Alternative Dispute Resolution
The ADR community is beginning to appreciate the dangers posed by cyber-attacks and the need to conduct their business online. Unauthorised access to the data in an arbitration or a mediation is the greatest threat to its primary duty to provide confidentiality.
These are the issues which alarm the ADR community and the proposed solutions:
- Communication using unencrypted email – not safe, at all
- Working in a firm’s extranet is fine but then exchanging documents in lever arches and/or unencrypted devices is a disaster waiting to happen
- The challenge of finding a document exchange platform which is not hosted in the US and subject to the Patriot Act is almost impossible
- If a document exchange platform not hosted in the US can be found the next challenge is to understand if that requires off-platform communications leading again to concerns about unencrypted emails.
- If a platform is found which is not hosted in the US AND enables on-platform communications the sad reality is that that communication function will not be tailored for the ADR community. This causes inefficiency – the very opposite of what a Platform is supposed to provide. These inefficiencies lead to GDPR breaches with mis-typed email addresses and documents sent to the wrong recipients.
In her quarterly reports of data incidents for the past 12 months the Information Commissioner has drawn attention to regulation 5(f) of the GDPR:
[Personal data shall be] processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
The Commissioner identifies the most common breaches of these obligations in the Legal and Judicial sectors as:
- Data posted or faxed to incorrect recipient
- Loss or theft of paperwork
- Data sent by email to incorrect recipient
- Failure to redact data
- Failure to use bcc when sending email
- Loss or theft of unencrypted devices
Some arbitral institutions are beginning to require cyber-security to be addressed at case management hearings under their rules, for example the April 2019 edition of the rules of the International Centre for Dispute Resolution (ICDR). At present the ICDR does not have a secure platform for conducting the arbitrations which it administers. The ICC is in the same insecure boat. No African or Middle Eastern arbitral centre has a secure space for the conduct of arbitrations. The Hong Kong International Arbitration Centre (HKIAC) and the London Court of International Arbitration (LCIA) do, but not for their mediation service. The Chartered Institute of Arbitration (CIArb) is not an administered scheme but nevertheless has rules requiring cyber security to be addressed. No arbitration should take place without data protection requirements being satisfied.
By leaving cyber-security to the parties the ADR providers leave themselves wide open to regulatory sanction and irreparable reputational damage. The International Council for Commercial Arbitration has recently drawn up a draft protocol on cyber-security working with the International Institute for Conflict Prevention and Resolution and the New York City Bar. Only a few arbitral institutions in the world have invested in providing a secure platform for their arbitrations. Some of the institutions that have such a platform do not, unfortunately, make that facility available for their mediation service.
In February 2019 the law firm Bryan Cave Leighton Paisner published the results of a survey conducted amongst users of arbitration services, arbitration Institutions and experts from across the world. The aim of the survey was to gauge the level of awareness of data security risks and how willing, or otherwise, the ADR community was to do something about securing their livelihood and their clients’ affairs.
The key findings were:
| Proposition | Percentage who agree with the proposition |
|---|---|
| Is cyber-security important? | 90% |
| Is a secure shared platform valuable? | 83% |
| Compulsory use of a secure platform hosted by the institution would be useful | 62% |
| Would you pay the ADR provider more for such a secure platform? | 47% (a further 30% said they didn’t know, presumably because the price was not specified) |
| Have you been the subject of an unauthorised access incident? | 11% (more than 1 in 10) |
The survey responses suggest that for an ADR provider making a Platform available to the parties is a positive plus and more likely to attract work. Some aspects of this challenge are obvious, some less so. Below are three examples which are, perhaps, less obvious but of importance.
The Collaboration Gap
The client and his or her lawyer together with experts work together using a firm’s extranet. They decide to use ADR to crack the case. Both sides exchange documents by post, DX, unencrypted email or using a document exchange platform not designed for ADR and equally insecure.
They do this because they have not realised that in those document exchanges (The Collaboration Gap) massive GDPR breaches lie in wait. The Collaboration Gap exists because neither side the other’s platform and the ADR provider has no secure platform which meets the criteria described at the beginning of this article.
If a document exchange platform can be found which serves the purpose, that exchange will typically not provide for tailored email notifications for particular recipients, nor will it restrict access to documents to those entitled to see them and prevent those not entitled to view them from viewing them.
The list of participants engaged in sending emails off-platform and/or requiring different degrees of restricted access is lengthy and includes:
- Junior Counsel (x?)
- Assistant solicitor(s)
- Administrative staff
- The arbitrator/mediator/evaluator
- The ADR Provider’s staff
I call this scenario: chaos you do not know you are creating.
Ad hoc secure platform
No party should arbitrate, mediate or evaluate using an Institution or other ADR provider which does not run a Platform fit for the purpose. This means meeting data security standards. You can learn about relevant data security requirements and standards for the Platform on our information site, here: https://www.disputesefiling.com/data-security.php.
Using a provider without a Platform is dangerous (in the extreme) and a significant number of arbitrations have already suffered unauthorised data access incidents; see the statistics above. If you are wedded to an ADR provider because of the expertise of its members, for example, then engage with them and seek an agreement about the required data security specification for your case; the link, above, is a good starting place.
DisputesEfiling (DEF) has been drawing attention to these issues for some years.
Some ADR providers are already alive to the dangers. Providers such as PI Claims Arbitration Service and Hunt ADR have mandated the DEF Platform to protect themselves from cyber-attack and thus avoid the inevitable ICO inquiry, big fines and catastrophic loss of reputation that follow such an attack.
The community is recognising that a Platform is necessary to provide security for all participants, including the provider! Such a platform would enable documents to be held securely and shared safely with discrete areas for confidential working for each side, a collaborative or open area for exchanging documents and a further discrete area for communications between Tribunal members and the Registrar/Administrator of the Institution (the Platform). DEF has developed such a Platform.
In 2017 a shift in thinking began to take place amongst ADR providers and users, aligning the industry with our approach in providing a secure, structured, Cloud-based space tailored for the needs of the ADR community.