Editor’s Note: In this comprehensive article, Rob Feigenbaum and Veronica Gromada examine the critical issue of cybersecurity within the domain of arbitration proceedings. They emphasize the vulnerability of arbitration transcripts to cyber threats, given their content often includes highly sensitive information such as trade secrets, personal health and identifying information, and proprietary data. The piece highlights the increasing instances of cyberattacks targeting legal firms and arbitration institutions. It also discusses the adoption of robust cybersecurity measures as per the ICCA-NYC Bar-CPR Protocol and parallels with best practices in litigation. The authors advocate for the integration of advanced technology platforms compliant with SOC-2-Type 2 and ISO 27001 standards to ensure the security and integrity of arbitration transcripts. This article is valuable for arbitration professionals, providing insights into safeguarding sensitive information and adhering to evolving cybersecurity standards.




Industry Expert Article*

Cybersecurity of Arbitration Transcripts

By Rob Feigenbaum and Veronica Gromada[1]

Arbitration proceedings often involve sensitive corporate information concerning trade secrets, Personal Health Information (“PHI”) and Personal Identifying Information (“PII”) covered by data protection laws and regulations, unpublished financial information, strategic plans and forecasts, proprietary research, payment card data, pre-patent data and other confidential topics. The sensitive information in arbitration proceedings is often not just that of the parties, but also that of the parties’ customers, business partners, suppliers or employees, all of which expect the parties (and others who receive the information from the parties) to maintain strict confidentiality with respect to their information.

In recent years, hackers seeking access to sensitive corporate information have targeted law firms which represent parties in arbitrations and litigation, see Xiumei Dong, Law Firm Data Breaches Continue to Rise, Law360 (Feb. 6, 2023); Isabel Vincent, Massive Cybersecurity Breach Hits Biggest U.S. Law Firms, New York Post (July 8, 2023), and the arbitral institutions themselves. See John Choong, Vasuda Sinha, Sofia Klot and Olivier Andre, Data Protection and cybersecurity in international arbitration remain in the spotlight (“In 2015, hackers attacked the [] website [of the Permanent Court of Arbitration in The Hague (PCA)]. Malware planted on the section of the PCA’s website devoted to the China–Philippines maritime boundary dispute posed a potential risk to visitors, causing the PCA’s website to go off-line for a week. That same year, in Caratube v Kazakhstan, confidential information was leaked from the Kazakh government’s IT system and the claimant eventually obtained some of the leaked documents.”).[2]

The legal, business, reputational and other risks of cybersecurity incidents have never been greater for the arbitration bench and bar. Fortunately, industry leaders have recognized the critical importance of maintaining cybersecurity, and they have developed standards for cybersecurity in arbitration proceedings. Arbitration organizations are doing their part by highlighting the importance of cybersecurity, training their panelists and staff, as well as publishing guidance for those participating in arbitration. See, e.g., AAA-ICDR Best Practices for Maintaining Cybersecurity and Privacy[3]; AAA-ICDR Information Security Program[4]; JAMS, “Doing the Cybersecurity Two-Step: Securing Your Practice and Protecting Your Brand.”[5]

Most prominently, the International Council for Commercial Arbitration (“ICCA”), New York City Bar Association (“NYC Bar”) and International Institute for Conflict Prevention and Resolution (“CPR”) promulgated the ICCA-NYC Bar-CPR Protocol on Cybersecurity in International Arbitration (“ICCA-NYC Bar-CPR Protocol”) in 2019, which was updated in 2022.[6] The International Chamber of Commerce (ICC) Commission on Arbitration and ADR has also promulgated standards in its publication, Leveraging Technology for Fair, Effective and Efficient International Arbitration Proceedings.[7]

To foster greater cybersecurity protections in arbitrations, and educate arbitrators and practitioners about cybersecurity,[8] the ICCA-NYC Bar-CPR Protocol recommends adoption of “reasonable information security measures for individual arbitration matters,” provides “procedural and practical guidance to assess security risks and identify available measures that may be implemented,” and increases awareness of “information security risks in the arbitral process” and “some of the readily accessible information measures available to improve everyday security practices.” Id. at xi.

Under the ICCA-NYC Bar-CPR Protocol, “the information security measures adopted for the arbitration shall be those that are reasonable in the circumstances of the case” (Principle 5) based on different factors, including “the existing information security practices, infrastructure, and capabilities of the parties, arbitrators, and any administering institution” (Principle 6(b)). Consideration should be given to, among other things: “(a) asset management; (b) access controls; (c) encryption; (d) communications security; (e) physical and environmental security; [and] (f) operations security.” Principle 7. “Information security should be raised as early as practicable in the arbitration” (Principle 10), and “the arbitral tribunal has the authority to determine the information security measures applicable to the arbitration” (Principle 11), which recognizes the tribunal’s “own interests in preserving the legitimacy and integrity of the arbitration process” (Principle 10, Comment a).

