Cybersecurity in arbitration proceedings: protecting electronic documents and information

Over the last 8 years BCLP’s International Arbitration Group has conducted a number of surveys to obtain the views of users of international arbitration on issues affecting the arbitration process¹. This year we wanted to consider the issue of cybersecurity.

Electronic documents and other information are introduced into international arbitration proceedings in vast quantities. Are participants in those proceedings sufficiently aware of the need to protect that data against unauthorised access by third parties, and should more be done to promote risk assessment and the taking of active steps to enhance data security?

There has been a dramatic increase in cyber-attacks on corporates, governments and international organisations. Law firms and arbitration proceedings are not immune from these threats. Disputes referred to international arbitration have characteristics that can lead to an increased level of risk and adverse commercial consequences in the event of a data security breach. These developments have led to debate about the need for reasonable cybersecurity measures in individual arbitration proceedings, and how best to go about initiating and organising those measures.

We would like to obtain the views of our professional colleagues on this topic by requesting their responses to our survey questions. All responses will be treated as confidential.

A report and editorial on the results of the survey will be circulated to all participants.

If you have any queries in relation to the questions posed, please contact Carol Mulcahy or George Burn.

¹Perceived Conflicts of Interest; Delay in the Arbitration Process; Document Production in Arbitration; Choice of Seat; The Use of Tribunal Secretaries; Are We Getting There? Diversity on Arbitral Tribunals; Unilateral Arbitrator Appointments

Question Title

* 1. Please indicate the nature of your involvement in international arbitration. Please tick as many boxes as appropriate.

As counsel

As arbitrator

As a party to the dispute

Work at an arbitral institution

As academic

As expert witness

Other

Question Title

* 2. In what region/s do you work? Please tick as many boxes as appropriate.

Central and South Asia

East and South East Asia

Asia (other)

Australasia

Middle East

North America

Latin America and the Caribbean

Western Europe

Eastern Europe (including Russia and CIS)

North Africa

West Africa

East Africa

Other

Question Title

* 3. In your opinion, is cybersecurity in international arbitration an important issue? Please tick one box.

Yes

Don't Know

Question Title

* 4. In your opinion, on a scale of 1 to 5, how desirable is it for parties to an arbitration to consider at an early stage in the proceedings whether it is appropriate to put in place reasonable security measures to protect electronic documents and other information in the arbitration from unauthorised access? (1 means you consider it very desirable; 5 means you do not consider it desirable at all)

Clear

i We adjusted the number you entered based on the slider’s scale.

Question Title

* 5. In your opinion, who should take the lead in initiating discussions on the need for data security measures? Please tick one box.

The parties

The arbitrator/s

The supervising institution (if there is one)

Don’t know

No need for discussion on cybersecurity

Question Title

* 6. Which of the following data security/mitigation steps to protect electronic documents/information have been agreed between the parties or imposed by the tribunal in an arbitration in which you have been involved? Please tick as many boxes as appropriate.

Restricting the use of emails for sending electronic documents and other information

Transfer of electronic documents by use of a secure shared portal platform or similar

Provision of screen-viewable–only documents

Use of complex passwords/ or multi-factor authentication to access electronic documents/information

Encryption

Restricting access to particular categories of electronic documents/other information to a limited number of individuals who have a demonstrated need to access that material (confidentiality clubs)

Restricting access to hard copies only of particular categories of document (usually kept in a single location)

Redaction of electronic documents before they are introduced in to the arbitration

Agreement to limit use of public internet for mobile devices

Verification that all participants to the arbitration have in place appropriate firewalls, antispyware and/or antivirus software

Data preservation policies that limit retention of documents/other information in electronic form after the arbitration is over

Agreed notification procedures to be followed in the event of a data security breach

None of the above

Question Title

* 7. In your opinion, which of the following data security steps to protect electronic documents/information is it desirable to adopt in an arbitration? Please tick as many boxes as appropriate.

Restricting the use of emails for sending electronic documents and other information

Transfer of electronic documents by use of a secure shared portal platform or similar

Provision of screen-viewable–only documents

Use of complex passwords/ or multi-factor authentication to access electronic documents/information

Encryption

Restricting access to particular categories of electronic documents/other information to a limited number of individuals who have a demonstrated need to access that material (confidentiality clubs)

Restricting access to hard copies only of particular categories of document (usually kept in a single location)

Redaction of electronic documents before they are introduced in to the arbitration

Agreement to limit use of public internet for mobile devices

Verification that all participants to the arbitration have in place appropriate firewalls, antispyware and/or antivirus software

Data preservation policies that limit retention of documents/other information in electronic form after the arbitration is over

Agreed notification procedures to be followed in the event of a data security breach

None of the above

Question Title

* 8. In your opinion, which of the following factors should be taken into account when deciding on the nature of measures (if any) that should be put in place to protect the security of electronic documents/other information in an individual arbitration? Please tick as many boxes as appropriate.

