Tackling Cyber Security Threats in Arbitration – Have We Done Enough?
Keywords: cyber security, information security measures, hacking, data breach
Understanding the cyber-security threats
Phishing, data breaches, malware infection, ransomware and supply chain compromise are some of the common forms of cyber-security threats prevalent in the legal sector.[1] Law firms across nations have been targets of data breaches and phishing attacks.[2] The increased dependence on technology during the Covid-19 pandemic has only amplified the risk of cyber-security threats. In May 2020, owing to a ransomware attack within the Texas Judicial Branch, several websites and servers had to be disabled.
Arbitrations are not an exception to this trend. The variety of information technology used in arbitrations, including e-mails, cloud storage, hearing room technologies and software for interpreting, translating and document presentation, provides a wide landscape for cyber-security threats. The presence of high-profile parties, the significant amount of personal and commercially sensitive information, and the constant transfer of such information between numerous participants in an arbitration make arbitrations a lucrative target for cyber-attackers.
Some known instances of cyber-security threats in arbitrations include the hacking of the Permanent Court of Arbitration’s website; the hacking of the Government of Kazakhstan’s server and the online leakage of privileged communications with its counsel; and, in Libanco v. Republic of Turkey, Turkey’s presentation of evidence that it admittedly obtained by hacking in a separate criminal investigation.[3]
Such cyber-security incidents in arbitration can cause several economic, social and psychological harms to the parties, including loss of personal/commercial data, money, intellectual property and reputation; a fall in market value; and potential regulatory actions. Moreover, after a cyber-security incident, the participants may find it difficult to trust the arbitration and may also question the authenticity of any data that is presented.
Lastly, cyber-security threats compromise the parties’ expectation of a private and confidential mode of dispute resolution. Overall, such threats undermine the integrity of the arbitral process, impede public confidence in arbitration and reduce its attractiveness.
Recognising that cyber-security threats are a real risk for arbitrations, the present article seeks to analyse the available legal framework to tackle them.
Legal framework to tackle cyber-security threats
The International Council for Commercial Arbitration, the New York City Bar Association and the International Institute for Conflict Prevention and Resolution (CPR) formed a Working Group that has released a Protocol on Cyber-security in International Arbitration, 2020 (“Protocol”). The Protocol provides a framework to incorporate and implement reasonable information security measures (“ISM”), i.e., technical and organizational measures, to be adopted in arbitrations to secure against cyber-security threats.
The Protocol prescribes that parties must exercise their autonomy to agree upon reasonable ISM. Thereafter, the arbitral tribunal has final authority to determine the ISM applicable to the arbitration. The Protocol further prescribes that the tribunal may depart from the parties’ agreement, to raise or lower the standards of the ISM, based on the capabilities of arbitrators and institutions, the interests of third parties such as witnesses, and the protection of the legitimacy/integrity of the arbitral process. Once the ISM are agreed upon, it is the duty of all the custodians, including the administering institution, fact/expert witnesses, service providers and any other participants having access to arbitration-related information, to implement them. Furthermore, parties, arbitrators and the administering institution have the responsibility to ensure that any person involved in the arbitration on their behalf is aware of, and follows, the duly agreed ISM. It must be noted that while determining ISM, regard must be given to the standards of security required by the applicable data protection regimes.[4]
Analysing the cyber-security framework under the Protocol
Agreement and implementation of ISM
The procedure in the Protocol to agree upon and implement reasonable ISM may not play out smoothly. Parties to an arbitration often vary in size and financial capability, and attach different value/usefulness to a dispute. Depending upon the information exchanged in an arbitration, each party may expect a different level of security. Thus, it may be difficult for parties to reconcile their varying interests and agree upon a single set of ISM.
Cost and time considerations may be raised by arbitrators, who often function as single practitioners and may not have access to financial/human resources, including comprehensive IT services and organizational processes, comparable to those at the disposal of larger organizations.[5] Witnesses may have similar cost considerations in implementing the ISM.
