Mauricio Duarte (QIL + 4 ABOGADOS / Universidad Francisco Marroquín)
Parties to arbitration, just like “millennials”, are dependent on digital data and network systems. Currently, most of the data created is used and stored in digital formats using internet and computer technology. This should not be surprising; the online world enables people to interact and behave in new and efficient ways. However, the resulting dependence on digital records creates significant cybersecurity vulnerabilities, which can result in major harm to the parties involved in an international arbitration.
In 2018, the White & Case – Queen Mary International Arbitration Survey: The Evolution of International Arbitration (“Survey”) revealed that the use of international arbitration is likely to increase in the technology sector. Furthermore, the Survey showed that technology is widely used in international arbitration and an overwhelming majority favours the use of hearing room technologies, cloud-based storage, video conferencing, Artificial Intelligence and virtual hearing rooms.
However, as the digital environment continues to grow rapidly, it is time to acknowledge that any effort to achieve a successful relationship between technology and arbitration must also consider related privacy and data security concerns. This post discusses some essential tasks that can be undertaken by key players in international arbitration to protect privacy and data security and ensure a successful arbitration.
Cyber Security Scandals
In 2015, the Permanent Court of Arbitration’s (“PCA“) website was hacked as a result of a cyber-attack originated in China. Hackers placed a malicious code, infecting the computers of diplomats, lawyers, and others who visited the website, which caused the PCA to temporarily take the website down. This constitutes the first real example that cybersecurity is, in fact, becoming increasingly relevant in the context of international arbitration.
Other recent security incidents have made clear that no company is immune from cyber-attacks. For example, the Equifax cybersecurity scandal shocked data experts around the world in 2017. The incident involved the breach of a security protocol that was easy to decipher and “hackers” accessed sensitive information including names, social security numbers, birth dates, addresses, driver’s licenses and credit card numbers taken from consumers’ personal data.
As a result of this and many other cybersecurity incidents, the United States National Institute of Standards and Technology (“NIST”) issued a Framework for Improving Critical Infrastructure Cybersecurity. The framework defined high-level goals of any cybersecurity risk management program. Identify, Protect, Detect, Respond, and Recover are the 5 main goals for any successful cybersecurity program which could be considered in international arbitration. If these principles were adopted; 2019 could be the year in which there is an awakening for the international arbitration community regarding cybersecurity concerns in the field.
Cyber Security Protocol
International arbitration as a preferred choice of dispute resolution involves sensitive subject matters, which normally might require discovery of confidential information including trade secrets, financial information, and personal identifiable information. In order to preserve international arbitration as a preferred alternative to resolve disputes, arbitral institutions and arbitrators will have to identify critical data and software to protect valuable information. This will enable arbitrators to effectively build procedures that satisfy both cybersecurity and data privacy concerns at arbitral proceedings.
Parties, as users of international arbitration, expect arbitrators and arbitral institutions to take reasonable measures to protect non-public exchanges of information. This expectation derives from parties’ awareness of the risk of cybersecurity incidents, which may result in a wide range of losses for them, including (a) out-of-pocket expenses for legal advice and forensic investigators; (b) regulatory penalties imposed by authorities; (c) potential damages awarded in civil claims; and (d) damages to market reputation. For instance, Facebook is currently facing lawsuits and monetary claims for the recent scandal involving Cambridge Analytica.
In 2018, ICCA, the New York Bar Association and the International Institute for Conflict Prevention and Resolution released a draft of the Cybersecurity Protocol for International Arbitration (“Cybersecurity Protocol”). The Cybersecurity Protocol originated as an acknowledgment from practitioners that arbitration proceedings are not immune to increasingly pervasive cyber-attacks. This also meant that attention to cybersecurity is required and essential to ensure that international arbitration maintains the confidentiality of the dispute resolution process.
In a digital era, a variety of factors must be considered when adopting security protocols for the transfer of sensitive information. However, with the new Cybersecurity Protocol, arbitral institutions and arbitrators will have some principles and guidelines to Identify, Protect, Detect, Respond, and Recover data from cybersecurity incidents that might take place in the arbitration proceedings.
