The March Towards Cybersecurity Maturity in Arbitration
This progress towards cybersecurity maturity in arbitration is long overdue, but a welcome development in an industry where cyber risk is substantial and cyber resilience is imperative.
March 13, 2020 at 02:10 PM
9 minute read
When choosing a dispute resolution mechanism, the list of advantages of arbitration are numerous and varied, ranging from efficiency to flexibility to expertise. No features, however, are as important as the crown jewels of arbitration: confidentiality and privacy. When a dispute is high stakes or touches upon sensitive issues of a personal, business, or even political nature, arbitration is arguably the best dispute resolution tool for preserving the confidentiality and privacy of the proceedings, the information shared, and the outcome. Although confidentiality and privacy are critical features of arbitration, the industry has only recently started to address the cybersecurity risks involved in the creation, collection, retention, and exchange of sensitive information, documents, and communications during the arbitral process. This progress towards cybersecurity maturity in arbitration is long overdue, but a welcome development in an industry where cyber risk is substantial and cyber resilience is imperative.
|Cyber Risk Profile: The Vulnerabilities of Arbitration
As the digital revolution progresses, there is an increasing awareness of the risks of harm and disruption associated with a potential cyber attack or data breach. In the context of arbitration, and especially international arbitration, cyber risk is especially significant for a number of reasons. Most notably:
- Arbitration proceedings are highly confidential and involve issues and disclosures that the parties wish to remain private. In some cases, the very fact of the proceedings may not be disclosed in an effort to avoid financial loss or disruption.
- Privileged information is at stake, which might include sensitive and valuable data, or potentially harmful admissions.
- In international arbitration matters involving governments, highly sensitive political information and communications may be exchanged and, if disclosed, could have political or economic ramifications.
In addition to these heightened risks, the arbitration industry is especially vulnerable to cyber disruptions:
- Data Sharing: Parties often exchange sensitive data, documents, and communications, internally and externally, by email, cloud-based share drives, or even portable devices. In fact, arbitral tribunals have been increasingly moving towards completely digital document productions, relying on tools and technologies such as cloud-based storage to host and share data, especially in cross-border matters. While password protection is often employed, passwords are often shared via email, usually unencrypted and "in the clear", undermining their efficacy. Moreover, there are many actors intertwined in the arbitral process—the parties, counsel, government agencies, experts, witnesses, arbitral institutions, and the tribunal—and each is independently susceptible to a cyber attack or data breach that could impact all other parties involved.
- Government Involvement: In international arbitrations involving a government party with sophisticated cyber capabilities, there is a risk that the government could attempt to obtain evidence or strategic information from the opposing party through nefarious cyber activities. There is already precedent for this type of malicious behavior in several arbitrations including Turkey intercepting privileged correspondence in Libananco v.Republic of Turkey (ICSID ARB/06/8) and China's alleged hacking of the Permanent Court of Arbitration's website during a hearing in The Hague regarding a territorial dispute with the Philippines.
- Travel: Almost all arbitration matters, especially those with an international component, involve a certain amount of travel. Public Wi-Fi access, Bluetooth connectivity, and the possibility of lost, stolen, or confiscated electronic devices pose a serious information security threat.
- Prime Targets: Law firms, both in the United States and internationally, are quickly becoming prime targets for cyber attacks because they hold in their possession highly sensitive client data. These clients include multinational organizations, governments, and prominent public figures, all of which are prime targets for cyber attacks in their own right. But the protections that law firms have put in place, if any, are often largely inadequate, making them easier targets for cybercriminals seeking to retrieve this sensitive data. More than 100 law firms have reported data breaches in recent years, and yet many attorneys continue de-prioritizing cybersecurity and the protection of client data. These shortfalls are not intentional, but more likely the result of the ever-evolving nature of cybersecurity, the challenges of keeping cybersecurity measures current, and grappling with the practical requirements of implementation. Moreover, there is no one-size-fits-all approach upon which law firms and their clients may rely. Mid-size and smaller law firms, or law firms in developing countries, cannot be expected to expend the same resources on cybersecurity as much larger law firms, despite their possession of equally sensitive and confidential information.
This combination of heightened cyber risk and vulnerability is particularly dangerous. If arbitration is considered exceedingly susceptible to cyber attacks, it will quickly lose favor as the preferred dispute resolution mechanism for organizations relying on arbitration's assurance of confidentiality and privacy. The industry has long been in dire need of a move towards cyber resilience and, recently, several arbitration organizations have charted the path to get there.
|Cyber Resilience: The March Forward
In recognition of the evolving threat landscape, the growing cyber risks, and the reality that arbitration might become a more frequent target for cyber attacks, industry professionals are acknowledging and addressing the cyber vulnerabilities of arbitration. One of the most recent examples of this is the release of the Cybersecurity Protocol for International Arbitration (2020) (the Protocol), prepared by representatives from the International Council for Commercial Arbitration (ICCA), the International Institute for Conflict Prevention & Resolution (CPR), and the New York City Bar Association (NYCBA). While other organizations, such as the International Bar Association's (IBA) Presidential Task Force on Cyber Security, had already released cybersecurity guidelines for the legal industry, the Protocol is unique in its focus on arbitration. The Protocol provides a helpful framework for determining reasonable information security measures necessary for arbitration matters, and is applicable to both international and U.S.-based arbitrations.
