by Arijit Sanyal
The Chartered Institute of Arbitrators (“CIArb”) has come up with its fifteenth guideline aimed at providing a framework for the use of technology in international arbitration. The CIArb Framework Guideline on the use of Technology in International Arbitration (the Guidelines) consists of non-binding procedural guidelines dealing with general practices vis-à-vis the use of technology in international arbitration under Part I of the Guidelines (discussed in a previous blog here) and certain specific practices under Part II of the Guidelines. Titled “Guidance on Cybersecurity in International Arbitration”, Part II of the Guidelines is anchored around best practices and implementation mechanisms, to aid not just the institutions, but the parties and the panel(s) as well, should the need ever arise.
PART II of Guidelines
While Part I of the Guidelines is aimed at framing certain rules for aiding institutions while using technology, Part II of the Guidelines is aimed at meeting specific ends, i.e., best practices to avoid data breaches of any kind.
Guideline 7: Standard Security Measures
The Guideline permits the parties to implement certain standard security measures without professional support or prohibitive costs (Guideline 7.1). While the Guidelines are silent in terms of an implementation mechanism, it can be inferred from the language that the parties have the discretion to decide and apply such measures as they deem fit. The Guideline contains a non-exhaustive list of measures that parties may consider, which includes directions for the creation of unique and complex passwords accompanied by multi-factor authentication (Guideline 7.2.i) and ensuring the devices are updated with antivirus and other data protection software (Guideline 7.2.ii). The Guideline recommends that the parties should avoid using open access internet connections on devices containing confidential data (Guideline 7.2.iii), a recommendation which has been put forth keeping in mind the risks of a data breach in high-profile disputes.
The Guideline recommends that the parties transmit encrypted or password-protected soft copies when such transmission involves confidential information (Guideline 7.2.iv). By suggesting this in the Guidelines, the drafting committee has given special emphasis to data flow, which would allow the parties to ascertain the stage at which the breach occurred, if any, and to take the necessary steps to mitigate the risks associated with such a breach. The Guidelines also suggest that hard copies be stored in secured locations when they are not in use (Guideline 7.2.v). The inclusion of recommendations concerning storage and transmission is an essential step, as arbitral institutions often employ third-party service providers for the said purposes. As the third-party service providers generally have access to information, a lot of which may be confidential, Guideline 7.2 on the whole provides for a suggestive roadmap that the parties may consider and apply with modifications suited to their case.
Guideline 8: Analysis of Assets and Data that need to be protected
The Guideline emphasises that the parties should agree upon such assets and data which require protection at an early stage of the arbitration and that they may reach such an agreement by consulting technical support teams (Guideline 8.1). The Guideline has given common examples to describe “assets” mentioned under Guideline 8.1. These include documents, computers, mobile phones, networks and other smart devices (Guideline 8.2). The Guideline has introduced the concept of risk-profiling of arbitration proceedings by taking into consideration those factors which have the potential to cause a breach during the proceedings (Guideline 8.3). The factors include, but are not limited to the value of the dispute, importance of the value of the dispute to the parties (Guideline 8.3.i) and whether or not governments, high-ranking government officials, or transnational corporations are involved in the said dispute (Guideline 8.3.ii).
In order to ensure that the parties are not able to use undue influence to select a seat having weak data protection laws, the Guidelines recommend that the location of the parties should be considered (Guideline 8.3.iii). This Guideline has been primarily included to profile the seat’s data protection laws and the probability of servers getting compromised so that the parties can make a sound decision and select a seat where the probability of the breach is less. Additionally, this Guideline may also be used by arbitral institutions to offer seat profiles to the parties to any dispute, for the parties to opt for a secure seat and one that would secure their proceedings in the event of a data breach. The Guideline recommends that the parties should duly consider whether the dispute concerns high-profile issues such as the environment, human rights, cryptocurrencies or intellectual property (Guideline 8.3.iv), whether the subject matter of the dispute concerns critical sectors such as power, energy, infrastructure, and banking (Guideline 8.3.v), and whether the involvement of a large number of participants would lead to a higher risk of human error (Guideline 8.3.vi).
