Hospitality & Retail - New York

Are mandatory arbitration provisions recognized in your state? If so, are there any limitations to its enforcement?

Contract Based Mandatory Arbitration

Arbitration provisions in New York are governed by both federal and state law. At the federal level, arbitration is governed by the Federal Arbitration Act of 1925 (“FAA”).[i] New York’s specific arbitration law is codified in Article 75 of New York’s Civil Practice Law & Rules (“CPLR”). Mandatory arbitration provisions are recognized in New York State with few employment-related exceptions.

Under CPLR § 7515(a)(2), mandatory arbitration provisions are prohibited where, as a condition to the enforcement of the contract or obtaining remedies under the contract, the parties must submit to mandatory arbitration to resolve any allegation or claim of discrimination in violation of laws prohibiting discrimination.[ii] However, CPLR § 7515 is unenforceable to the extent it is inconsistent with federal law per CPLR § 7515(b)(i) & (iii).[iii]

The FAA reigns supreme over the enforceability of arbitration agreements in contracts “involving commerce.” The Supreme Court declared that state laws prohibiting the arbitration of particular categories of claims are at odds with the scope of the FAA and that the conflicting rule is displaced by the FAA.[iv]

Before 2022, several federal district courts held that CPLR § 7515 was preempted by the FAA in employment contracts involving commerce.[v]

The federal “Ending Forced Arbitration of Sexual Assault and Sexual Harassment Act,” which applies to claims or disputes arising on or after March 3, 2022, makes CPLR § 7515 “consistent with federal law” to the extent a discrimination case is based on sexual assault or sexual harassment.[vi] The amendment also grants the option of choosing court over arbitration to the named representative of a class or in a collective action alleging sexual misconduct notwithstanding any predispute joint-action waiver.[vii]

However, the amended FAA does not currently apply to other types of discrimination claims such as those based on race, religion, ethnicity or age. Therefore, it is likely that new case law will continue to enforce mandatory arbitration agreements in those areas through the preemption of CPLR § 7515.

Mandatory Arbitration Generally

While there is no definitive statewide mandate for arbitration, there are some State and Federal Courts in New York which have enacted mandatory arbitration programs.

With regard to matters subject to the jurisdiction of State Courts in the State of New York, Part 28 of the Rules of the Chief Judge prescribes “Alternative Methods of Dispute Resolution by Arbitration.”[viii] Pursuant to Section 28.2, the Chief Administrator may establish in any trial court in any county the arbitration program authorized by this Part.

In each county where such an arbitration program is established, and to the extent directed by the Chief Administrator, civil actions for a sum of money only, except those commenced in small claims parts and not subsequently transferred to a regular part of court, that are noticed for trial or commenced in the Supreme Court, County Court, the Civil Court of the City of New York, a District Court or a City Court, on or after the effective date of the order where recovery sought for each cause of action is $6,000 or less, or $10,000 or less in the Civil Court of the City of New York, or such other sum as may be authorized by law, exclusive of costs and interest, shall be heard and decided by a panel of arbitrators. The Chief Administrator may also, at any time, upon the establishment of the program in any particular court or county or thereafter, provide for the submission to arbitration of actions, seeking recovery of such sums, which are pending for trial in those courts on the effective date of the order.

In addition, upon stipulation filed with the clerk of the court where the action was commenced or, if the case was transferred, the clerk of the court to which it has been transferred, any civil action for a sum of money only, pending or thereafter commenced in such courts, including actions removed to a court of limited jurisdiction from the Supreme Court pursuant to CPLR 325(d), regardless of the amount in controversy, shall be arbitrated, and in any such action the arbitration award shall not be limited to the amounts provided in subdivision (b) of this section, or to the monetary jurisdiction of the court. Any stipulation pursuant to this section may set forth agreed facts, defenses waived or similar terms, and to that extent shall replace the pleadings.

With regard to matters subject to the jurisdiction of Federal Courts in the State of New York, each Federal District Court in the State of New York may set its own rules for mandatory arbitration.

The United States District Court for the Eastern District of New York is the only Federal District Court in New York with a mandatory Arbitration program.[ix] Arbitration is mandatory where money damages do not exceed $150,000.00. The results are binding unless one of the parties requests a trial de novo.

