
Cybersecurity Risks for Mediators and Arbitrators

Despite almost daily reports of privacy breaches and thefts of confidential information, the role of mediators and arbitrators in protecting this information has received relatively little attention in the professional community.

That is rapidly changing.

Now, almost every continuing education session I go to has some discussion on this topic.

Are the mediators and arbitrators in the room complying with privacy laws? This means PIPEDA compliance for those who work in Canada and – more crucially – the new(ish) European General Data Protection Regulation (GDPR) which affects anyone who collects information relating to EU citizens.

This was brought home again recently when I was talking to someone in Toronto who casually mentioned that he is an EU citizen, though a resident of Canada. Even so, any personal information I have about him is also subject to the GDPR, making me subject to potential penalties if I misuse or fail to protect it! Scary thought…

These days most of us prefer to get mediation briefs and related materials electronically. This means measures must be taken to protect confidential information provided by the parties, when it is first delivered and throughout the time it is in the mediator’s possession.

The same applies to arbitration communications, pleadings and evidence.

An article by Stephanie Cohen and Mark Morril, both New York-based arbitrators, entitled A Call to Cyberarms: The International Arbitrator’s Duty to Avoid Digital Intrusion, published in the Fordham International Law Journal in 2017, makes a strong argument that arbitrators must assume responsibility for the digital security of the cases they adjudicate. [Volume 40, Issue 3, 981]

“Cyberbreaches of the arbitral process, including intrusion into arbitration-related data and transmissions, pose a direct and serious threat to the integrity and legitimacy of the process. This article posits that the arbitrator, as the presiding actor, has an important, front-line duty to avoid intrusion into the process.”

Cybersecurity has naturally attracted attention in the high-stakes world of international commercial arbitration, where state actors and commercial rivals may be extremely interested in getting their hands on arbitration documents and evidence.

Cohen and Morril refer to reported attacks on arbitral institutions, counsel and parties. International investor-state arbitrations are potential targets. They also cite examples such as the attacks on sports arbitration and anti-doping agencies related to the Rio and Sochi Olympic Games.

But it is something that should concern every mediator or arbitrator, regardless of the nature of the disputes they handle.

Cohen and Morril cite the ABA/AAA Code of Ethics for Arbitrators in Commercial Disputes, which requires an arbitrator to be competent and to uphold the integrity and fairness of the arbitration process, as well as the IBA Rules of Ethics for International Arbitrators which include a general requirement that international arbitrators be “competent”.

In Canada, the ADR Institute of Canada Code of Ethics requires members to “uphold the integrity and fairness of the arbitration and mediation processes” and to be “faithful to the relationship of trust and confidentiality inherent in the office of arbitrator or mediator.”

As lawyers we also have professional duties of competence and confidentiality that arguably include data security and personal privacy.

(Working in Ontario, I find it interesting that the Ontario Rules of Professional Conduct don’t include the provisions in the Federation of Law Societies of Canada Model Code which require lawyers to maintain “adequate” facilities and equipment as part of the standard of competence: see Commentary 5 of s. 3.2-1.)

Nevertheless, I think there is an expected standard of competence for mediators and arbitrators, even if that standard is not always clear.

I’d wager all of us have had the sinking feeling of having an email go to unintended recipients through a hasty “reply all.” Or maybe the email program’s automated address feature inserts an incorrect, but similar, name or email address and the user hits “send” without noticing it.

Beyond simple email security, we also have a responsibility to take reasonable steps to ensure that data on our office computers and laptops is secure.

It is said that any system can be made completely secure: just seal it up tight, so nothing can get in or out. But that’s not very useful. So we must work proactively with disputing parties and their counsel to balance efficiency and security.

Do the parties or their counsel encrypt every file they send the mediator or arbitrator (or each other)? Is it the mediator’s or arbitrator’s responsibility to recommend encryption or other security measures? Should they demand it, if counsel say it’s too much trouble?

Some may prefer to deliver files on a USB drive or other physical device, rather than by email. (In the past, I’ve received document books and other evidence on a CD; not very useful now that my current laptop doesn’t have a CD drive. Just a reminder that we need to keep evolving technology in mind when we decide what security to adopt.)

Many organizations don’t allow external media to be connected to their systems, due to the risk that viruses could be delivered on those media. Do you have software that automatically scans any USB or other device for viruses when you plug it into your desktop or notebook?

Another option is to use a third-party “Dropbox”-type service as a repository for all of the electronic files. Cloud services often have better security to control access to the files, and options to determine what level of security and authentication is appropriate for a particular matter. Authorized users may be limited to reading the files in place, or they may be allowed to download them to their own systems. (The former is more secure; the latter more convenient, if the user wants to access the files offline…)

What about email attachments? Maybe it’s safe to open or save attachments from the counsel on a particular file, but a sophisticated hacker could spoof the email address to deliver an attachment that allows the hacker to copy and read every file on the target system.

You will have noticed by now that this piece is throwing out more questions than answers. That’s because none of the sessions I’ve attended recently have any easy solutions to offer. Some independent mediators and arbitrators talk about software and services they have used to address these concerns in specific cases, but there don’t seem to be any generally-accepted standards.

Law firms use a wide range of security applications, so getting the lawyers on a file to agree on a common standard or platform often seems more challenging than getting them to agree to settle the entire dispute.

Cohen and Morril conclude that the arbitrator’s (and by extension, a mediator’s) duty is to take reasonable measures to prevent unauthorized electronic access to information. They also look at the scope of that “reasonableness” standard and some practical measures that neutrals can take. These depend in part on the nature and sensitivity of the mandate, as well as the circumstances of the file.

Security standards are continually changing, so what was reasonable last year may not cut it any more. Unfortunately, “reasonableness” is usually only evaluated in hindsight, once a breach has occurred, so mediators and arbitrators must make a risk assessment, based on the kind of work they do. And they must periodically re-evaluate that assessment, in light of changing technology and the evolving expectations of disputing parties and their counsel.

Although it is now a couple of years old, I encourage everyone to read the Cohen and Morril article, first for a healthy dose of fear, then beginning at page 1014, for some useful ideas for implementing and continually improving their own cybersecurity practices.
