Working Group releases its 2020 Protocol on Cybersecurity in International Arbitration

A Working Group established by the International Council for Commercial Arbitration, the New York City Bar Association and the International Institute for Conflict Prevention & Resolution has released the 2020 edition of its Protocol on Cybersecurity in International Arbitration (the “2020 Protocol”).

The 2020 Protocol, which reflects feedback provided on the initial Consultation Draft Protocol that was released at the ICCA Congress in April 2018, aims to “provide a framework to determine reasonable information security measures for individual arbitration matters” and “increase awareness about information security in international arbitrations”.

Structure and content of the 2020 Protocol – key points

As with the Consultation Draft Protocol, the 2020 Protocol does not set out prescriptive rules on the steps that parties should take to minimise the risk of cybersecurity breaches. Rather, it provides high-level guidance in the form of 14 Principles (accompanied by explanatory commentary) that address the scope and applicability of the 2020 Protocol as well as the determination of, and process for establishing, reasonable cybersecurity measures.

Schedules containing more detailed guidance have also been included to supplement the 14 Principles. For instance, Principle 2 encourages each party, arbitrator and administering institution to consider the baseline information security practices addressed in Schedule A which, in response to feedback on the Consultation Draft Protocol, includes additional guidance regarding which measures may be appropriate in the individual circumstances of each case. The non-exhaustive checklist in Schedule A includes (amongst other suggested practices) the implementation of document retention and destruction policies which minimise holding data that is no longer needed, and the use of multi-factor authentication to remotely access networks containing confidential information.

Principle 6 encourages the parties and the tribunal to consider various factors to determine which specific information security measures are reasonable in the context of their arbitration. To assist with this process, Schedule B lists factors that are likely to impact the risk profile of the arbitration in question, including the subject-matter of the dispute, the participants in the arbitral process and the value of the dispute.

Principle 9 underlines the role of party autonomy, recognising that parties and their legal representatives are typically best placed to identify which information security measures are appropriate in the context of their dispute. The 2020 Protocol also encourages stakeholders to raise information security as early as practicable in the arbitration, and in any event no later than at the first case management conference (Principle 10). A proposed agenda for the case management conference, as well as language that may be adapted for the tribunal’s procedural order, are set out in Schedule D.

The 2020 Protocol also highlights the importance of the arbitral tribunal’s role in the cybersecurity context, recognising that arbitral tribunals have the authority to determine the applicable information security measures (although they should ordinarily defer to any agreement of the parties; Principle 11), modify information security measures at the request of a party or on their own initiative (Principle 12) and allocate costs and/or impose sanctions in the event of a breach of the information security measures adopted (Principle 13). In circumstances where the 2020 Protocol does not establish any liability standard (Principle 14), it will be interesting to see how arbitral tribunals establish liability in the event of an information security breach.

Relationship between the 2020 Protocol and national data protection laws

Principle 4 of the 2020 Protocol stipulates that it shall not “supersede applicable law, arbitration rules, professional or ethical obligations, or other binding obligations”. In this regard, the 2020 Protocol recognises that its guidance may be subject to overriding information security requirements contained in national data protection laws and regulations, including the General Data Protection Regulation in Europe. To the extent that such legal obligations conflict, it will fall to arbitral tribunals to determine how they should be harmonised.

Future revisions

The Working Group recognises that changing technology and regulatory landscapes, as well as practical experiences gained from implementing its guidance, will warrant ongoing review and revision of the 2020 Protocol. Accordingly, the Working Group encourages stakeholders to provide feedback on an ongoing basis to cybersecurity@arbitration-icca.org.

Comment

The growing relevance of information security is an unavoidable feature of modern-day international arbitration practice. Indeed, the Working Group anticipates that as arbitration users become increasingly aware of the importance of cybersecurity, arbitral institutions and others will adopt new measures aimed at enhancing information security (including initiatives which may supplement the 2020 Protocol). In the meantime, it will be interesting to observe how arbitral tribunals fill in the gaps of the 2020 Protocol, including by resolving disputes regarding which information security measures should be adopted and establishing liability in the event of a breach of such measures.

Erin Marsh would like to thank Sagar Gupta for his assistance in the preparation of this article.