The ICCA-NYC Bar-CPR Protocol recognizes that cybersecurity risks can arise from the court reporters who transcribe arbitration proceedings, and the technology platforms that the reporters are utilizing. “Parties may engage independent contractors or third party vendors to assist with an arbitration, including . . . transcription services . . . [and] providers of on-line case management platforms and hearing platforms. These persons will typically have a contractual relationship with, or be under the practical control of, a party, but will not be under the actual control of the arbitral tribunal and may not suffer directly from the consequences of an information security incident. Parties who provide access to arbitral information covered by information security measures to such third parties should ensure that those third parties are aware of applicable security measures, have the necessary technical capabilities to comply with them, and agree to follow them. In relationships governed by contract, it will often be appropriate to expressly address information security in the agreement.” Principle 3, Comment 3(d) (emphasis supplied). See also AAA-ICDR Best Practices for Maintaining Cybersecurity and Privacy, p. 2 (“A deadline should be set by the arbitrator for the parties to meet and agree upon procedures to govern the handling of sensitive information [including] [s]haring of arbitration-related sensitive information with authorized third parties, such as . . . vendors, such as a stenographer.”).[9]

When establishing cybersecurity protections in arbitration proceedings, arbitrators and arbitration counsel should look for guidance to the best practices for cybersecurity protections in depositions and court hearings (“litigation proceedings”). As we have written recently, see Rob Feigenbaum, Geoff Vance and Patrick Zeller, Information Security in Court Reporting,[10] attorneys representing parties in litigation proceedings are bound under ethical rules, and protective orders, to take reasonable steps to maintain the security of client information and testimony. See ABA Model Rule of Professional Conduct 1.6(c) and Comment 18; ABA Model Rule 5.3, Comment 3; Formal Opinion 498 of the ABA Standing Committee on Ethics and Professional Responsibility; ABA Model Rule 1.1, Comment 8.

However, court reporters who are selected by counsel to transcribe litigation proceedings are almost exclusively independent contractors who use their own personal laptop computers to store client data and prepare testimony, and they typically work with additional independent subcontractors such as videographers (to videotape the proceedings), and scopists and proofreaders (to assist in finalizing the transcripts), who also use their own personal laptop computers. See Feigenbaum, et al., supra. This cybersecurity problem with litigation proceeding transcripts is present whether the litigation proceedings are remote, in person or hybrid. The issue was addressed years ago by law firms and other legal support companies, such as electronic discovery companies, when those law firms and companies achieved compliance with Service Organization Control (“SOC-2-Type 2”) and International Organization for Standardization (“ISO 27001”) standards for data security. Id.

Fortunately, new technology platforms became available in the legal industry during the pandemic that allowed for litigation proceedings to be transcribed without having court reporters, videographers, proofreaders and scopists store and manage client data and testimony on their personal devices. Id. (citing www.prevail.ai). The new technology platforms are SOC-2-Type 2 and ISO 27001 compliant; they cost a relatively small amount compared to the cost of preparing the transcript; and they assure that client data and testimony (1) are always stored in, and never leave, a secure cloud-based environment, (2) can be encrypted for use in transmission and storage, and (3) can be subject to regular third-party security audits, including penetration testing. Id. The use of these new technology platforms avoids the data security risk of the old way of preparing transcripts, with numerous people with different roles passing along confidential information without much security, and it protects law firms and other legal services providers from hackers who continue to target them for the purpose of acquiring sensitive client information. Id.

In addition, the new technology platforms enable arbitrators to access, search, summarize and identify key testimony from depositions and hearings by making plain English queries in the platforms. See www.prevail.ai. The new technology also flags potential inconsistencies between the testimony of a witness and that of other witnesses in the case. Id. Arbitrators no longer need to spend time hunting for testimony in disparate places throughout the record, making complex, Boolean word searches across multiple repositories of testimony to find the key testimony (when electronic repositories of the testimony are even available). And arbitrators will have assistance in identifying the testimonial inconsistencies that are often the most impactful factors on the rulings in a case. The arbitrators’ process of considering and writing their opinions will be much more efficient.

