FacultyFaculty/Author Profile

Cybersecurity and Data Protection in International Arbitration: Practical Suggestions for Case Management and Compliance


AMY TAUB: It is now my pleasure to turn this briefing over to David Wilson from Sherman and Howard.

DAVID B. WILSON: Thanks, Amy, and thanks to PLI in their whole entire staff for this opportunity. I wanted to begin by, as I introduce my fellow panelists, to just talk to you a little bit about the genesis of this program. I served and I guess continue to serve as co-chair of the ICC's task force on the use of information technology and international arbitration.

In connection with the IT task force's report, which is in your conference materials, we found that situations where arbitrators were using Gmail, the parties were using unsecure methods to transfer very confidential data, using unsecure platforms to host information, including Facebook chat rooms, and then we also found an absence of institutional products that were really addressed to solving any of these data hosting or data transfer issues.

And so that actually spawned some conversations with my fellow commission member, Mark Morril. And Mark, whom you all may know as an independent arbitrator and mediator based in New York City, and he has served as a sole arbitrator, co-arbitrator, chair in a variety of subjects as well as an emergency arbitrator. And Mark was one of the first people to really have a keen interest in the issue of cybersecurity in international arbitration.

And in that context, he and I talked about some revisions to at that point draft ICC Task Force report and where we began to address those issues as well, which brings us to our third panelist, Kathleen Paisley. And Kathleen is also an international arbitrator and mediator based between Brussels, New York, and London. And her expertise focuses on data and intellectual property, including patents technology, antitrust, and complex damages.

She is triple-qualified with a law degree from Yale, an MBA in finance, and has passed the CPA. Of most relevance today, she has spent the last 25 years focused on data protection issues from the perspective of the European Union and more recently with its intersection with arbitration.

And so we decided to do a presentation that would marry data protection and cybersecurity. And so we believe that-- we think that this is either the first or the second program in the world to address these topics together. And so if we go to slide 2, we're going to talk to you basically about what you signed up to hear, which are the things that were covered in the program description.

What we're going to do is to basically bounce back and forth among Kathleen, Mark, and myself in terms of handling the questions. And so with that in mind, let's go to the next slide, slide 3, and let's just begin by why we're talking about this at all. If you have signed up to receive the Global Arbitration Reviews Daily Alert about new arbitration matters, you know that international arbitration is big business that generates big interest among people in the international arbitration and business communities.

And very sensitive information is involved in these cases that have commercial value. And even, if you think about it, through the Panama Papers breach, actually helped to topple in terms of a serious data breach, helped topple the regime of Prime Minister Sharif in Pakistan. And so there's a commercial reason why we're talking about it, but Kathleen and Mark, there's more. And why don't you give us your perspectives on why we're here today and why these topics are important.

MARK C. MORRIL: OK. So David, why don't I start with that. And very pleased to be working with you. So I think as we focus on international arbitration, one thing to bear in mind is that arbitration is not uniquely vulnerable to security breaches. But it is likewise not exempt from what is happening all over the world all of the time.

There are some aspects that make international arbitrations attractive targets. We have a lot of high-value data that we deal with regularly. It is frequently a multi-actor process with multiple counsel, arbitrators, institutions, experts, outside vendors, with a lot of transmission of confidential data. It is inherently cross-border, and it involves a lot of travel.

So as we say on slide 4, it is no longer a moated castle. It is one with lots of potential entry points. And as you pointed out, there can be very significant impact if there is a breach. Kathleen, did you want to weigh in on that?

KATHLEEN PAISLEY: Yeah. I mean, I think-- hi. Kathleen Paisley. And I'd just like to echo David and Mark. Thanks to the PLI and to each of them for including me in this panel. I tend to look at these issues from a data protection perspective, but just focusing on the potential issues related to a breach for arbitration in general cybersecurity breach.

We as an institution are dependent upon the trust of our actors. And even a relatively small breach in financial terms can be devastating to the process, devastating to the firm, devastating to the arbitrator. So I think, although we are not uniquely vulnerable, given the issues you stated, concerning the inherent value of the data we process, and the fact that many of us are of different degrees of sophistication with respect to our processing, and turning to slide 5, I think the real point is none of us on this call-- and nobody wants to be what is sort of unflatteringly referred to as the weakest link-- it only takes one person to topple a very sophisticated cybersecurity protection framework.

So I think that's what we'd like to talk to you about today, practical things we can all do to be more secure, keeping in mind that arbitration is inherently dependent upon its reputation and the fact that we are the confidential process. And if we lose our confidentiality, then we lose one of the big pluses that arbitration has over the court.

DAVID B. WILSON: Mark, let's go to slide 6, and maybe you could address what are the weak links that increase risk and how we mitigate against those risks.

