
CYBER-SECURITY AND ARBITRATION

posted 3 weeks ago

Over the past decade, and especially during the pandemic, virtual methods of dispute resolution have witnessed herculean development in the application of technology and cyber protocols. As the field of ADR develops, its terminology and conceptual framework require exploration and clarification, with special care taken to convey shared meaning between parties in conflict. Generally speaking, ADR describes a field of activity that has developed since the mid-1990s. The boom in e-commerce activities brought with it a wave of disputes resulting from online activity, and resolving these disputes online seemed to be a logical act of “fitting the forum to the fuss,” a long-held principle in the ADR field.

Effects of Cyberattacks in International Arbitration

Cyber intrusion and hacking are not novel concepts. “Security breaches are becoming so prevalent in ADR that there is a new mantra in cybersecurity today: ‘It’s when and not if, a law firm or other entity will suffer a data breach.’” Those monitoring IT systems report dozens of attempted attacks on a regular basis. Arbitration participants have not been immune either. For instance, international arbitrations are being conducted virtually through software such as Opus, which modernizes international arbitration proceedings by enabling remote participation of arbitrators throughout the world. While virtual arbitrations of this kind are a blessing, they do not mitigate the risk of data breaches affecting the classified documents that are uploaded and shared throughout the hearings. [1]

Some of the crucial elements with respect to cyber-attacks in arbitration have been identified as:

a. admissibility of illegally obtained documents,

b. authentication of documents,

c. sanctions,

d. the psychological impact on decision-making of inadmissible evidence, and

e. the arbitrator’s duty to report.

Admissibility

Arbitrators have broad discretion in dealing with evidence under applicable laws and institutional rules. Given this wide discretion and the binding nature of arbitral awards, tribunals generally admit evidence to avoid risking vacatur for failure to provide a full and fair opportunity to present the case, and then consider its credibility, weight and value. However, on a proper showing evidence may be excluded by the arbitral tribunal. Where it is demonstrated that evidence has been obtained illegally the arbitral tribunal is faced with a difficult choice. With the prevalence of cyber intrusions in today’s world, it is inevitable that tribunals will be increasingly required to address the question of whether they should admit illegally obtained evidence. However, no clear line of authority has developed to guide tribunals as to how they should treat illegally obtained evidence. Tribunals have arrived at different conclusions on the question. Illegally obtained evidence is not new, but it is likely to be more prevalent in this age of technology and big data. In the well-known Yukos award, which granted $50 billion in damages, the tribunal relied extensively on confidential diplomatic cables from the United States Department of State that had been illegally obtained and published on WikiLeaks. The tribunal provided no analysis of whether evidence illegally obtained should be admitted. Other published awards in investor state cases have specifically addressed the admissibility of evidence illegally obtained through cyber intrusion. The decisions appear to emphasize who committed the wrongful act, whether the documents are privileged, and whether the information revealed was material to the decision on the merits. Balancing the search for truth and other values is not new. It is just being presented in a new context in our digital world.

Authentication

A party may contend that the documents were “stolen” by hacking into its IT systems and were thus illegally obtained. That contention raises the questions of admissibility discussed above. A party may contend that it no longer has the documents available for production because it was hacked. That contention raises questions of proof, as with any assertion that documents no longer exist. Or illegally hacked emails might be posted on WikiLeaks or some other publicly available platform on the web. Again, that raises a grave question of admissibility. Parties may contend that the emails were fabricated by a hacker and that they did not write them. That contention raises questions of authenticity. Authentication is not an issue frequently encountered in international arbitration. However, with the prevalence of cyber intrusions and the ease with which it seems to be possible to intrude, arbitrators will likely be required to review an increasing number of objections to admissibility based on lack of authenticity.

Sanctions

At the ICCA Conference in 2018, a consultation draft of the Cybersecurity Protocol for International Arbitration was circulated for comment.[2] The Protocol is “intended to encourage participants in international arbitration to become aware of cybersecurity risks in arbitration and to provide guidance that will facilitate collaboration in individual matters about the cybersecurity measures that should reasonably be taken, in light of those risks and the individualized circumstances of the case to protect information exchange and the arbitral process.” Users of arbitration are entitled to expect that arbitrators will take at least basic security measures and it is anticipated that user expectations in this regard will increase in the coming years. Steps taken now can avoid problems in the future. Many measures can be taken that are neither expensive nor difficult. This is a subject that no arbitrator can safely ignore.

The question of what sanctions a tribunal has authority to impose, and when and how sanctions should be imposed, has been the subject of extensive discussion in recent years in the wake of the issuance of the 2013 International Bar Association Guidelines on Party Representation in International Arbitration (IBA Guidelines). Various proposals have been made as to who should be responsible for sanctioning counsel. Cyber intrusion brings that issue to the fore. Tribunals are appropriately concerned about guerrilla tactics, and consideration of remedies beyond the exclusion of evidence may be appropriate in cases of cyber intrusion. As the tribunal stated in Libananco: “The Tribunal attributes great importance to privilege and confidentiality, and if instructions have been given with the benefit of improperly obtained privileged or confidential information, severe prejudice may result. If that event arises the Tribunal may consider other remedies available apart from the exclusion of improperly obtained evidence or information.”

