Cyberattacks in today’s digital world are becoming increasingly common, and international arbitration has not remained unaffected. On the contrary, international arbitration can be highly susceptible to cyberattacks. This is explained by its very nature and underlying principles, namely privacy, confidentiality, procedural flexibility and the involvement of multiple players and sensitive data.
In 2015, for instance, the website of the Permanent Court of Arbitration was hacked during an arbitration between China and the Philippines over a sensitive maritime border dispute. The same is true for the legal sector in general, as evidenced by the ‘Panama Papers’ leak, which involved the release of millions of encrypted attorney-client documents in the possession of a Panama-based law firm.
In light of such events, during the New York Arbitration week, the 2020 edition of the Protocol on Cybersecurity in International Arbitration was released. This Protocol is the result of a joint two-year effort of the International Council for Commercial Arbitration, the International Institute for Conflict Prevention and Resolution and the New York City Bar. Its aim is to increase awareness of cybersecurity matters in the arbitration community and to help arbitration participants adopt appropriate measures to mitigate potential risks.[1]
In the same vein, in 2018, the International Bar Association had published its own set of Cybersecurity Guidelines. Their goal is to assist firms in protecting themselves from breaches of data security and potential liability, as well as in keeping their operations running in case of a cyberattack.
What Are the Consequences of Cybersecurity Breaches in International Arbitration?
The impact of a cyberattack will vary based on the particular circumstances of each case. However, in general, it may result, inter alia, in:
- an increase of the overall cost of an international arbitration and economic loss to any participant whose information is compromised;[2]
- additional delays and frustration of the arbitral proceedings, as it may give rise to a number of practical issues, such as the admissibility of hacked evidence, the allocation of additional costs, potential questioning of the impartiality and independence of the arbitrators (which may at times be warranted), as well as disagreements in terms of the appropriate measures to be adopted to remedy the breach;
- reputational damage from adverse media coverage of the incident, especially to arbitrators, institutions and counsel;[3]
- potential contractual and/or tortious liability under the relevant applicable laws, mainly for breach of cybersecurity requirements imposed by the numerous data protection regimes currently in place across the globe.[4] For example, a failure to deploy appropriate security measures may lead to prosecution, fines and regulatory sanctions under the General Data Protection Regulation, applicable in Europe, or the General Data Protection Law, applicable in Brazil.[5]
What Is the Best Approach to Mitigate the Risk of Cyberattacks in International Arbitration?
Effective cybersecurity mandates the active and ongoing participation of all arbitration participants, namely parties, counsel, arbitrators, administering institutions (if any), experts, witnesses and any other individual who may be involved in the arbitration process.[6]
In particular, arbitral institutions, due to their administering role, are well placed to employ cybersecurity strategies in a centralized way that would enable them to keep pace with the growing sophistication of cyberattacks. In turn, arbitrators can decide on ‘extra layers of protection’, embodied in procedural orders and tailored to the needs of each individual case.
It is to be noted, nevertheless, that the significance of cybersecurity should not be exaggerated. Overly expensive measures in situations where the risks of cyber intrusion are not substantial may be counterproductive.
Consequently, the best approach would be for all participants in international arbitration to give cybersecurity concerns sound consideration, recognizing their role as part of a shared sense of collective responsibility, especially where attacks might seem forthcoming. Addressing the issue, however, should not become an end in itself.
[1] Foreword to the 2020 Protocol, para. I.
[2] Commentary to Principle 1(d) of the Protocol.
[3] Ibid.
[4] Ibid.
[5] Commentary to Principle 4(b) of the Protocol.
[6] S. Cohen and M. Morril, Introductory Note to TDM Special Issue Cybersecurity in International Arbitration (2019).