MARK C. MORRIL: OK. So I think what I'd like to do is start with slide 5 and then segue over to slide 6, David.


MARK C. MORRIL: I think one of the gating questions that we frequently hear is I understand that this is a big threat. I also understand and I keep hearing it's not a question of if but when I will be hacked. So should I as a participant in the process just do nothing? It's inevitable. So the answer to that is a resounding no.

I hope that the takeaway that you all have from today's session is that this is a critical issue. Attention really must be paid. You'll hear that there are legal and ethical obligations. The marketplace is demanding that we as participants in the process pay attention. Your own data, your own reputation is at stake. So all of that is true. At the same time, I hope your takeaway will be that there are effective measures out there that are straightforward and accessible. We'll talk about a lot of them today. There are more in the materials that I hope we'll get to.

There is the ICCA, New York City Bar CPR Protocol on Cybersecurity in International Arbitration. Kathleen and I are members of that working group. There is a recent IBA protocol, which is not arbitration focused, but it does give a lot of practical advice. So there is guidance out there, and what you need to do is accessible.

I want to just say a word on the weakest link. There has been a lot of discussion of the weakest link. And I think an ultimately unproductive attempt to identify who is inherently the weakest link. The answer to that is anybody can be the weakest link. Most breaches result from behavior. So it's the laptop left in the airport security line. It's the document left on the printer. It is the use of an unsecured network. That can happen by anybody anyplace, no matter what your infrastructure is.

There are challenges no matter where you are. If you're in a very large entity with good systems, you're also inherently going to have a lot of entry points where security can be breached. If you're an individual practitioner, you are going to have to take affirmative measures to make sure that your data is protected. So this is something that everybody needs to pay attention to no matter what position they're in.

So moving over to slide 6, I'm not a big fan of top-10 lists, but as I prepared for this presentation, it turned out that there were 10 points that I wanted to hit. So I'm going to go through them very quickly in the interest of time. First, bear in mind that the level of security that's required is going to vary. The baseline standard ultimately is one of reasonableness.

Reasonable measures are going to vary depending on the sensitivity of the data, the size and the value of the matter, the resources of the participants. But also bear in mind that every matter, some aspects will be confidential. Certainly draft arbitration awards, communications between counsel and client, communications among panel members, those things are inherently confidential.

And then I would say number two is C, use the materials that are available to you. Please look at the things that are in schedule C to that consultation draft cybersecurity protocol, the ICCA document that's in the course materials. There's lots of very specific information in there.

Number three, I'll touch on quickly, is passwords. Passwords are important. Maintaining unique long passwords is important. Where there's an opportunity to have two-factor or multi-factor authentication, turn that on and use it. The first one on the slide is encrypted email and no Gmail please. I think the way I would generalize that point is avoid consumer free versions of anything. Pay the $99 for the professional version. There is a business version of Gmail that does have data security features that the consumer version does not-- doesn't sweep the data for Google's advertising program and so on.

There are other secure platforms available. So do think about your secure encrypted email. Think about data transfer using a secure system. Again, I would not say never Dropbox, never Box. There are better, more secure platforms out there. I'm using something called FileCloud. The advantage of that is that you hold your own encryption key. So you're not sharing that with anybody. And it's clear that there's no third-party who's a custodian of your data.

Number four, lock your documents. Certainly, particularly as you're emailing them around, but also as you're storing them. Networks. No hotel Wi-Fi. A VPN which masks the identity of who you are, where you are, et cetera, makes it much safer. In the event that you need to use an unencrypted system or an unsecure system, you definitely should be on a VPN. But you are much better off using a mobile hotspot using your data-- there are lots of unlimited data plans around-- rather than using a secure network.

We will be talking about safe travel habits in the context of one of the ethics opinions. Travel presents special and unique vulnerabilities. One thing to bear in mind as a preview to the travel discussion is data minimization. You cannot lose what you don't have. So you do not need to carry around with you or even have on your own home computer, office computer, all of the data from every case you've ever been involved in. Have a document retention policy and just don't have things.

Messaging. The slide says WhatsApp instead of messaging. If you read the recent disclosure of messages in the CBS corporate litigation, I think your takeaway from that would be don't use messages if you're doing something confidential, whether it's WhatsApp or any other quote, unquote "secure messaging platform." It's just not the right modality for secure and confidential information. Just read the articles about the CBS litigation.

Encryption. Whole-disk encryption should be turned on. On the IOS system, I think it's turned on by default. If it's not on your system, make sure it's turned on. Whether you have encryption turned on may also affect your obligations of breach notification. Use secure platforms certainly. And it's amazing that people do do this. No Facebook, no Google Chat Room. Don't use unsecure platforms.