Guideline 9: Institutional Support
Institutional support happens to be one of the crucial aspects of arbitral proceedings. Without institutional support, it may not be possible for parties to manage their case in the best possible way. With the expertise of the concerned institution coming into play, parties can resolve procedural difficulties without hampering the arbitral proceedings. The Guidelines have considered this aspect and have emphasised institutional support for efficient and secure use of technology during international arbitral proceedings.
The Guidelines have suggested that parties should consider the highly secure and bespoke services provided by some of the arbitral institutions and can consult them to communicate, share and store documents and other information related to the arbitral proceedings (Guideline 9.1). The Guidelines suggest that the parties may consider using these secured facilities for organising video conferences or hearings, to ensure that the necessary steps are being taken to secure the arbitral process. The Guidelines have also provided flexibility to the parties by allowing them to either be consistent with the measures adopted by the tribunals or introduce a few measures from their end which will have precedence over the measures adopted by the institution. However, the Guidelines have struck the right balance between autonomy and information security, by suggesting that the parties consult the institution before introducing measures from their end.
Guideline 10: Management of Data
Data transmission in relation to arbitral proceedings is mostly digital today, which increases the risks regarding potential cyber threats. Consequently, it becomes necessary to preserve the integrity of the data being used, which can be achieved by employing effective measures. The Guidelines have dealt with various aspects of data management in order to facilitate responsible and secure data management by parties to an arbitral process.
The Guideline, for instance, urges the parties to have sufficient backups which are encrypted, in the event their primary devices are stolen, lost or damaged in the course of proceedings (Guideline 10.1). Due emphasis has been given to access to data by suggesting measures such as using complex passwords (Guideline 10.2.1) and multi-factor authentication (Guideline 10.2.2), which will ensure that data related to the arbitral process is secured and can only be accessed by parties related to a particular arbitral process.
The Guideline suggests that while transmitting secure data, secure file sharing services, as opposed to regular emails, shall be used, as the latter is prone to cyberattacks (Guideline 10.3). When the use of emails cannot be avoided, the Guideline suggests securing the same by encrypting the email (Guideline 10.3.1), setting up cloud-computing for transferring a large amount of data (Guideline 10.3.2), and by recognising and avoiding phishing scams by carefully examining sender details, the content of the email, wording etc. (Guideline 10.3.3). Lastly, the Guideline highlights that parties should avoid using the public internet, and even when they do, it should be done through the use of a VPN in order to eliminate the risks of a data breach (Guideline 10.3.4).
Guideline 11: Access to Device and Hard Copies
The Guideline has ensured that while focusing on cyberspace and the risks associated with it, one does not ignore the perils associated with having hard copies or physical devices. Accordingly, the Guideline recommends that parties should ensure the safety of the location where devices and/or hard copies are physically stored (Guideline 11.1). Security of devices and hard copies should be enhanced by placing them under authorised access only (Guideline 11.2). Reading of confidential information (Guideline 11.3) and printing them should be avoided in public places (Guideline 11.4). Lastly, those sets of documents which are not in use anymore should be disposed of safely so that sensitive data does not end up in the wrong hands (Guideline 11.5).
While the ultimate authority to incorporate these changes lies with the parties, Parts I and II of the Guideline have spearheaded the reforms with regard to the use of technology and cybersecurity in arbitration proceedings. Keeping in mind the needs of different parties, best practices have been drawn up, so that parties can secure their proceedings and data on one hand and do not have to spend a fortune on the other. As the Guidelines are hopefully the first of many more initiatives in the domain of cybersecurity and data protection, parties should actively engage with institutions and other stakeholders to consider and incorporate the same, as the Guidelines will only evolve once they are put to use. This will not only help the stakeholders in assessing the utility of the Guidelines but will ensure that foreseeable risks can be avoided by way of possible amendments to the Guidelines. Parties may consider implementing the suggestions of the Guidelines in their procedural orders or they may have a checklist to follow during the proceedings. The checklist can be provided to the parties by the arbitral institution, and the parties can suggest additions to the same during the first case management conference. A draft procedural order can be improved through the use of guidelines and as the parties deem fit, keeping in mind the subject matter and surrounding circumstances of their dispute.