27 November, 2019
The International Council for Commercial Arbitration (ICCA) has released a protocol focusing on cybersecurity in international arbitration, intended to provide guidance to practitioners to assess cybersecurity and data protection risks.
Arbitration expert Alexander Shchavelev of Pinsent Masons, the law firm behind Out-Law, said the protocol was needed to raise awareness of the issues, which were long ignored by the arbitration community.
"Practical experience shows that often only little attention is paid to the issues of cybersecurity and data protection in the day to day conduct of international arbitrations. With a few exceptions, all concerned seem to follow the saying of 'what you don't know won't hurt you' and give practicability priority over security, at least until it does hurt," Shchavelev said.
"Arbitrators continue to use conventional web-based email services such as Gmail or Yahoo even in sensitive multimillion arbitrations, counsel continue to communicate by means of unencrypted email and even the parties seem not to care much about this. At the same time, law firms are increasingly becoming targets of cyber criminals and data protection authorities worldwide intensify their efforts in enforcing data privacy and protection obligations," Shchavelev said.
The protocol (80-page / 867KB PDF) was jointly developed by the ICCA, the New York City Bar Association and the International Institute for Conflict Prevention and Resolution. Its publication follows a working group and consultation process (3-page / 89KB PDF).
The protocol includes guidance on how to assess security risks and ways to improve security practices. It is mainly designed for use in international commercial arbitrations, but according to its authors, could also be used in domestic arbitrations and investor/state disputes.
Under the framework set out in the document, parties and the arbitral tribunal are expected to look at the risk profile of an arbitration no later than the first case management conference, and consider the security measures which should be applied. It suggests that the tribunal would be able to allocate the costs of any information security breaches among the parties. However, the protocol does not establish any liability. It is anticipated that the protocol will evolve over time in light of new regulations, threats and technology.
Although use of the protocol could also help practitioners comply with data protection regimes such as the EU's General Data Protection Regulation, the focus is on mitigating security risks. In order to address data protection in more detail, the ICCA established another task force in cooperation with the International Bar Association. Shchavelev said that cybersecurity and data protection issues present in international arbitration are interwoven and should be discussed together.
"Cyber security and data privacy equally concern everyone involved in the arbitration process: parties, their counsel, arbitrators and arbitral institutions. Processing and transporting personal data will inevitably affect arbitration proceedings at all stages," Shchavelev said.
"In an international setting, the web of applicable laws and regulations may be very complex and require mutual education and cooperation for the benefit of all concerned.
"The benefit of the protocol and similar publications is, at least, that they raise the level of awareness and move these topics into the centre of attention, providing some practical guidance for day-to-day application of the various rules," Shchavelev said.