And I would say be very cautious about behavior. With all of our attention to security, I cannot tell you how frequently I get, as an arbitrator, secure USB drives with a yellow sticky and the password written on it by a helpful paralegal. You need to make sure that the people you're working with are aware of these issues, aren't doing things like that. That is a not trivial example. It has happened to me more than a few times.

And beware of creeping copies. We're all using markup, various markup tools. Some of those are making copies. iCloud is very grabby. So really know your inventory. Know where your data is. That's a lot of dense material, David. But I hope it gave an overview.

DAVID B. WILSON: Well, thank you. If we go to slide 7 just briefly, data protection and security issues really depend on the stage of the process and who's involved, as the header of the slide says. We're going to talk generally about communications in the context of the arbitration among the parties, the parties and the arbitrators, and between and among the arbitrators themselves. But the principles that we're talking about generally would apply to pre-arbitration situations as well.

Let's go to slide 8. And this is the meatier stuff in terms of we've talked about risks and best practices. But what are the obligations that we all have? There are really three sorts that we're going to move through-- attorney ethics rules, a GDPR and other data protection laws, and then we'll comment on what's in place with respect to arbitral rules.

If we go to slide 9, ethics rules, at least as promulgated in most jurisdictions, deal with broad obligations that attorneys or solicitors or other admitted practitioners have to follow. The rules are not for arbitration specifically nor are they practice specific, but rather, they're just what we have to do as lawyers. And these rules all focus on our obligations to our clients.

Mark will address in a few minutes some specific ethics opinions that are-- pardon me-- some ethics opinions that are more specific and prescriptive and many of which have come out very, very recently. So let's dive into this. If we go to slide 10, for those of you on the line who may be admitted to practice in England and Wales, now for what it's worth, I am, and so I guess this stuff is interesting to me. I envy the Solicitors Code of Conduct.

Their obligation is to protect confidential information that are very familiar to those of us who practice also in the US. The duty is to protect the client. And so the lawyer has to keep the affairs of its clients confidential unless disclosure is required or permitted by law or if the client consents. The lawyer has to have effective systems and controls in place to enable the lawyer to identify risks to client confidentiality, but also to protect against those risks.

There was a recent case involving JK Rowling, the author, of course, of the Harry Potter series, who wrote another novel under a pseudonym to see if it would sell, even if she were not identified as JK Rowling. And the lawyers talked about that. Ultimately, that information was spilled out, and the ethics authorities in England have very recently come down on the lawyers who were responsible for sharing that information.

We go to slide 11. In the US, for those jurisdictions that are under the Model Rules of Professional Conduct, lawyers have to be competent, including with respect to the benefits and risks associated with relevant technology. And so lawyers can't hear no evil, see no evil, but really have to educate themselves as to, well, if I do use Dropbox, for example, who owns the data? Is it me or is it Google or somebody else? And does the data get erased after my case is over or is it going to essentially be out there on the internet forever?

We go to slide 12. The basic obligation concerning confidentiality of information is in 1.6 of the Model Rules of Professional Conduct and essentially says that the lawyers have to make reasonable efforts to keep clients' information confidential. You can't talk about your cases. You can't disclose client information without the client's consent. As you know, this obligation is broader than with respect to privileged communications. It has to do with any information provided by the client regardless of whether that information is privileged or not.

Going to slide 13. The comment, and this is common 18 to rule 1.6, that says that rule 1.6(c) requires a lawyer to act competently to safeguard information against unauthorized access by third parties and against inadvertent or unauthorized disclosure. So the question is, OK, so I had this arbitration, and I'm transferring a whole bunch of my client's confidential information to an arbitrator, who I may not know and that was appointed by an arbitral institution and to my opponent, who is in a commercially adverse relationship to my client.

What do I have to do or what should I try to do as an advocate to make sure that information that is being transferred is consistent with my ethical obligations under Rule 1.6? And what the rules say-- Mark alluded to this earlier, and he'll talk more about this in a few minutes-- is that the obligation is subject to a reasonableness test to prevent unauthorized access or disclosure.

We go to slide 14. There's a list of these reasonableness factors. One size does not fit all. Every piece of information would not necessarily need to be protected with the same quality of protections, if we're talking about information, for example, that's not commercially sensitive versus information that really is kind of the keys to the kingdom for the company.

But think about this-- how do you know what's going to happen to the information when it's transferred? You can manage risks that you're in, but how about risks that the arbitrator is in or that opposing counsel is in? And what sorts of procedural orders and mechanisms need to be in place to maximize those protections?

If you look at the slide 15, and this is comment 19 to 1.6, these obligations also extend to data transfers. Mark has talked about that already, and I'm not going to repeat that. But other than just to say that it is important to consider. Well, Mark, if we go to slide 16, there are a bevy of ethics opinions that have started to address these issues, and could you walk us through what the ethics regulators have said?

