Newly released protocol provides guidance for addressing information security in international arbitration

March 2020  |  SPOTLIGHT  |  RISK MANAGEMENT

Financier Worldwide Magazine

March 2020 Issue


International arbitration has long offered participants the benefit of maintaining confidentiality in resolving high-stakes disputes. Like virtually all modern activity, however, arbitration has become increasingly digital and thus potentially vulnerable to cyber attacks and information security breaches. The threat extends not only to the information of the disputing parties and their counsel, but also to the internal deliberations and draft decisions of arbitrators themselves, which can be highly sensitive. Reports of high-profile breaches, as well as the proliferation of data protection regulations, have caused the international arbitration community to increasingly focus on maintaining the security of the information exchanged in the course of an arbitration. A new resource providing guidance on how to address information security issues in international arbitration is now available.

On 21 November 2019, the Working Group on Cybersecurity in International Arbitration released the 2020 Edition of the ‘Cybersecurity Protocol in International Arbitration’, providing a framework for determining reasonable information security measures for individual arbitration matters and seeking to increase awareness about information security in international arbitrations. The Protocol is the culmination of two years of work by the Working Group, which includes representatives from the International Council for Commercial Arbitration (ICCA), the New York City Bar Association and the International Institute for Conflict Prevention & Resolution (CPR).

While arbitration is not uniquely vulnerable to data breaches, neither is the process immune to increasingly pervasive cyber attacks against corporations, law firms, government agencies and individuals. The Working Group recognised that the credibility and integrity of any dispute resolution process depends on maintaining a reasonable degree of protection over the information exchanged during the process. While the Protocol was drafted with international commercial arbitrations in mind, it also may be a useful reference for domestic arbitration matters and investor-state arbitrations.

Information security and data protection issues are closely connected, largely because there is increasing regulation around the globe governing the processing of personal data. Adherence to the Protocol may facilitate compliance with data protection legal regimes such as the General Data Protection Regulation (GDPR) in Europe or the Lei Geral de Proteção de Dados Pessoais (LGPD) in Brazil, but the Protocol focuses on mitigating information security risks in the context of international arbitration and not on achieving compliance with such regimes. It explicitly does not supersede applicable legal or other binding obligations, and implementation of the Protocol does not guarantee compliance with data protection regimes.

The Protocol recognises that there is no one-size-fits-all solution for every arbitration. Rather, it provides a risk-based framework for parties and arbitrators to determine appropriate measures in the context of each case. It includes a series of 14 principles establishing a standard of reasonableness and sets out a series of factors to be considered in determining what information security measures are reasonable in a particular matter. It provides guidance on how such measures should be applied and suggests procedural steps to implement them.

As discussed in the Protocol, factors that may influence the determination of what measures are reasonable in a particular matter include: (i) the nature of the information expected to be exchanged in the arbitration, including any confidential commercial information and personal data; (ii) the potential cyber security threat based on the identity of the parties, and the nature and size of their dispute; (iii) the resources of the parties, including the existing digital infrastructure of the arbitral participants and any potential technical impediments to implementing cyber security measures; and (iv) the severity of the potential consequences of a cyber attack, which may vary depending on the value of the information to third parties, the nature, type and amount of personal data being processed and whether it is legally regulated, potential embarrassment or damage caused by public disclosure of the information, and whether and how the information could be misused by a third party (e.g., politically, for extortion purposes, for insider trading purposes or to obtain a competitive advantage).

During its consultation with the international arbitration community in connection with the development of the Protocol, the Working Group encountered two different schools of thought. A number of practitioners and arbitrators expressed a desire to be told exactly how to address information security issues in international arbitration. At the same time, others strongly believed that the Protocol should be high level and process-based because of the differences in what may be required in a particular arbitration and the constantly evolving nature of the threats to information security.

While the Working Group was of the latter view, it also sought to respond to those who felt a need for more specific guidance. To that end, the Protocol includes five schedules that contain detailed guidance on appropriate baseline security measures, a checklist of risk factors that can be used to assess the risk profile of a particular arbitration, examples of information security measures, sample language for incorporating into an arbitration clause or procedural order, and a bibliography of additional resources.

Schedule A, addressing ‘General Cybersecurity Practices’, highlights steps each participant – parties, counsel, arbitrators, witnesses and experts, among others – should consider taking to make sure that information in their possession remains secure. These steps may include creating access controls through strong passwords with multifactor authentication, guarding digital perimeters using measures such as firewalls, anti-virus and anti-spyware software, operating system updates and other software patches, making routine back-ups, and being mindful of public internet use. Because cyber security is a shared responsibility of all participants in the arbitration process who are digitally interdependent, the Protocol recognises that the “security of information ultimately depends on the responsible conduct and vigilance of individuals”. As it notes, “any individual actor can be the cause of a cyber security breach; [m]any security breaches result from individual conduct rather than a breach of systems or infrastructure”.

The Protocol also emphasises party autonomy while empowering tribunals to make rulings in the event of conflict or superseding interests. It recommends that information security be addressed as early as practicable in the international arbitration process, ordinarily no later than the first case management conference and before the parties begin their exchange of information. In some cases, however, such as where the arbitration demand itself contains sensitive information, it may be necessary for parties and arbitral institutions to address this issue at the very outset of the proceeding. Arbitrators themselves will need to make sure that they are conversant in basic information security practices in order to meet the expectations of parties that have long been focused on protecting their confidential business information.

Best practices will continue to evolve as developments in technology, security threats and the regulatory landscape become increasingly complicated. Arbitral institutions are also beginning to address this issue in their own infrastructure, internal procedures, arbitral rules and the training of arbitrators they appoint. The Working Group therefore expects that the Protocol will be a living document, and updated editions will be issued to reflect user experience and other developments in this dynamic area.

Lea Haber Kuck is a partner at Skadden, Arps, Slate, Meagher & Flom LLP. She can be contacted on +1 (212) 735 2978 or by email: lea.kuck@skadden.com.

© Financier Worldwide

