Cybersecurity threats in arbitration are real: Why take a risk?
By Anca M Sattler
As we become more and more dependent on technology and rely on digital records and information to conduct our business, the risks of being hacked or suffering a cyber-attack are ever increasing. The risk of exposure is high in arbitration settings as well, where many parties are involved and the level of security varies significantly from one recipient of information to the next. Protecting data and information may seem like a daunting task when one weak link can undermine any security measures taken by other parties.
Cybersecurity threats are real in today’s digital world, yet they are often ignored or readily dismissed. Hackers are no longer interested just in the information they can collect and sell on the black market. Increasingly sophisticated cyber attackers are looking for ways to capitalize on human reactions, needs and fears. Whatever their motivations, whether financial gain, a coup d’état or simply ideology, hackers lurk in the dark waiting to exploit our vulnerabilities for their gain. Hacking into a hospital’s system, shutting down its entire network and demanding ransom before releasing the system is just one of many examples. Imagine the panic, the fear and the devastating consequences that such a cyberattack can create.(1)
Such threats and risks are not much different in an arbitration or litigation setting, especially where the parties are involved in complex and sensitive disputes. Arbitrations between private parties are rarely publicized, which makes them less of a target for ill-intentioned individuals. However, international arbitrations involve parties that are already potential targets for cyberattacks, such as multi-national corporations or NGOs. In addition, when public entities or governments are a party to international disputes, the existence of such arbitrations is highly publicized. In such cases, parties often exchange sensitive, confidential financial or business information, trade secrets or personal information. These types of arbitrations also transcend national borders, exposing the transfer and storage of information to differing laws and varying levels of security. All of these factors increase the risk of cyberattacks. A case in point is the hacking of the Permanent Court of Arbitration’s (PCA) website during a hearing of a sensitive maritime border dispute between China and the Philippines. Hackers placed malicious code on the PCA website, infecting the computers of diplomats, lawyers and others who visited it, which caused the PCA to temporarily take the website down.(2)
Parties resort to arbitration with expectations that their disputes will remain out of the public eye, in the hope they will avoid releasing confidential information, trade secrets or sensitive business and financial information. Parties and arbitral tribunals are most often bound by confidentiality agreements and sometimes even the fact that the arbitration is taking place is kept secret. Recognizing the threat and the need to bring awareness, the International Council for Commercial Arbitration (ICCA) in association with the New York City Bar Association and the International Institute for Conflict Prevention & Resolution (CPR) has recently launched a Working Group on Cybersecurity in Arbitration.(3) The Working Group will consider the possible impact of cybersecurity in international arbitration in view of the current practices and existing duties, aiming to establish voluntary cybersecurity protocols for use in international arbitral proceedings.
But the protections do not necessarily need to come from international entities that oversee arbitral proceedings. Sophisticated parties to arbitration would have clauses in their agreements that provide for mutual covenants with respect to confidentiality and safeguarding each other’s confidential and proprietary information during the proceedings. The arbitral institutions, members of the arbitral tribunal and their support staff, counsel, the parties, experts, translators or other service providers could all have access to confidential information while the arbitration is ongoing. It takes only one of these persons lacking adequate security measures for hackers to be able to gain access to the information.
Understanding the threat and taking the necessary steps to avoid exposure is crucial. The challenge is in ensuring that all entities that have access to and hold information pertinent to the arbitral proceedings will safeguard the confidential information and secure it from any cyberattacks. It is not merely the information technology team that is responsible for the security of information; it is every individual within the organization or institutions involved.
Arbitrators are often individuals who are not affiliated with a larger institution that benefits from cybersecurity policies and protections in place. Parties to the arbitration must ensure that their arbitrators will be capable of securing all information that is transmitted to or accessed by them and will have adequate safeguards in place.
Most law firms and legal practitioners already have security policies and protocols in place to minimize the chances that a cyberattack would disrupt their practice or that any confidential or privileged information can fall into the wrong hands. Legal practitioners also endeavour to ensure the safeguarding of such information when it is transferred during the arbitration process and being accessed across platforms.
While we all dread remembering so many passwords or using the two-step authentication process, we must remember the hacker lurking in the dark behind us, waiting for that split-second opportunity to exploit our weakness to their advantage.
Best Practice Tips:
- Ensure all agreements that call for arbitration as a dispute resolution mechanism also call for the protection of confidential information during the arbitral proceedings.
- Ensure the institution administering the arbitration and the chosen rules of arbitration offer adequate protections for safeguarding sensitive information and for the integrity of their information systems and networks.
- Likewise, when securing the services of arbitrators, experts or translators, ensure they each have access to information over secure networks and are all bound by agreements with respect to the protection of sensitive information.
(1) In 2016, the Ottawa Hospital was the subject of a cyberattack where the attackers did not steal any information, but locked down the hospital’s computer systems demanding money to reopen them. See: http://www.cbc.ca/news/canada/ottawa/hospital-cyber-attack-1.3489388 . More recently, a global cyberattack targeted vulnerabilities in 100 countries, including a hospital in Oshawa. See: https://www.thestar.com/news/canada/2017/05/13/ontario-health-ministry-on-high-alert-amid-global-cyberattack.html
(2) Permanent Court of Arbitration Website Goes Offline, With Cyber-Security Firm Contending That Security Flaw Was Exploited in Concert With China-Philippines Arbitration, Jul 23, 2015, by Luke Eric Peterson. See: https://www.iareporter.com/articles/permanent-court-of-arbitration-goes-offline-with-cyber-security-firm-contending-that-security-flaw-was-exploited-in-lead-up-to-china-philippines-arbitration/
(3) ICCA Launches Working Group on Cybersecurity in Arbitration, November 20, 2017. See: https://www.cpradr.org/news-publications/press-releases/2017-11-20-icca-launches-working-group-on-cybersecurity-in-arbitration
Anca Sattler is an associate at Dentons Canada LLP practicing in Ottawa. She has experience in international investment arbitration and commercial litigation. She is also a member of Dentons’ Privacy and Cybersecurity Group.