Privacy and cybersecurity continue to be hot topics for financial services firms in 2018.  Securities broker-dealers are already seeing investor claims alleging breach of privacy and loss of data protection rights.  Traditionally, securities broker-dealers have favored resolving investor claims through binding arbitration, frequently through the dispute resolution process at FINRA.  But are FINRA arbitration agreements enforceable as to privacy claims?  And are FINRA arbitrators equipped to handle these claims?

1. Are privacy claims subject to arbitration under the Federal Arbitration Act?

Yes, if the language of the arbitration clause is broad enough to cover the claims.  While this is a developing area, the public policy favoring arbitration appears to include privacy claims.  For instance, earlier this year, the Southern District of New York found that an on-line agreement requiring the arbitration of “[a]ny claim or controversy” required arbitration of the plaintiff’s privacy claims.  Bernardino v. Barnes & Noble Booksellers Inc., No. 1:17-cv-04570, U.S. Dist. LEXIS 15812 (January 31, 2018).  Likewise, in California, a contract requiring the parties to arbitrate “any claim or dispute arising out of or any way related to this Agreement” was broad enough to require arbitration of privacy claims.  Brinkley v. Monterey Financial Services, 242 Cal. App. 4th 314, 350-354 (2015).  On the flip side, if broker-dealers prefer not to arbitrate claims of cyber theft, invasion of privacy or unauthorized use of data (and instead want to keep those claims in court where statutory defenses may be the basis for an early motion to dismiss), privacy claims can be carved out of an otherwise broad arbitration agreement.  Bell v. Blizzard Entertainment, No. 2:12-cv-9475 (C.D. Cal. April 3, 2013).
Broker-dealers should review the language in their arbitration agreements to confirm that they cover privacy claims and otherwise conforms to the firm’s objectives.  Additionally, broker-dealers should keep in mind that, in the absence of language in an arbitration agreement, FINRA Rule 12200 likely requires the arbitration of privacy claims where the dispute arises in connection with the business activities of the member or associated person.

2. Are arbitration agreements enforceable where the client agreed to arbitration by clicking a box on an on-line application, rather than signing a paper form? 

Yes, if the arbitration agreement was clearly stated.  As broker-dealers increasingly go paperless, it is important that on-line agreements contain enforceable arbitration provisions. Broker-dealers should ensure that any arbitration agreement contained within an online form is clearly labeled and conspicuous. Courts are more likely to enforce arbitration agreements entered on-line when the page forces a customer to affirmatively click that they accept the terms of the agreement and the page provides a link to the full terms of the arbitration agreement or the arbitration rules.

3. Does FINRA train arbitrators on privacy law and cybersecurity claims? 

As far as we are aware, no.  But FINRA has listed cybersecurity as an area of focus for 2018.  Not only will the standard of care be a hotly contested issue, the existence and amount of damages will break new ground, particularly now that the Ninth Circuit has recently reaffirmed that a substantial risk of identity theft in the future is sufficient to state a claim for relief.  Stevens v., Inc. (In re, Inc., Customer Data Sec. Breach Litig., 2018 U.S. App. Lexis 5841, *3 (March 8, 2018).  We urge FINRA to consider adding a privacy, cybersecurity and e-discovery module to its arbitrator training curriculum to better serve public investors and member firms as these issues percolate to the top of the docket.  Although there have been only a handful of FINRA arbitration awards centering on these issues, we anticipate that the number of claims will increase as the investing public becomes increasingly sensitive to data security and privacy issues.

– Keesal, Young & Logan Securities Litigation Group and Cybersecurity and Privacy Group

This information has been prepared by Keesal, Young & Logan for informational purposes only and is not legal advice. Transmission of the information is not intended to create, and receipt does not constitute, an attorney-client relationship between you and Keesal, Young & Logan. You should not act upon this information without seeking professional counsel.