Thus, at the outset, where a case involves sensitive information requiring expensive and time-consuming ISM to be implemented, the parties must be careful in their selection of arbitrators/institutions/service providers who will be able to meet high security standards. Similarly, where parties expect an arbitration to involve sensitive material, such as trade secrets, it may be efficient to include at least minimum standards of ISM while drafting the arbitration clause.
Adoption of ISM may be approached as an additional procedural matter to be negotiated between the parties, just as parties negotiate terms of reference, timelines, sole arbitrator appointment, etc. In order to reconcile any differences, participants must analyse whether any alternative, less expensive ISM can be incorporated.[6]
However, in case of a deadlock between the parties, the tribunal will have to carefully balance the benefits of the ISM against their costs, considering factors such as the value of the dispute and the sensitivity of the information.[7] In doing so, the tribunal must keep in mind the underlying considerations of fairness. The ICC Commission Report on Information Technology provides that “no party should be allowed to insist on a particular IT solution in order to make the proceedings more difficult or expensive for another party”.[8] Accordingly, if the proposed ISM put an unreasonable burden on a party, they must be denied. Lastly, parties should be responsible for the costs incurred by witnesses in implementing ISM.
It must be noted that the content of the ISM prescribed in the Protocol is not tailored to the needs of differently sized entities involved in an arbitration. As a result, there is a need to re-think/tailor the ISM prescribed in the Protocol from the perspective of small/medium-sized entities. Until then, in negotiating ISM, guidance may be taken from the International Bar Association’s Cybersecurity Guidelines, 2018 (“Guidelines”). Cognizant of the cost and time considerations of single practitioners and small/medium-sized enterprises, the Guidelines categorise the requirement for each cyber-security measure (both technical measures and organizational processes) according to organization size. Thus, for instance, while the ISM of ‘malware defences’ is expected to be implemented by organizations of all sizes and by single practitioners, the ISM of ‘strictly managing access control’ is expected to be implemented by large-sized organizations but is optional for single practitioners.
Knowledge-gap
The parties and arbitrators may not be well aware of the cyber risks, the available security standards and the rationale behind them, or the manner of tailoring the security standards to suit an arbitration’s profile. The technical jargon used in ISM may also hinder comprehension and implementation of the ISM. The casual attitude of participants towards cyber-security threats, often owing to a lack of awareness, may make it even more difficult to agree upon ISM.
This knowledge-gap must be addressed in an inter-disciplinary manner. At the outset, there is a need to initiate a dialogue on the importance of cyber-security measures in arbitration. It may be commercially and competitively beneficial for arbitral institutions to resolve such knowledge-gap issues.[9] Institutions may, at a cost, either hold training sessions for participants or provide trained IT experts who could assist in determining the ISM suitable to each arbitration profile. For instance, the AAA-ICDR has initiated a cyber-security training course for arbitrators on its panels. The AAA-ICDR Cybersecurity Checklist may also serve as a good starting point for cyber-security related discussions.
Furthermore, the arbitral community should develop practical guidance on the ISM indicated in the Protocol. For example, the Protocol mentions the use of encrypted e-mail and file-sharing services as a technical ISM. An indicative list of vendors that provide such services may further assist arbitral participants. Some institutions have gone a step further and are providing such technical ISM in-house. The International Chamber of Commerce’s ‘NetCase’ service for encrypted communications between participants is a case in point.
Violation of ISM
The Protocol does not prescribe a liability regime for violation of ISM. It does, however, provide a limited recourse by empowering the tribunal to impose costs or sanctions on the parties in case of a violation of ISM. Participants may also have remedies regarding the implementation of information security measures under applicable national laws.
The Protocol states that parties are free to make agreements that allocate liability for violation of ISM. Thus, subject to applicable law and public policy considerations, parties may consider incorporating indemnity and limited liability clauses for violation of the ISM agreed between arbitral participants.[10]
Cyber-security incident
Similarly, the Protocol does not prescribe a comprehensive remedy for a cyber-security incident. It provides a limited recourse by empowering the tribunal to impose costs or sanctions on the parties in case of a cyber-security incident.
