"There's no silver bullet solution with cyber security, a layered defence is the only viable defence."- James Scott
One of the core reasons why parties choose to resolve their disputes through arbitration rather than through court proceedings is the promise of confidentiality. Unlike court proceedings, arbitration provides parties with a private forum in which to resolve disputes. However, the promise of confidentiality is marred by despicable attempts of cyber criminals to break the sanctity of the forum. This modern threat specifically targets the legal sector. Despite the underlying threat, legal professionals, parties and arbitral tribunals continue to rely on insecure platforms like 'clouds' and repositories as basic as 'Google Drive', as well as unencrypted emails. To prevent a series of unfortunate events from shaping up, several guidelines and regulations have been released. These include, inter alia, the General Data Protection Regulation, the IBA Cybersecurity Guidelines [1], the Cybersecurity Protocol [2], and the public consultation draft of the ICCA-IBA Roadmap to Data Protection in International Arbitration [3].
Contrary to the general assumption, it is not uncommon for hackers to target various cogs in an international arbitration. The reasons for this are manifold:
First, high-stake international arbitrations often involve parties that are themselves prominent targets of cybersecurity attacks, e.g. multi-national groups, governments or state entities, public figures and/or NGOs. Further, disputes submitted to international arbitration more often than not require evidence of facts which are withheld from the public domain and which might have the potential to influence politics and financial markets. Moreover, international arbitrations involve parties from various jurisdictions that operate from a variety of locales. Parties are usually represented by large and often cross-border legal teams/firms. Lastly, in-house lawyers, counsel and arbitrators tend to travel extensively and work from multiple places. These factors augment the risk of being hacked by electronic means as well as the theft of physical data. The following may be targeted:
Legal Teams - More often than not, law firms, legal counsel, teams etc. are at significant risk of an attack. Law firms, particularly, present a soft target for hackers. A study released by LogicForce [4], a cybersecurity consulting firm, revealed that major firms had been exposed to hacking attempts. In Libananco v Republic of Turkey [5], Turkey admitted to having intercepted Libananco's correspondence with its counsel and third parties for a separate criminal investigation. Despite being at risk of grave exposure, most law firms are not amply prepared to cope with these risks. According to the LogicForce Survey, 95% of firms were not fully compliant with their own data governance and cybersecurity policies and only 23% had an adequate cyber-attack insurance policy in place. [6]
Arbitrators and Arbitral Institutions - Arbitrators attempt to ensure cybersecurity to the best of their ability. However, arbitrators may or may not have access to sophisticated IT support. As a cache of sensitive data, arbitral institutions are also highly exposed to cybersecurity risks. In July 2015, the website of the Permanent Court of Arbitration in The Hague was hacked during a hearing of a sensitive maritime border dispute between China and the Philippines. Despite the risks involved, many arbitration institutions continue to rely upon relatively insecure storage and communication systems. Moreover, institutional rules tend to be silent on cybersecurity and allow communications and transfer of data between the parties and the tribunal by any unencrypted electronic means.
In the light of the current scenario, institutions should be technologically updated to serve the needs of the parties. Presently, most arbitrations are being undertaken remotely through electronic and digital means and 'paperless' proceedings are on the rise. Procedural guidelines and rules need to be framed in order to adequately address the cybersecurity concerns.
An example of the same is the HKIAC 2018 Administered Arbitration Rules [7], wherein files may be uploaded "to any secured online repository that the parties have agreed to use" as a recognised means of communication. Another notable example is the LCIA 2020 Arbitration Rules [8], which incorporate new provisions on data protection, cybersecurity and regulatory issues, wherein the tribunal may consider whether security measures are to be adopted for the protection of physical/electronic information and personal data shared. Further, Principles 11 and 12 of the Cybersecurity Protocol authorise the tribunal to determine the appropriate cybersecurity measures. Passing on the baton in order to achieve cyber security, the IBA Guidelines contain several recommendations for legal teams which are worth mentioning. They include the following:
- password encryption with multi-factor authentication,
- a cybersecurity policy,
- implementing endpoint protections,
- ensuring the use of secure networks,
- encrypting data and devices,
- vendor and third-party provider risk management, and
- staff training about the importance of cybersecurity and common threats.
Since there is no collective approach to maintaining confidentiality in arbitrations, a certain degree of special care is also required while drafting arbitration clauses so as to ensure confidentiality in the dealings and interests of the parties. An array of contradicting opinions exists on various aspects of confidentiality, namely:
- Whether confidentiality extends to commercially sensitive information and awards or to any/all information relating to proceedings?
- Whether witnesses are obligated to maintain confidentiality and to what extent?
- Whether confidentiality must be maintained during court proceedings arising out of arbitration?
Though the institutional rules favour confidentiality, the ICC Rules do not provide for the same per se, leaving all confidentiality issues at the tribunal's mercy. Due to the inconsistencies in domestic laws and institutional rules, parties must protect their interests by having specific confidentiality provisions in arbitration agreements.
The outbreak of the COVID-19 pandemic has given further impetus to virtual hearings. Due to the ease and increased efficiency, the trend of remote hearings is likely to continue. Many arbitral institutions have also introduced their own guidelines to manage and support the conduct of virtual hearings, such as the use of an access-controlled video conferencing platform/software with an authentication process, the use of encrypted communications, clear identification of data storage facilities, as well as robust administrative controls in order to maintain the security and integrity of data.
The ease and efficiency of arbitration necessitate that concerns related to data security threats be addressed through innovative means. Parties must also partake in increasing security by clearly providing for the required confidentiality protection through effective drafting of the arbitration clause. Different arbitral institutions fail to provide a uniform standard, due to the prevailing competition in the arbitration business. Since parties often choose a generic arbitration clause to avoid focusing on contingent future disputes, a uniform confidentiality protection mechanism is the need of the hour. Further, adoption of various guidelines by the tribunal would considerably minimise the chances of data leaks.
1. Available at: https://www.ibanet.org/LPRU/cybersecurity-guidelines.aspx
4. Available at: https://www.logicforce.com/reports/detail/cybersecurity-q1
5. ICSID ARB/06/8
7. Article 3.1(e), Available at: https://www.hkiac.org/sites/default/files/ck_filebrowser/PDF/arbitration/2018_hkiac_rules.pdf
8. Article 30A, Available at: https://www.lcia.org/Dispute_Resolution_Services/lcia-arbitration-rules-2020.aspx