It bears noting that, more recently, the ICCA-IBA Joint Task Force on Data Protection in International Arbitration released a draft Roadmap which addresses the data protection issues that might arise during arbitration proceedings and how data protection principles may be applied to arbitration. While compliance with data protection laws is critical, it is only one piece of the overall cybersecurity puzzle, and applying general data protection principles can both complement and bolster a cybersecurity strategy.
In practice, every arbitration matter will require unique cybersecurity considerations tailored to the circumstances of the case. In order to develop an appropriate cybersecurity approach, follow these guiding steps:
- Cyber Risk Profile Analysis: Determine what the potential cybersecurity threats are to the arbitration, where the vulnerabilities are, and what the potential consequences of a data breach might be. As part of this analysis, consider the subject matter and sensitivity of the information that might be collected and shared (for example, particularly sensitive information may include intellectual property, trade secrets, and politically sensitive information, among others), as well as the procedural aspects of the arbitration (such as the likelihood of international travel).
- Cost-Benefit Analysis: Determine the existing cybersecurity capabilities of the parties and their ability to deploy cybersecurity measures to mitigate cyber risks, and analyze the cost and burden of additional cybersecurity measures against the risks of breach and sensitivity of the information at stake.
- Legal Analysis: Consider and comply with the applicable data protection laws and regulations from the outset of the arbitral process. This is particularly important in international arbitration, where parties must determine what national data protection laws and regulations apply and their impact on the processing of data over the course of the arbitration. Failure to comply with applicable laws can have serious consequences. For example, the European Union's General Data Protection Regulation (GDPR) has created a palpable panic across the industry due to its supranational impact and imposition of substantial punitive sanctions. Once it is finalized, the data protection guidance provided in the ICCA-IBA Roadmap will likely serve as a helpful tool in navigating the application of data protection laws to arbitration proceedings.
- Procedure: During the initial procedural conference, discuss and incorporate reasonable cybersecurity measures into the Terms of Reference or Procedural Order. This should include how to limit the disclosure of sensitive information, how sensitive information must be stored, shared, and destroyed, as well as other agreed-upon and legally required data protection measures. In case a cyber incident does occur, it is also imperative to define procedures for notifying affected parties and for mitigating the impacts of a cyber attack or data breach. Note that flexibility is key and the cybersecurity protocol in place should allow for amendments as needed in response to evolving case circumstances.
- Implementation: All parties must agree to strictly abide by the agreed-upon cybersecurity measures, as must the tribunal, witnesses, experts, and other third parties. Requiring any party who will receive sensitive data to first sign a certification of compliance with the applicable cybersecurity procedures is a helpful accountability tool.
- Remedies in Case of Breach: In case there is a cyber incident or data breach, be sure to adopt procedures that allocate costs to the party responsible for the incident, as well as the imposition of discretionary sanctions. Such provisions incentivize parties to comply with the cybersecurity measures put in place.
Perhaps in a legal practitioner's utopia, the sole focus during an arbitral proceeding would be the basics: the facts, law, and strategy. However, if advocates for arbitration as a dispute resolution mechanism want to preserve its highly confidential and private nature—which are arguably the most appealing features of arbitration—a true cybersecurity revolution that involves implementing more mature processes and practices is imperative. Cybersecurity must become a material consideration during the arbitral process. While progress is being made, the march towards cybersecurity maturity is only just beginning. The next step is for all arbitration users to familiarize themselves with the recommended cybersecurity frameworks and make cybersecurity a priority throughout the arbitral process if we hope to achieve a breakthrough in cyber resilience for the arbitration industry as a whole.
Randa Adra is a counsel in the New York office of Crowell & Moring, where she practices in the firm's international dispute resolution and litigation groups.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1Senate Judiciary Dems Release Report on Supreme Court Ethics
- 2Senate Confirms Last 2 of Biden's California Judicial Nominees
- 3Morrison & Foerster Doles Out Year-End and Special Bonuses, Raises Base Compensation for Associates
- 4Tom Girardi to Surrender to Federal Authorities on Jan. 7
- 5Husch Blackwell, Foley Among Law Firms Opening Southeast Offices This Year
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250