The March Towards Cybersecurity Maturity in Arbitration
This progress towards cybersecurity maturity in arbitration is long overdue, but a welcome development in an industry where cyber risk is substantial and cyber resilience is imperative.
March 13, 2020 at 02:10 PM
When choosing a dispute resolution mechanism, the advantages of arbitration are numerous and varied, ranging from efficiency to flexibility to expertise. No features, however, are as important as the crown jewels of arbitration: confidentiality and privacy. When a dispute is high stakes or touches upon sensitive issues of a personal, business, or even political nature, arbitration is arguably the best dispute resolution tool for preserving the confidentiality and privacy of the proceedings, the information shared, and the outcome. Although confidentiality and privacy are critical features of arbitration, the industry has only recently started to address the cybersecurity risks involved in the creation, collection, retention, and exchange of sensitive information, documents, and communications during the arbitral process. This progress towards cybersecurity maturity in arbitration is long overdue, but a welcome development in an industry where cyber risk is substantial and cyber resilience is imperative.
Cyber Risk Profile: The Vulnerabilities of Arbitration
As the digital revolution progresses, there is an increasing awareness of the risks of harm and disruption associated with a potential cyber attack or data breach. In the context of arbitration, and especially international arbitration, cyber risk is especially significant for a number of reasons. Most notably:
- Arbitration proceedings are highly confidential and involve issues and disclosures that the parties wish to remain private. In some cases, the very fact of the proceedings may not be disclosed in an effort to avoid financial loss or disruption.
- Privileged information is at stake, which might include sensitive and valuable data, or potentially harmful admissions.
- In international arbitration matters involving governments, highly sensitive political information and communications may be exchanged and, if disclosed, could have political or economic ramifications.
In addition to these heightened risks, the arbitration industry is especially vulnerable to cyber disruptions:
- Data Sharing: Parties often exchange sensitive data, documents, and communications, internally and externally, by email, cloud-based share drives, or even portable devices. In fact, arbitral tribunals have been increasingly moving towards completely digital document productions, relying on tools and technologies such as cloud-based storage to host and share data, especially in cross-border matters. While password protection is often employed, passwords are often shared via email, usually unencrypted and "in the clear", undermining their efficacy. Moreover, there are many actors intertwined in the arbitral process—the parties, counsel, government agencies, experts, witnesses, arbitral institutions, and the tribunal—and each is independently susceptible to a cyber attack or data breach that could impact all other parties involved.
- Government Involvement: In international arbitrations involving a government party with sophisticated cyber capabilities, there is a risk that the government could attempt to obtain evidence or strategic information from the opposing party through nefarious cyber activities. There is already precedent for this type of malicious behavior in several arbitrations, including Turkey intercepting privileged correspondence in Libananco v. Republic of Turkey (ICSID ARB/06/8) and China's alleged hacking of the Permanent Court of Arbitration's website during a hearing in The Hague regarding a territorial dispute with the Philippines.
- Travel: Almost all arbitration matters, especially those with an international component, involve a certain amount of travel. Public Wi-Fi access, Bluetooth connectivity, and the possibility of lost, stolen, or confiscated electronic devices pose a serious information security threat.
- Prime Targets: Law firms, both in the United States and internationally, are quickly becoming prime targets for cyber attacks because they hold in their possession highly sensitive client data. These clients include multinational organizations, governments, and prominent public figures, all of which are prime targets for cyber attacks in their own right. But the protections that law firms have put in place, if any, are often largely inadequate, making them easier targets for cybercriminals seeking to retrieve this sensitive data. More than 100 law firms have reported data breaches in recent years, and yet many attorneys continue de-prioritizing cybersecurity and the protection of client data. These shortfalls are not intentional, but more likely the result of the ever-evolving nature of cybersecurity, the challenges of keeping cybersecurity measures current, and grappling with the practical requirements of implementation. Moreover, there is no one-size-fits-all approach upon which law firms and their clients may rely. Mid-size and smaller law firms, or law firms in developing countries, cannot be expected to expend the same resources on cybersecurity as much larger law firms, despite their possession of equally sensitive and confidential information.
This combination of heightened cyber risk and vulnerability is particularly dangerous. If arbitration is considered exceedingly susceptible to cyber attacks, it will quickly lose favor as the preferred dispute resolution mechanism for organizations relying on arbitration's assurance of confidentiality and privacy. The industry has long been in dire need of a move towards cyber resilience and, recently, several arbitration organizations have charted the path to get there.