MARK C. MORRIL: There are a lot of them, David. And some of them give very specific guidance. I'd like to focus on three that are very recent. There are two ABA opinions and one New York City Bar Committee on Professional Ethics opinion. So ABA Formal Opinion 477R which was issued in May of 2017, discusses generally and gives a very broad overview of securing communication of protected client information.

What I will say is that a lot of the ethics opinions do speak in terms of client obligations. If you work through the various ethics provisions and look at the arbitrator ethics code, some of which are on slide 18, I don't think we'll have time to discuss those in detail. But you work through to the same obligations for other participants in the arbitration process.

So the ABA 477R recognizes that we live in a world where the principal mode of communication is electronic. We live in a world where people have multiple devices. They discuss at some length the various ethical obligations that David talked about.

And then they delve in in some detail, and this will be the important part of the opinion for the audience here, to start to talk about the fact-based analysis and how do you make the reasonable efforts determination, talking about things like the sensitivity of the information, the likelihood of disclosure, the cost of employing safeguards, the difficulty of implementing safeguards, the extent to which safeguards may actually get in the way of what you're trying to do, adversely affect the lawyer's ability to represent the client.

They talk about the importance of having a discussion about this, and you'll see this across the participants as we talk about arbitrators raising this issue in the case management conferences. So it's important to understand the issues, to discuss the issues, and react. And the reasonableness is going to vary lots of different ways. There's an obligation also to train lawyers and non-lawyer assistants. Again, my example of the yellow sticky attached to the secure USB drive. There's an obligation to perform diligence on vendors. That's another place where information can easily be lost. So that is an important decision.

The ABA just a week or so ago, on October 17, released its Ethics Opinion Number 483. And that is lawyer's obligations after an electronic data breach or cyber attack. So we all recognize, notwithstanding best efforts and encryption and all of the things we've been talking about, the inevitable can happen.

So this ethics opinion discusses in some detail, again the background and again what the lawyer should do. I don't have time to discuss it in detail, but it does talk about an obligation to monitor for security breaches. You may not know they're happening since a lot of them obviously are stealth attacks.

It talks about the desirability of having proactively developing in advance an incident response plan so that you know your infrastructure, you know what might have been lost, and you're in a position to promptly respond to an attack. That's an important decision to look at.

There are legal requirements, some of which Kathleen will be talking about on breach notification. Some of those are state in the EU. There's the GDPR. There are different obligations, vis-a-vis clients and former clients. That's discussed in very helpful ways in that decision.

The third of these three I think very important decisions is the New York City Bar Ethics Committee Formal Opinion 2017, Number 5. That is a very interesting read on an attorney's ethical obligations regarding border searches of electronic devices containing confidential information. The statistics are in there. It is not commonplace, but it is not unusual for border agents now to be taking custody of and requiring the owner of an electronic device to give a password to give access to what's on the device.

There's an extensive discussion of the obligation. You'll be happy to know that you're not required to go to jail. You're required to resist, but ultimately you can comply with the demand. Again, one of the headlines is don't have a lot of data-- excuse me-- on your travel device. You may want to have a burner laptop. And you may want to uninstall applications that provide remote access. So those, I think, are the most important decisions. David, there are others listed in the slides, but I don't think we have time to talk about them.

DAVID B. WILSON: So if we go to slide 18, and Mark, you may just want to very, very briefly go over this. There are some arbitrator-specific obligations that are promulgated by certain institutions or organizations.

MARK C. MORRIL: This is the one I referred to briefly. It does thread the needle as to how you get from some of these client-focused ethics opinions and ethics rules to rules that apply to the participants. So the ABA arbitrator ethics do talk about trust and confidentiality inherent in the office of being an arbitrator. Go back and look at the ethics decisions. They all-- many of them hinge on confidentiality.

In the article that's in the materials, the Call To Cyber Arms that I co-authored with Stephanie Cohen in the Fordham International Law Journal, we talk also about the obligation of competence that you see again in the lawyer ethics rules, but that cuts across other participants.

The Chartered Institute rule on slide 18 talks about trust and confidence. And the ABA Arbitrator Ethics Code, which is fairly old but still very helpful, again talks about discretion, confidentiality, and competence. So all of those things bring you back to the ethics provisions that David was talking about and the ethics opinions that I mentioned.

DAVID B. WILSON: So Kathleen, let's talk about data protection, and for purposes of the next few slides, let's assume that the parties are involved in an arbitration. One's in the EU, one's in the US, and the parties want to use or obtain documents in the arbitration.

Can they use and transmit their contract documents? What about documents with personally identifiable information like email addresses? And then what about third-party documents? And in answering these questions, could you take us through what the GDPR is about and how the GDPR applies in the context of an international arbitration?