The level of sensitivity/commercial value of the documents/information likely to be introduced into the arbitration

The consequences for a party/the parties if someone were to gain unauthorised access to the documents/information

The level of risk of unauthorised data access that each party to the arbitration is willing to tolerate

The cost (if any) of implementing the proposed measures

The technical knowledge/resources of those involved in the arbitration

The financial resources of those involved in the arbitration

The identity of the parties and whether they are likely to attract cyber- attack

The extent to which the proposed security measures may hinder the ability of a party to present its case

None of these factors

Question Title

* 9. In your opinion, to be effective, who of the following would need to observe any security measures agreed/imposed? Please tick as many boxes as appropriate.

The parties

The arbitrator/s

Any secretary to the arbitral tribunal

Any arbitral institution involved

Fact witnesses

Expert witnesses

Data hosting agencies

Other third parties such as interpreters, transcription services etc.

Question Title

* 10. In your opinion, on a scale of 1 to 5 (1 is very easy; 5 is very difficult), how easy or difficult would it be to obtain an agreement to observe security measures (and ensure compliance) from the following:

	1	2	3	4	5
Arbitrators	Arbitrators 1	Arbitrators 2	Arbitrators 3	Arbitrators 4	Arbitrators 5
Parties to the arbitration	Parties to the arbitration 1	Parties to the arbitration 2	Parties to the arbitration 3	Parties to the arbitration 4	Parties to the arbitration 5
Arbitral institutions	Arbitral institutions 1	Arbitral institutions 2	Arbitral institutions 3	Arbitral institutions 4	Arbitral institutions 5
Expert witnesses	Expert witnesses 1	Expert witnesses 2	Expert witnesses 3	Expert witnesses 4	Expert witnesses 5
Fact witnesses	Fact witnesses 1	Fact witnesses 2	Fact witnesses 3	Fact witnesses 4	Fact witnesses 5
Data hosting agencies	Data hosting agencies 1	Data hosting agencies 2	Data hosting agencies 3	Data hosting agencies 4	Data hosting agencies 5
Third party service providers	Third party service providers 1	Third party service providers 2	Third party service providers 3	Third party service providers 4	Third party service providers 5

Question Title

* 11. In your opinion, where parties cannot agree on the nature of appropriate data protection measures, should an arbitral tribunal have the power to impose measures on them? Please tick one box

Yes

Depends on the facts of the case

Don’t know

Question Title

* 12. In your opinion, should the arbitral tribunal have power to impose sanctions on a party that breaches data security measures that have been agreed or ordered? Please tick one box

Yes

Don't Know

Question Title

* 13. In your opinion, how should any additional cost burden of security measures ordered by an arbitral tribunal be addressed? Please tick one box

Each party should bear its own costs (and that of its witnesses/experts) and the parties should share costs incurred by the arbitral tribunal

The costs should be included in each party’s costs of the arbitration/the tribunal’s costs of the reference and be allocated for payment by one or other party in the normal way at the end of the arbitration

Allocation of costs should be determined on a case by case basis

None of these

Don’t know

Question Title

* 14. In your opinion, which of the following resources would be useful in order to improve cybersecurity in international arbitration? Tick as many boxes as are appropriate.

Arbitration institutions to have a staff member within the secretariat experienced in data security measures and able to assist the parties/tribunal in deciding on appropriate security measures for an individual arbitration

Arbitration institutions to make compulsory the use of a secure platform hosted by the institution in which all communications and data sharing/storage would take place. The platform to have a discrete secure area for communication between members of the tribunal, and between the tribunal and the institution

Arbitration institutions or other organisations to offer cybersecurity training to arbitrators

Arbitration institutions or other organisations to impose/offer cybersecurity certification to arbitrators

None of the above

Don't know

Question Title

* 15. Would you be more or less likely to use the arbitration rules of an institution that was able to provide advice and assistance on appropriate data security measures for the arbitration? Please tick one box.

More likely

Less likely

Would make no difference

Don't know

Question Title

* 16. Would you (or where appropriate, your client) be willing to pay a higher fee to/incur an additional cost with an arbitration institution that provided advice and assistance on appropriate data security measures and/or provided a secure platform (or similar) on which all communications and data sharing/storage took place? Please tick one box.

Yes

Don't know

Question Title

* 17. In your opinion is the need to consider cybersecurity measures in an individual arbitration an administrative matter best handled by the supervising arbitral institution (assuming there is one) or a procedural matter best handled by the arbitral tribunal after hearing submissions from the parties? Please tick one box

An administrative matter for the institution

A procedural matter for the tribunal

Other

Don’t know

Question Title

* 18. Has there been a breach of security (i.e. someone was able to obtain unauthorised access to electronic documents/other information in the arbitration) in any arbitration in which you have been involved? Please tick one box

Yes

Don't know

Question Title

* 19. Please enter your email address here if you would like to receive a copy of the report.

Email Address