The United States District Court for the Western District of New York does not have a mandatory Arbitration program, but all new civil cases filed in, or transferred to, the Court are referred automatically to ADR/Mediation, unless expressly exempt by the ADR Plan.[x]

The United States District Court for the Southern District of New York does not have a mandatory Arbitration program, but all civil cases other than social security, habeas corpus, and tax cases are eligible for ADR/Mediation, whether assigned to Manhattan or White Plains. The Board of Judges may, by Administrative Order, direct that certain specified categories of cases shall automatically be submitted to the mediation program. The assigned District Judge or Magistrate Judge may issue a written order exempting a particular case with or without the request of the parties.[xi]

The United States District Court for the Northern District of New York does not have a mandatory Arbitration program, but it has adopted a mandatory ADR/Mediation program. This mandatory ADR/Mediation plan applies to civil actions pending as well as newly filed actions, except as otherwise indicated herein. The Local Rules for voluntary mediation will apply only to Pro Se Cases that proceed through the Assisted Mediation Program. The following categories of action are exempt from automatic referral to the Mediation program: (1) Habeas Corpus and extraordinary writs; (2) applications to vacate a sentence; (3) social security appeals; (4) bankruptcy appeals; (5) cases implicating issues of public policy, exclusively or predominantly; (6) IRS summons enforcement actions; (7) government foreclosure actions; (8) civil asset forfeiture; (9) prisoner civil rights actions; (10) civilian Pro Se actions; and (11) any action to enforce a government summons, subpoena or civil investigative demand.[xii]

What is your state’s law, if any, regarding gift cards, subscription services and loyalty programs?

On December 10, 2021, New York State Governor Kathy Hochul signed legislation (S.3467-B/A.4629-C) prohibiting gift card fees and limiting the expiration date of gift cards. This bill protects consumers by prohibiting all fees on gift cards and prohibiting gift cards that decline in value over time. In addition, to further eliminate loss of value to consumers, this bill prohibits expiration dates on gift cards and gift certificates that occur earlier than nine years from the date of issuance and allows for redemption when the remaining balance is less than five dollars.[xiii]

On February 9, 2021, New York State enacted a strict law regarding the provision of automatic renewal and continuous service clauses in paid subscription or purchasing agreements with consumers. New York General Business Law §§ 527 and 527-a broadly govern any contract for goods or services with “any individual who seeks or acquires, by purchase or lease, any goods, services, money, or credit for personal, family, or household purposes” in which a “plan or arrangement in which a paid subscription or purchasing agreement is automatically renewed at the end of a definite term for a subsequent term,” or in which a “plan or arrangement in which a subscription or purchasing agreement continues until the consumer cancels the service.” In addition to this new law, New York General Obligations Law § 5-903 is an existing law applicable to service contracts for service, maintenance, or repair to or for any real property with auto-renewal periods greater than one (1) month.[xiv]

On December 10, 2022, New York State Senate Bill No. S133B came into effect.  New York State Senate Bill No. S133B serves to amend New York General Business Law § 520-e to give consumers a set grace period to use their credit card reward points when certain changes (e.g., modification, cancellation, closure, or termination) are made to a “reward, loyalty, or other incentive program.”  Under the new law, credit card companies must “inform credit card holders within 45 days if their account or rewards program is modified, cancelled, closed or terminated. Unless the customer has engaged in fraud or misuse of the account, holders will then have 90 days to redeem or exchange their rewards points.”[xv]

What is your state’s law, if any, regarding safeguarding consumer credit card or other private data (i.e., cyber security)?

The “Stop Hacks and Improve Electronic Data Security Act” (SHIELD Act), which was signed into law on July 25, 2019 and became effective March 21, 2020, mandates that all employers, individuals or organizations, regardless of size or location, which gather “private information” take reasonable cybersecurity precautions to protect such data by implementing an information security program.