Parties, arbitrators and arbitral institutions will have to work actively to identify what information might be vulnerable to cyber threats. This means, there should be an exhaustive consideration of what type of information is likely to be exchanged by the parties in the case. Intellectual property; trade secrets or other commercially sensitive information; financial information; personal data; and information that is subject to express confidentiality agreements or other relevant obligations should be considered.
However, identifying the relevant data or information is the first step. The arbitral tribunal will also need to identify whether the risk of a cyber attack is high or low, and whether the consequences of a breach are likely to be minor, moderate, or severe. This determination will depend on the identity of the parties; the industry/subject matter of the dispute; the size and value of the dispute; the prevalence of cyber threats and the severity of potential consequences if there is a breach of information security.
After identifying the data and potential risks, arbitrators will need to establish security protocols for the storage and transfer of sensitive data and information. This protection will require a digitally secure infrastructure that would contain or store the potential information. For instance, it is not recommendable to use a “cloud service” or similar services, such as Dropbox, with a fairly predictable password such as: “1234arbitration”. In this regard, the NIST has recommended that passwords should be based on unique passphrases, at least 8 characters long, and easily remembered. In addition, common dictionary words, past passwords, repetitive or sequential characters and context-specific words should be avoided.
Encryption, pseudonymization, or anonymization of information before it is exchanged could be a reasonable measure, depending on the concerns. Moreover, other protection measures could also address the limiting of exchanges of confidential commercial information and personal data; restriction of access to arbitration-related information and the method of transmission of the information.
Hopefully, the future of a blockchain infrastructure can contribute to cybersecurity in international arbitration. Blockchain is a distributed and immutable ledger, which stores information, known as blocks. Blocks are structured in the form of a ‘chain’ sequence, stored on various nodes (i.e., computers), which ensure that no single person or entity can manipulate the ledger without everyone else knowing. In other words, a blockchain protocol could serve as a tamper-resistant and resilient repository of data, to modernize and increase cybersecurity.
After identifying and enabling protection measures, a tribunal would need to have tools to detect a possible cybersecurity breach. For instance, the use of a program that specializes in detecting both malware and non-malware forms of spyware could be helpful (anti-spyware software). Also, the use of antivirus software’s (not the trial versions) should enhance the process to detect a possible breach. Arbitral institutions could also adopt an enhanced digital infrastructure with a security service (i.e., intrusion detection system or intrusion prevention system) that monitors networks or systems for the purpose of finding or detecting, in real-time or near real-time, attempts to access system resources in an unauthorized manner.
Arbitrators would need to create a Cyber Incident Response Plan, providing instructions or procedures to respond and mitigate the consequences of a cyber incident. For instance, suspending the procedure until the cyber risk is addressed could be an option. Other options could include a strict mandatory 72-hour breach notification requirement; use of computer forensics to address the issue and alternatives to recover information; and the use cryptography for documents that have not been compromised in order to prevent anyone but the intended recipient from reading that data.
Although sometimes it might be difficult, if a cybersecurity incident occurs, a tribunal would have the responsibility to try to restore the data that has been lost, accidentally deleted, corrupted or made inaccessible. However, a tribunal could also adopt protection measures (since the beginning) to have a data back-up system in which copy of files and programs is made in order to facilitate recovery, if necessary. This backup should be done routinely and even considering the so-called “3-2-1 rule”, according to which 3 copies of the data should be made, 2 should be stored locally in different storage media, and 1 copy should be stored offsite.
The Cybersecurity Protocol discussed in this post is designed to encourage practitioners to become more familiar with cybersecurity risks and to provide guidance on measures to be taken in light of those risks. Although the lack of regulation in a particular industry could be interpreted as something positive at times, this does not apply to situations in which there could be: (a) economic loss to parties, arbitrators, and arbitral institutions; (b) reputational damage to arbitral institutions, arbitrators and counsel, as well as to the system of international arbitration overall; and (c) potential liability under applicable laws and other regulatory frameworks.
As the frequency and sophistication of cyber-attacks grow, we will need to ensure the adoption of good practices to protect digitally stored information. The incorporation of new technologies will not dismantle arbitral proceedings. On the contrary, technology will boost the appeal of arbitration to resolve disputes, especially in the technology sector. Thus, as practitioners, we shall all be familiar with the need to Identify, Protect, Detect, Respond, and Recover.
