
Plenty of phish in the sea: cybersecurity and the revised IBA Rules on Evidence

It is a trite but true observation that the flexibility inherent to arbitration proceedings allows parties, tribunals and institutions alike to react swiftly to the challenges faced as a result of the COVID-19 pandemic, by resorting to the tools afforded by technology.

For instance, videoconferencing tools are certainly not “new” compared to other technologies, but their use has become considerably more widespread as a result of months of lockdown and travel restrictions. No doubt, readers will be all too familiar with the extensive discussions surrounding “remote” or “virtual” hearings. Furthermore, in a number of proceedings, parties and tribunals have agreed to do away with hardcopies of submissions and evidence, meaning that the proceedings were conducted largely electronically.

As arbitral proceedings become increasingly reliant on electronic and digital means, the concerns related to cybersecurity risks and data protection have also become more pressing. These issues are particularly important in a setting that often involves high-value disputes, confidential and proprietary information, and where most exchanges are (generally) unencrypted. The involvement of multiple participants, namely the parties themselves, their counsel, the arbitrators and arbitral institutions, also renders the risks associated with cyberattacks particularly acute. In particular, arbitral institutions, which are effectively large data repositories (with sensitive commercial information), are prime targets for cyberattacks.

Of course, the discussion on cybersecurity and data protection in international arbitration predates the challenges that arose as a result of the pandemic. Already in 2017, the ICC highlighted in a report that, as a result of new technologies, parties and arbitrators had to grapple with new issues, in particular cybersecurity concerns. The International Bar Association (IBA) also issued guidelines on cybersecurity, addressed at law firms, in 2018.

It remains nonetheless a welcome development that, in the context of the 2020 revision of the IBA Rules on the Taking of Evidence in International Arbitration (IBA Rules), the IBA specified that, when consulting the parties on evidentiary issues, a tribunal must consider, to the extent applicable, the treatment of any issues of cybersecurity and data protection (article 2(2)(e), IBA Rules).

Considering that the IBA Rules are widely used in international arbitrations and have been historically well received by both common law and civil law practitioners, it is encouraging that the revised version of the rules addresses this issue. In its commentary to the revised IBA Rules, the IBA indicated that article 2(2)(e) was added “to highlight the advisability of considering data protection issues, including issues of data privacy and cybersecurity, at an early stage”.

The IBA also invites parties and tribunals to take guidance from other resources, such as the ICCA-IBA Roadmap to Data Protection in International Arbitration (Data Protection Roadmap) and the ICCA-NYC Bar-CPR Protocol on Cybersecurity in International Arbitration (Cybersecurity Protocol).

The Data Protection Roadmap was adopted specifically with a view to encouraging arbitration professionals to consider their compliance risks following the entry into force of the EU General Data Protection Regulation (GDPR) in May 2018. The Data Protection Roadmap uses the laws of the EU, Brazil, India and the State of California as prime examples to give context to its recommendation. The Data Protection Roadmap describes the main data protection principles that potentially apply to international arbitrations (together with an explanatory commentary and examples) and addresses how these principles may apply during the various stages of an international arbitration (as well as how they may affect the participants in the arbitral process).

The Cybersecurity Protocol is first meant “to provide a framework to determine reasonable information security measures for individual arbitration matters”. This procedural and practical guidance aims to assist practitioners in identifying and assessing security risks and available measures. Its goal is also “to increase awareness about information security in international arbitrations”. The Cybersecurity Protocol sets out 14 principles, which provide high-level guidance to parties, tribunals and institutions. The drafters deliberately did not adopt a one-size-fits-all recommendation, as the appropriate measures “may vary significantly based on the facts and circumstances of the case, as well as evolving threats and technology”.

Although not mentioned in the commentary to the revised IBA Rules, another tool which may prove useful to those involved in arbitral proceedings is the Protocol for Online Case Management in International Arbitration, issued by the Working Group on LegalTech Adoption in International Arbitration in November 2020.

This protocol was issued in response to the increasingly widespread use of an online case management platform, where data relating to the arbitral process can be stored and managed. It therefore provides guidance to arbitral participants for developing “efficient, safe and consistent procedures if adopting a shared online case management platform in their arbitration proceedings”. In this context, paragraphs 24 to 26 of the protocol debate the pros and cons of using online platforms as a repository, noting that platforms can help “reduce security and privacy risks when users transfer data through the platform rather than by email”.

As the above shows, the arbitration community has not remained idle in addressing the increased risks associated with cyberattacks and data breaches resulting from the increased digitalisation of the arbitral process. In this context, the new article 2(2)(e) of the IBA Rules constitutes a welcome development, considering the widespread use of the IBA Rules in arbitral proceedings. It can be hoped that those involved in international arbitration procedures will be more acutely aware of the cybersecurity risks they face and the various tools at their disposal. In particular, greater awareness of the Cybersecurity Protocol and of the Data Protection Roadmap should be encouraged.

On a more practical level, it might be advisable for parties and tribunals to set out, at the outset of the proceedings (for example, in the first procedural order), a specific framework on cybersecurity. In particular, it would be advisable to consider (in general terms) how the participants would respond to a data breach if and when one arises. This would firstly allow the participants to identify potential security vulnerabilities and, secondly, allow them to react swiftly to mitigate the consequences of a data breach.