KATHLEEN PAISLEY: Happy to. It's interesting, because I was just thinking while I listened to Mark speak that Mark and I were on a panel together almost exactly two years ago, where he talked mostly about cybersecurity, and I talked about data protection. And I think that was the genesis both for his excellent article about a Call To Cyber Arms and also for me to write very extensively about the GDPR and arbitration, which is something literally I've been thinking about for 25 years, since I started practicing in Brussels but under the old regime.

So the first thing I think is for everybody to take a step back. None of this is new news in Europe. We had the Data Protection Directive. The Data Protection Directive was applicable since 1995, implemented into Member State Law by Round 98. And the rules that we talk about under GDPR were all in the Data Protection Directive, as implemented into Member State Law.

The difference is, there were no teeth. There was no real enforcement mechanism, and in many jurisdictions, like the one I spend a lot of time in Belgium, there was virtually no compliance of this by the authorities. So the GPA doesn't really do much. So everybody knew on some high theoretical level that maybe data protection rules applied to arbitration, but nobody really cared very much because there was very little practical impact.

So then GDPR comes along, and I must say, and I have been in Brussels for I guess now almost 30 years, I have never seen anything like the compliance efforts that went into GDPR. The only thing that's vaguely comparable is Y2K, but this is like much more. I mean, trillions of dollars were spent complying with the GDPR, trying to comply. And so obviously, that has brought GDPR to the floor, more than data protection ever was generally and with respect to arbitration.

But still, two years ago, when I first talked about this, there was the look across the audience was total disbelief, that for example, the information that we process in terms of evidence, the emails that each of us look at that have copied 20 people, how could that possibly be the personal data of all those 20 people? I mean, that means that in every even relatively simple arbitration, there can be hundreds of data subjects, because every one of the people who is identifiable from each piece of evidence is a data subject.

So how is that ever going to work? Well, my theory is that it can work. It will be inconvenient, but it can work, but that we need to kind of accept it and that it actually is going to apply much more broadly than just folks like me who are primarily based in Europe. Because the GDPR has very broad extraterritorial effect and potentially applies to some arbitrator's law firms, experts, parties that are based in the United States, Asia, et cetera, but that have made affirmative efforts to market into Europe. That's when the GDPR applies to you.

So in some ways, that's bad news, because you have to comply with the rules. In other ways, it's good news, because that means you can have information transferred to you and participate in the process in a way that allows there not to be a problem with respect to data transfers and the like, because those issues only arise for individuals who are not subject to the GDPR.

So let's take a step back on slide 19, and to make the very basic point, the rules that are contained in the GDPR apply primarily to data controllers. Data controllers, the way that term is defined, will apply to virtually everybody in the arbitral process. It will apply to parties, lawyers, institutions, arbitrators, experts. It's inherent in what we do that we must be able to control the data. I am an arbitrator. I cannot only process the data according to the way the parties tell me to process it, I have to be able to independently process it the way I feel is appropriate for the case. That makes me a controller.

So what is personal data? Personal data is anything where an individual is identified or identifiable. That means every witness. That means everybody who's mentioned in an email. That means everybody who's mentioned in a contract. That means people whose metadata allow them to be identified. It's very broad.

So turning to slide 20, what's the risk? Why should we be worried? Well, we should be worried because the fines are significant. There was just an article-- I think it was in Law 360 that the fines just in six months of the year following implementation of the GDPR in the UK doubled. But that's a drop in the ocean compared to what is expected to happen.

Now, nobody expects the big fines to initially be against arbitrators or even law firms unless they are careless. But there is still that risk, and that risk is primarily driving the parties to be sure that when they give data in an arbitration, that that data will be GDPR compliant, because they as the party is obligated to make sure that their data is used in the GDPR-compliant way.

There's also the risk of civil suits. The GDPR expressly permits class actions in a way that is not typically the case in Europe. And also I think we all need as arbitrators and parties to this process to realize that whenever there is an issue like this, there's an enforcement risk.

Achmea specifically referred, and it's in the portion of the award that addressed commercial arbitration, for those of you who are familiar with the Achmea award, it confirmed the [INAUDIBLE] doctrine, which basically says commercial arbitrators must address issues of mandatory application in European law for the award to be enforceable in Europe.

They don't have to decide them right, but they need to address them. And Achmea confirmed the [INAUDIBLE] doctrine with express reference to data privacy. So there is clearly not only a risk of parties making issues with data protection authorities to fool around with the process, but also risk of enforcement.