The IBA Guidelines empower the tribunal to address “misconduct” by a party representative after giving the parties notice and a reasonable opportunity to be heard. Misconduct is broadly defined by the IBA Guidelines to include “breach of the present guidelines, or any other conduct that the arbitral tribunal determines to be contrary to the duties of a party representative.” The nature of the “misconduct” intended to be covered has not been established but, certainly, cyber intrusion would fall into that category. In determining the remedy, the tribunal is to consider the nature and gravity of the misconduct, the good faith of the party representative, the extent to which the party representative knows about or participated in the misconduct, the potential impact of a ruling on the rights of the parties, the need to preserve the integrity and fairness of the arbitral proceedings, and the enforceability of the award. These considerations clearly outline the matters to be considered in deciding whether to impose a sanction on a party for cyber intrusions, if it is concluded that the tribunal has authority to do so.

Duty to Report

Cyber intrusion is a crime in jurisdictions globally. Violations of privacy laws are also implicated. What, if any, is the arbitrator’s duty to report a cyber-crime? And to whom? Local authorities? Counsel’s bar association? The administering institution? While arbitrators must first consider whether they are under any legal or ethical obligation that requires them to take action, the resolution of the question presents the tension between reporting wrongdoing and the confidentiality of the arbitration proceeding. The question of when an arbitrator has a duty to report is likely to be a continuing discussion not only in the context of cyber intrusions but also in connection with other unlawful acts.

What Is the Best Approach to Mitigate the Risk of Cyberattacks in International Arbitration?

Effective cybersecurity mandates the active and ongoing participation of all arbitration participants, namely parties, counsel, arbitrators, administering institutions, appointed experts, witnesses and any other individual who may be involved in the arbitration process.

In particular, arbitral institutions, due to their administering role, are well placed to employ cybersecurity strategies in a centralized way that would enable them to keep up with the growing sophistication of cyberattacks. In turn, arbitrators can decide on ‘extra layers of protection’, embodied in procedural orders and tailored to the needs of each individual case. It is to be noted, nevertheless, that the significance of cybersecurity should not be exaggerated.[3] Over-expensive measures in situations where the risks of cyber intrusion are not substantial may be counterproductive. Consequently, the best approach would be for all participants in international arbitration to give cybersecurity concerns sound consideration by recognizing their role as part of a shared sense of collective responsibility, especially where attacks might seem forthcoming, but addressing the issue should not become an end in itself.[4]

Embodying best international practice standards

Since the revelation of the Panama Papers leak, the world of the rich and powerful has been reeling. A single cyberattack against Mossack Fonseca, a quiet Panamanian law firm, shocked the world. The attacker absconded with an immeasurable amount of information, consisting of millions of documents, emails, and other information. So, what are the key takeaways from this herculean cyber security breach?[5]

Firstly, the most urgent cybersecurity task for any organization is to ensure that admins have applied all security patches to their organization’s personal software as well as the web interface. The organization’s patching regimen should be prompt and thorough. The most diligent of patch regimens, after all, still have their weaknesses: there is always an interval of time between the discovery of a vulnerability and the availability of a patch, giving attackers an opening.

Secondly, automatic updates can cause their own issues, especially in complex enterprise environments and other situations that require high availability. While keeping software up to date is an essential defensive move, organizations must also be extremely mindful of their data lineage. Data lineage implies knowing who has access to your data and when. An example of this is how law enforcement agencies handle the evidence on their record. Any software team in the organization must also know what people are doing with the information and, in particular, how they are securing it.

Thirdly, the important takeaway from the Mossack Fonseca breach is to put your eggs in multiple baskets. Never give anyone access to more than a specific portion of your sensitive data. Furthermore, the more sensitive the data, the more you need to divide it up. Such compartmentalization of sensitive information has been an important governmental intelligence tool for centuries, as only people with a ‘need to know’ have access to sensitive information. However, in the corporate environment, such compartmentalization requires a new level of segmentation technology. This segmentation approach is extremely subjective in nature and will differ from organization to organization depending on their needs. Hence, the chances are that not all of your sensitive information is locked away inside secure areas within your network. Much of it may be in the cloud or in the hands of third parties. You can’t prevent all attacks from succeeding in such complex environments, but you can surely mitigate the damage through proper segmentation.

Conclusion

With cyber security, the Tribunal as well as the parties have the peace of mind that their network and data are protected against unauthorized access. End users, organizations and their employees all benefit. However, it isn’t just detection that strengthens cyber security; it’s also about prompt mitigation and response.

[1] Cyber Intrusion as the Guerrilla Tactic: An Appraisal of Historical Challenges in an Age of Technology and Big Data by E. Sussman – Transnational Dispute Management

[2] Consultation draft on Cyber Security Protocols for International Arbitration collated by ICCA, New York City Bar and International Institute for Conflict Prevention and Resolution

[3] Cybersecurity in International Arbitration by Aceris Law LLC on 30/01/2020

[4] Consultation draft on Cyber Security Protocols for International Arbitration collated by ICCA, New York City Bar and International Institute for Conflict Prevention and Resolution

[5] Forbes Magazine – Cyber Security lessons learned from ‘Panama Papers’ breach by Jason Bloomberg
