Law360 (May 6, 2020, 5:14 PM EDT) --
Claire Morel de Westgaver
Yet, given the cross-border nature of arbitration, parties, counsel, arbitrators and institutions have been conducting proceedings remotely even prior to the pandemic. It is no news that much of an arbitration practitioner's work can be done from anywhere with a secure Wi-Fi connection — an office, a home, a conference or hotel room, or an airport lounge. Aside from certain hearings that might not be suitably conducted via videoconferencing, the disruptive impact of COVID-19 on arbitration has therefore been relatively modest.
There are, however, risks associated with the changes caused by work-from-home policies implemented as a result of the pandemic. The sudden surge in remote working and rapidly deployed and expanded information technology infrastructure inevitably exacerbate gaps in cybersecurity.
State cybersecurity agencies have reported increased COVID-19-themed cyber operations by advanced persistent threat groups and malicious cyber actors who are exploiting this vulnerability to "hack and leak" and deploy malware. The threats that have been observed, and which are expected to continue over the coming weeks and months, include:
- Phishing, using the subject of COVID-19 as a lure;
- Malware distribution, using COVID-19-themed lures;
- Registration of new domain names containing words relating to COVID-19;
- Attacks against newly — and often rapidly — deployed remote access and teleworking infrastructure;
- Hijacking of videoconferencing virtual rooms which do not have sufficiently strong encryption and privacy protections (e.g., reported cyber hackers who "video-crashed" and disrupted conference calls hosted over certain unsecured videoconferencing applications).
Arbitration stakeholders are not immune to these heightened cybersecurity and hacking risks. As the community continues to tap into the flexibility of arbitration to meet the needs of the current environment, it must not lose sight of the cyber risks associated with remote working. Law firms, arbitration team leaders and other stakeholders should implement reasonable information security measures and best practices to mitigate against these risks.
Appropriate guidance from information technology experts should be sought, awareness of tools or behavior that may compromise the security of arbitration proceedings should be raised, and the community should share takeaways from each of their own experiences.
For instance, the 2020 Cybersecurity Protocol for International Arbitration jointly released in 2019 by the International Council for Commercial Arbitration, New York City Bar Association and the International Institute for Conflict Prevention and Resolution provides helpful guidelines and examples of information security measures that may be adopted and tailored to a particular arbitration.
On a more systemic level, some arbitral institutions had already put in place secure digital platforms for the transfer of communications and documents. The current situation caused by COVID-19 is likely to generate initiatives to increase the scope of these platforms to address remote working measures and assist with the holding of virtual hearings and deliberations.
Information security measures that meet the needs of the day are important to preserve the integrity, confidentiality and fairness of the arbitration process. In some instances, the arbitral proceedings themselves might not be subject to confidentiality duties. However, some channels of communication and some documents generated and/or exchanged in connection with the arbitration will invariably be subject to strict duties of confidentiality.
For example, communications between counsel and their clients, and those between arbitrators, are always confidential. A data breach giving rise to the disclosure of communications covered by attorney-client privilege may have profound consequences in terms of due process and fairness. Similarly, a leak of arbitrators' deliberations and draft awards would jeopardize the integrity of the proceedings and the validity of the ensuing award. It may also expose arbitrators to criticism or challenge, with the risk of wider political implications.
The aim of this article is to suggest some best practices and practical precautionary measures that arbitration practitioners can take to manage heightened cybersecurity risks.
Accounts, Passwords and Virtual Private Networks
With most practitioners now accessing their work or organization's network systems remotely, passwords are the first line of defense in protecting user accounts from being hijacked in account-takeover attacks.
Individuals involved in arbitral proceedings should ensure that access to and transfer of confidential information, as well as work-sharing spaces, data rooms, servers and network systems, are protected by strictly observed passwords that combine upper- and lower-case letters, special characters and numerals. Multifactor authentication should be used when possible and appropriate.
Counsel, arbitrators and other participants should exercise caution if they choose to circulate documents or information using applications outside the relevant organization's selected or approved document management systems. Where external, non-approved document management systems are used, these should ideally be reviewed and approved by the organization's IT security team, to scan for any encryption or security risks.
Alongside this, given that most practitioners are accessing their organization's network systems remotely, virtual private network, or VPN, servers are paramount to the security of each organization's systems and data, including information and communications relating to arbitral proceedings.
In this context, it is critical that law firms, expert advisory firms, barristers' chambers, and academic and arbitral institutions take steps to ensure that their VPN servers are fully patched and have sufficient bandwidth to support the current surge in traffic for the foreseeable future. In addition, it is important for all employees to access the firm's VPN servers strictly via a secure, private Wi-Fi connection to reduce exposure of the VPN servers to cyberattacks.
Use of Personal Devices
Many practitioners will now be accessing their work, organization's network systems, or carrying out business functions from their own personal devices (laptops, tablets and smartphones) in addition to or in the absence of corporate managed devices. The use of personal devices heightens the risk of user-initiated deliberate data loss (e.g., from copying data from a work application to the personal device's local storage system). Personal devices are also more vulnerable to malicious exfiltration and scraping of data, and malicious exploitation of the device as a result of weak security configuration and lack of monitoring.
