Coronavirus, smart working and digital communications systems: general problems and threats arising at companies' level and within the law firms
The state of emergency related to the spread of COVID-19, which has caused an unexpected global move of law firms, clients and institutions to remote working procedures, is likely to produce an increase in malware attacks. Indeed, despite the digitalisation process and the considerable amount of money invested by law firms in cybersecurity and safety nets, most of the players in the legal market, as well as their clients, are not prepared to manage the new situation properly, especially considering its massive scale and the uncertainty regarding how long it will last. At the same time, we can forecast an increase in litigation and arbitration procedures due to the number of contractual breaches related to the emergency, a move towards online dispute resolution, and a rise in hearings and discovery conducted remotely. For these reasons, we decided to write this article, which includes an analysis of possible risks, a consideration of current practices in the arbitration field and some suggestions regarding how to manage this state of uncertainty.
Over the past few years, the information systems of many international companies have been breached, and malware has spread across telephone operators, utilities, hospitals, public institutions, small enterprises and professionals. Law firms, not surprisingly, have been one of the favourite targets of cyberattacks. According to the NCSC (National Cyber Security Centre), in 2017 cybercriminals stole more than £11m of client money from UK firms. In particular, 60% of legal firms reported attacks in 2017, up from 42% in 2014. Regarding the United States, the CNA Professional Counsel bulletin shows that 80 percent of the largest firms have experienced a cyber breach. Hackers have been able to appropriate and exploit very sensitive data, such as data involving mergers and acquisitions, patents or, in general, data connected with companies, employees and legal disputes with customers. Reputable firms like Cravath Swaine & Moore, Weil Gotshal & Manges, and DLA Piper have all had dramatic experiences with hacking, and Mossack Fonseca had to close its offices completely after the Panama Papers data breach. Even the world of arbitration was affected in 2015, when the Permanent Court of Arbitration in The Hague, the Philippines' Department of Justice, and the law firm representing the Philippine State were hacked during an arbitration between China and the Philippines.
In recent years, many institutions have highlighted the need for significant action on the matter. As an example, the American Bar Association (ABA) created a dedicated task force and released in 2019 a cybersecurity report focusing on four critical areas (incident awareness, incident response plans, encryption, and cyber insurance). We suggest that every professional, as well as every IT department of law firms and institutions, take note of the indicated measures. We would also like to stress the work of the IBA, whose focus on cybersecurity has produced a set of useful best practices which operate mainly along three broad areas: technology, organisational processes and staff training. The recommendation part is quite detailed and takes into account various forms of security measures, training, firm size and awareness.
For instance, these are some of the generally suggested practices related to the technology area: i) keeping system software always updated; ii) implementing endpoint protection, meaning the protection of computers and other internet-connected devices that have access to the firm's network; iii) securing internet connections through a virtual private network (VPN) if staff are working remotely; iv) enforcing mandatory security settings and, if a personal device is used in any way for business purposes, trying to ensure the separation between personal and firm data through a sandboxed environment; v) choosing secure web browsing and email and, if possible, not operating on free web-based email accounts (eg, Gmail and Hotmail); vi) implementing (i) data retention, (ii) automatic deletion or archiving of the oldest emails and files, (iii) database backup technology that automatically backs up data daily, and (iv) an audit and automatic alert system that fires whenever pre-defined suspicious activity occurs; vii) encrypting data so that it cannot be read by individuals who do not have the encryption password; viii) strictly managing access to documents and assets, ensuring that access is granted only to users who actually need those documents to carry out their professional duties; ix) scanning removable devices such as flash drives or memory cards.
Cybersecurity and arbitration: a need for protection
Unlike judicial proceedings, usually characterised by public hearings and reports accessible to third parties, arbitrators resolve disputes between parties confidentially. This element makes the field even more appealing to hackers intending to steal sensitive data. Among the various risks:
- economic loss for parties, arbitrators, institutions, witnesses or other persons/entities whose commercial information or personal data is compromised;
- reputational damage to arbitral institutions, arbitrators and counsels, as well as to the system of arbitration overall;
- potential liability under applicable laws and other regulatory frameworks;
- unauthorised use of private corporate information and consequent distortion of stock markets;
- adverse media coverage;
- breaches of attorney-client confidentiality;
- possibility of facing significant data recovery costs.
The 2020 ICCA Protocol
The 2020 edition of the Protocol was released by a working group composed of ICCA (International Council for Commercial Arbitration), the New York Bar Association, and the International Institute for Conflict Prevention and Resolution (CPR). It follows the Consultation Draft Protocol released at the ICCA congress in 2018 and currently represents the main reference on the matter, at least from the arbitration perspective.
The Protocol stresses the presence of "increasingly pervasive cyberattacks", and the necessity of assessing security risks and identifying available measures that may be implemented. However, it does not aim to be "a one-size-fits-all" solution, acknowledging the necessity of a case-by-case analysis. For this reason, the 14 principles do not lay down a set of prescriptive rules, opting instead to provide a framework for parties and institutions, and to increase awareness about information security [1].