Cyber Resilience: The March Forward
In recognition of the evolving threat landscape, the growing cyber risks, and the reality that arbitration might become a more frequent target for cyber attacks, industry professionals are acknowledging and addressing the cyber vulnerabilities of arbitration. One of the most recent examples of this is the release of the Cybersecurity Protocol for International Arbitration (2020) (the Protocol), prepared by representatives from the International Council for Commercial Arbitration (ICCA), the International Institute for Conflict Prevention & Resolution (CPR), and the New York City Bar Association (NYCBA). While other organizations, such as the International Bar Association's (IBA) Presidential Task Force on Cyber Security, had already released cybersecurity guidelines for the legal industry, the Protocol is unique in its focus on arbitration. The Protocol provides a helpful framework for determining reasonable information security measures necessary for arbitration matters, and is applicable to both international and U.S.-based arbitrations.
It bears noting that, more recently, the ICCA-IBA Joint Task Force on Data Protection in International Arbitration released a draft Roadmap which addresses the data protection issues that might arise during arbitration proceedings and how data protection principles may be applied to arbitration. While compliance with data protection laws is critical, it is only one piece of the overall cybersecurity puzzle, and applying general data protection principles can both complement and bolster a cybersecurity strategy.
In practice, every arbitration matter will require unique cybersecurity considerations tailored to the circumstances of the case. In order to develop an appropriate cybersecurity approach, follow these guiding steps:
- Cyber Risk Profile Analysis: Determine what the potential cybersecurity threats are to the arbitration, where the vulnerabilities are, and what the potential consequences of a data breach might be. As part of this analysis, consider the subject matter and sensitivity of the information that might be collected and shared (for example, particularly sensitive information may include intellectual property, trade secrets, and politically sensitive information, among others), as well as the procedural aspects of the arbitration (such as the likelihood of international travel).
- Cost-Benefit Analysis: Determine the existing cybersecurity capabilities of the parties and their ability to deploy cybersecurity measures to mitigate cyber risks, and analyze the cost and burden of additional cybersecurity measures against the risks of breach and sensitivity of the information at stake.
- Legal Analysis: Consider and comply with the applicable data protection laws and regulations from the outset of the arbitral process. This is particularly important in international arbitration, where parties must determine what national data protection laws and regulations apply and their impact on the processing of data over the course of the arbitration. Failure to comply with applicable laws can have serious consequences. For example, the European Union's General Data Protection Regulation (GDPR) has created a palpable panic across the industry due to its supranational impact and imposition of substantial punitive sanctions. Once it is finalized, the data protection guidance provided in the ICCA-IBA Roadmap will likely serve as a helpful tool in navigating the application of data protection laws to arbitration proceedings.
- Procedure: During the initial procedural conference, discuss and incorporate reasonable cybersecurity measures into the Terms of Reference or Procedural Order. This should include how to limit the disclosure of sensitive information, how sensitive information must be stored, shared, and destroyed, as well as other agreed-upon and legally required data protection measures. In case a cyber incident does occur, it is also imperative to define procedures for notifying affected parties and for mitigating the impacts of a cyber attack or data breach. Note that flexibility is key and the cybersecurity protocol in place should allow for amendments as needed in response to evolving case circumstances.
- Implementation: All parties must agree to strictly abide by the agreed-upon cybersecurity measures, as must the tribunal, witnesses, experts, and other third parties. Requiring any party who will receive sensitive data to first sign a certification of compliance with the applicable cybersecurity procedures is a helpful accountability tool.
- Remedies in Case of Breach: Adopt procedures that, in case of a cyber incident or data breach, allocate costs to the party responsible for the incident and allow for the imposition of discretionary sanctions. Such provisions incentivize parties to comply with the cybersecurity measures put in place.
Perhaps in a legal practitioner's utopia, the sole focus during an arbitral proceeding would be the basics: the facts, law, and strategy. However, if advocates for arbitration as a dispute resolution mechanism want to preserve its highly confidential and private nature—which are arguably the most appealing features of arbitration—a true cybersecurity revolution that involves implementing more mature processes and practices is imperative. Cybersecurity must become a material consideration during the arbitral process. While progress is being made, the march towards cybersecurity maturity is only just beginning. The next step is for all arbitration users to familiarize themselves with the recommended cybersecurity frameworks and make cybersecurity a priority throughout the arbitral process if we hope to achieve a breakthrough in cyber resilience for the arbitration industry as a whole.
Randa Adra is a counsel in the New York office of Crowell & Moring, where she practices in the firm's international dispute resolution and litigation groups.