Arbitration and COVID-19: Cybersecurity and data protection

In this, the second in our series of articles on arbitration's adaptation to the effects of COVID-19, we provide guidance as to how best to mitigate cybersecurity risks in international arbitration. The first article in our series covered key considerations for conducting virtual hearings and can be found here.

Impact of COVID-19 on cybersecurity in arbitration

International arbitration has been moving online for some time and the impact of COVID-19 has significantly helped hasten this transition. Parties are increasingly communicating exclusively online, filing and exchanging documents electronically, storing documents online, conducting interlocutory hearings via telephone or videoconference and now, conducting full hearings virtually.

While this swift transition has many positives, it raises concerns with respect to cybersecurity. This risk is increased where parties and tribunals use technologies unfamiliar to them and work from home on unsecured networks. The cybersecurity risks are exacerbated in the current climate as hackers use COVID-19 as "bait" to launch cyber-attacks on new and vulnerable remote working infrastructure and hijack video conference calls.

Cybersecurity breaches in international arbitration have the potential both to affect the integrity of the arbitral process and expose confidential and commercially sensitive information. It is therefore vital that the arbitral community be alive to cybersecurity at all stages in the arbitral process.

Here we provide a quick overview and links to the current guidance on cybersecurity in international arbitration and practical tips based on our own experience of conducting arbitrations online.

Guidance on cybersecurity 

The arbitration community has published guidance on data protection and cybersecurity. Most notable is the recent protocol published by the International Council for Commercial Arbitration, the New York City Bar Association and the International Institute for Conflict Prevention: the ICCA-NYC Bar-CPR Protocol on Cybersecurity in International Arbitration (2020). The protocol sets out 14 principles together with explanatory commentary and examples that provide guidance on establishing reasonable cybersecurity measures. 

Other guidance includes the International Bar Association's Presidential Task Force's Guidelines on Cyber Security and the ICC's Note on Information Technology in International Arbitration. 

The Working Group on LegalTech Adoption in International Arbitration has also recently released a protocol for online case management in international arbitration.

Some arbitral institutions have also updated their procedural rules to include tougher provisions on cybersecurity and data protection,¹ and have introduced secure digital platforms for the management of case materials.² Guidance as to the conduct of virtual hearings³ and online communications have also been published.⁴

Best practice and tips

1. At the beginning of any arbitration, parties should first consider cybersecurity measures within their own "camp". For example, ensure that email communications between the client and lawyers are secure; that any data storage is secure; and put in place protocols with third parties such as experts and other witnesses. If possible, involve IT personnel in these discussions.
2. Parties should then consider cybersecurity measures in relation to the arbitration as a whole, and incorporate those measures into their procedural order. Consider all participants to the arbitration including, for example, the tribunal, the institution, witnesses, experts and translators. Particular attention should be paid to the different jurisdictions involved in the arbitration – especially if there are marked differences as to risk.
3. The procedural order should cover all potential risks in an arbitration. For example, communication, data storage, exchange of data and documents, storage of data and documents, and a protocol concerning the use of mobile electronic equipment and video conferencing.
4. The procedural order could also specify how liability will be apportioned for any potential security breach, and the consequences for the responsible party. For example, the tribunal might allocate costs or impose sanctions on the responsible party (which will also incentivise compliance).
5. Consider using an online case management platform as a secure end-to-end platform for the entire arbitration. Such a platform can be provided by a third party provider or the parties themselves. A number of institutions also offer online platforms – so check the available options before reaching a decision (and incurring cost).
6. If possible, avoid the use of data sharing platforms which have not been set up specifically for the arbitration, (i.e. generic use of Dropbox or Google Drive), as access to information stored on these platforms is often uncontrolled and can be vulnerable to hacking. If it is necessary to use these platforms, ensure access is password protected.
7. If communicating via email, ensure that all participants to the proceedings use secure email addresses. Avoid providers such as Gmail, Hotmail or Yahoo.
8. If a videoconferencing or teleconferencing platform is to be used (for example to conduct witness interviews or a virtual hearing), consider the options available and the security offered. Also ensure that a protocol is established to mitigate any risks – for example, setting up a separate, secure, internet connection in particular jurisdictions might be advisable.
9. Avoid using personal drives to send or store confidential information, for example to print on a home device. Confidential information should only be stored on a secure network.

Authors: Myfanwy Wood, Lucy McKenzie

1. See the HKIAC's Administered Arbitration Rules 2018 and the ICC's Note on Information Technology in International Arbitration.
2. See the SCC's Case management platform for arbitration; AAA WebFile platform; WIPO eADR online docket system; Russian Arbitration Centre's Online System of Arbitration.
3. See the Seoul Protocol on Video Conferencing in International Arbitration; ACICA Online Arbitration Guidance Note; HKIAC Guidance for Virtual Hearings; AAA-ICDR Virtual Hearing Guide; and the Africa Arbitration Academy Protocol on Virtual Hearings in Africa.
4. See the CIArb Guidance Note on Remote Dispute Resolution Proceedings; ICC Guidance Note on Possible Measures Aimed at Mitigating the Effects of the COVID-19 Pandemic.