Technology Resources for Arbitration Practitioners - Cyber security and data privacy
Maintaining the security and privacy of documents and information exchanged in international arbitration proceedings has been a major topic of discussion among arbitration practitioners over the course of the last several years. The conversations have centred mainly on protecting data as it is exchanged between and among counsel and arbitrators.
To date, no single ‘gold standard’ of cybersecurity protection has emerged. Instead, various arbitral institutions, organisations and practitioners, including the IBA, have developed protocols or guidelines intended to make practitioners aware of key security weaknesses and measures that may protect against such weaknesses. In addition, many of the categories of technology discussed above incorporate security and privacy features.
The appropriate level of security and privacy protection always depends on the nature of the arbitration, sensitivity of the data exchanged and applicable local law requirements. The general guidance that has emerged as a result of the arbitration-related protocols for cybersecurity listed below includes a consideration of the following security measures:
At the outset of the arbitration, parties may wish to consult with the tribunal regarding the methods that will be used to transmit arbitration filings, exhibits and confidential information to the tribunal and opposing counsel. Parties may wish to consider avoiding transmission by email and instead using secure file transfer sites and/or cloud-based technologies.
Encrypting documents prior to sending them can enhance the security of files transferred across internet connections.
Parties may wish to require a password to access the documents they have transferred to the tribunal. Most protocols recommend that the password be transmitted separately from the underlying documents.
Parties and/or the tribunal may wish to commit to enhancing the security of their email accounts or other methods for accessing arbitration data through the implementation of multi-factor authentication methods.
Parties and/or the tribunal may wish to consider requiring in an initial procedural order or otherwise that parties, counsel and tribunal members commit to updating the malware and security controls on their personal devices.
Parties and/or the tribunal may wish to consider requiring in an initial procedural order or otherwise that the parties, counsel and tribunal members have the ability to wipe or destroy the information on their personal devices from a remote location in the event that the device is lost or stolen.
The following is a non-exhaustive list of guidelines and protocols that may assist in establishing cybersecurity guidelines for an arbitration:
- Cybersecurity Guidelines by the IBA’s Presidential Task Force on Cybersecurity
- ICC Commission Report on Information Technology in International Arbitration (PDF)
- Draft Cybersecurity Protocol for International Arbitration (International Council for Commercial Arbitration (ICCA), Association of the City Bar of New York, International Institute for Conflict Prevention and Resolution) (PDF)
Disclaimer: Due to the very nature and dynamics of the subject of this guide, the examples should not be considered exhaustive, and merely represent a sample of the potential applications available. There are numerous other vendors that provide similar services and products to the ones described, and the presence of any particular vendor or product in this guide does not reflect any qualitative judgment about the suitability or capability of that vendor or product. The goal is to periodically update and edit the guide to reflect new technological advances, and add new or delete obsolete, applications, programs or vendors. The IBA Arb40 Subcommittee does not endorse or recommend any particular technology, vendor, software or program listed below, nor can it vouch for the security, cost or appropriateness of any of the listed technology, which must be assessed by practitioners on a case-by-case basis. The descriptions of particular programs, software and vendors were not provided by the vendors themselves, and the IBA Arb40 Subcommittee takes no responsibility for errors in those descriptions. All technology should be thoroughly explored and vetted by the arbitration practitioner prior to use.