So if we turn-- I'm going to slow note-- on slide 21, I just like to make the point, I think the issues that Mark addressed and David are incredibly helpful, because the GDPR, although it applies to arbitration, was not intended for arbitration or for the courts. There is a court exemption for member state courts from the GDPR. So the GDPR, broadly speaking-- I mean, I can go into detail if anybody's interested-- but broadly speaking, the data protection rules don't-- they apply to the member state courts, but they're only enforceable by the courts themselves.

So the presumption is the GD broad basically doesn't apply to the member state courts. And moreover, in Europe, as you know, other than England, we don't have disclosure. So there is no-- the people who wrote these rules were not thinking about the broad kind of discovery we have in the United States.

So then, we had this-- so we have people who are writing the rules who are not familiar with the kind of disclosure we do in arbitration today. And so people think in their minds there must be an arbitration exception. There is not. Some of the more difficult rules are exempted but few. So for the most part, it's safe to assume that the rules and the GDPR apply to arbitration.

Going to slide 22, you need to have-- the thing to remember as an American lawyer or anyone is that data processing is illegal under the GDPR unless there's a basis for the processing. In the US, you can process unless it's prohibited. In Europe, you cannot process unless it's allowed. And you must choose a basis on which you're processing. You can't just throw seven out there and hope one sticks. You have to choose a basis.

Now, many people believe that the basis for processing in international arbitration will be consent. I think that is incorrect. Consent is very difficult to obtain, often impossible, and moreover, it can be withdrawn at any time. So I think the more likely basis on which most arbitral data will be processed during an arbitration under the GDPR will be what's called the legitimate basis test. And all of this requires data minimization, which means you can't process more data than is required for the case.

In addition to that, you obviously need to have a legal basis for the transfer, which is the issue that David started with, which is difficult if the-- so I can transfer a document tomorrow if Mark is subject to the GDPR or if otherwise we have put in place contractual or other means to allow the transfer. If not, then we have to look at the exceptions, et cetera. It's very complicated.

So if there are people in the arbitration, as David said, people who are-- you know, there is a co-arbitrator who is not subject but one who is, there's a party who's not subject and one who is, this creates a lot of complexity. It requires as a matter of law all the cybersecurity that Mark spoke so well to, those all required as a matter of law.

And there's a potential that even a higher level is required but certainly wasn't talked about. And the great thing about these ethics opinions is that because the GDPR was not geared towards arbitration, there's very little that really gives us guidance. We know it applies.

There is one opinion which applies the rules in the Data Protection Directive to discovery for US court litigation, which is worth reading. But for the most part, we're in the dark. So these ethics committee opinions are extremely helpful in helping those of us in Europe think about how these cybersecurity rules should be applied in the GDPR context.

And then I think I'll just close and turn it back over to you, but I would like to say one word about what's required in terms of data subject rights. So let's assume that we've figured out we've got adequate cybersecurity in place. By the way, data breach notification, you have 72 hours to notify. And if not, the fine is potentially 10 million euros.

So data breach is a big deal. And what is really surprising to me is that only like 25% of the law firms that have been surveyed have data breach implementation processes in place. So that is a potentially large issue that will need to be addressed by all of us is data breach notification. But let's say we've got all that in place.

We've got the transfers worked out. We've got the legitimate basis for processing. What happens then? Well, what happens then is we also have to be sure that all the data subject rights have been respected. What are those? Transparency about data processing for the arbitration.

So does that mean somebody has to tell all these hundreds of people who are mentioned in emails that there's an arbitration using their data? That's something that we all need to think about, because that seems to breach the confidentiality provisions, but it's an issue. And who's going to get the data breach notification? Everybody's the data controller. Everybody has the obligation, but somebody needs to be assigned the obligation to do that within the process, because we don't want these data subjects getting 12 notices.

So I think that's all going to be the practical things that need to be worked out. And data subjects have the right to review the data. They have the right to correct it. How is that going to work in an arbitration? So these are all things that are going to need to be thought through in some detail on a case-by-case basis. But I think if we put in place proper rules and procedures it's doable, but it's going to, to a certain degree, probably change the way we do things when the GDPR applies.

DAVID B. WILSON: Well let's switch forward. Thank you, Kathleen. That's fascinating. And I was excited to get Kathleen on this program, because she really knows this area. And I would commend to you her article in the materials, which is, It's All About The Data, and it really is comprehensive. And she perhaps more than anyone else whom I've encountered has thought through these issues. What do the arbitral rules say?

Slide 24. Not much. They're largely silent currently about cybersecurity and data protection. Arbitrators have broad authority to manage the case, including to enter procedural orders that cover the needs of the case with respect to both cybersecurity and data protection.

The issue really is whether the arbitrators and the parties are sophisticated enough to be able to know what to address and how to address it in a way that's not going to compromise the party's right to a full and fair opportunity to present their cases. And so I think that's part of the conundrum.