A proportionate security control of these devices is critical to ensure that they are adequately protected. Access to personal devices should be password protected with minimum passcode length and multifactor authentication where possible. No business or confidential data should be stored locally on the personal device.
In addition, third-party use of this personal device (e.g., by family members, or in the course of maintenance or repair services) should be controlled with care. Organizations should conduct regular audits of business data accessible via their employees' personal devices. They may also consider imposing a universal level of security by requiring use of antivirus software on all personal devices that are used for work and business functions.
Telephone and Video Conferences
Telephone and videoconferencing have become the primary medium of communication between colleagues and clients even within the same jurisdiction. In the realm of dispute resolution, many courts and arbitral institutions, state bodies and tribunals have transitioned to virtual hearings with the use of telephone and videoconferencing platforms and online dispute resolution.
Just a few weeks ago, it was reported that the substantive merits hearing of a large Brazilian corporate International Chamber of Commerce arbitration, involving over 70 participants, was successfully heard remotely via a cloud-based videoconferencing software platform.
With respect to the use of video and telephone conferencing, it is important that practitioners ensure that the relevant platform or software offers the necessary security and encryption required to protect the information that is exchanged. To the extent practicable, the platform or application should be run by the relevant IT support team to ascertain any potential security risks.
Many video and telephone conferencing platforms offer the option to share documents and presentations. However, to the extent that any such documents or presentations include confidential information, use of this feature should be avoided, unless the organization's IT security team has confirmed that the platform has the necessary encryption to prevent unlawful interception or retention by third parties. Instead, participants could agree to use a shared, multifactor password-secured and encrypted virtual/cloud document repository, where the relevant documents could be shared prior to or during the meeting.
More broadly, practitioners and users will also find helpful guidance on best practices for the planning, testing and use of videoconferencing in international arbitration in the Seoul Protocol on Video Conferencing in International Arbitration.
The Seoul Protocol identifies potential challenges and risks associated with the use of videoconferencing and sets out various practical preparatory arrangements that parties can take to avoid logistical breakdowns. In addition, it recommends the technical specifications of video, audio, bandwidth and bridging that parties should use to ensure the efficient and smooth operation of hearings conducted by videoconference.
It is important for practitioners to adopt the necessary information security measures in telephone and videoconferencing so that fairness and impartiality, effectiveness and confidentiality in the arbitration process are safeguarded.
Informal Communications: Instant Messaging
Working remotely also means that instant messaging via various digital messaging platforms like WhatsApp is more commonly used for business. Where instant messaging is used as an informal, expeditious medium for work-related communications during this period, the boundaries between private and professional life in this medium of communication become blurred.
Some professionals may use these digital messaging platforms for informal, ad-hoc communications. Others use instant messages for virtually all their business dealings. The "social" and inherently informal nature of instant messaging often means that individuals are less circumspect in what they write than they would be if communicating by email. It is for these reasons that arbitration users, counsel and clients should exercise special care in the information they disclose on these platforms. The level of security can vary significantly from one platform to another.
Furthermore, there is potential for such communications to be considered as a form of discoverable evidence in a prospective dispute or, for instance, be deemed representative of an agreement in lieu of a signature.
Informal Communications: Email
Many companies have reported an uptick of COVID-19 phishing attempts via email, web links and instant message communications targeted at employees who are working remotely from personal devices (rather than firm-issued and firm-configured devices).
Practitioners should be wary of clicking on links embedded in emails from unknown or unusual senders (whether in their personal or work email inboxes). This is especially critical when accessing emails on the organization's VPN servers, as it may risk a potential hacking of the organization's VPN server, infiltration of the remote network system, and leaking of large amounts of confidential information. Law firms and other organizations should circulate updated guidance to their employees on phishing emails.
Document Sharing and Storage
With the closure of physical offices and the consequential unavailability of printing facilities, almost all communication and exchange of information is being done in electronic format. In fact, most major arbitral institutions have issued guidance to the effect that all communications, submissions and exhibits should be filed and exchanged via electronic means, to the full extent possible.
While this approach is not new to practitioners, it is even more critical to maintain good practices in the circulation and exchange of information between colleagues, clients and counterparties. As far as possible, documents should be exclusively stored and shared within the relevant organization's network system and/or the designated cloud document repository or file transfer platforms.
The exchange of documents outside these channels (e.g., third-party services like Dropbox, Google Drive) should be avoided as much as possible. If documents are transferred externally (using personal email addresses or outside the designated file transfer platform), users may wish to require a password to access these documents. The password should be transmitted separately from the underlying documents.
In addition, storage of these documents or client confidential information on the local drive of personal devices should be avoided. Furthermore, documents, client confidential information and other work product should exclusively be saved on the firm's network system folders or on password protected data storage carriers.
The shift toward working from home on a full-time basis and the more widespread dependence on technology may have long-term positive effects on international arbitration in terms of time and cost efficiency, impact on the environment and diversity.