Under the SHIELD Act, “private information” includes the following data:

  • Personal information, such as name, number or other identifier, in combination with any one or more of the following data elements:

(1) Social security number;

(2) Driver’s license number or non-driver identification card number;

(3) Account number, credit or debit card number, in combination with any required security code, access code, [or] password or other information that would permit access to an individual’s financial account;

(4) Account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password; or

(5) Biometric information, meaning data generated by electronic measurements of an individual’s unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual’s identity; or

  • A username or e-mail address in combination with a password or security question and answer that would permit access to an online account.

Private information under the SHIELD Act includes information where either the data element or the combination of personal information plus the data element is not encrypted, or is encrypted with an encryption key that has also been accessed or acquired. However, private information does not include publicly available information which is lawfully made available to the general public from federal, state, or local government records.

The SHIELD Act further broadly mandates that “any person or business” that owns or licenses computerized data which includes private information of a New York State resident “shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.”

Compliance with the SHIELD Act requires implementation of a data security program which includes reasonable administrative, technical and physical safeguards which may include the following:

  • Coordination of the security program by one or more designated employees;
  • Workforce cybersecurity training, and selection of contracted capable service providers to maintain appropriate safeguards;
  • Identification of foreseeable external and insider risks in connection with the assessment of current safeguards;
  • Risk assessments of network, software design and information processing, transmission and storage, implementation of measures to detect, prevent and respond to system failures, and regular testing and monitoring of the effectiveness of key controls; and
  • Detection, prevention and response to intrusions, and protections against unauthorized access to or use of private information during or after collection, transportation and destruction or disposal of the information.

Small businesses (fewer than 50 employees, less than three million dollars in gross revenues in each of the last three fiscal years, or less than five million dollars in year-end total assets) are permitted to scale the data security program to their size, complexity, the nature of the business activities and the nature and sensitivity of the information gathered.

Organizations that are covered by the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA), and/or the New York State Department of Financial Services cybersecurity regulations can achieve compliance with the SHIELD Act by complying with the respective act.

The requirement to implement a compliant information security program is enforced exclusively by the New York State Attorney General, and no private right of action exists. Compliance violations by an organization and/or an individual can result in both injunctive relief and civil penalties of up to $5,000 for each violation.

What is your state’s law, if any, regarding the collection and handling of financial information?

In New York State, financial data cybersecurity is governed by the New York Department of Financial Services (“NYDFS”) Cybersecurity Regulation (23 NYCRR 500), enacted on February 16, 2017, which includes requirements for all covered financial institutions and financial services companies to develop and implement an effective cybersecurity program to assess their cybersecurity risks and develop a plan to proactively address them. See 23NYCRR500_0.pdf

Under the Cybersecurity Regulation, covered financial institutions and financial services companies include all entities required to operate under NYDFS licensure, registration, charter or who are otherwise NYDFS-regulated, as well as their third-party vendors and service providers. Generally, covered financial institutions and financial services companies include but are not strictly limited to the following types of organizations:

  • State-Chartered Banks
  • Licensed Lenders
  • Private Bankers
  • Foreign Banks licensed to operate in New York
  • Mortgage Companies
  • Insurance Companies
  • Service Providers

Exemptions to the Cybersecurity Regulation are limited and include organizations that have fewer than 10 employees and have less than $5 million in gross annual revenue from New York operations in each of the past three years, or hold less than $10 million in year-end total assets.

Cybersecurity requirements under the Cybersecurity Regulation include the following:

  • Set a cybersecurity policy;
  • Appoint a Chief Information Security Officer;
  • Perform penetration testing and vulnerability assessments;
  • Capability to perform a financial transaction audit;
  • Manage access privileges;
  • Ensure application security;
  • Perform a risk assessment;
  • Develop a third-party service provider security policy;
  • Limit data retention;
  • Monitor authorized users and train personnel;
  • Encrypt non-public information;
  • Create an incident response plan.

The Cybersecurity Regulation includes a reporting mandate that requires a covered entity to notify NYDFS within 72 hours after becoming aware that a reportable cybersecurity incident has occurred that has a reasonable likelihood of materially affecting the normal operation of the covered entity or that affects nonpublic information. Reportable cybersecurity incidents include, but are not limited to: (1) any cybersecurity event of which notice is provided to any government or self-regulatory agency; (2) any cybersecurity event involving the actual or potential unauthorized tampering with, or access to or use of, nonpublic information.

