Technology Resources for Arbitration Practitioners - Cyber security and data privacy
Technology Resources for Arbitration Practitioners
Cyber security and data privacy
Maintaining the security and privacy of documents and information exchanged in international arbitration proceedings has been a major topic of discussion among arbitration practitioners over the course of the last several years. The conversations have centred mainly on protecting data as it is exchanged between and among counsel and arbitrators.
To date, no single ‘gold standard’ of cybersecurity protection has emerged. Instead, various arbitral institutions, organisations and practitioners, including the IBA, have developed protocols or guidelines intended to make practitioners aware of key security weaknesses and measures that may protect against such weaknesses. In addition, many of the categories of technology discussed above incorporate security and privacy features.
The appropriate level of security and privacy protection always depends on the nature of the arbitration, sensitivity of the data exchanged and applicable local law requirements. The general guidance that has emerged as a result of the arbitration-related protocols for cybersecurity listed below includes a consideration of the following security measures:
At the outset of the arbitration, parties may wish to consult with the tribunal regarding the methods that will be used to transmit arbitration filings, exhibits and confidential information to the tribunal and opposing counsel. Parties may wish to consider avoiding transmission by email and instead using secure file transfer sites and/or cloud-based technologies.
Encrypting documents prior to sending them can enhance the security of files transferred across internet connections.
Parties may wish to require a password to access the documents they have transferred to the tribunal. Most protocols recommend that the password be transmitted separately from the underlying documents.
Parties and/or the tribunal may wish to commit to enhancing the security of their email accounts or other methods for accessing arbitration data through the implementation of multi-factor authentication methods.
Parties and/or the tribunal may wish to consider requiring in an initial procedural order or otherwise that parties, counsel and tribunal members commit to updating the malware and security controls on their personal devices.
Parties and/or the tribunal may wish to consider requiring in an initial procedural order or otherwise that the parties, counsel and tribunal members have the ability to wipe or destroy the information on their personal devices from a remote location in the event that the device is lost or stolen.
The following is a non-exhaustive list of guidelines and protocols that may assist in establishing cybersecurity guidelines for an arbitration:
- Cybersecurity Guidelines by the IBA’s Presidential Task Force on Cybersecurity
- ICC Commission Report on Information Technology in International Arbitration (PDF)
- Draft Cybersecurity Protocol for International Arbitration (International Council for Commercial Arbitration (ICCA), Association of the City Bar of New York, International Institute for Conflict Prevention and Resolution) (PDF)