Participants may have a remedy against a cyber-security incident under the applicable national laws. For instance, under some data protection regimes, data subjects may have a right to claim compensation as a private remedy.[11] However, the standard for awarding compensation varies between nations.[12] Moreover, many countries do not yet have a comprehensive data protection regime in force.[13] Countries that do have a data protection regime may exclude its applicability to arbitrations.[14]
Apart from such uncertainty of remedy under applicable laws, it must be noted that an enterprise requires substantial finances to recover from a cyber-security incident. In order to mitigate the financial impact of a cyber-security incident, participants may consider recourses other than those under the data protection laws. Purchasing a cyber-insurance policy may be useful for covering post-incident expenses, including forensic investigations, business losses and lawsuits. Subject to applicable law and public policy requirements, parties may consider contractual liability clauses (such as indemnities) for allocating some of the losses suffered as a result of a cyber-security incident as a possible remedy.[15] The parties may also craft their cyber-insurance policies to cover such indemnities.
Post-incident action plan
Article 18 of the UNCITRAL Model Law prescribes, “the parties shall be treated equally, and each party shall be given full opportunity to present his case”. This principle forms part of the broader mandatory principle of ‘due process’, which requires disputes to be settled in a fair and proper manner.
After a cyber-security incident, data may be lost or destroyed. This loss may hamper a party’s ability to fully present its case. Where copies are not available, internal remedies such as allowing older versions or related notes of the lost data should be considered, so that fairness is maintained and the incident does not disadvantage a party.
Thus, there is a need to come up with an action plan to deal with cyber-security incidents, so that after an incident the fair trial rights of the parties are not compromised. The admissibility of hacked evidence is another, related issue that must be considered.[16]
Conclusion
Cyber-security threats are no longer a futuristic possibility but a tangible risk for arbitrations. The Protocol is the first concrete step to address such risks. However, the arbitral community must address the gaps in the Protocol, especially with regard to (i) aligning differently placed organizations on a single set of ISM, and (ii) remedies for a cyber-security incident. Institutions should take the lead in addressing knowledge-gaps and assisting participants with technical ISM. Overall, there is a need to initiate a dialogue to increase awareness of cyber-security concerns and the ways to tackle them. This article is one such humble attempt at the same.
ENDNOTES
[1] These terms have distinctive meanings. The following sources may be useful to understand these cyber-security threats: U.K. National Cyber Security Centre, The cyber threat to UK legal sector, July 19, 2018, available at https://www.ncsc.gov.uk/report/-the-cyber-threat-to-uk-legal-sector–2018-report; National Initiative for Cybersecurity Career and Studies, Cybersecurity glossary, available at https://niccs.us-cert.gov/about-niccs/cybersecurity-glossary.
[2] PWC U.K., Law Firms’ Survey, 2019, p. 26, available at https://www.pwc.co.uk/industries/law-firms/pwc-law-firms-survey-report-2019.pdf; BBC, Chris Baraniuk, Cyber criminals ‘hacked law firms’, March 21, 2016, available at https://www.bbc.com/news/technology-35933246; The National Law Review, “Panama Papers” Law Firm Announces Its Closure Due to Fallout from Massive Data Breach, March 15, 2018, available at https://www.natlawreview.com/article/panama-papers-law-firm-announces-its-closure-due-to-fallout-massive-data-breach.
[3] ICC Guest Blog, Christian Albanesi and Marie-Isabelle Delleur, The issue of cybersecurity in legal practice, November 12, 2018, available at https://iccwbo.org/media-wall/news-speeches/guest-blog-issue-cybersecurity-legal-practice/.
