Cybercrime has become a regular feature of global news. The question is not if another attack will happen, but when. Prominent examples include the leak of millions of attorney-client documents from law firms Appleby and Mossack Fonseca, and the “Petya” attack, which brought DLA Piper’s system to a standstill.
Arbitration is also at risk. Parties, arbitrators, counsel and institutions may be compromised, and the consequences could be serious for the target and the arbitral community as a whole. We explore the risks and consequences in our article Is our imagination failing us? Call for cybersecurity guidelines in international arbitration.
As the first measure, we advocate a documented assessment of cybersecurity risks at the outset of each arbitration. A bespoke audit helps to avoid both an inadequate cybersecurity system and one that is more expensive and complicated than necessary.
Better yet, the arbitral community should get on a front foot and devise guidelines for preventing and minimising the impact of cybersecurity breaches. Just this week, the International Council for Commercial Arbitration (ICCA) launched a Working Group on Cybersecurity in Arbitration, with the New York City Bar Association and the International Institute for Conflict Prevention & Resolution.
The challenge is to issue rules that are useful, even though cybersecurity needs can be situation-specific. The rules should be general enough to capture the likely scenarios and to set standards that are adequate, but not unnecessarily onerous and expensive to implement.
The guidance may cover the following:
- A definition of assets vulnerable to attack. These should capture, for example, commercially valuable information (such as parties’ trade secrets and IP), assets that may be easily monetised (bulk customer details), as well as communications between:
  - the party and its counsel;
  - tribunal members, where those communications are of tactical and strategic sensitivity; and
  - arbitral institution members, for example, in relation to arbitrators’ disclosures of interest and independence, or draft awards.
- A definition of a data security threat. This should capture unlawful access, use, alteration, destruction, disclosure and ransom demands, as well as a description of possible attack vectors (customised attacks designed to target specific data, spear phishing to gain access to credentials and so on). The rules should also describe the consequences of an attack, such as release of data into the public domain, defacement of a website, deletion of data that has evidentiary weight in the arbitration, and denial of service (IT systems rendered unusable). Mishandling of data through inadvertence or failure to adhere to protocols must also be identified and mitigated.
  Threat identification will always be a dynamic process, as threat actor motives and exploits evolve and mutate constantly. A non-exhaustive list of top data security threats to arbitral data and proceedings, derived from law enforcement and other authoritative sources, will be extremely valuable for parties and tribunals carrying out or reviewing assessments.
- How end-users (counsel, institutions and arbitrators) must safeguard assets and the standard required, perhaps a “reasonable endeavours” standard. Concrete practices should be identified, for example, designation of a lead individual responsible for supervising data security on the matter, with the requirement to carry out and document training of persons with access to systems storing or handling sensitive data. That individual should also supervise and oversee:
  - agreed systems and methods to store and transmit electronic documents safely;
  - circumstances requiring two-factor authentication;
  - what constitutes appropriate password protection;
  - minimally acceptable technical measures (such as use of antivirus and anti-malware software); and
  - encryption of data at rest (that is, on servers and external storage devices) and in transit.
- How end-users must act in the event of a cyber attack and mitigate its impact. For example, if one of the stakeholders in an arbitration reports a breach, it may be desirable to require other stakeholders to examine their IT system to check whether it has been compromised as well, in order to establish the extent of the impact.
- What consequences flow from a breach of cybersecurity obligations. These may include an obligation to compensate for reputational damage, operational costs in remedying issues and damages sought by third parties affected by the breach, such as customers whose personal data has been leaked.
- Whether evidence obtained through a data breach is admissible in arbitration. The issue arose in Libananco v Turkey, in which Turkey admitted to surveilling Libananco’s and its counsel’s emails.
- A dispute resolution mechanism for dealing with breaches of the rules, for example, good faith discussions, failing which the dispute will be arbitrated.