Arbitrators, and counsel in arbitration proceedings, should follow the emerging best practices for cybersecurity in litigation proceedings, and utilize the new, SOC-2-Type 2 and ISO 27001 compliant technology platforms for preparation of transcripts in arbitrations. This approach would be most consistent with the letter, and spirit, of the ICCA-NYC Bar-CPR Protocol. The ICCA-NYC Bar-CPR Protocol indicates that, “[w]here appropriate, file-sharing or cloud storage services may be used as an alternative to e-mail for more secure transmissions. Cloud storage is a service that maintains data on remote servers that are accessed over the internet. Third party cloud storage can provide better security than an individual practitioner or small organization can reasonably provide on its own.” Id. at Schedule A, Section V. The Sample Information Security Measures in the ICCA-NYC Bar-CPR Protocol recommend “[u]sing business or enterprise-level email and digital communications accounts, not free consumer or personal email services, for any emails or remote meetings regarding this matter,” and “[u]sing business or enterprise-level document sharing systems or software, not free consumer or personal storage or sharing, for any shared documents.” Id. at Schedule C, Section IV.

Thanks to the new technology platforms, arbitrators and counsel in arbitration proceedings can, at a relatively small cost compared to the cost of preparing the transcript, assure that client data and testimony (1) are always stored in, and never leave, a secure cloud-based environment, (2) can be encrypted for use in transmission and storage, and (3) can be subject to regular third-party security audits, including penetration testing. In addition to providing better protection for sensitive client information in arbitration proceedings than the old way of preparing transcripts, use of the new technology platforms will foster greater compliance with the ICCA-NYC Bar-CPR Protocol, reduce cybersecurity risks and potential liabilities for arbitrators and arbitral institutions,[11] and further the worthy goal of the arbitration bench and bar to increase education and compliance with cybersecurity requirements in arbitration proceedings.


End Notes

[1] Rob Feigenbaum is the Co-Founder and CEO of Prevail Legal. Veronica Gromada is Partner at Shook, Hardy and Bacon. The authors would like to thank Ashish Prasad, Vice President and General Counsel of HaystackID, for his valuable assistance in preparing this article.

[2] https://www.freshfields.us/insights/campaigns/international-arbitration-in-2023/data-protection-and-cybersecurity-in-international-arbitration-remain-in-the-spotlight/

[3] https://www.adr.org/sites/default/files/document_repository/AAA258_Best_Practices_Cybersecurity_Privacy.pdf

[4] https://www.adr.org/sites/default/files/document_repository/AAA_InformationSecurity_Summary.pdf

[5] https://www.jamsadr.com/events/2023/doing-the-cybersecurity-two-step-securing-your-practice-and-protecting-your-brand.

[6] https://cdn.arbitration-icca.org/s3fs-public/document/media_document/ICCA-reports-no-6-icca-nyc-bar-cpr-protocol-cybersecurity-international-arbitration-2022-edition.pdf. While the Protocol was drafted to focus on international commercial arbitrations, it is also intended as “a useful reference for domestic arbitration matters and/or investor-state arbitrations, as well as other ADR procedures.” Id. at xi.

[7] https://iccwbo.org/wp-content/uploads/sites/3/2022/02/icc-arbitration-and-adr-commission-report-on-leveraging-technology-for-fair-effective-and-efficient-international-arbitration-proceedings.pdf

[8] The drafters emphasized that, “[i]n the increasingly digital landscape in which proceedings take place, the credibility of any dispute resolution system, including arbitration, depends on maintaining a reasonable degree of protection of the information exchanged during the process, not only with respect to the information’s confidentiality (except where the parties intend for the information to become public), but also its integrity and availability. Further, arbitration has the benefit over other dispute resolution processes of enabling parties to maintain the confidentiality of the dispute resolution process itself, where they want to and where applicable law permits, and the information exchanged within it. Reasonable information security measures are essential to ensure that [] arbitration maintains this advantage.” Id. at 9.

[9] https://www.adr.org/sites/default/files/document_repository/AAA258_Best_Practices_Cybersecurity_Privacy.pdf

[10] https://complexdiscovery.com/solving-the-problem-of-information-security-in-court-reporting/.

[11] In arbitration matters where, for whatever reason, the old way of preparing transcripts is utilized, the parties, arbitrators and arbitral institutions should follow the guidance of Principle 3, Comment 3(d) of the ICCA-NYC Bar-CPR Protocol, and “expressly address information security” in contractual agreements with court reporters. See supra. The contractual agreements should include confidentiality and cybersecurity requirements, indemnification requirements in the event of a breach, and other provisions that are commonplace in contracts with law firms and other legal support companies.


* Shared with permission of authors.

Assisted by GAI and LLM Technologies

Source: ComplexDiscovery

 