Furthermore, arbitration is now being considered by some litigants not only as a temporary solution to the closure of national courts, but also as a long-term alternative to litigation, for its potential ability to weather future (health-related or otherwise) crises that may have an impact on national courts' ability to function.
It is, however, imperative that members of the international arbitration community recognize existing and new cybersecurity risks and work to build cybersecurity resilience in arbitration across the board to protect the integrity of arbitral proceedings and, ultimately, the future of arbitration as a sustainable dispute resolution process.
Claire Morel de Westgaver is a partner and Rachel Chiu is an associate at Bryan Cave Leighton Paisner LLP.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
 Cybersecurity and Infrastructure Security Agency (CISA, US) Alert (AA20-099A): COVID-19 Exploited by Malicious Cyber Attackers (8 Apr 2020) https://www.us-cert.gov/ncas/alerts/aa20-099a; National Cyber Security Centre (UK) Cyber Experts Step In As Criminals Seek to Exploit Coronavirus Fears (16 Mar 2020) https://www.ncsc.gov.uk/news/cyber-experts-step-criminals-exploit-coronavirus
 Kelly Zegers, Law 360 Shareholders Sue Zoom over Privacy, Hacking Concerns (8 Apr 2020) https://www.law360.com/articles/1261581/shareholders-sue-zoom-over-privacy-hacking-concerns
 ICCA-NYC Bar-CPR Cybersecurity Protocol for International Arbitration (2020 Edition) https://www.arbitration-icca.org/projects/Cybersecurity-in-International-Arbitration.html
 See: Work From Home Cybersecurity Basics: Wireless Network Security (3 Apr 2020) https://www.bclplaw.com/en-GB/thought-leadership/work-from-home-cybersecurity-basics-wireless-network-security.html
 ICC Guidance Note on Possible Measures Aimed at Mitigating the Effects of the COVID-19 Pandemic, ¶10-15 (9 Apr 2020) https://iccwbo.org/publication/icc-guidance-note-on-possible-measures-aimed-at-mitigating-the-effects-of-the-covid-19-pandemic/; CIArb Guidance Note on Remote Dispute Resolution Proceedings https://www.ciarb.org/media/8967/remote-hearings-guidance-note.pdf; AAA-ICDR COVID-19 Update, Virtual Hearing Guide for Arbitrators and Parties (20 Apr 2020) https://go.adr.org/covid19.html; HKIAC HKIAC Service Continuity during COVID-19 (27 Mar 2020) https://www.hkiac.org/news/hkiac-service-continuity-during-covid-19
 See: Harry N. Mazadoorian, Law 360 COVID-19 and Online Dispute Resolution: A Whole New World Out There (1 Apr 2020) https://www.law.com/ctlawtribune/2020/04/01/covid-19-and-online-dispute-resolution-its-a-whole-new-world-out-there/?slreturn=20200322023603 . In HK: http://ebram.org/, https://www.bclplaw.com/en-GB/thought-leadership/hk-covid19-qanda-on-the-hk-governments-covid-19-online-dispute-resolution-scheme.html; In China: Vincent Chow, Law 360 China Pushes for Increase in Online Dispute Resolution as It Reboots Economy (19 Mar 2020) https://www.law.com/2020/03/19/china-pushes-for-increase-in-online-dispute-resolution-as-it-reboots-economy-292-63799/?utm_source=email&utm_medium=enl&utm_campaign=morningminute&utm_content=20200323&utm_term=law&slreturn=20200322023251.
 Graziella Vlenti A pandemia na maior arbitragem societária do país, a disputa pela Eldorado (22 Mar 2020) https://exame.abril.com.br/negocios/a-pandemia-na-maior-arbitragem-societaria-do-pais-a-disputa-pela-eldorado/
 Korean Commercial Arbitration Board Seoul Protocol on Video Conferencing in International Arbitration (18 Mar 2020); http://www.kcabinternational.or.kr/user/Board/comm_notice_view.do?BBS_NO=548&BD_NO=169&CURRENT_MENU_CODE=MENU0025&TOP_MENU_CODE=MENU0024.
 ICC Guidance Note on Possible Measures Aimed at Mitigating the Effects of the COVID-19 Pandemic, ¶10-15 (9 Apr 2020) https://iccwbo.org/publication/icc-guidance-note-on-possible-measures-aimed-at-mitigating-the-effects-of-the-covid-19-pandemic/; LCIA Services Update: COVID-19 (18 Mar 2020) https://www.lcia.org/lcia-services-update-covid-19.aspx; ICSID ICSID Makes Electronic Filing its Default Procedure (13 Mar 2020) https://icsid.worldbank.org/en/Pages/News.aspx?CID=359; SIAC COVID-19: SIAC Case Management Update https://www.siac.org.sg/images/stories/press_release/2020/ANNOUNCEMENT%20COVID-19%20SIAC%20Case%20Management%20Update.pdf; AAA-ICDR COVID-19 Update (20 Apr 2020) https://go.adr.org/covid19.html.