Arbitration, and typically commercial arbitration, is an Alternative Dispute Resolution (ADR) which is agreed by parties of the dispute. Arbitration can be used to replace the traditional way of litigation in court.
Derive from arbitration’s dispute settlement principles, arbitration shows many pros and brings many benefits for parties in commercial dispute, specifically as follows:
A Polish appeals court vacated an International Chamber of Commerce (ICC) partial award for alleged irregularities in the arbitrator's appointment (for further details please see " ICC award set aside due to irregularities in arbitrator's appointment "). The sole arbitrator's final award was also successfully challenged and set aside. The first reason to vacate the final award was also the issue of the sole arbitrator's appointment.
In Vietnam, it is becoming more common to have an arbitration tribunal constituted under the rules of a foreign arbitration institution (such as the International Chamber of Commerce or ICC) but with the seat in Vietnam. Such a tribunal will conduct the proceeding in Vietnam under the Vietnamese Commercial Arbitration Law ( CAL ).
It is normal to inspect the goods that have been lost or damaged during the performance of the sales contract and in the contract of carriage. However, improper inspection can lead to significant disputes and damages that you can refer to below.
The ten years of Law on Commercial Arbitration 2010 (LCA) are also the 10-year development period of VIAC - the first institutional arbitration organization in Vietnam, the organization that goes along with the formation and advancement of the legal framework of commercial arbitration in Vietnam.
Law on Commercial Arbitration (“LCA”) enacted in 2010 was considered a major step forward for the development of commercial arbitration in Vietnam. Compared with the previous years and with international standards, LCA has made remarkable progress, namely recognizing enterprises’ freedom of choice, broadening the scope of arbitration, raising the arbitral tribunal’s authority, valuing court assistance (especially interim measures enforcement), encouraging flexibility in language of arbitration, and improving party’s autonomy in arbitration while maintaining proper manners during arbitral proceedings.
Mr. Doug Jones, a leading arbitrator in the international arbitration community, revealed to me his infatuation with the beautiful beach and Vietnamese delicacies after a seminar in Da Nang. He was also inspired by the confidence, assertiveness, competence and the ambition to improve domestic arbitrators to the same level as those working in the international sphere of young arbitrators and VIAC Secretaries.
Law on Commercial Arbitration 2010 (LCA)- the procedural law governing arbitration proceedings whose seat is in Vietnam
Nowadays, as the digital economy emerges, electronic agreements on online websites are becoming more and more prevalent; hence, the legal effect of establishing terms and conditions of service when accessing the website (browse-wrap) and clicking (click-wrap) are of particular interest. The following paper analyzes some of the legal aspects of online agreement conclusion, especially the establishment of the arbitration agreement by means of browse-wrap and click-wrap.
Whether settling disputes in Court or through arbitration, when a party has the burden of proof, it must submit evidence to the arbitral tribunal. The evidence can be in many different forms: Document electronic evidence, audio recordings, video recordings, witness statement, etc. In international arbitration practice, especially in complex disputes, a type of evidence that is frequently used by the parties to defend their opinion/request is testimony/report of "expert witness".
In international commerce and investment, parties to a dispute often select arbitration as an alternative dispute resolution other than litigation in which the court, an authorized state agency, adjudicate disputes. An explanation for this phenomenon is that arbitration may be the optimal means that the parties can exercise their autonomy in writing to select one or several individuals who are not representing state agencies and state power (the so-called private parties) to resolve disputes. However, to prevent the possibility of arbitrators "privatizing" justice,  the New York Convention and the ICSID Convention set out the rules for annulment of arbitral award when such award violates arbitral proceeding. Here, questions arise. What rules of procedure are violated? And to what extent is the commercial and investment arbitral award annulled? This article seeks to elucidate the theory and practice of annulment for violations of procedure under the New York Convention and the ICSID Convention.
Goods can be consolidated, batched, packed, sorted, and grouped for a certain period of time before being loaded onto a trailer for carriage to the consignee. Disputes about whether the time to do these things are within the scope of insurance liability or not is an issue worth knowing (through the lawsuit with the documents of a foreign law firm) below for readers’ reference.