In September 2018 the UK Information Commissioner imposed a fine of £500,000 on Equifax UK for a massive breach of data security in which Equifax UK had played no part. Why was that?
The breach had in fact been allowed to happen by Equifax Inc, the US parent of Equifax UK, when millions of their clients' details were obtained by hackers. It became the UK subsidiary's problem when Equifax UK failed to ensure that its US parent protected that data appropriately. The case was decided under the Data Protection Act 1998, as the breach occurred before the GDPR came into force. Had the GDPR applied, I have no doubt the fine would have been much, much higher.
In a sense the fine itself is only of passing interest. What is of much greater concern to mediators is the obligation imposed upon the controller of personal data to ensure that adequate data security measures are in place to protect that data.
One arbitrator recently described himself to me as a "dinosaur arbitrator", meaning that he secured the confidentiality of the arbitration proceedings he was charged with running by requiring everything to be on paper. That is, of course, one approach. It does not reflect the reality that in practice parties may use a mixed-media approach to their arbitrations and mediations: paper is used, but so is paper scanned into PDF format and then attached to unencrypted emails sent via servers in the USA that are subject to the US Patriot Act. Paper has also been known to get left behind on trains, planes and in other places too.
Another approach is to trust the parties to use their own secure platforms. But, as the Information Commissioner demonstrated in the recent Equifax decision, that approach alone will not relieve Neutrals of liability.
To be safe from fines, Neutrals need to develop a system for appraising the parties' platforms (and the skills to know how to carry out such appraisals), or to require the use of their own platform (compare PicArbs and Hunt ADR), or to require their clients to choose from a panel of platform providers trusted by Neutrals. This third option is the approach being developed by the International Institute for Conflict Prevention and Resolution (CPR), building on the work they and others have done in creating a cyber-security protocol. CPR and the Chartered Institute of Arbitrators (CIArb) recently changed their rules to require consideration of such issues at the outset of the ADR process in question.
A complementary strand of activity is to provide Neutrals with cyber-security awareness training. This is being provided by CPR and by Hunt ADR in the UK. It applies not only in arbitrations but in mediations too, because of the obligation, common to both forms of ADR, to keep the proceedings confidential.
Paper and the open envelope of an Outlook email are tools no responsible Neutral would wish to find himself or herself using. Delegating responsibility for cyber-security to the parties, or to anyone else for that matter, is, since the Equifax UK decision, tantamount to abandoning that responsibility, with all the reputational and monetary losses that accompany such an approach.
The DEF platform is the only cloud-based platform which protects Neutrals from such risks and enables mediation and arbitration to take place on the same platform. It is also the only platform which, at the touch of a button, enables seamless Med-Arb or Arb-Med-Arb.
For those reasons, administered schemes such as Hunt ADR, PicArbs and CPR are turning to DEF to provide a secure, modern approach to delivering ADR. We are delighted to be working with each of those institutions.