[4] For instance, Article 32 of the EU GDPR requires the implementation of appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Although the requirement to implement ISM overlaps between data protection laws and the Protocol, the purpose of implementing ISM differs. The ISM requirements under the Protocol are for the purpose of mitigating security threats and thereby protecting the integrity and privacy of arbitrations. While implementing ISM may facilitate compliance with the standards of security expected under data protection laws, that is not the purpose and focus of the Protocol.
[5] ADR Institute of Canada, Publications, Anca M Sattler, Cybersecurity threats in arbitration are real: Why take a risk?, available at https://adric.ca/adr-perspectives/cybersecurity-threats-in-arbitration-are-real-why-take-a-risk/.
[6] Protocol on Cyber-security in International Arbitration, 2020.
[7] International Chamber of Commerce, ICC Commission on Arbitration and ADR, Information Technology in International Arbitration, October 2017, available at https://iccwbo.org/publication/information-technology-international-arbitration-report-icc-commission-arbitration-adr/.
[8] Ibid.
[9] In a survey titled ‘Cybersecurity in International Arbitration: Don’t be the weakest link’ conducted by Bryan Cave Leighton Paisner, 68% of the respondents stated that they were ‘more likely to use the arbitration rules of an institution that was able to provide advice and assistance on appropriate data security measures’. Bryan Cave Leighton Paisner, ‘Cybersecurity in International Arbitration: Don’t be the weakest link’, February 6, 2019, available at https://www.bclplaw.com/en-US/insights/bclp-annual-arbitration-survey.html.
[10] DLA Piper Blogs, John McKinlay, Ross McKean, Linzi Penman, UK: Liability Limits For GDPR In Commercial Contracts – The Law And Recent Trends, February 7, 2019, available at https://blogs.dlapiper.com/privacymatters/uk-liability-limits-for-gdpr-in-commercial-contracts-the-law-and-recent-trends/.
[11] See Article 82(1) of the EU General Data Protection Regulation: “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”. The data protection regime has been argued to be applicable to arbitrations; thus, remedies should be available for breach of obligations. See David Rosenthal, Complying with the General Data Protection Regulation (GDPR) in International Arbitration – Practical Guidance, Kluwer International Law, 2019, available at https://www.rosenthal.ch/downloads/Rosenthal-ArbitrationGDRP.pdf; Kathleen Paisley, It’s All About the Data: The Impact of the EU General Data Protection Regulation on International Arbitration, 41 Fordham International Law Journal 4, 2018, available at https://ir.lawnet.fordham.edu/cgi/viewcontent.cgi?article=2707&context=ilj.
[12] Cearta.ie, Eoin O’Dell, Compensation for non-material damage pursuant to Article 82 GDPR, March 6, 2020, available at https://inforrm.org/2020/03/10/compensation-for-non-material-damage-pursuant-to-article-82-gdpr-eoin-odell/.
[13] India and Pakistan are examples of countries that do not have such a comprehensive regime yet.
[14] For instance, Switzerland: “Switzerland is currently revising the DPA along similar lines as the GDPR. However, contrary to the GDPR, the Federal Council has suggested that the scope of the current draft bill should be interpreted to exclude proceedings of arbitral tribunals with their seat in Switzerland.”, David Rosenthal, Supra Note 11.
[15] Supra Note 13.
[16] Edna Sussman, Cyber Attacks: Issues Raised in Arbitration, 11 New York Dispute Resolution Lawyer 2, 2018, available at https://sussmanadr.com/wp-content/uploads/2018/12/cyber-intrusion-NYSBA-fall-2018-Sussman-2.pdf.
Saniya Mirani is an associate at one of the leading law firms in India. She has experience in the Dispute Resolution, Corporate and Funds practice areas. An alumnus of the West Bengal National University of Juridical Sciences, Saniya has won multiple accolades, including at the prestigious Willem C. Vis Moot Court Competition (2017).
The views and opinions expressed in the article are those of the author(s) solely and do not reflect the official position of the institution(s) with which the author(s) is/are affiliated. Further, the statements of the author(s) produced herein should not be construed as legal advice.