TagTime with Catherine Amirfar – Cybersecurity and International Arbitration: A Wake-up Call*

Author: Dominique Jones**

This post provides a summary of the December 9, 2020 TagTime webinar. During that episode, Catherine Amirfar† discussed “Cybersecurity and International Arbitration: A Wake-up Call” with Dr Kabir Duggal and Amanda Lee as a part of the ongoing series run by Delos Dispute Resolution.[1]

Throughout the episode, Ms. Amirfar discussed cybersecurity risks and how data breaches could specifically impact the field of international arbitration. She also discussed prevention plans and described necessary steps that parties to arbitration should take in order to prevent data breaches. Last, Ms. Amirfar shared practical tips on cybersecurity etiquette before taking questions.

Ms. Amirfar defined a data breach as a breach of confidentiality, integrity, the availability of personal data, or a combination of those elements. The European Union’s General Data Protection Regulation (“GDPR”) Article 4 § 12 also offers a useful definition of a data breach that has proliferated in international organizations.[2] Ms. Amirfar then described the broad range of motives and opportunities for cyber criminals seeking access to confidential data.  The speed and interconnectivity of the online system allows criminals to operate on an international level and quickly gain access to data including personal information, monetary information, and trade secrets. Highly sensitive information may be leaked through data breaches during state-to-state disputes or during investment treaty arbitration against states.

The increased reliance on Zoom and virtual platforms in the wake of Covid-19 has increased the opportunities for criminals to access personal information through a variety of methods such as phishing emails, social media logins, and even emails that appear to be sent from a “trusted source.” Ms. Amirfar recalled that in April 2020, a cyber-criminal figured out that Ms. Amirfar had been newly appointed as president to the American Society of International Law (“ASIL”). The criminal created an email address that was one letter off from her own and emailed the treasurer of ASIL asking for a transfer of funds. Sophisticated cyber cons such as this, which require research and coordination, are on the rise as vital business is increasingly conducted online.

Cyber hacking and attempted breaches have grown exponentially since Covid-19 required the world to work from home. Law firms and other businesses rolled out remote work overnight, with less focus given to vulnerabilities in an effort to get online quickly. Additionally, employees working remotely have expanded the number of people conducting substantive work on unsecured Wi-Fi networks. Ms. Amirfar noted that within the international arbitration field, unsecured networks such as these provide an attractive target for cyber breaches.

International arbitration often deals with high-value disputes between multinational corporations, governments, and public figures. Throughout the arbitration process, high-value data is stored in multiple places, often across different jurisdictions, under different governmental regimes, with the tribunal, and sometimes also with experts. The exchange of this confidential information is often digital and communicated through unencrypted means. Ms. Amirfar provided examples of high-profile data breaches that rocked the international arbitration community.[3]

Ms. Amirfar highlighted that the challenge for investor-state dispute settlement (“ISDS”) was to protect the “weakest link” which provides access points for hackers. Even financial institutions or defense corporations that implement adequate security measures on their end may become vulnerable when data is transmitted to third-party vendors or service providers. By the same token, Law practitioners are often seen as ripe targets based on the perception that their security system is not as robust as those of clients. The New York Bar Association and Chicago Bar Association both faced breaches in 2020.

Within international arbitration, the consequences of a breach are extensive. Successful cyber-attacks may lead to the disclosure of sensitive data, trade secrets, or data of commercial value contained in documents used in arbitration. When these breaches are disclosed, they may result in adverse media coverage and reputational damage to arbitration institutions and counsel. There may be a cost associated with data recovery. Additionally, some bar ethics rules specify that counsel must take reasonable steps to secure information. A cyber breach may demonstrate the failure to meet these ethical obligations. Taken together, these consequences may lead to a loss of confidence in the international arbitration system, especially given the emphasis on confidentiality and security for companies and Governments alike.

Ms. Amirfar presented prevention techniques that parties can adopt to avoid a cyber breach, as well as mitigation techniques once data has been compromised. In light of the move to online proceedings, many arbitral institutions have issued guidance for virtual hearings and other proceedings.[4] In 2017, Debevoise & Plimpton released its own cybersecurity protocol which included guidance on the transfer and storage of sensitive information, limited disclosure and use of sensitive information, and a procedure for the disclosure of data breaches.[5]

In order to preempt and counter cybersecurity breaches, Ms. Amirfar led viewers through five tips on basic security hygiene. The bottom line is to balance the convenience of online information-sharing with the known risk of such activities. First, limit the collection and use of sensitive data. Practitioners should determine whether such information is really needed for the dispute and if so, if it can be stored on a protected platform, with, for example, visual access only. Second, know your assets and architecture. Complex passwords, multifactor authentication, and encryption of sensitive data can create additional levels of security. Sensitive information and passwords should not be transmitted via email. Third, data should be backed-up in the event that it is lost or corrupted. In addition, policies should be in place to limit the retention of data after the arbitration ends. Information should be returned to the client or securely destroyed. Fourth, never use public Wi-Fi and adopt protections to strengthen at-home networks. Fifth, a cyber threat mitigation plan should be adopted early on in an engagement, usually at the first procedural conference.

All parties should be responsible for establishing protocols at the outset of international arbitration for the transfer and storage of sensitive data, for virtual hearings and conferences, and to limit disclosure of sensitive information. Additionally, parties should adopt procedures for dealing with the disclosure of data breaches. Having a plan ahead of the breach can provide a way forward for parties, especially in jurisdictions where there is a requirement to disclose.

