Guest blog: The issue of cybersecurity in legal practice

Many working groups and professional associations have been developing protocols or guidelines aimed at addressing and improving the issue of cybersecurity in legal practice. This growing concern has also reached the international arbitration community. While the International Bar Association (IBA) launched its own cybersecurity guidelines in October 2018 at its annual conference in Rome, the International Council for Commercial Arbitration (ICCA) has joined forces with the New York City Bar Association (NYC Bar) and the International Institute for Conflict Prevention and Resolution (CPR) to launch a dedicated working group. The Working Group on Cybersecurity presented a draft version of its Cybersecurity Protocol for International Arbitration in April 2018 during the ICCA Congress in Sydney. The document is currently subject to a consultation period until 31 December 2018. The issue of cybersecurity in international arbitration is also addressed in a report by the ICC Commission on Arbitration and ADR, which discusses the issues to consider when using Information Technology in International Arbitration, updated in April 2017.

Arbitration stakeholders are particularly exposed to cybersecurity threats. This is due to the highly sensitive nature of many international arbitration cases; amount of information and documents exchanged in the course of these proceedings; and the fact that parties in international arbitration such as states/state entities and high-profile companies, are themselves regular targets of cyberattacks. One turning point in raising public awareness was the attack of the Permanent Court of Arbitration’s (PCA) website during the hearing on jurisdiction in the South China Sea maritime boundary dispute between the Philippines and China. The purpose of the attack appeared to be an attempt by hackers to gain access to the servers of the representatives of several South Eastern Asian states that attended the hearing as observers.

Given the participation of several types of actors — including arbitrators, counsel, parties, arbitral institutions, etc. — international arbitration proceedings necessarily involve transfers of large amounts of sensitive data within a network with varying levels of cybersecurity. While arbitrators or counsel practising in international law firms usually benefit from an appropriate level of cyber protection, this may not be the case for academics or practitioners in smaller structures. Arbitral institutions may also have varying levels of cybersecurity. Participants in arbitration proceedings with lower levels of cybersecurity may become the weak link of the network in a given case. Weak links allow hackers to target the remaining participants through a first intrusion on these weaker servers, as seems to have been the case with the PCA website attack. Counsel and parties frequently seem to be the final targets of cyberattacks, as they hold more sensitive information and documents than arbitrators or arbitral institutions. Another illustration of the targeting of parties and counsel is the hacking of the government of Kazakhstan’s server, which resulted in the online release of privileged communications with its counsel in relation to on-going arbitrations.

If one party has an interest in exploiting a breach of cybersecurity in the proceedings, arbitrators may need to deal with a question of admissibility when evidence is obtained through hacking. This issue was presented to the tribunal in the International Centre for Settlement of Investment Disputes (ICSID) case Libananco v. Turkey. The respondent sought to introduce as evidence audio recordings of privileged communications between the claimant and its counsel, which were intercepted and recorded in the context of unrelated criminal investigations. The decision on admissibility may be even more challenging in cases where the ultimate author of the cyber intrusion cannot be identified with certainty, as was the case for the attack of the PCA website.

While stakeholders with inadequate levels of cybersecurity pose a risk to all the participants in an arbitration, it is crucial to report any uncovered attack or intrusion to all of those involved, in order to allow counsel and parties to adopt protective security measures accordingly. As hackers constantly diversify their attacks, exchanging information on how to improve cybersecurity is fundamental to increase the level of protection achieved by law firms. Sharing communities to discuss common challenges and share best practices are now recognised as one of the best defences against cyber threats and attacks. Alongside other international law firms, Linklaters is, for instance, a founding member of Legal Services Information Sharing and Analysis Organisation (LS-ISAO), a member-driven community that shares threat and vulnerability information among member firms for their mutual defence.

In terms of the arbitral procedure, the case management conference constitutes a good opportunity for parties and the arbitral tribunal to discuss secure options for the transfer of data. Arbitral institutions may also have a role in promoting cybersecurity. This could be by addressing the issue in their rules and providing for secure methods of transfer — which can vary from case to case — or developing secure platforms to store electronic data, as ICC aims to do. This new platform should both allow for a secure exchange of data and improve the efficient management of the case by the institution.

*Disclaimer: The content of this interview does not reflect the official views of the International Chamber of Commerce. The opinions expressed are solely those of the authors and other contributors.