Managing Data Privacy and Cybersecurity Issues
This is an Insight article, written by a selected partner as part of GAR's co-published content.
Introduction
The privacy of personal data and cybersecurity are governed by mandatory national laws that vary greatly from country to country. They are not addressed specifically in national arbitration laws or in the core provisions of arbitration rules. Their relevance for dealing with evidence is only indirect: restrictions on the use of personal data may be invoked as a ground for arguing that certain requested documents should not be disclosed to another party or filed as evidence in an arbitration. Procedurally, cybersecurity is relevant only insofar as the protection of personal data requires measures that protect system integrity and functionality. Moreover, the privacy of communications within the systems of one party, or between the arbitrators, must be maintained technically so as not to create factual imbalances among the parties. It is also essential that the integrity of digitalised evidence can be maintained and protected throughout the proceedings. There is, however, a dimension that goes beyond the merely procedural. Compliance with the applicable data protection and cybersecurity law is a duty by which law firms and the parties themselves, as enterprises, are bound. As a minimum, the applicable legal protection of personal data is also binding on arbitrators. Arbitration is not exempt from these mandatory regulations and should be organised and managed in a way that ensures compliance by all participants.
Cybersecurity
Before dealing with cybersecurity, we need to have a notion of cyber threats in the context of arbitration.
Authenticity and integrity of data
The original version of much documentary evidence is in a digital format and is processed by clients and counsel electronically. Further, communication with other parties and arbitrators is digital, even if digital files are at times printed and used as hard copy on paper. This digital information is not transmitted on physical storage media that change hands but is sent over digital networks. Digital records (documents) are easily modified. It is technically difficult to reconstruct a trail of modifications and to verify attributes establishing that a digital record (document) is authentic and has not been modified. It is even difficult to tell a digital copy from a digital original. Therefore, there is a potential cyber threat to the authenticity of digital evidence that often cannot be resolved by returning to a physical blue-ink original, because no such original ever existed. Thus, one cybersecurity aspect is that tampering with or falsifying data, even in transit, is technically possible and more complex to detect and prove, even though the procedural treatment of falsified or manipulated documentary evidence need not distinguish between the digital and the blue-ink document. If a party contests the authenticity or integrity of data, or that its purported author is its real author, this is examined and established by the usual procedural means (e.g., via a computer forensic expert).
The aim of protective cybersecurity measures, therefore, is to preserve the integrity and the authenticity of data and to protect it against unauthorised manipulation. This is achieved by restricting physical access to the hardware through which the digital evidence can be accessed and by establishing a user-rights management system that defines what any legitimate user may do with the data (read, write, delete, copy). Furthermore, the term ‘legitimate user’ must be defined, and there must be a form of digital access control for the system to which the user is admitted that ensures, with a sufficient degree of likelihood, that the real person accessing the system is the person to whom the user rights were granted. This is achieved by a user name, a password and (ideally) a separate one-time security code delivered through another channel, typically an authenticator app on a mobile phone, or else by SMS or email. Codes sent by SMS or email are the weakest of these options, because both channels can be intercepted or redirected; an authenticator app or a hardware security key is preferable. Further protection comes from regular backups of the data stored on the system, made by those who own or oversee it. These backups are shielded from the wider network, encrypted, digitally time-stamped and accessible only to a very restricted number of designated persons (usually IT staff). Since in nearly all cases digital information (documents) will automatically be stored as identical copies within the same system, or on other systems to which it was intentionally transmitted, and the metadata will normally at least allow some copies to be dated, there is a relatively good likelihood that covert manipulation of documents can be detected by a computer forensic expert, provided the described procedures are implemented, the system is backed up frequently and retention periods are sufficiently long.
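A concrete way to make the integrity described above verifiable, added here as an illustration and not taken from the article or from any arbitration rules, is a hash manifest: each exhibit's SHA-256 digest is recorded when the document enters the proceedings, the manifest itself is protected with an HMAC under a key held by whoever acts as custodian, and the files are later re-hashed and compared. The exhibit names, contents and the key below are constructed for the example.

```python
"""Evidence integrity manifest.

Added example, not taken from the article or any arbitration rules: records a
SHA-256 digest for each exhibit, protects the manifest with an HMAC, and later
re-checks the files so that any modification, deletion or addition is found.
Exhibit names, contents and the key are constructed for the example.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample exhibits (file name -> file content); not real case documents.
EXHIBITS = {
    "C-1_contract.pdf": b"%PDF-1.4 ... Supply Agreement dated 1 March 2019 ...",
    "C-2_email_2020-05-12.eml": b"From: a@example.com\r\nSubject: delivery\r\n\r\nAgreed.",
    "R-1_invoice.xlsx": b"PK\x03\x04 ... invoice total 12,500.00 ...",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a file's content."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes], key: bytes) -> dict:
    """Create a manifest: one digest per file, a creation timestamp and an HMAC
    over the listing. The key is held by the custodian of the manifest; without
    it, a manifest entry cannot be rewritten to match a tampered file."""
    body = {
        "created_utc": datetime.now(timezone.utc).isoformat(),
        "entries": {name: sha256_hex(data) for name, data in sorted(files.items())},
    }
    body["hmac_sha256"] = _manifest_mac(body, key)
    return body


def _manifest_mac(body: dict, key: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON serialisation of the manifest body
    (everything except the MAC field itself)."""
    unsigned = {k: v for k, v in body.items() if k != "hmac_sha256"}
    canonical = json.dumps(unsigned, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    """True if the manifest's HMAC verifies under the custodian's key."""
    expected = _manifest_mac(manifest, key)
    return hmac.compare_digest(expected, manifest.get("hmac_sha256", ""))


def verify_files(manifest: dict, files: dict[str, bytes]) -> dict[str, str]:
    """Compare the current files against the manifest.

    Returns {file name: problem}, where problem is 'modified', 'missing' or
    'unlisted'. An empty dict means every listed file is intact and no file
    has been added."""
    problems: dict[str, str] = {}
    listed = manifest["entries"]
    for name, digest in listed.items():
        if name not in files:
            problems[name] = "missing"
        elif not hmac.compare_digest(sha256_hex(files[name]), digest):
            problems[name] = "modified"
    for name in files:
        if name not in listed:
            problems[name] = "unlisted"
    return problems


if __name__ == "__main__":
    key = b"custodian-key-kept-outside-the-case-file"  # constructed for the example
    manifest = build_manifest(EXHIBITS, key)
    print("manifest authentic:", manifest_is_authentic(manifest, key))
    print("original files:", verify_files(manifest, EXHIBITS))
    # A single changed figure in one exhibit is detected.
    tampered = dict(EXHIBITS)
    tampered["R-1_invoice.xlsx"] = tampered["R-1_invoice.xlsx"].replace(b"12,500.00", b"21,500.00")
    print("after tampering:", verify_files(manifest, tampered))
```

A manifest of this kind does not prove who created a document or when; it only fixes the state of each file at the moment the manifest was made. For an evidentiary record it should therefore be created as soon as a document enters the proceedings, kept with the time-stamped backups described above, and ideally exchanged with the other side so that both parties hold the same digests.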
Data privacy
Another threat to cybersecurity is the penetration of a system to collect information that could not be obtained by other, legal means. Here the key concern is with legally protected, secret or commercial information, the technical know-how of any party, information that would per se be excluded from any disclosure request (privileged information in the broader common law sense), or information whose confidentiality is otherwise protected by the applicable rules of law. One example is the exchange of information within the arbitral tribunal for decision-making purposes (secrecy of the deliberations). Acquiring this information requires sufficient access to the directory structure of the target system and the right to at least read and copy information. An intruder will therefore need to obtain and use the credentials of a user with sufficiently broad rights within the system, ideally (from the intruder’s point of view) an administrator. Since virtually all computer systems are connected to the internet, carelessly configured network services exposed on open ports, or software vulnerabilities for which working exploits exist, can be used to penetrate the system and to instal malicious software that acquires the aforementioned access rights and extracts information of interest from the system without anybody noticing. In most instances, however, the human factor provides the point of intrusion: a user clicks on a hyperlink, reveals some relevant information (such as a password), or visits a website that pushes malicious code. Any of these can facilitate illicit infiltration.
Cybersecurity measures against this kind of threat will never provide complete protection, but depending on the quality of the measures deployed, the time and resources required may make an illicit attempt to access a computer system unattractive in relation to what could be gained from the information. Basic cybersecurity measures include prompt installation of software updates as they become available, firewalls and other software that restricts the network ports exposed to the outside, layered access-rights systems, sound password management combined with a second authentication factor at login, forced logout and blocking of access when a terminal or computer is temporarily left unattended, and monitoring software (increasingly based on machine learning) that detects suspicious activity within the directory structure. Furthermore, the data stored on network storage devices and on computers of any kind, including mobile telephones, can be encrypted with mechanisms that work in the background and are transparent to legitimate users. One caveat: such transparent encryption protects data at rest, for instance on a lost or stolen device; it does not stop an intruder who has taken over a logged-in user’s session, because the system decrypts the data for that session exactly as it would for the legitimate user. Additionally, all users should be required to undergo training so that they are able to access and use the system correctly and efficiently. Some insurers that provide cover for cybersecurity breaches offer packages that help with defining and implementing all these measures.
These types of measures may also be required by the applicable personal data protection laws as part of the requirements for limiting the use of personal data to permitted purposes.
All these measures are generic to all industries, including legal services, and not specific to arbitration matters.
Cybersecurity and functionality preservation
The various methods of illicit access may also be used for sabotage. Whole file directories containing data, system information and other software can be encrypted or turned into useless bits and bytes, either to extort money from the system operator (a ransomware attack) or simply to disrupt an organisation’s activities, such as an ongoing arbitration proceeding. Taking out insurance cover against this type of risk is not the solution. As with other disruptive events, such as water, fire, earthquake and the like, it is important to have in place a practicable recovery plan that enables all data and systems to be restored to their state prior to the disruptive event. Since ransomware routinely targets any backup it can reach, this presupposes that at least one copy of the backups is kept offline or otherwise out of reach of the compromised network, and that restoration from backup has actually been tested before it is needed. On a procedural level, the necessary measures would be more or less the same as when the office building of a party’s representative burns down. As a minimum, all running procedural periods (submission deadlines, hearing dates, etc.) would need to be adjusted after due consultation with the parties.
Aspects of cybersecurity specific to arbitration
Arbitration forces parties, especially their legal representatives, and the arbitrators to communicate by electronic means by exchanging digital information that often is confidential during a certain period only. During the arbitration, these players form a temporary system that is disbanded when the case is complete. This system often crosses many frontiers and, therefore, various mandatory regulations concerning technical security and data may apply. However, arbitration laws and arbitration rules do not define the minimum technical standards regarding cybersecurity measures to which all players in the temporary set-up would need to adhere. No one player knows enough about the cybersecurity measures deployed by any other player, and there are no technical audit mechanisms in place that would help to impose minimum standards.[2] Dealing with these matters is technically complex and may require time and resources which, owing to the primary purpose of arbitration (i.e., effective dispute resolution), could appear disproportionate in relation to the benefit.
Considering these diverging factors, the most viable approach for parties and arbitrators is to address the relevance of cybersecurity in the case at hand as early as practicable during the proceedings.[3] The tribunal and the parties should assess the likely relevance of each of the above-mentioned cyber threats, the potential negative effects on the legitimate interests of any party should such a risk materialise, and the resources required to sufficiently minimise the identified technical risk. Essentially, this is a cost-benefit analysis, which need not always be very sophisticated. Experience suggests that in most cases arbitrators and parties simply agree, and trust one another, that basic security measures are in place and that no specific additional action is required. However, there are cases in which specific measures must be taken, preferably by a consensual order of the arbitral tribunal.
Typically, the points covered in such a procedural order are:
- end-to-end encryption for case-related data in transit (including, but not limited to, emails);
- if cloud storage is used, (1) client-side (‘zero-knowledge’) encryption, so that the service provider’s administrators cannot read the data, and (2) restrictions on server locations (e.g., for data protection reasons, excluding countries where state agencies have excessive access rights);
- access on a need-to-know basis only, with no provision of access to third parties, including subcontractors of parties and party representatives (e.g., subcontractors used for support services such as coding of disclosable evidence, hearing support, expert services, among others, especially, when located in other countries with an unknown or low legal or de facto protection standard for data);
- contractual terms establishing direct rights of the disclosing parties against any third party, which must be in place before that third party is given access to any data;
- rules for disclosed information (documents) concerning secure storage, retention periods and destruction deadlines, especially for disclosed documents that are not filed as exhibits;
- retention periods and destruction deadlines for case files;
- any specifically required cybersecurity measures, including special rules for certain categories of information;
- who is to bear the costs of special cybersecurity measures or authorisation, so that these are considered as costs of the proceedings on which the tribunal will rule; and
- whether complex measures need to be implemented in respect of allocation of tasks and schedule, or appointment of IT representatives on each side.
However, in spite of the absence of hard or soft legal rules governing these matters, the basic minimal cybersecurity measures can be established by each party, including arbitrators who practise alone and therefore do not have access to technical support staff around the clock.[4]
Participants in arbitral proceedings who lack such a security set-up, for example arbitrators acting alone, are likely to be the weakest link in the security chain. They also bear a heavier burden in meeting the technical requirements of security management. Nevertheless, they can and must guarantee a minimum level of security for their data processing and communications.
The minimum essential requirements for this (assuming the use of a workstation computer and a wireless local area network)[5] are that:
- the computer is used only by the identified professional and not by third parties;
- the computer is protected by a sufficiently complex password, which is used only to access this device (i.e., not for any other purposes, such as shopping on the internet);
- the operating system of the computer and the programs installed on it are continuously updated;
- the hard disk is encrypted[6] or, as a minimum, the directories containing the files used for the procedure are encrypted and password-protected;
- no work is carried out within an account that has administrator rights, but in a simple user account without permission to instal any software;
- web browsers in particular are kept up to date and configured conservatively, so that executable code delivered by websites cannot ‘infect’ them (e.g., no unnecessary extensions or plug-ins, and downloaded files are not opened or run automatically);
- only the programs necessary for work are installed, having been obtained from a trusted source. These programs should be given only the technical access rights they need for their functions – no additional permissions should be configured;
- a constantly updated virus protection program and a personal firewall with a high protection level are running;
- connections to a wi-fi[7] local area network are encrypted (WPA2 or WPA3) and protected by a strong passphrase. Devices may additionally be explicitly enabled to join the network based on their hardware identifier (MAC address), bearing in mind that this identifier can be spoofed and so supplements, but does not replace, encryption; and
- mobile devices must be enrolled in device-management software that permits complete remote deletion in the event of loss.
These measures also apply mutatis mutandis to laptops, tablet computers and smartphones.
There are also behavioural aspects to be considered, because human beings are the weak point of any security set-up:
- No programs from unknown or untrusted sources, including apps or plug-ins, should be installed. If there is a prompt on-screen to agree to execute a program, it will not be granted unless there is a valid reason and a trustworthy source has been identified.
- Emails containing links and requesting the input of data must be checked beforehand. Warning signs include an unidentifiable or unknown sender, several unidentifiable recipients, no personalised salutation, bad grammar, etc. If in doubt, these messages should be deleted. If the number of these messages being received is inordinately large, a spam filter should be installed. The email addresses of the parties to the arbitration proceedings and other known addresses can be entered in ‘white lists’,[8] which avoids them being filtered out.
- File attachments of unknown origin should not be opened and should be deleted, or at least checked with a virus scanner first. Executable files are a warning sign, especially when their nature is disguised in the visible file name: because Windows, for example, hides known file extensions by default, a file named ‘invoice.pdf.exe’ is displayed as ‘invoice.pdf’. The operating system can be set so that the suffix indicating the type of file (e.g., .exe, .dll for executable code) is always displayed.
- External data carriers should be read only if they come from a trustworthy source and only after they have been scanned for viruses.
- For access protection, a password must always be required to unlock the device, including after a short idle period when the screen saver or screen lock activates. Furthermore, passwords should be sufficiently complex[9] and not reused for multiple purposes. This is best supported by using a password manager.
- Access (even physical access) to data storage devices or individual directories in which security-sensitive data is stored should be granted only to those persons who have to work with it (need-to-know principle).
- In addition to electronic and behavioural protection measures, physical protection of the data is also required; for example, physically shutting away mobile data carriers or locking and securing devices containing relevant files. Rooms must be locked and access controlled if they contain computers on a local area network (LAN) through which locally stored data or file repositories can be accessed more easily than should be the case for access through wide area networks (WAN), namely the internet. Systematic physical access control and management of buildings where all this is located is needed. Mobile devices should be locked away when not being used, especially while travelling or otherwise outside access-controlled locations.
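The screening of attachment names suggested in the third bullet above can be automated. The following function, an added example rather than something proposed by the article, flags the common disguises: a double extension such as ‘invoice.pdf.exe’, a Unicode right-to-left override character that makes ‘annex\u202efdp.exe’ render as ‘annexexe.pdf’ (which displaying file extensions does not reveal), and long runs of whitespace that push the real extension out of the visible part of the name. The extension lists and sample names are assumptions for the example.

```python
"""Attachment name screening.

Added example, not taken from the article: flags file names that disguise
executable content behind a harmless-looking visible name. The extension
lists and the sample names are assumptions for the example.
"""

# Extensions that Windows or a mail client will run or interpret as code.
EXECUTABLE_EXTENSIONS = {
    "exe", "dll", "scr", "com", "pif", "bat", "cmd", "ps1", "vbs", "vbe",
    "js", "jse", "wsf", "wsh", "hta", "msi", "jar", "lnk",
}
# Extensions a reader expects to be passive documents or images.
DOCUMENT_EXTENSIONS = {
    "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf",
    "jpg", "jpeg", "png", "zip",
}
# Unicode bidirectional controls: they change how a name is displayed
# without changing the file's real extension.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}


def screen_filename(name: str) -> list[str]:
    """Return the reasons a file name looks deceptive; [] means nothing found."""
    reasons: list[str] = []

    if any(ch in BIDI_CONTROLS for ch in name):
        reasons.append("contains a bidirectional override character")

    # Work on the name as the file system sees it, not as it is rendered.
    raw = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    parts = raw.split(".")

    # 'report.pdf<many spaces>.scr': the real extension scrolls out of view.
    if any(p != p.strip() for p in parts[1:]):
        reasons.append("whitespace padding around an extension")

    if len(parts) < 2:
        return reasons  # no extension at all

    exts = [p.strip().lower() for p in parts[1:]]
    actual = exts[-1]
    if actual in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{actual}")
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
            reasons.append(f"double extension disguised as .{exts[-2]}")
    return reasons


if __name__ == "__main__":
    # Constructed sample attachment names.
    samples = [
        "Exhibit_C-3.pdf",
        "Invoice.PDF.exe",
        "annex\u202efdp.exe",              # rendered as 'annexexe.pdf'
        "report.pdf" + " " * 40 + ".scr",
        "README",
    ]
    for s in samples:
        print(repr(s[:24]), "->", screen_filename(s) or "ok")
```

Showing file extensions, the setting mentioned above, defeats the plain double extension but not the right-to-left override, which is why the check strips those characters before looking at the real suffix. Running a check like this on a mail gateway, or simply over the names of incoming attachments, catches what the eye does not.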
In all events, it should be borne in mind that cybersecurity rules can be established, but compliance with them will always remain difficult to monitor. For this reason, in principle, each party should protect its own system for data communication with the other participants in such a way that access by unknown third parties is not possible (see above). In addition, an obligation should be imposed to notify the other participants immediately of any attack on one party’s system that has actually affected, or could potentially affect, the data relating to the proceedings, and to cooperate to the extent necessary to minimise the risk.
Legal consequences of cybersecurity breaches
If a party, an arbitrator or any other participant has intentionally or negligently caused a cybersecurity breach, the legal consequences will be determined by the mandatory laws that apply either to that person or to the action or omission involved. These mandatory laws may provide for damage claims by aggrieved parties or for fines. Depending on the law that governs the contractual basis of the relationship between the parties and the arbitrators during the arbitration, intentional or negligent causation may also amount to a breach of a secondary (unwritten) duty that may conceivably give rise to damage claims as well. However, this is still largely uncharted territory.
Can a cybersecurity breach taint the integrity of the arbitral proceedings and lead to annulment of the award? If any actions involve adulterated or falsified digital evidence and those actions can be proved to be attributable to a particular party, the same principles apply as would apply to any other falsified means of evidence. However, if information has been obtained by illicit means and used as evidence in the arbitration, the consequences may vary, as the approach to this kind of problem is not the same everywhere. If information that has been obtained by illicit means outside the sphere of the arbitral tribunal concerns the secrecy of the deliberations and has enabled one of the parties to adjust its arguments and win the case, the outcome is again unclear, because this unacceptable behaviour need not necessarily lead to a different result than would have been the case without the intrusion. Nevertheless, it is probably best to refrain from any speculation in this regard and to wait for representative case law to emerge.
Protection of personal data
Legislation protecting personal data, that is to say information relating to or attributable to an identified or identifiable natural person has existed in many countries for several decades but was not identified as being relevant for arbitration proceedings until the European Union enacted Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data[10] (GDPR). Cybersecurity is one part of the protection duties under the GDPR.[11] With its rather strict standards, the GDPR has evolved into a sort of benchmark. Therefore, we focus here on the GDPR only, as it does not exclude arbitration from its scope of application. The potential fines for breaches, and the greater emphasis placed by law firms’ clients on compliance-related topics, have attracted an increased level of often purely theoretical attention to the processing of personal data in the context of arbitral proceedings.[12]
Protecting personal data in arbitration
Fortunately, in most arbitration cases, the information being exchanged does not involve unmanageable amounts of personal data, and most of that data will concern persons who are involved in the arbitration or are somehow related to one of the parties and the contentious events. These persons will often be aware of the dispute and of the fact that their name and other relevant personal data are being used for the purpose of the arbitration. Considering that arbitral proceedings are normally private, it is relatively unlikely that the personal information would be shared beyond a limited number of recipients who have an interest in it, or that they would use it other than for the purpose of their role within the arbitral proceedings. Thus, the risk of substantial damage to an individual[13] will normally be at the lower end of the scale. Most importantly, in most cases, acquiring, storing and processing personal data for establishing and proving the relevant facts of the case will be permitted under Article 5(1) and Article 6(1)(b), (c), (e) and (f) of the GDPR without consent being required under Article 6(1)(a). Only occasionally will the fundamental rights of the affected natural person prevail (e.g., see GDPR, Article 9), owing to the exceptional nature of the personal data. However, this does not mean that the secondary duties need not be complied with, such as the duties to inform and to give access (Articles 14 and 15), the duty to correct (Article 16) and the right to object (Article 21). The personal data must be deleted after the appropriate period once the arbitration is completed (Article 5(1)(e)). It is important to note that, if processing certain personal data is permitted under Article 6(1) of the GDPR for the purpose of the arbitration, any subsequent use of that data for another purpose will not be permitted unless it too is covered by Article 6(1) of the GDPR.
If, for example, an arbitrator sends an unpublished curriculum vitae (CV) to the parties so that they can verify his or her arbitration credentials, the act of copying this CV and passing it to a service provider who offers arbitrator profiling services would not be allowed without a retractable consent (Article 6(1)(a)). This also applies mutatis mutandis to any kind of witness.
Issues may arise if personal data is introduced into the case that does not need to be processed because it is irrelevant to the outcome of the case. Here we enter a grey area, because identifying particular details from all the information that is often produced during early fact-finding may be difficult. Notwithstanding, it should normally be possible to identify such things as customer lists of natural end users and similar names and to assess their relevance for the case individually.
Only absolutely necessary personal data should be introduced into the proceedings. The parties should ensure either that any personal data they introduce into the proceedings does not require consent for the purposes of the proceedings or that the necessary consent has been obtained. Considering the various ancillary duties regarding personal data, minimising the amount of processed personal data as part of a policy of data hygiene would appear to be reasonable practice for parties and their counsel, who ultimately control the personal data that is introduced. Another solution may be to anonymise the personal data in documents.
To keep the amount of personal data whose knowledge is not vital to the prosecution or defence of the claim as small as possible in individual proceedings, the party introducing data into the proceedings for the first time may anonymise it (by blacking out) or provide pseudonyms, for example. These could be listed in a glossary, which can easily be kept separate and confidential, and be destroyed without much searching when the time comes. The glossary could even be kept by the respective party, subject to the reservation that the arbitral tribunal may order disclosure of the depersonalised data if this proves expedient.
If the party importing these types of data is uncertain about any of this, it should say so to the receiving participants by way of explanation. Breaches of data protection must be reported immediately to the other parties. The fundamentally relevant question of when all data in the arbitral proceedings is to be deleted from all data carriers, including the data room (destruction of files), should be settled in such a way that deletion is carried out completely and as soon as possible, typically once the statutory retention periods have expired.
Together, and individually within their respective spheres of control, arbitrators, parties and party representatives are responsible[14] for complying with the mandatorily applicable data protection rules. Even if the acquisition and processing of personal data is normally authorised, there are certain restrictions. For example, if personal data are transmitted, stored or processed in territories outside the European Union, the legally required precautions must as a rule be taken beforehand. Because, as at 2021, the EU authorities had not managed to agree with the United States on a valid transfer framework, any transmission of personal data to the United States was fraught with legal risk. The same is true of many other countries outside the European Union.[15] Additionally, as soon as any responsible entity subcontracts certain data processing activities to third parties, it must first enter into a contract for commissioned data processing that meets certain mandatory requirements as to the protection of personal data.[16] These duties require systemic precautions and measures, which are now commonly implemented within corporations and larger law firms that operate globally. However, independently practising arbitrators or more locally oriented law firms outside the European Union may struggle with compliance as soon as they come within the (extraterritorial)[17] reach of the GDPR or any other comparable piece of legislation.
It is essential, therefore, not only from the compliance perspective but also from a practical perspective, for arbitrators and parties who prefer to minimise the amount of additional processes and work that is not directly related to the dispute, to generate and use personal data only sparingly, not to store it in unnecessary data copies and to delete it completely as soon as possible in consideration of legal retention periods.
Procedural measures and their legal qualification
For this purpose, coordinated measures to comply with the applicable data protection laws should be addressed as early as possible,[18] before large amounts of digital evidence are exchanged and filed. In its first procedural order, the tribunal could include appropriate directions. The following generic example (including a stern responsibility disclaimer worded by the author) could be used as drafted or be amended by more specific rules:
Data protection:
(1) The arbitral tribunal draws the attention of the parties to the proceedings to the fact that the arbitration proceedings are not exempted from the applicable provisions of the law on the protection of personal data (in Germany, the GDPR (DSGVO) and the Federal Data Protection Act (BDSG)), compliance with which each party to the proceedings remains independently responsible for, also in connection with these arbitration proceedings.
(2) The tribunal expects:
a) that all personal data introduced into the proceedings are legitimate for the purposes of the arbitration; and
b) only such personal data are imported as are necessary in the best judgement of the party importing them to assert or defend a claim. This includes the expectation that personal data contained in historical evidence that do not meet this requirement and are not necessary for text comprehension will be blacked out or pseudonymised.
(3) In this context, the arbitral tribunal points out that the aforementioned statutory rules are not procedural rules, do not, in principle, regulate procedural admissibility issues, and do not establish any obligations other than the statutory obligations among the parties to the proceedings.
(4) Nevertheless, within the framework of its general regulatory powers, the arbitral tribunal reserves the right to take measures, on its own initiative or at a party’s request, to regulate the integrity of the procedure and its conduct, including with regard to personal data.
However, it may be prudent not to convert these measures, the aim of which is compliance with mandatory rules that are unrelated to the dispute submitted to arbitration, into procedural rules or procedural agreements between the parties. If they would qualify as procedural rules in the sense of the lex arbitri or the applicable arbitration rules, any inadvertent breach could affect the integrity of the arbitration proceedings and, consequently, the award. This is not the purpose of mandatory data protection law, which provides for the appropriate sanctions. This means that measures should be adopted that permit compliance with data protection laws but, if unintentionally not followed, may not serve as a ground to challenge the integrity of the arbitral proceedings or the validity of the final award. Again, there is no significant case law to date.
Orders for document production
Can a party oppose or resist an order for the production of documents on the ground that they contain personal data that the party may not disclose under applicable mandatory data protection legislation? In essence, it would appear to exceed the procedural powers of an arbitral tribunal under any lex arbitri to order an act that, under a mandatory applicable law of general application, would qualify as a forbidden and punishable act. Therefore, in such a case, the affected party should have the right to oppose a request for such an order. Under the International Bar Association’s Rules on the Taking of Evidence in International Arbitration of 2020 (the IBA Rules),[19] this opposition would be based on one of the grounds set forth in Article 9(2) of the IBA Rules. However, as explained above, in many instances submitting and processing personal data as part of arbitral proceedings will not be prohibited, provided certain procedures are observed. Thus, the arbitral tribunal, after having heard the parties, may adopt certain measures, such as blacking out the sections containing the personal information, other forms of anonymisation, or restrictions regarding where the disclosed personal information may be stored and how it must be protected. If restrictions of the latter kind are required and not already in place, the tribunal should order that the receiving party (including the representatives, acting also in their own name) give the disclosing party binding undertakings that fully comply with the legal requirements. As stated above, the arbitrators and the parties’ counsel are themselves responsible under data protection laws, at least under the GDPR. Arbitrators should bear in mind that there is a substantial likelihood that any immunity from liability otherwise attaching to their function may not extend to that aspect of data protection.
However, as indicated above, mandatory data protection law will hinder disclosure orders only in very limited and special cases. Furthermore, there is as yet no settled corpus of case law at the level of either state courts or arbitral tribunals.
Data obtained by illegal means (hacked data)
Arbitration laws and arbitration rules, including proposed rule frameworks as increasingly promoted by arbitration associations, generally do not provide clear universal rules regarding the admissibility of illegally obtained evidence or the sanctions that could be deployed should such a situation arise. Comparative procedural law reveals that the approaches to illicitly obtained evidence that a party subsequently uses also vary at the level of national state courts; and because international arbitration is all too often still influenced by the national procedural backgrounds of counsel and arbitrators, the answers to such issues also vary.[20] Legally, it does not make any difference whether a physical document was stolen or a digital representation of the same information was obtained through ‘hacking’; the procedural response should be the same. Therefore, this is not a new or unknown issue, but it is one that needs to be dealt with by the arbitral tribunal based on the agreed procedural rules, taking account of all relevant facts, and in a proportionate manner. This kind of matter is legally more difficult to resolve than situations in which original electronic data is manipulated with the intent to deceive.
Notes
[1] Erik G W Schäfer is a partner at Cohausz & Florack (Düsseldorf).
[2] See, as primary source, International Council for Commercial Arbitration, Report No. 6: ICCA-NYC Bar-CPR Protocol on Cybersecurity in International Arbitration [ICCA Cybersecurity Report] at https://cdn.arbitration-icca.org/s3fs-public/document/media_document/icca-nyc_bar-cpr_cybersecurity_protocol_for_international arbitration_-_print_version.pdf. This does not mean that no legal standard with technical requirements applies at all: the parties may be subject to national cybersecurity laws where they are established; the party representatives, if admitted to a local bar, may be subject to cybersecurity requirements for admitted attorneys at law (e.g., see Alekin, Foucard, Lourie, ‘Cybersecurity, International Arbitration and the Ethical Rules and Obligations Governing the Conduct of Lawyers: A Comparative Analysis’ and C Morel de Westgaver, ‘A Systemic Approach to Cybersecurity in International Arbitration – Imperative and Implementation’, TDM+OGEMID, Vol. 16, Issue 3, May 2019). But the level of requirements varies. Some participants in the arbitral proceedings may not be the object of comparable rules. Furthermore, this type of law creates duties towards the regulating authority only in the first place. For example, ethical rules for attorneys may focus on the privacy of communications by requiring (waivable) encryption but not other technical protection requirements. But this would only be one aspect. There is, as anybody in the field will have experienced, a widespread compliance problem. The consultation suggested by Art. 2.2, paras. (d) and (e) of the International Bar Association’s Rules on the Taking of Evidence in International Arbitration (2020) [IBA Rules] may not achieve the desired level of cybersecurity, because at present no boilerplate technical solutions and processes exist that could be implemented easily, at a proportionate cost, after being adjusted to the case at hand.
It will not help that some participants have implemented the highest security standards, because the vulnerability of a temporary communications system will be determined by the weakest link in the chain.
[3] ICCA Cybersecurity Report, Principle 6, p. 17 et seq.
[4] See also id., Principle 2, Schedule A.
[6] e.g., with BitLocker, the built-in disk encryption of the Windows operating system, which, however, is not necessarily activated by default, or with VeraCrypt: https://www.veracrypt.fr/en/Downloads.html; see also https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04435.html.
[10] See https://eur-lex.europa.eu/eli/reg/2016/679/oj for text of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) [GDPR]; a summary can be found at https://en.wikipedia.org/wiki/General_Data_Protection_Regulation.
[11] GDPR, Art. 32.
[12] The best general reference would be ICCA-IBA Joint Task Force on Data Protection in International Arbitration at https://www.arbitration-icca.org/icca-iba-joint-task-force-data-protection-international-arbitration, and the working papers/draft report at https://cdn.arbitration-icca.org/s3fs-public/document/media_document/roadmap_28.02.20.pdf and https://cdn.arbitration-icca.org/s3fs-public/document/media_document/roadmap_annexes_28.02.20.pdf.
[13] See GDPR, Art. 35.
[14] id., Art. 24, 26.
[15] id., Art. 44 to 50. Note that legal risk does not mean that transfers are per se illegal. The official European Data Protection Board, a body established for unifying EU implementation practice by data protection officials, provides and updates guidance; e.g., Guidelines 04/2021 on codes of conduct as tools for transfers (https://edpb.europa.eu/our-work-tools/documents/public-consultations/2021/guidelines-042021-codes-conduct-tools-transfers_de); Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679 (https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-22018-derogations-article-49-under-regulation_en). In many cases, the exception in GDPR, Art. 49(1)(e) or last subparagraph of (1) may apply. However, this needs to be checked and documented by each processing party, as can be gathered from GDPR, Art. 49(6). One aspect is that the transmission must be ‘necessary’ for the purposes mentioned in Art. 49. Note: ‘necessary’ is not synonymous with ‘desirable’, ‘convenient’ or ‘effective’.
[16] id., Art. 28.
[17] id., Art. 3.
[18] See e.g., IBA Rules, Art. 2.2, paras. (d), (e).
[19] See https://www.ibanet.org/MediaHandler?id=def0807b-9fec-43ef-b624-f2cb2af7cf7b; ‘Commentary on the revised text of the 2020 IBA Rules on the Taking of Evidence in International Arbitration’, at https://www.ibanet.org/MediaHandler?id=4F797338-693E-47C7-A92A-1509790ECC9D.
[20] See e.g., Guillermo García-Perrote, ‘Admissibility of “Hacked Evidence” in International Arbitration’, Kluwer Arbitration Blog (7 July 2021).