After providing these key takeaways, Ms. Amirfar took questions on cybersecurity in the international arbitration context. She cautioned tribunals to consider carefully allowing evidence that was found to be the result of an unlawful breach, since this may incentivize attacks. She noted that this is often a case-by-case inquiry dependent upon the rules in a particular jurisdiction: for example, clearly probative information that is not fabricated may be permitted in some jurisdictions as long as claimant or counsel had no role in securing the information, such as in the case of leaked documents that are published by news sources. In any case, a threshold needs to be established in order to authenticate the information collected as a result of a data breach.

Ms. Amirfar offered steps that should be taken immediately in event of a security breach. In an ideal situation, there is someone working to respond instantly to news of a breach and who can spring into action no matter the time of day or night. After an alert, IT specialists have designated protocols to work to contain the breach. For example, with respect to some breaches, it has been possible to isolate a “live virus” by taking a system offline and localizing the virus, which can help identify the source of the breach. When this is not possible and information has already left the system, mitigation efforts kick in. At this point, disclosure responsibilities are triggered, either under domestic rules or international regimes such as the GDPR, and counsel must work with the client to navigate this process. Where appropriate, early disclosure to the tribunal is prudent. While it may take time to discover the extent of the breach, alerting other parties to a security threat may protect them if further attacks continue to target the arbitration.

In closing, Ms. Amirfar tagged Matthew Gearing QC[6] to appear on a future episode of the TagTime webinars.

[1] Catherine Amirfar, Cybersecurity and International Arbitration: A Wake-up Call, TagTime (Dec. 9, 2020), available at https://member-delosdr.org/video-tagtime-catherine-amirfar-on-cybersecurity-and-international-arbitration-a-wake-up-call/.

[2] Regulation (EU) 2016/679 of May 4, 2016, General Data Protection Regulation, 2016 O.J. (L 119) 1. Article 4 §12 defines “personal data breach” as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise possessed.”

[3] See Libananco Holdings Co. Ltd. v. Republic of Turkey, ICSID Case No. ARB/06/8 (in the course of a separate court-ordered money laundering investigation, it became known that the  Turkish government had intercepted privileged communications and materials that had been exchanged between the claimant and its counsel in connection with the arbitration); Luke Peterson, Permanent Court of Arbitration website goes offline, with cyber-security firm contending that security flaw was exploited in concert with China-Philippines arbitration, IAReporter, July 23, 2015, https://www.iareporter.com/articles/permanent-court-of-arbitration-goes-offline-with-cyber-security-firm-contending-that-security-flaw-was-exploited-in-lead-up-to-china-philippines-arbitration/.

[4] See CPRADR.org, CPR’s Annotated Model Procedural Order for Remote Video Arbitration Proceedings (July, 2020), https://irp-cdn.multiscreensite.com/ffb7ea18/files/uploaded/4.21%20FINAL%20Annotated%20Model%20Procedural%20Order%20for%20Remote%20Video%20Arbitration%20Proceedings.pdf. The CPR model provides a template to give parties, counsel and tribunals the opportunity to embed security features into their procedural order. See also International Court of Arbitration, ICC Guidance Note on Possible Measures Aimed at Mitigating the Effects of the COVID-19 Pandemic(April 9, 2020), available at https://iccwbo.org/content/uploads/sites/3/2020/04/guidance-note-possible-measures-mitigating-effects-covid-19-english.pdf (including Annex II which contains “suggested clauses for inclusion in cyber protocols of procedural orders” for hearings that will be conducted virtually); ICCA-NYC BAR-CPR, Protocol on Cybersecurity in International Arbitration 2020 Edition (Nov. 21, 2019), available at, https://cdn.arbitration-icca.org/s3fs-public/document/media_document/icca-nyc_bar-cpr_cybersecurity_protocol_for_international_arbitration_-_electronic_version.pdf (describing cyber risk assessment, categories of information-security measures, and suggesting a procedural framework for the adoption of cybersecurity measures during an arbitration).

[5] Debevoise & Plimpton, Protocol to Promote Cybersecurity in International Arbitration (July 19, 2017), available athttps://www.debevoise.com/news/2017/07/debevoise-announces-protocol-to-promote.

[6] Matthew Gearing QC is a partner in Allen & Overy’s Global Arbitration group. He is widely regarded as a leading arbitration practitioner; in particular he was appointed Queen’s Counsel (England & Wales) in February 2014.

* * This post is part of a series summarising Delos Disputes Resolution’s TagTime webinars.
** Dominique Jones, J.D. Candidate 2021, Columbia Law School. Dominique is Co-Student-Editor-in-Chief for the American Review of International Arbitration for the 2020-2021 academic year. After graduation, she will be joining Debevoise & Plimpton, LLC in their New York office.  The views expressed in this post do not necessarily reflect the views of the Review.
† Catherine Amirfar is a partner at Debevoise & Plimpton, LLC where she serves as Co-Chair of the Public International Law Group and sits as a member of the Firm’s Management Committee. She is the current President of the American Society of International Law (ASIL) and co-hosts a podcast, “International Law Behind the Headlines.” Ms. Amirfar is a member of the Governing Board of the International Council for Commercial Arbitration (ICCA), and serves as Co-Chair of the ICCA-ASIL Task Force on Damages in International Arbitration. She is also a member of the Court of Arbitration of the Singapore International Arbitration Centre and the International Centre for Dispute Resolution of the American Arbitration Association.