Carolina Mauro, May 2021
On 29 April 2021, the webinar “Cybersecurity and arbitration: implications of procedure and trends of substance” took place, organised by the Queen Mary University of London Distance Learning Networking Group and moderated by Viktor Rykov, international lawyer at Nexign. The panel was comprised of Claire Morel de Westgaver, partner at Bryan Cave Leighton Paisner (BCLP) and co-chair of the Silicon Valley Arbitration and Mediation Center (SVAMC) Young Professionals, and Wendy Gonzales, founder of CyberArb.
SVAMC-YP promotes the use of arbitration and mediation to resolve high technology-related disputes and fosters the debate on the impact of technology on ADR proceedings, while CyberArb is a multidisciplinary initiative aiming to raise awareness about cybersecurity issues in international arbitration and to provide practical tools to fill the gap between the theory and the practice.
As experts in the field, the two panellists shared their insights, knowledge and experience in a lively Q&A session:
Q. What are the currently available measures for arbitration stakeholders to enhance cybersecurity in arbitration proceedings?
A. Preliminarily, protecting the security of arbitral proceedings could be compared to keeping our house safe from outside intrusions: we do not only secure the front door but every window and back door too, and we do not let anyone in unless we trust them. As all arbitration participants are closely digitally interconnected, every one of them could potentially be the weak link. Thus, it is paramount that cybersecurity measures are put in place at all levels.
As for the available cybersecurity measures, it should be understood that it is not possible to compile a definitive list. Technology evolves constantly at a fast pace, in parallel with increasingly sophisticated cyber-threats, so that a closed list would become obsolete in a very short time. However, this has not prevented arbitral and professional institutions from attempting to provide guidance. As of today, the 2020 ICCA – New York City Bar Association – CPR Protocol on Cybersecurity in International Arbitration is perhaps the most useful tool in practice.
Furthermore, online dispute resolution (ODR) platforms already available on the market are ready to provide support to arbitration stakeholders on the most cybersecurity-sensitive aspects of arbitral proceedings, such as the safe exchange of files and communications. SCC and CIAM have already developed their own in-house ODR platforms.
Q. Whose problem is it to comply with cybersecurity requirements, and what role for arbitral institutions in particular?
A. The general impression is that arbitral institutions, while nonetheless providing some guidance, leave the cybersecurity issues to the parties and the arbitrators to deal with. For example, the new 2021 LCIA Arbitration Rule 30A states that any specific information security measure – along with any means of processing personal data – should be considered at an early stage by the tribunal in consultation with the parties, and only “where appropriate” with the LCIA.
This means that parties and arbitrators are required to discuss and identify the likely cyber-threats and to come up with solutions to address them. However, this approach could be problematic when considering that arbitrators are not trained to be IT specialists. Moreover, such an approach prevents the matter from being dealt with in a more systematic way.
As shown by the 2018 Bryan Cave Leighton Paisner (BCLP) International Arbitration Survey: Cybersecurity in International Arbitration, arbitrators seemingly feel nervous about taking the lead in the discussion on cybersecurity: 48% of the interviewed arbitrators responded that parties should do it instead.
As anticipated, however, cybersecurity requires a joint effort from all arbitration participants. Naturally, the degree of cybersecurity awareness differs from individual to individual based on background, education, experience, and even the workplace. A sole practitioner or a small or medium law office will not have the same resources as the big law firms or sophisticated parties’ in-house counsel, who usually benefit from dedicated training and policies put in place by the respective IT departments. However, even in the latter case, while internal compliance might be ensured, lack of proper training in the IT security field might cause problems when stakeholders communicate externally with one another.
Q. Does cybersecurity not add more complications to arbitration proceedings?
A. It should be noted that cybersecurity is nothing other than the digital equivalent of (physical) information security. Security issues were also routinely dealt with at the time when documents were sent and stored physically. The very basic key principles, such as employers’ liability for acts or omissions of their employees, and the mandatory insurance coverage for regulated practitioners in the client’s interest, are still here to help. They only need to be adapted to the new way of doing business.
It is foreseeable that the capacity to handle cybersecurity issues and the coverage of a dedicated insurance policy clause will soon become a material requirement to be considered for arbitration appointment. As there is a lack of professionals with mixed legal and tech expertise, this could actually become a great opportunity for younger practitioners.
In light of the above, the importance of undertaking good training in the area is self-evident.
Q. Who should take responsibility in case a cyber-breach actually occurs?
A. The ‘ugly truth’ of cybersecurity – which seems hard to accept for legal professionals – is that no service or platform provider can guarantee 100% information security. And so, if technical consequences of a breach cannot be entirely foreseen, arbitration stakeholders should at least anticipate the legal consequences of a breach and if possible.
For instance, contractual terms on liability could be included to anchor a potential claim for cyber-breach, stating e.g. that each party will be responsible for taking reasonable steps to actively protect arbitration-related data. Moreover, an obligation to notify a breach that has occurred could be included – similarly to what the GDPR requires in the event of a personal data breach.
There are no rules in place at the moment, yet there is a general awareness of the need for them and actions are being taken on multiple fronts. The EU Commission is pushing for the approval of its recent Proposal for a Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, aiming to provide more structured cybersecurity obligations and liabilities. ISO Working Groups are actively promoting training programmes for non-technical professionals and working on the creation of a cybersecurity certification system. The idea is that legal professionals could have their IT infrastructure and practices audited and receive a certificate of compliance with security standards and best practices. In the event of a breach, liability could in some instances shift to the audit company.
Q. What happens to evidence obtained through cyber-attacks?
A. It is no news in the arbitration context that parties may rely on evidence obtained through hacking activities; however, what becomes of such evidence is still uncertain and depends very much on the laws applicable to the relevant arbitration proceeding.
Different jurisdictions have different laws and doctrines in place. For instance, the classic doctrine of the fruit of the poisonous tree is still relied on in the U.S. In contrast, the UK Court of Appeal refused to exclude evidence obtained by phishing in the recent Azima case. Interestingly, the Court dismissed the appeal on the basis that the concerned documents were relevant to the case and thus disclosable, so they should have been available at trial even if they had not been hacked.
In contrast, the tribunal in the Libananco v. Turkey case refused to consider the hacked documents, as they consisted of privileged communications shared between the claimant and their counsel. Very recently, an entire tribunal was challenged for arguably having been compromised as a result of a cyber-attack concerning privileged communications in a multibillion-dollar ICC dispute over the sale of a Brazilian pulp maker.
The time is ripe for legal professionals to develop at least a basic understanding of cybersecurity matters. It has to be accepted that 100% security cannot be guaranteed and risks can only be mitigated. While the arbitration community attempts to come up with solutions, it is important that everyone use common sense when dealing with digital tools, adopt a more proactive approach to learning basic cybersecurity concepts, and seek help from IT professionals when appropriate.