Program focused on the coming wave of data privacy and security disputes between businesses, the legal claims and defenses asserted in these cases and the key role of ADR in resolving these disputes.
Where there is a breach, companies need to examine who owned the data, who had custody of the data and the source of the breach.
USCIB’s Arbitration Committee hosted a luncheon with Squire Patton Boggs on October 3 focusing on arbitrating B2B data breach disputes. As data breaches are increasingly more common, business-to-business (“B2B”) disputes arising from security incidents between companies are also on the rise. The luncheon program focused on the coming wave of data privacy and security disputes between businesses, the legal claims and defenses asserted in these cases and the key role of ADR in resolving these disputes.
Divided into two panels, the first panel, which was moderated by USCIB General Counsel, Nancy M. Thevenin, focused on the business problem of data breach disputes. Speaker, Nancy Saltzman, former executive vice president, general counsel and company secretary of EXL Service, advised businesses to review their new and old contracts for data breach provisions and risk allocations. Where there is a breach, companies need to examine who owned the data, who had custody of the data and the source of the breach. Saltzman explained that a breach can occur internally within one’s own company via human or system error or externally via hacking.
Edward Chang of Cyber Risk Management at Travelers described how a breach may release a company’s sensitive information or personally identifiable information of its customers. Chang explained that in terms of insurance, this is a fast moving field with about 70 different issuers that provide coverage for B2B data breaches. He specified that there are four basic schemes for coverage: (a) incident response; (b) business interruption losses; (c) fraud and business email compromise; and (d) liability. Both speakers agreed that it is not uncommon for companies to quickly go through $10 million worth of coverage where a breach occurs.
The second panel, moderated by Frederic Fucci, an independent arbitrator with Fucci Law & ADR, PLL and chair of the Transactional Lawyers Subcommittee focused on how alternative dispute resolution (ADR), as opposed to litigation, was an effective means of resolving these disputes. Speaker Joseph V. DeMarco, founder and principal at DeVore & DeMarco LLP, emphasized that the confidentiality of mediation and arbitration was a key advantage. Speaker, Gary L. Benton, FCIArb, FCCA, an independent arbitrator with Gary Benton Arbitration and founder of the Silicon Valley Arbitration & Mediation Center, added that with ADR, the parties can select neutrals with the technical expertise to effectively resolve data breach disputes.
To conclude, the program emphasized the importance for businesses to focus on and negotiate the data breach provisions of any contract in which they are providing access to their data and to consider obtaining insurance to protect against data breaches. The program also emphasized using ADR to resolve these disputes. For example, using the standard ICC arbitration clause followed by provisions for the place of arbitration, applicable law, number of arbitrators with required expertise and language would be a sufficient starting place.