We go to slide 25. There are exceptions. We've mentioned the ICC IT task force report. Most thought leadership on these issues has come from outside of the arbitral institutions, although we expect that that probably will change based on GDPR.

In addition to Mark's and Kathleen's articles, we would mention the Debevoise Protocol to promote cybersecurity, euphemistically known as the Debevoise Protocols. The ICCA Draft Cybersecurity Protocol. There are also IDA Cybersecurity Guidelines.

We've got a little bit less than-- well, about 10 to 15 minutes remaining in the program to get you out of here by 2:05 Eastern or maybe a little bit before. And so we wanted to jump forward to slide 26 and talk, in conclusion really, about some practical steps that folks can take to address these issues on a going-forward basis. And Mark, why don't we turn it back over to you to start going through slide 26.

MARK C. MORRIL: Sure, David. I think that all of the actors are focused. You mentioned the institutions who have not yet issued rules, but I think the emphasis is on yet all of the major institutions, both domestically in the US and internationally are very focused, not only on protecting their own data, which is critical since there have been institutional breaches, for example, the Permanent Court of Arbitration in the Hague, but also on the data of the participants.

And I think we're going to see-- in fairly short order, we're going to see institutional rules that will talk about data security and cybersecurity expressly. And we're also going to see the institutions, I believe, develop secure platforms to manage the process.

In the meantime, as you mentioned, and as discussed in the Fordham article, in a typical arbitration the arbitrators have ultimate authority for this as an element of case management. I think in the first instance, and now I'm really over to slide 28, the arbitrators will manage this by deferring or expecting in the first instance that the parties and the parties' counsel will be discussing the issue.

In most instances, I think we will see that data security and cybersecurity will be a topic of discussion at the official case management conference, the first procedural conference. And it will be addressed in the first procedural order. Now, there may be instances where data is very sensitive that that moment is too late.

There may be emergency arbitration proceedings. There may be even at the inception of the arbitration, there may be a need to address the issue. But I think what we're going to see going forward typically is that this will be addressed initially by counsel. It'll be on the agenda for the initial procedural conference. And I think we'll see essentially a laundry list of issues that will find its way into the initial procedural order or the terms of reference, if you're in an ICC arbitration.

Kathleen and I happen to be sitting together and are working on one right now where we have asked the parties to tell us about email encryption, what password controls they're contemplating, what their incident response measures are, how sensitive is the data, how much personal identifiable information there is, how the data protection rules generally impact the case. I think you're going to see arbitrators reaching out and expecting parties to address that. And conversely, parties care about it, and they're going to expect tribunals to address it. So Kathleen, maybe over to you for some more comments on that subject.

KATHLEEN PAISLEY: Yeah. Maybe I might just go back a slide, if you wouldn't mind, to 26 and 27 for a second. So I've been starting to work, not myself alone, but myself and others have been starting to work with the institutions about those cybersecurity issues and data protection issues.

And I think what we're going to see going forward in the near future is, at least in Europe and potentially other places, but at least in Europe, I think we are going to see the institution issue, data protection policies of their own basically saying that they will comply with the GDPR in their processing of the data. And that they expect that the data that is presented during the arbitration to have been essentially GDPR checked so that whatever is presented is GDPR compliant at the moment it's presented.

That's my expectation, and they will also have policies that will include cybersecurity. I do think there will be a move towards platforms, but that will take longer. There is also a question, I think-- I mean, I think a lot of institutions are really taking this quite seriously, particularly cybersecurity but also GDPR, about thinking about ways to be practical and put in place training for arbitrators.

I know that the task force, the ICC Task Force, has done some training. I think that we're going to see more of that from the institutions. There is a cry for it from arbitrators, you know, tell us what we should be doing and we'll do it. And so I think there'll be that. And I also think that arbitrators are going to start feeling-- they will issue their data protection notices. If you look online now, some of the major arbitrators have already posted data protection notices. Louis Hilburn has. Judith Gill has, and soon we will have them, at least those of us who are exposed to GDPR compliance.

So I think that that will be the first step, which is the institution will tell the parties, listen, this arbitration is subject to GDPR, because we as an institution are. And then there will be the arbitrator saying, listen, I'm subject to GDPR and here's my policy with respect to GDPR. And then the parties will then be able to choose an arbitrator for its case, depending on whether they want a GDPR arbitrator or a non-GDPR arbitrator. I mean, it's likely to get quite complicated.

And then everybody has an obligation as parties to think about has my data-- is my data acceptable for processing during this arbitration? And my expectation is that both the institutions and the arbitrators are, because of the huge legal and financial risks, are going to push back hard on the parties for them to be responsible that before the data is presented that it has been checked.

