March 23, 2020

Raising Awareness for Data Protection with the New Cybersecurity Protocol for International Arbitrations

Glen Harrison & Gtyis Pabedinskas

Arbitration has become a largely digital process following advances in technology over the past decade, reflected by the 2018 International Arbitration Surveyconducted by Queen Mary University of London in partnership with White & Case. While this has led to greater efficiency in arbitral proceedings, it has also increased the possibility of parties becoming targets of cyber-attacks.^[1]Compromised information can include sensitive personal and commercial data and could damage the reputations of the involved parties, undermine confidentiality, integrity, and availability of digital information, and reduce the effectiveness of the arbitral process.

These concerns are not merely hypothetical. Parties are well-advised to apply security measures to ensure that the data that they share and manage remains confidential. A lack of cybersecurity measures places both tribunals and parties at risk, potentially leading to the production of illegally obtained evidence, and expose parties to extortion risk.

In response, a two-year project conducted by a working group consisting of the International Council for Commercial Arbitration, the New York City Bar Association and the International Institute for Conflict Prevention & Resolution published the Cybersecurity Protocol for International Arbitration (2020) (the Protocol) in November 2019, with the intention of providing guiding principles for practitioners looking to ensure that their digital data are protected. 

Protocol Objectives

The Protocol is a set of guidelines to help companies understand what steps they should take to protect their information and ensure digital security in the arbitration process. The Protocol has two main objectives: 

1. Provide a Framework: The Protocol is designed as a checklist of options, recommending steps parties can opt for, as opposed to a strict guideline, to help parties determine suitable information security measures based on specifics of their proceeding;
2. Increase Awareness: This is a general goal of increasing the awareness of the need for cybersecurity in international arbitration.

To fulfill these objectives, the Protocol sets out fourteen principles that are meant to help practitioners apply a standard set of cybersecurity measures during the arbitration process. The Protocol recognizes that there is no “one-size fits all” solution to implementing cybersecurity measures (Principle 1) and factors such as the risk profile, the cost and burdens, and the efficiency of the entire process should be reviewed when selecting the measures to be used in a given case (Principle 6). It is also recommended that parties try to agree on reasonable security measures, with each other and with the tribunal (Principle 9), and that cybersecurity should be addressed as early as possible in the arbitral process (Principle 10). The tribunal holds the power to decide on the applicable measures that parties should use; however, the tribunal should normally defer to any agreement of the parties (Principle 11).

The Protocol does not replace current legislation, such as the Personal Information Protection and Electronic Documents Act in Canada. Instead, as illustrated by Turner & Gill, the Protocol acts as “soft law”, helpful in guiding parties to use alongside legislation when selecting uniform security measures. Parties may use the Protocol to ensure that they select cybersecurity measures that comply with any legislation they might face.

Room for Expansion 

While it represents a progressive step in establishing measures to help mitigate the risks of cyber-attacks, the Protocol intentionally leaves itself open for expansion based on future developments in cybersecurity and feedback from users. Law firms are now recognizing cybersecurity as an important issue to incorporate in their business practice.^[2]These cybersecurity threats often evolve faster than legislation is enacted to address them. Recognizing this, the Protocol has been drafted in a way that allows it to be readily amended as new issues arise.

It will be interesting to observe over the next few years how effective the Protocol will prove to be. Currently, it appears to be a useful tool for parties and tribunals to use to build stronger cybersecurity measures. However, its effectiveness will depend entirely on how diligently these parties apply it in practice, and how quickly the Protocol drafters and the whole international arbitration community are able to adapt to rapidly changing technology and associated threats. 

CJCA blog posts represent the individual opinions and perspectives of their authors. The Canadian Journal of Commercial Arbitration does not maintain or publish a collective or institutional view on any legal or political issue.