
and if the GDPR is effective, then Equifax would have had to give notice to
the DPA and the victims of data breach within three days. Because companies will
have limited time to plan how to protect themselves from future losses after
the breach occurs, the companies must be ready to deal with a data breach
incident before it happens. This paper will not discuss the details of the EU
regulations and instead focuses on US law, but even US companies should be
aware of the aspects of these EU regulations as many businesses are
international in nature.

individuals "as soon as feasible" when the breach creates a real risk of significant harm to
an individual. This provision is not yet in force). Australia passed mandatory data breach
notification law in 2017. Office of the Australian Information Commission, Australian
Government, Mandatory Data Breach Notification (Apr. 7, 2017)
<https://www.oaic.gov.au/media-and-speeches/statements/mandatory-data-breach-notification>.
78 Commission Regulation 2016/679, 2016 O.J. (L 119), 1 arts. 9-10; Wugmeister et
al., supra note 25.
79 Commission Regulation 2016/679, 2016 O.J. (L 119), 1 arts. 33(3).
80 Equifax Releases Details, supra note 52.
81 See id. (Equifax noticed potential breach on July 29, 2017, contacted a
cybersecurity firm on August 2, 2017, and released the result of investigation on
September 15, 2017).


III. ALTERNATIVE DISPUTE RESOLUTION FOR DATA BREACH DISPUTES

As discussed above, a single data breach incident costs millions of
dollars for the companies to resolve. The main costs are the notification costs,
fines, settlement or litigation awards, and the loss of customers.⁸² Notification
costs and fines are hard to reduce as they are statutory requirements. However,
the amount of an award can be reduced by utilizing arbitration, and the loss of
customers may be also mitigated by effective use of dispute resolution
processes. The U.S. Supreme Court is strongly favorable to arbitration.⁸³ In
Mitsubishi Motors Corp., the U.S. Supreme Court stated that under the
Arbitration Act, as a matter of federal law, "any doubts concerning the scope
of arbitrable issues should be resolved in favor of arbitration" whatever the
problem at hand is.⁸⁴ Therefore, the arbitration clause will likely be enforced
if the company includes it in an agreement.

A. Mandatory Arbitration Clauses and Waiver of Collective Action

1. AVOID COLLECTIVE ACTION

As outlined previously, most cases have been dismissed on standing
grounds due to lack of injury, because the loss resulting from a data breach for
an individual consumer is usually minimal or nothing at all. Therefore, if the
method of dispute resolution is individual arbitration, not collective action,
those who suffer minimal or no injury will not likely be capable of suing the
company. It is already common practice for the companies to include
arbitration clauses and explicitly bar class actions - so called class action
waivers.⁸⁵

In AT&T Mobility LLC v. Concepcion,⁸⁶ the Supreme Court upheld

82 See infra Section II(B).
83 DANIEL C.K. CHOW & THOMAS J. SCHOENBAUM, INTERNATIONAL BUSINESS
TRANSACTIONS: PROBLEMS, CASES, AND MATERIALS 594 (3d ed. 2015) (citing Scherk v.
Alberto-Culver Co., 417 U.S. 506 (1974); Mitsubishi Motors Corp. v. Soler
Chrysler-Plymouth, Inc., 473 U.S. 614 (1985); Vimar Seguros y Reaseguros, S.A. v. M/V Sky Reefer,
515 U.S. 528 (1995)).
84 Mitsubishi Motors Corp., 473 U.S. at 626 (quoting Moses H. Cone Mem'l Hosp. v.
Mercury Constr. Corp., 460 U.S. 1, 24-25 (1983)).
85 Jean R. Sternlight, As Mandatory Binding Arbitration Meets the Class Action, Will
the Class Action Survive?, 42 WM. & MARY L. REV. 1, 6 (2001).
86 AT&T Mobility LLC v. Concepcion, 563 U.S. 333, 344 (2011).


the enforceability of mandatory individual arbitration.87 The contract between
consumers and AT&T provided for arbitration of all disputes between the
parties, and required all actions to be in individual capacity.88 Although the
Ninth Circuit declined to compel arbitration, the Supreme Court decided that Section
2 of the Federal Arbitration Act ("FAA")89 prohibits States from
conditioning the enforceability of certain arbitration clauses on the availability of
class arbitration procedures.90 The Supreme Court is so favorable to
arbitration that once the parties have a mandatory arbitration clause, it will
likely be enforced, including a mandatory individual arbitration clause. As
discussed in Part-III below, once the class action can be avoided, arbitration,
negotiation, or mediation will likely work to resolve the dispute. Even if the
companies have an arbitration clause, the silence on the issue of collective
action can possibly be understood as allowing the arbitration to proceed as a class-wide
arbitration. Therefore, companies should explicitly limit collective action in
arbitrations, not only class action litigation.91

2. INDIVIDUAL ARBITRATION CAN STILL REDUCE THE COST OF ATTORNEY'S FEE

The largest cost which can be reduced through arbitration is the
attorney's cost. For example, in the case of Home Depot Data Breach, the
attorneys' costs were $18 million out of the whole $24 million settlement
award.92 Arbitration is generally quicker and cheaper than litigation.93 The
key to reducing the cost is to reduce the time it takes for the dispute resolution
process. The longer it takes, the higher the cost. Arbitration is quicker than
litigation in two ways. First, the process is flexible, and second, an appeal is
extremely limited.94 The hearing is usually quicker than litigation because the
parties do not need to repeat their arguments when the arbitrators make it clear

87 Id. at 351-52.
88 Id. at 336.
89 Federal Arbitration Act, 9 U.S.C. § 2 (1925).
90 AT&T Mobility LLC, 563 U.S. at 336, 352; see also DIRECTV, Inc. v. Imburgia,
136 S. Ct. 463 (2015).
91 See Stolt-Nielsen S.A. v. AnimalFeeds Int'l Corp., 559 U.S. 662 (2010).
92 Kat Greene, Home Depot Data Breach Attys Seek $18M Fees on $27M Deal, LAW360
(Aug. 23, 2017, 9:54 PM), https://www.law360.com/articles/957195/home-depot-data-breach-attys-seek-18m-fees-on-27m-deal.
93 Wilko v. Swan, 346 U.S. 427, 431 (1953). At the time the Arbitration Act was
established, the reports of both Houses on the Act stressed the need for avoiding the delay
and expense of litigation. Id.
94 See, e.g., United Paperworkers Int'l Union v. Misco, Inc., 484 U.S. 29, 29 (1987).


that they understand the essence of the dispute.95 The discovery stage can be
entirely eliminated or greatly reduced.96 The arbitration agreement can limit
the power of arbitrators to award punitive damages as well.97 Avoiding
collective action and using arbitration can greatly reduce the overall cost of
the dispute resolution, both in terms of process and the amount of award.

B. Is an Arbitration Clause Against the Interest of the Consumers?

Arbitration has been criticized from the consumer protection
perspective. However, the convenience and cost-saving aspects of internet
communications can make arbitration an even more attractive and affordable
alternative for resolving the claims between companies and consumers.98
The Consumer Financial Protection Bureau (CFPB) determined that
arbitration clauses actually do more harm than good, and it decided to ban
arbitration clauses for financial institutions.99 CFPB stated that arbitration
clauses make it "nearly impossible for people to take companies to court when
things go wrong."100 On July 10, 2017, CFPB announced a new rule to ban
companies from using mandatory arbitration clauses.101 However, Congress
disapproved the ban, and on November 1, 2017, the president signed the joint
resolution.102 Therefore, this rule is no longer effective, and now only useful
for reference purposes.103

95 FAYE FANGFEI WANG, ONLINE DISPUTE RESOLUTION: TECHNOLOGY, MANAGEMENT
AND LEGAL PRACTICE FROM AN INTERNATIONAL PERSPECTIVE 27 (2009).
96 But see Sean T. Carnathan, Discovery in Arbitration?, 10(4) BUS. L. TODAY (2001),
https://apps.americanbar.org/buslaw/blt/bltmarO lcarnathan.html.
97 Jessica Jia Fei, Award of Punitive Damages, 2003 STOCKHOLM ARBITRATION
REPORT 2003 20, 23 (2003).
98 Amy J. Schmitz, "Drive-Thru" Arbitration in the Digital Age: Empowering
Consumers Through Binding ODR, 62 BAYLOR L. REV. 178, 202 (2010).
99 Brian Fung, Equifax Finally Responds to Swirling Concerns over Consumers'
Legal Rights, WASH. POST (Sept. 10, 2017), https://www.washingtonpost.com/news/the-switch/wp/2017/09/08/what-to-know-before-you-check-equifaxs-data-breach-website/?utm_term=.e00c03eecea6.
100 CFPB Issues Rule to Ban Companies from Using Arbitration Clauses to Deny
Groups of People Their Day in Court: Financial Companies Can No Longer Block
Consumers from Joining Together to Sue over Wrongdoing, CONSUMER FINANCE
PROTECTION BUREAU (July 10, 2017), https://www.consumerfinance.gov/about-us/newsroom/cfpb-issues-rule-ban-companies-using-arbitration-clauses-deny-groups-people-their-day-court/.
101 Id.
102 Id.
103 Id.


However, whether a class action lawsuit brought in court always
serves the best interest of the consumer is questionable. As a result of
arbitration, attorneys receive a large amount of the award in attorney's fees,
but class members rarely receive a significant benefit from the agreed-to
settlement.104 For example, in the data breach of Target, Target eventually paid
around $18.5 million to 47 states to settle the case with state attorneys general,
and about $10 million to 40 million individuals in a class action.105 This is
worth approximately $0.25 for each person.106 On the other hand, the
attorneys received up to $6.75 million in fees.107 The consumers do not
receive a substantial benefit, and sometimes no benefit at all from the class
action suits.108
On the other hand, class action suits may provide a strong incentive
for the companies to be careful and take additional measures to avoid a data
security breach in the first place.109 This may be true, but companies already
have enough incentives to be careful with personal data without these class
action lawsuits. According to a study, one data breach incident costs up to $4
million without including the civil judgement award and legal fees.110 More
significant than this one-time cost, after a breach, many businesses have lost

104 SOLOVE & SCHWARTZ, supra note 12, at 972.
105 Rachel Abrams, Target to Pay $18.5 Million to 47 States in Security Breach
Settlement, N.Y. TIMES (May 23, 2017),
https://www.nytimes.com/2017/05/23/business/target-security-breach-settlement.html;
Charles Riley & Jose Pagliery, Target Will Pay Hack Victims $10 Million, CNN TECH.
(Mar. 19, 2015), http://money.cnn.com/2015/03/19/technology/security/target-data-hack-settlement/index.html.
106 Id. (because the settlement amount would be distributed based on amount of
damage, this is not the exact amount each victim receives).
107 Id.
108 See Mizuho Horitsu Jimusyo, Examples and Standards and Prices of Civil
Liability (Amount of Compensation) of Leakage / Leakage of Personal Information (Mar.
13, 2014), https://www.mc-law.jp/kigyohomu/9055/ (translation by author). The average
compensation companies voluntarily pay to all victims for the breach of name and address
has been around ¥500 (around $5) in Japan, and most consumers do not take further action.
Id. Without any claim, consumers are getting more money than class action in the U.S.,
and both consumers and companies save attorneys' fees and time. Id.
109 SOLOVE & SCHWARTZ, supra note 12, at 972-73.
110 David Ellis, How Much Does a Data Breach Cost Your Organization?: A Data
Breach May Cost You More than You Think, SEC. METRICS BLOG (Oct. 17, 2016),
http://blog.securitymetrics.com/2016/10/-how-much-does-a-data-breach-cost.html.


up to 40% of their revenue from customers after the customers have lost
confidence in their brand.111 Losing $4 million and 40% of their revenue,
along with losing customers in the long term, are enough of an incentive for
most companies to be careful to protect from a data breach. Few companies,
if any, are willing to take the risk of having a data breach incident occur. Most
companies invest money and time to prevent any data breach, yet data
breaches still occur. The dispute resolution is not really a possible method to
prevent data breaches, but instead should focus on protecting consumers from
any damages they may sustain.
Even if the companies have arbitration clauses, they may be forced by
public pressure to waive arbitration clauses when the breach is serious in
nature and the class action seems appropriate for general public policy
concerns. Equifax originally had arbitration clauses in their terms of use
agreements.112 However, after the incident, Equifax announced that it would
not apply any of the arbitration clauses or class action waivers in their
agreements against the consumers for claims related to the cybersecurity
incident.113 Companies have no obligation to waive arbitration clauses which
consumers agreed on, but this Equifax incident showed that consumers, along
with the media, are strong enough to pressure the company to waive it when it
is necessary. Companies make these decisions by considering their future
customer relationships and reputation, not only in the short term of the ensuing
dispute. Also, as stated above, if the collective action is what the consumers
want, but not necessarily the litigation, class-wide arbitration is still possible.
In general, class actions do not benefit the consumers, who are the
victims of the data breaches. Because companies have enough incentive to be
careful when dealing with data, having arbitration clauses does not increase a
company's protections from data breach incidents. Arbitration clauses may

111 Id.
112 Brian Fung, Equifax Finally Responds to Swirling Concerns over Consumers'
Legal Rights, WASH. POST (Sept. 10, 2017), https://www.washingtonpost.com/news/the-switch/wp/2017/09/08/what-to-know-before-you-check-equifaxs-data-breach-website/?utm_term=.e00c03eecea6. The original arbitration clause states as follows:
Agreement to resolve all disputes by binding individual
arbitration. Please read this entire section carefully because it
affects your legal rights by requiring arbitration of disputes
(except as set forth below) and a waiver of the ability to bring
or participate in a class action, class arbitration, or other
representative action. Arbitration provides a quick and cost
effective mechanism for resolving disputes, but you should be
aware that it also limits your rights to discovery and appeal.
Id.
113 Id.


sometimes be waived by companies when it is necessary. Arbitration clauses
are therefore not an absolute escape for these companies. As is described in
Part II-B below, by using technology, alternative dispute resolution, including
arbitration, has the potential to be even more favorable for the consumers than
the court system.

IV. UTILIZING ONLINE DISPUTE RESOLUTION SYSTEMS FOR A DATA BREACH CASE

Arbitration is still quite a costly and time-consuming process
compared to other forms of dispute resolution, such as negotiation or
mediation. The use of arbitration must be reserved for disputes that truly
require a comprehensive, systematic form of dispute resolution. Although the
company may avoid a large number of claims by insisting on individual
arbitrations and barring small claims, it is not in the best interest of the
company. Avoiding a dispute will save money in the short-term, but saving its
relationship with the consumers is also a concern worth considering in the
long-term interest of the company's business. Negotiation and mediation will
likely be able to resolve a majority of these data breach cases, and utilizing
this technology will make the process even smoother and less expensive,
which is favorable to both the companies and the consumers.

A. Online Dispute Resolution System

Merely saving on a one-time cost is not the goal of the companies. As
discussed above, data breach incidents will cause massive customer loss.
Therefore, keeping relations with the consumers should also be the focus of a
dispute resolution after the occurrence of a data breach incident. When the
class action waiver works, companies will likely be able to focus on resolving
the dispute with the individuals who actually suffered an injury, instead of
paying a few cents to every victim, and paying millions of dollars to the
attorneys. Also, by saving these costs of plaintiffs' attorneys' fees, the
companies may utilize more resources to focus on consumer care.
Considering the modern nature of a business, which is interstate and
international, OADR will likely serve the interests of both the consumers and
the companies. Online arbitration will likely work for individuals who suffered
significant injury, and online mediation or negotiation will likely work for
other customers who only suffered minimal losses. The feeling of "being heard"


is key to building long-term customer relationships,114 and utilizing online
dispute resolution will likely allow companies to communicate more
effectively with each individual consumer with lower costs compared to class
action lawsuits.
Here, the suggestion is to create a three-step dispute resolution system
for privacy breach cases: 1) automated negotiation, 2) e-mediation, and 3)
arbitration with the flexible use of technology.

1. WHAT ONLINE ALTERNATIVE DISPUTE RESOLUTION CHANGES AND WHAT IT DOES NOT

OADR is the ADR forum which wholly or partially uses information
technology, including the internet, email, and other technologies, as a medium
to conduct the proceeding.115 OADR not only uses technology as an assistive
tool; in OADR, all communications can be done electronically and no face-to-face
meetings are required between the parties.116 The internet allows
businesses to reach customers all over the world with less cost and time
expended,117 but once a dispute arises, the costs may actually be relatively
high because of the nature of an online business, such as the fact it may have
greater distances and a larger number of consumers than non-internet
businesses.
OADR is not used to change the approach of the dispute resolution,
but it essentially changes the venue of the dispute resolution process.118
Information technology is just one of many useful tools for supporting dispute
resolution.119 OADR does not change much of the process, but it instead takes
advantage of another form of communication rather than face-to-face
negotiations.120 Arbitrators still need to have consent from both of the parties
to an arbitration, and mediation is still voluntary and non-binding on the

114 Stephen Shander, Three Ways to Ensure Your Customer Is Heard, D!GITALIST MAG.
(Oct. 24, 2017), http://www.digitalistmag.com/customer-experience/2017/10/24/3-ways-to-ensure-customer-is-heard-05433750.
115 But cf. Haitham A. Haloush & Basher H. Malkawi, Internet Characteristic and
Online Alternative Dispute Resolution, 13 HARV. NEGOT. L. REV. 327, 327-28 (2008)
(Haloush and Malkawi limited the purpose of OADR to resolve commercial disputes that
arise from use of the internet, but in this paper, the OADR is not limited to the dispute arise
from use of the internet); Schmitz, supra note 98, at 181.
116 ARNO R. LODDER & JOHN ZELEZNIKOW, ENHANCED DISPUTE RESOLUTION
THROUGH THE USE OF INFORMATION TECHNOLOGY 72 (2010).
117 Haloush & Malkawi, supra note 115, at 329.
118 Id. at 332.
119 LODDER & ZELEZNIKOW, supra note 116, at 12.
120 Haloush & Malkawi, supra note 115, at 332.


parties.121
Some scholars even suggest that the internet is not simply a new
channel of communication, but that cyberspace is a community itself.122
Because the internet changes the nature of the business, the dispute resolution
system also needs to change for the business to be effective. The cyberspace
community needs its own dispute resolution system different from an offline
community. Dispute resolution is one of the earliest forms of human endeavor,
and the form of the dispute resolution keeps improving as the society
changes.123 The 21st Century is the time to create an effective dispute
resolution system for the cyberspace, and the OADR is one of the possible
solutions.

2. GENERAL BENEFIT TO ALL OF THE PARTIES

One of the main benefits of OADR is how it can reduce costs.124
High costs are one of the major reasons that prevent participants from
achieving better outcomes.125 As the examples of past incidents showcased, a
data breach can cost millions of dollars for companies to resolve fully. The
damage caused cannot be reduced, but dispute resolution can reduce the costs
and may significantly save money for the companies. For example, in the
Anthem incident, $38 million out of the total settlement amount of $115
million was for the plaintiffs' attorneys' fees.126 OADR is time-saving and
also greatly reduces the time used for travel, if it requires travel at all.127 This
helps cut unnecessary costs for dispute resolution, and as a result makes it
easier for consumers to hire attorneys and reduces the overall settlement fee
for the companies. That may allow companies to pay more to the victims.
Especially when multiple parties are involved, which is almost always the case
in data breach disputes, the benefit of cost avoidance is enhanced to an
exceptional degree.128 In addition to that, the companies may invest the
money saved to improve their technology and prevent future data breach

121 Id. at 340.
122 Id. at 330-31.
123 LODDER & ZELEZNIKOW, supra note 116, at 1 (the extreme example of the
improvement would be the trial by combat to trial by neutral third person).
124 Id. at 13.
125 Id. at 96.
126 HUNTON & WILLIAMS, supra note 37.
127 Lynn A. Epstein, Alternative Dispute Resolution in the Twenty-First Century:
Cyber E-Mail Negotiation vs. Traditional Negotiation: Will Cyber Technology Supplement
Traditional Means of Settling Litigation?, 36 TULSA L.J. 839, 845 (2001).
128 Id.


incidents.
Flexibility is one of the benefits of ADR, and the use of the internet
allows the parties to make the process even more flexible. By using the internet,
parties may have flexible scheduling and asynchronous communication, in
addition to real-time dialogue.129 In OADR, all parties (neutrals, claimant,
and the respondent) can be in different places.130 For some procedures, they
do not even need to be online at the same time. The reduced time for travel
and cost associated with travel will be an advantage for all the parties.131

3. BENEFITS TO CONSUMERS

The OADR will empower consumers by giving them access to dispute
resolution. Consumers have had limited resources because of the costs
associated with traditional dispute resolution, such as travel costs, time
expended, and legal costs of traditional face-to-face dispute resolution
processes.132 Arbitration clauses are often used to prevent all litigation for
consumers, and that is clearly unfair to consumers. However, by utilizing
technology, it can allow consumers to make a claim, and still allow the
companies to minimize their costs associated with dispute resolution. OADR
will allow fast, flexible, convenient, and often comfortable scheduling and
communications.133

4. RISKS AND ISSUES WITH ONLINE DISPUTE RESOLUTION

Security is a core issue with OADR.134 OADR systems are not free
from hacking or other types of information breach risks. An information
breach during data breach dispute resolution is possible. However,
not using technology is not a practical response. Even if the court handles
many things manually, lawyers are still using email and other forms of
technology to communicate with clients and the opposing parties. Email is not
a secure form of communication, and always has inherent risks for information
breach. Therefore, the security risk of OADR is not significantly greater than
the traditional forms of dispute resolution. Parties need to be careful to choose
which platform to use, and also need to take appropriate measures to avoid

129 Schmitz, supra note 98, at 181-82.
130 WANG, supra note 95, at 28.
131 Id.
132 Schmitz, supra note 98, at 182.
133 Id. at 183.
134 WANG, supra note 95, at 78.


further information breaches, but it is not a reason not to use OADR.

B. Keeping Relationships with Consumers-The Three Step System

1. EXISTING OADRs

As explained in Part III-A, OADR does not dramatically change the
nature of each dispute resolution method. It simply changes the venue of the
dispute resolution. The parties will have all the benefits of each method even
if the parties utilize OADR. It only intends to make the process more
convenient.
A number of other organizations, such as the American Arbitration
Association ("AAA") and Cybersettle, are providing OADR platforms for the
parties to use when it is needed.135 The EU also has its own online dispute
resolution system for consumers to use.136 How to choose the platform is a
separate issue, but by using these platforms, companies can use online dispute
resolution systems when the data breach happens without maintaining its own
system.
AAA has been using an online conflict management process since
1995.137 AAA's online system, "Webfile," allows the parties to complete
numerous parts of arbitration or mediation online, including filing a claim,
selecting an arbitrator or mediator, communicating with the parties, and
uploading and downloading documents.138 Webfile also created a rapid
alternative dispute resolution system for a member of the National Research
Exchange ("NRE") when AAA entered into an exclusive agreement with
NRE.139 This allows the parties to conduct most of their mediation and
arbitration processes online, and aims to resolve the disputes within two
weeks.140
The online dispute system of eBay is considered a successful example

135 Id. at 67-70.
136 Sebastian Stefanov, eBay: Prepare for Online Dispute Resolution (OADR),
WEBINTERPRET (Mar. 7, 2016), https://webinterpret.com/us/blog/ebay-prepare-for-online-dispute-resolution-OADR/; see also 2013 O.J. (L 165) 1, available at
http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32013R0524&from=EN.
137 Debi Miller-Moore, OADR at the AAA: Online Dispute Resolution in Practice, 38
U. TOL. L. REV. 395, 395 (2006).
138 Id. at 397.
139 Id. at 401.
140 Id.


of online dispute resolution for cyberspace disputes.141 eBay established an
online dispute resolution system for a dispute involving the non-delivery of
goods, misrepresentation, unsatisfactory service, etc.142 It offers an automated
negotiation platform, and refers those disputes not resolved through the
automated negotiation to online mediation.143
OADR has already been used in numerous situations. Then the
question becomes whether it is suitable for data breaches, and how to design
the system specifically for a data breach case.

2. THREE-STEP DISPUTE RESOLUTION SYSTEM FOR DATA BREACH

The eBay model has been successful, and this model will likely be
able to be applied to data breach contexts. Most of the data breach claims are
as small as non-delivery of goods claims. Therefore, the negotiation and
mediation would often be sufficient to resolve these claims. eBay customers
and sellers are all over the world; similarly, the victims of data breach are all
over the world. This interstate and international feature of the disputes makes
data breach especially suitable to online dispute resolution. However, because
a data breach is not something that happens regularly, unlike non-delivery
claims, using a third-party platform will likely be more practical than
maintaining their own system. Also, when the data breach happens, consumers
lose trust in their service. So, using a third-party platform will provide some
assurances to consumers.
The advantage of the eBay system is that it implements a three-step
dispute resolution. When the negotiation does not solve the issue, it refers the
dispute to mediation. However, there is still a risk that the parties cannot agree
to a resolution at mediation. By adding arbitration, whose award is binding
and enforceable in most countries,144 as a third step, the dispute resolution
system will become complete. By having the following three-step dispute
resolution agreement, the companies will likely be able to keep the relationship
with their consumers while reducing unnecessary costs. Although the
agreement is a key part of ADR, this paper will not discuss how to create an
effective contract that mandates consumers to follow this step.

141 WANG, supra note 95, at 65.
142 Id.
143 Id.
144 CHOW & SCHOENBAUM, supra note 83, at 592-93.


a. Automated Negotiation

The cost of resolving a dispute is obviously reduced significantly if
the parties can reach settlement without involving outside professionals.145
Automated negotiation will allow the parties to resolve a small claim without
having attorneys involved, especially when the claim involves only a relatively
small amount.
Automated negotiation is a system in which the parties submit a
monetary figure as a settlement proposal, and then the computer compares the
offer and the demand and reaches a settlement for the arithmetic mean.146 For
example, if the victim of data breach only suffers mitigation cost, such as
replacement of credit card and credit monitoring for a few months, but not
actual injury, such as fraudulent use of credit card, the cost will likely be less
than $100.147 This would be significantly more money for consumers than
class actions, but if the company does not have to pay for attorneys, the
company will likely pay less in total than in class actions. It is also in the
interest of the companies to let the consumers take measures to avoid identity
theft, because it is cheaper for the companies to reimburse a small amount of
cost than paying the full damage of the identity theft.
This is significantly cheaper, as it involves only a platform rather than
a third party. It also allows companies to communicate with individual victims
without using a lot of the resources required for face-to-face negotiation.
Unless the breached data included sensitive information, such as medical
records or social security numbers, the actual damage should be minimal and
most consumers will likely agree with a resolution at this point.
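
The comparison rule described above can be sketched as follows. This is an added illustration, not code from the article or from any OADR platform; the article states only that the computer compares the offer and the demand, settles at the arithmetic mean, and that unresolved claims move on to mediation. The round structure, the 20% closeness tolerance, and every name below are assumptions.

```python
"""Blind-bid automated negotiation with escalation (illustrative sketch)."""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from enum import Enum
from typing import Optional, Sequence, Tuple


class Step(Enum):
    # The three steps proposed in the article, in order.
    AUTOMATED_NEGOTIATION = "automated negotiation"
    E_MEDIATION = "e-mediation"
    ARBITRATION = "arbitration"


@dataclass(frozen=True)
class Outcome:
    settled: bool
    amount: Optional[Decimal]    # settlement figure, if one was reached
    round_no: Optional[int]      # 1-based round that produced it
    next_step: Optional[Step]    # where an unresolved claim goes next


CENT = Decimal("0.01")


def _money(value) -> Decimal:
    """Parse a submitted figure exactly; reject negatives, NaN and infinity."""
    amount = Decimal(str(value))
    if not amount.is_finite() or amount < 0:
        raise ValueError(f"invalid monetary figure: {value!r}")
    return amount.quantize(CENT, rounding=ROUND_HALF_UP)


def negotiate(rounds: Sequence[Tuple[object, object]],
              tolerance: Decimal = Decimal("0.20")) -> Outcome:
    """Compare each round's (company_offer, consumer_demand) pair.

    Assumption: a round settles when the offer is within `tolerance` of the
    demand (or exceeds it). The settlement is the arithmetic mean of the two
    figures, as the article describes. Neither side's figure is returned, so
    a failed round discloses nothing to the other party.
    """
    for round_no, (raw_offer, raw_demand) in enumerate(rounds, start=1):
        offer, demand = _money(raw_offer), _money(raw_demand)
        if demand - offer <= demand * tolerance:
            mean = ((offer + demand) / 2).quantize(CENT, rounding=ROUND_HALF_UP)
            return Outcome(True, mean, round_no, None)
    # No round closed the gap: hand the claim to the next step.
    return Outcome(False, None, None, escalate(Step.AUTOMATED_NEGOTIATION))


def escalate(step: Step) -> Optional[Step]:
    """Return the step that follows `step`, or None after arbitration."""
    order = list(Step)
    position = order.index(step)
    return order[position + 1] if position + 1 < len(order) else None


if __name__ == "__main__":
    # Constructed sample: a claimant with mitigation costs under $100.
    print(negotiate([(20, 90), (40, 70), (50, 60)]))
    # Constructed sample: figures too far apart, so the claim escalates.
    print(negotiate([(10, 500), (20, 450)]))
```

Using `Decimal` keeps the mean exact to the cent, which matters when the same rule is applied across a very large number of small claims.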

b. E-Mediation

When parties cannot agree with resolution by negotiation, having a
third party is useful. E-mediation is just an online form of traditional

145 Trish O'Sullivan, Developing an Online Dispute Resolution Scheme for New
Zealand Consumers Who Shop Online-Are Automated Negotiation Tools the Key to
Improve Access to Justice?, 24 INT'L J.L. INFO. TECH. 22, 27 (2016).
146 WANG, supra note 95, at 32.
147 Credit card replacement fee is often free, and credit monitoring costs around $10
per month. See Allie Johnson, Credit Card Monitoring Services: Pros, Cons and How to
Pick One, CREDITCARDS.COM (Feb. 24, 2011), https://www.creditcards.com/credit-card-news/pros-cons-credit-monitoring-services-1282.php; Allie Johnson, Replacing Lost
Credit Card? Want It Fast? Expect to Pay, CREDITCARDS.COM (Sept. 21, 2016),
https://www.creditcards.com/credit-card-news/credit-debit-card-replacement-costs-fee-survey-1267.php.


mediation.148 By using technology, such as video-conferencing systems,
parties can have greater flexibility and reduce the cost of traveling. It will
likely empower the consumers and help to keep the relationship with the
consumers by giving the individual claimant the opportunity to be heard by
the companies. The benefit of mediation is that the resolution is created by the
parties while having a third party as a facilitator.149
Third parties are involved, and consumers may have an attorney at
this point, but mediation is still cheaper than comprehensive arbitration or
litigation. Mediation also has a high success rate of 80%-85%.150 Considering
most people will likely agree with the resolution through negotiation, and over
80% of the remaining disputes will be resolved by mediation, most cases will
be resolved by this point.

c. Arbitration with the Flexible Use of Technology

The benefit and suitability of arbitration to a data breach dispute is
discussed in Part II. Whichever the form of arbitration is, individual or class-wide,
the largest benefit of arbitration is the enforceability and limited
appeal.151 In addition to all the benefits of arbitration discussed above, the
arbitration will likely end the dispute definitively. Unlike negotiation and
mediation, the third party will make a decision, and unlike the court procedure,
it usually does not entail a lengthy appeal process. As the example of AAA
showed, use of technology can make the arbitration process even smoother.
By using video conferencing technology, the parties can reduce their travel
costs. Although completely online arbitration is not common yet, effective use
of arbitration will make the process cheaper and quicker. As an example of
arbitration assisted by technology, the arbitration clause of Amazon states
"[Consumers] may choose to have the arbitration conducted by telephone, [or]
based on written submission"152 in addition to in-person arbitration. For the
companies which conduct business all over the world, having the choice to
remotely conduct arbitration saves time and costs.
In short, automated negotiation is the best first step in dispute

148 WANG, supra note 95, at 32.
149 Id. at 28.
150 Id.
151 CHOW & SCHOENBAUM, supra note 83, at 592-93, 619 (discussing that arbitral
awards are enforceable in the U.S. under the Federal Arbitration Act and "in more than 130
countries because of New York Arbitration Convention").
152 Conditions of Use, AMAZON,
https://www.amazon.com/gp/help/customer/display.html?nodeId=508088 (last visited Feb.
17, 2018).


resolution. When the negotiation does not resolve the dispute, mediation
should be the next step. Most claims will likely be resolved at this point. When
the complete dispute resolution system is required, either individually or class-
wide, arbitration is a better alternative than litigation. By having this three-
step dispute resolution system, the companies can resolve most of the claims
through negotiation or mediation with very low costs, and a focus on
arbitration, which will most likely involve complex issues and greater injury
claims. That will reduce the cost for dispute resolution by limiting the need for
attorneys, and by utilizing technology, companies may provide consumers
better opportunities to be heard than traditional, off-line dispute resolution
systems.

V. CONCLUSION

Data breach incidents are an increasing concern for companies. One
incident can result in millions of dollars in losses and long-term losses of
customers. In addition to the increasing risk of a data breach incident itself,
companies are facing greater risks of class action for data breach incidents in
certain circuits. Although taking measures to avoid a data breach is the best
practice, and the companies should always take the appropriate measures to
protect the data they have, companies must also be prepared to deal with the
dispute following a data breach incident.
In order to minimize the impact of a data breach, the companies should
minimize the unnecessary costs. Class-action waiver clauses and arbitration
clauses will allow companies to reduce the amount of an award or settlement
by reducing the fees for plaintiffs' attorneys. At least for a data breach incident,
there are enough incentives for companies to protect consumers' data without
class action, so mandatory arbitration will not likely harm the consumers.
For the data breach dispute, a three-step dispute resolution system
would be the most effective solution. This is a stepped system starting with
negotiations, then mediation, and lastly arbitration. Arbitration is better in this
context than litigation, but still quite costly and a time-consuming process
compared to the other forms of dispute resolution. A majority of data breach
disputes will likely be able to be resolved by negotiation or mediation. By
utilizing automated negotiation and e-mediation, the companies can greatly
reduce the costs of dispute resolution while ensuring consumers an
opportunity to be heard. When arbitration is necessary, the use of technology
can make the dispute resolution process cheaper and quicker.

OHIO STATE JOURNAL ON
DISPUTE RESOLUTION

Volume 34 2018-2019 Issues I-V

EDITOR-IN-CHIEF
KISHALA SRIVASTAVA

EXECUTIVE EDITOR CHIEF MANAGING EDITOR


ANDREA WITTE AVERIE BORNHORST

MANAGING EDITORS ARTICLES EDITORS MAYHEW-HITE EDITORS


KIMBERLY DESPAS CHRIS STEPHENS NICOLE MAYO
JOHN DEVER KANDIS SARGEANT MIKI SOMEYA,
ALI NAJAF
KRISTIN PETERSON NOTE & COMMENT EDITORS
KATHERINE ZDENEK EMILY JOHNSON SYMPOSIUM EDITORS
JOSHUA MCCARROLL AYESHA COTTON
MICHAELA SMITH ABIGAIL RIFFEE

MARKETING EDITOR BIBLIOGRAPHY EDITOR BUSINESS EDITOR


DAVID HABA NORA MARGARET ANDERSON MATTHEW HARRIS

ASSOCIATE EDITORS
MATTHEW CARPENTER BRIANNA PENN ABBEY ZELLER

STAFF EDITORS
ALI ANDERSON HALLIE ISRAEL SARA SAMS
JASON BROWN HAYLEY KICK KATY SCRUPPI
JAMIE CARDENAS MAX KNUDSEN SARAH SIEWE
ANNA CRISP MITCH LAING MICHAEL STASH
THOMAS DONADLO ZACHARY MARIA JOSEPH TRAMMELL
DYTIESHA DUNSON JUSTIN MCCUEN JENNIFER TRESSLER
KRYSTINA GARABIS CLAIRE MCGAGH MICHAEL WALSH
JOSHUA GMEREK JACK MYERS FEI YU
DINU GODAGE NICHOLAS PASQUARELLO
ANNA GRUSHETSKY BRIANNA RIPPIN

FACULTY ADVISORS
Sarah Rudolph Cole & Joseph B. Stulberg

Published by Students at The Ohio State University Moritz College of Law


The Ohio State Journal on Dispute Resolution (JDR) is the official law journal of the
American Bar Association Section of Dispute Resolution. The JDR, which is published three
to four times a year, serves as an exchange of information between scholars, who develop and
comment upon theoretical models of dispute resolution, and practitioners, who are involved in
implementing models as actual arbitrators, mediators, and judges. The opinions and
conclusions of the articles published in this issue are those of the authors and do not
necessarily reflect the position of the JDR or The Ohio State University.

EDITORIAL AND GENERAL OFFICES: Located at 55 West 12th Avenue, Columbus, Ohio
43210-1391. The JDR can be contacted by phone at (614) 292-7170, by facsimile at (614)
292-3442, and by email at osu-jdr@osu.edu. Information may also be obtained online at
http://moritzlaw.osu.edu/jdr.

SUBSCRIPTIONS: Domestic, $50.00 per volume; $15 per regular issue. Foreign, $60.00 per
volume; $20.00 per regular issue. Members of the ABA Section of Dispute Resolution receive
a special discounted rate of 50% off the standard subscription price. Please enclose check with
order made payable to the Ohio State Journal on Dispute Resolution. All subscriptions are for
the volume year and will be renewed automatically unless the subscriber provides timely
notice of cancellation. All business or subscription inquiries, and changes of address should be
directed to the Business Editor, Ohio State Journal on Dispute Resolution, 55 West 12th
Avenue, Columbus, Ohio 43210-1391.

SINGLE ISSUES: Issues in the current volume and Volume 33 are available from the JDR for
$15.00 domestic and $20.00 international. Back stock, reprint, and microform editions of the
JDR are available through William S. Hein & Co., Inc., 1285 Main Street, Buffalo, New York,
14209-1987. The William S. Hein & Co. can be contacted by phone at (800) 828-7571 or by
facsimile at (716) 883-8100.

SUBMISSIONS: The JDR welcomes the submission of unsolicited manuscripts, articles, and
book reviews for possible publication. The text and footnotes of all manuscripts should be
double spaced. Please send submissions in hard copy to Ohio State Journal on Dispute
Resolution, 55 West 12th Avenue, Columbus, Ohio 43210-1391 or electronically in MS Word
format to osu-jdr@osu.edu. Manuscripts will not be returned.

CITATION: Please cite to the JDR as follows: 34 OHIO ST. J. ON DISP. RESOL. (2019).

COPYRIGHT INFORMATION: Copyright © 2019 by the Ohio State Journal on Dispute
Resolution. Please direct copyright inquiries to Editorial and General Offices address listed
above.