And that's where, if you move over to slide 30 onwards, there will be cybersecurity protocols is my expectation. And there'll also be data protection protocols. And what we've done here is not to be gone through at all, but at the very back of this, the last five to six slides, is a checklist that I prepared based upon the Sedona Conference materials, a checklist just for, if you're in a GDPR arbitration, what is likely to come up and need to be included either in PO 1 or in a data protection protocol, terms of reference. But these are the issues that are likely to be raised.

And you know, just one quick point. For example, a lot of people are worried about this getting in the way of disclosure, and it may well, because there is a data minimization requirement. In some cases, there may be a requirement to [INAUDIBLE] the data. But there's also likely to be a lot of gamesmanship. And for example, if I'm a party, and I have already given my data to my counsel who's outside of the European Union, arguably I can't then say rely on my data protection risk to not give it to the other side.

So it really requires a lot of thinking through who's done what to whom before the issue has been raised in the disclosure context. But I think we will see a lot of data disclosure fights over GDPR. I think it adds another layer of complexity, but at the end of the day, my bet is it's going to end up with more data being more securely processed and less of it.

So whether that's a good or a bad thing probably depends on how you feel about data-heavy arbitration. But my bet is that GDPR arbitrations will have less data. And it will be more securely processed. But that's required by the ethics rules too, not necessarily the same degree of data minimization but certainly secure processing and all the care that you've talked about, Mark and David.

DAVID B. WILSON: Well, it's 1:57 Eastern, and so I regret we probably are not going to have time to get to questions as we wrap up. But if you do have questions, send those to PLI. They'll forward those on to us, and we would be more than happy to answer those questions offline.

I wonder if, as an advocate, whether we're going to start to see GDPR-centered gamesmanship in terms of the kinds of documents that might be provided properly under a disclosure request under the IBA rules or even in terms of the types of evidence that people might or might not present in an arbitration. Mark, you mentioned the ICCA protocols. Could you tell us more about those and how those would be helpful to the folks in this context.

MARK C. MORRIL: Sure, David. I'm glad you asked that question. I think what we're seeing in this program is a lot of common threads. Certainly data minimization is one. Reasonable measures is another. A lot of that comes together in this ICCA Consultation Draft Cybersecurity Protocol. I really commend that to your attention. Also, it is a consultation draft. We would very much like the reaction as to whether people on this call agree with what's in it and whether it provides helpful guidance.

So broad overview is that this is a framework document. This is an area where things change frequently. So what we have attempted to provide is a framework for addressing the issue. There is some pretty granular advice in the schedules. One of the schedules which is in the drafting process will provide more granular advice. But we do recognize that things will change.

There is an attempt to talk about reasonable measures in some detail. If you look at articles 7 through 12, they lay out some of the factors that we've talked about during the course of today's call, ultimately recognizing that there is no one size fits all. But there is, I think, some very helpful guidance in that document, with more guidance to come.

DAVID B. WILSON: So it's 2:00 PM Eastern, and our carriage is about to turn into a pumpkin here on Halloween. Kathleen, last word in, let's say, two minutes or less. Are the GDPR regulators really going to get involved in terms of GDPR violations in connection with international arbitrations?

KATHLEEN PAISLEY: It certainly won't be their first port of call. I think what is much more likely is that disgruntled parties will bring complaints and create issues. And then they will feel obligated to address those. And once that door's opened, who knows where it will lead. And as I said, I do think this may be raised in terms of enforcement as well. And if there is a large data breach, then of course, all bets are off. But I don't think it will be their first port of call.

But parties are going to be concerned, because parties will have-- they have data protection officers. And those data protection officers need to ensure data protection compliance. It's now in the boardroom. They say that there are three issues now that are keeping board members and general counsel busy in their compliance area, and GDPR is now probably second on that list to corruption, over and above anti-trust.

DAVID B. WILSON: Well, thanks to everybody for dialing in today. Let me conclude just by saying if you have questions, send them, and we'll try to respond to the best extent we can. The other thing that I would say is if you have suggestions or anecdotes or other concerns in this area that we have not raised, would you let us know that as well, simply because we are each actively involved with various of the arbitral institutions. And we have pipelines, as they say, to communicate your concerns. Again, thank you and let me turn it back over to Amy.

AMY TAUB: Thank you so much. We are now out of time. I would like to thank our listeners and today's excellent speakers, Mark Morril, Kathleen Paisley, and David Wilson for a very timely and informative presentation. We appreciate your remarks. Bye bye.

DAVID B. WILSON: Thank you. Bye.


  • twitter
  • LinkedIn
  • YouTube
  • RSS

All Contents Copyright © 1996-2018 Practising Law Institute. Continuing Legal Education since 1933.

© 2018 PLI PRACTISING LAW INSTITUTE. All rights reserved. The PLI logo is a service mark of PLI.