Among the various principles, we would point out number 9, which encourages agreements between the parties on cybersecurity matters. This relates to the fact that parties are in the best position to evaluate which kind of measures have to be taken, and they can determine the factors that are likely to impact the risk profile of the arbitration (e.g. subject matter, value, participants, language etc.). We also highlight principles 10 and 11, which focus on the role of the Tribunal, both in terms of ordering specific measures (such as limiting the disclosure of confidential information and personal data), and raising the issue of information security as early as possible.
On a critical note, the Protocol lacks specific liability standards and does not prescribe to what extent disclosure has to be limited, or how to communicate confidential information. Even compliance with data protection regimes, such as the EU GDPR, is supported but not guaranteed. As mentioned in the introduction, "the focus of the Protocol is on mitigating information security risks and not on achieving compliance with such regimes. The Protocol does not supersede applicable legal or other binding obligations, and implementation of the Protocol does not guarantee compliance with data protection regimes".
So, how can arbitrators, but also parties and their advisers, modify, store and transmit sensitive documents worldwide in a secure manner?
The obvious answer would be by promoting the use of platforms specifically designed for the arbitration field. These platforms, using specific access criteria, encryption systems and the possibility of monitoring the parties seeking access to the database, may provide an opportunity to ensure greater security for the sharing of sensitive data. However, that would be just a good beginning. Indeed, it is also possible to identify pressing needs in relation to i) training of cybersecurity experts specialised in the arbitration field; ii) definition of protection and control policies, strategies, and programmes to protect data, networks, and systems; iii) management of situations, events and people in the presence of cyberattacks; iv) creation of a culture of cybersecurity in companies, law firms and arbitral institutions [2].
As one might expect, these interventions are hard to realise, because of issues such as the following:
- difficulty in identifying codified rules and procedures aimed at regulating the transfer of information and, upon a party's request, the deletion of sensitive data;
- e-mails and consumer-oriented cloud-based services, even if generally considered unsafe, are widely used in the field;
- most arbitration practitioners and parties lack basic technological knowledge in relation to data protection;
- the approach of the various arbitral institutions regarding cybersecurity matters tends to be quite variable;
- an investment in cybersecurity is a fixed cost for parties and institutions, which can hardly be charged to the clients;
- because of the confidentiality element and the willingness to avoid bad publicity arising from a cyberattack, it is quite difficult to rely on consistent and high-quality data on data breaches.
Another aspect that should be evaluated in relation to cybersecurity and arbitration provisions is whether training, platforms and protocols should be mandatory. Do we want to consider cybersecurity practices as a mandatory element in procedures, as for example in banking transactions, or as an optional element? Usually protocols are intended to be applied by common agreement between the parties or following a decision by the arbitral Tribunal, providing flexibility and taking into account the individual circumstances of each case. Perhaps, at this moment, it could be necessary to insist on uniform practices and the mandatory application of safety standards.
With reference to the organisational processes and the necessity for a staff training system, it is significant that the vast majority of successful cyberattacks are due to human error. For this reason, we highlight the crucial role of organisational solutions that law firms and institutions should implement, such as the following:
- defining roles and responsibilities. Among them is the activity (and responsibility) of a designated cybersecurity officer who enforces the firm's cybersecurity policies;
- implementing protection protocols and cybersecurity policy documents;
- conducting risk assessments and periodic system testing;
- considering and evaluating legal and regulatory data protection obligations, operating in the jurisdiction of the firm and in the jurisdictions of the third-party contractors that the firm or the institution engages;
- assessing contractual obligations with vendors and third parties and, where possible, requiring that such vendors and third parties adhere to minimum cybersecurity standards;
- subscribing to cyber-liability insurance to cover the costs related to a data breach, such as notification expenses, litigation, loss of income, regulatory fines and penalties;
- never underestimating training and testing with regard to the (i) common forms of cyberattacks, (ii) methods on how to deal with such attacks and (iii) applicable cybersecurity policies, procedures and guidelines of the firm/institution.
Even though the autonomy of parties and Tribunals is a crucial element of arbitration procedures, there is a risk that excessive freedom in managing sensitive data could lead to dangerous outcomes. The credibility of any dispute resolution mechanism depends on the trust placed in it by the parties. It is undeniable that, especially in these times of emergency and remote work, we need an extraordinary level of data protection, as well as better internal and external responses to cyberattacks, to allow the smooth functioning and the good reputation of arbitral procedures. The volume of malware is growing substantially year after year and is likely to keep increasing. It is urgent to consider investment in security as a necessity, and not just an option, because the possible consequences of underestimating these issues could be dramatic from a social, economic, and juridical perspective.
[1] On that note, we highlight the detailed list set out in Schedule A, which provides good indications regarding measures that can be taken by the parties.
[2] CINI, Cybersecurity National Lab, "The future of Cybersecurity in Italy: Strategic focus areas. Projects and Actions to better defend our country from cyber attacks", 2018.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.