Enforcement under the Cybersecurity Regulation is relegated to the NYDFS, and specific penalties for violations were not enumerated. However, penalties can be severe: in May 2023, lending group OneMain Financial Group LLC was fined $4.25 million for violating the regulation by using default passwords and having lax oversight of third-party vendor security practices. See “Superintendent Adrienne A. Harris Announces $4.25 Million Cybersecurity Settlement With OneMain Financial Group LLC,” Department of Financial Services (ny.gov).

On November 1, 2023, the NYDFS formally adopted amendments to the Cybersecurity Regulation, 23 NYCRR Part 500 (“Amended Cybersecurity Regulation”), and the requirements went into effect on December 1, 2023. See rf_fs_2amend23NYCRR500_text_20231101.pdf

The Amended Cybersecurity Regulation adopted the term “Cybersecurity Incident” to align with the term’s usage in other laws and regulations. The term is defined as a cybersecurity event that has occurred at the covered entity, its affiliates, or a third-party service provider that:

(1) impacts the covered entity and requires the covered entity to notify any government body, self-regulatory agency or any other supervisory body;

(2) has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity; or

(3) results in the deployment of ransomware within a material part of the covered entity’s information systems.

The Amended Cybersecurity Regulation clarifies the 72-hour notification requirement to overtly require notification to NYDFS for incidents that occur at affiliates and third-party service providers, with a continued obligation to update DFS with “material changes or new information previously unavailable.” The 72-hour reporting requirement is further clarified to only be triggered after the covered entity determines that a reportable cybersecurity incident has occurred at the covered entity, its affiliates, or a third-party service provider, regardless of the potential impact upon the covered entity.

The Amended Cybersecurity Regulation further explicitly requires reporting of ransomware events regardless of the impact the event has on the covered entity’s operations, as well as the reporting of extortion payments within 24 hours of payment. Thereafter, within 30 days of payment, the covered entity must provide DFS with the following:

(1) Written description of the reasons payment was necessary;

(2) Description of alternatives to payment considered;

(3) All diligence performed to find alternatives to payment; and

(4) All diligence performed to ensure compliance with applicable rules and regulations including those of the Office of Foreign Assets Control.

The Amended Cybersecurity Regulation also added a section to the rule describing how its process for determining penalties for violations will account for cooperation in investigations, history of prior offenses, and other factors.


[i] See, 9 U.S.C.A.

[ii] See, CPLR § 7515

[iii] See, CPLR § 7515(b)(i) & (iii)

[iv] See, AT & T Mobility LLC v. Concepcion, 2011, 563 U.S. 333, 341, 131 S.Ct. 1740, 1747, 179 L.Ed.2d 742

[v] See, Rollag v. Cowen Inc., 2021 WL 807210 (S.D.N.Y.2021) (federal discrimination claim based on parental status (FMLA)); Gilbert v. Indeed, Inc., 513 F.Supp.3d 374 (S.D.N.Y.2021) (federal and state sexual harassment claims); Whyte v. WeWork Companies, Inc., 2020 WL 3099969 (S.D.N.Y.2020) (state racial and gender discrimination claims). See also Wyche v. KM Systems, Inc., 2021 WL 1535529 (E.D.N.Y.2021).

[vi] See, 9 U.S.C.A. § 404(1)

[vii] See, 9 U.S.C.A. § 402(a)

[viii] See, http://ww2.nycourts.gov/rules/chiefjudge/28.shtml#02

[ix] See, https://www.nyed.uscourts.gov/arbitration

[x] See, https://www.nywd.uscourts.gov/alternative-dispute-resolution

[xi] See, https://www.nysd.uscourts.gov/programs/mediation-adr

[xii] See, https://www.nynd.uscourts.gov/sites/nynd/files/general-ordes/GO47_3.pdf

[xiii] See, https://www.governor.ny.gov/news/governor-hochul-signs-package-legislation-protect-credit-and-gift-card-holders

[xiv] See, https://www.nysenate.gov/legislation/laws/GBS/527-A

[xv] See, https://www.nysenate.gov/legislation/bills/2021/S133