LegalApril 20, 2020

Compromised hearings cybersecurity and commercial arbitration

Brandon Malone is a concerned man. As a leading expert in the field of commercial arbitration, he believes that cybersecurity-related breaches could do much to compromise confidential and even highly sensitive arbitration proceedings. Brandon concedes that no security system can ever fully protect sensitive data and documents from being hacked. But he does believe that protocols should be in place nonetheless, so that at least some breaches can be thwarted. The commercial arbitration industry has still far to go in this respect – and it needs to act quickly.
Assessing risk is a very important part of the [aforementioned] protocol on cybersecurity.
Brandon Malone, Honorary Lecturer at the Centre for Energy, Petroleum and Mineral Law and Policy at the University of Dundee.
Commercial arbitration is often predicated on the need for the privacy of parties to a given arbitration. Trade secrets, confidential contractual agreements and other sensitive commercial considerations all require a high level of confidentiality during arbitration proceedings. However, that confidentiality is increasingly under threat from the growing scope and capabilities of cyber attacks. Cybersecurity has become critically important in the commercial arbitration field. That is certainly the opinion of our esteemed interviewee for this article, Brandon Malone.

Brandon is a Scottish solicitor advocate, arbitrator and adjudicator with over 25 years’ experience in dispute resolution in Scotland and internationally. He is both a solicitor advocate in Scotland and solicitor to the Senior Courts of England and Wales. He is accredited by the Law Society of Scotland as a specialist in Construction Law, and as a specialist in Arbitration Law. He became Scotland’s first Approved Solicitor Arbitrator in 2016 after having been instrumental in the establishment of the Scottish Arbitration Centre. Among many other accomplishments, he is also an Honorary Lecturer at the Centre for Energy, Petroleum and Mineral Law and Policy at the University of Dundee.

Brandon is undoubtedly a leading expert in the always challenging world of dispute resolution. It is for that reason that Wolters Kluwer invited him to chat with us regarding his background in arbitration and his thoughts on the importance of cybersecurity in his field.

The Scottish Arbitration Centre and ICCA

The Law Society of Scotland asked Brandon to get involved in the Scottish Government’s project to establish an international dispute resolution centre. And so he helped set up the Scottish Arbitration Centre in 2011, which is the body for domestic and international disputes in Scotland. He was the inaugural chair of its Board and has been involved with the Centre ever since. He soon became affiliated with the International Council for Commercial Arbitration (ICCA).

After leading Edinburgh’s successful bid to host the ICCA 2020 Congress, he was invited to join the Programme Committee for ICCA’s 2018 conference held in Sydney, Australia. At the 2018 conference, Brandon moderated a session titled “Technology as Disruption,” in which the potential detriments of AI and matters pertaining to cybersecurity were discussed.

Brandon had also proposed a cybersecurity protocol prior to that conference, known as the ICCA – New York City Bar – CPR Protocol on Cybersecurity in Commercial Arbitration. He believed such a protocol was essential in commercial arbitration, given that it often involves very sensitive, highly confidential information and documents. Commercial arbitration hearings are sometimes done online or via telephone, which makes them especially vulnerable to cyberspace compromises.

Brandon’s Collaborations with Wolters Kluwer

Brandon has always known about Wolters Kluwer, given the company’s extensive experience in publishing on arbitration and ADR topics. His link with Wolters Kluwer came through ICCA, since Wolters Kluwer produces publications for ICCA. Brandon provides the National Report for Scotland in the ICCA International Handbook on Commercial Arbitration.

Anatomy of Cybersecurity in Commercial Arbitration

Brandon was asked whether he could provide an example from personal experience of an arbitration where a cybersecurity breach seriously impacted the arbitration. He replied that he had not to date been personally involved in any such breach. He did however cite the notorious 2016 case of Philippines vs China (known as the South China Sea Arbitration) brought before the Permanent Court for Arbitration (PCA) in The Hague, Netherlands, in which the contentious proceedings between the two countries was hacked and even shut down the Court’s website.

Is it fair to say that there is a greater emphasis on security issues and the provision of security measures in commercial/investment arbitration when compared to other, non-commercial arbitration proceedings? Brandon believes that there is a distinction because commercial and investment arbitration can involve very sensitive information and documents, which people in the field are aware of within the context of cybersecurity. There are generally more security-related considerations with a commercial arbitration than there would be with other types of arbitration, for example, labour or employment-related arbitration.

Brandon states how, “assessing risk is a very important part of the [aforementioned] protocol on cybersecurity” with regard to the degree of possibility that a data breach can occur during a commercial arbitration proceeding.

However, a distinct downside is that cyber breaches in commercial arbitration proceedings are not easily or often publicized or even divulged by affected parties. Brandon points out that there are two reasons for this: (1) Parties don’t like to go public with a breach as it can be embarrassing and even commercially prejudicial and (2) parties to an arbitration are not always aware that they’ve been breached. As a result, those factors certainly make cybersecurity measures even more difficult to implement.

The Reality of Cybersecurity in Commercial Arbitration

Brandon was asked whether reasonable security measures could ever stop professional hackers gaining access to confidential documentation during a commercial arbitration. His reply was measured: “It’s very difficult to ensure because there really is almost no way to prevent every single hack. But that doesn’t mean you don’t try”.

In his opinion, having a protocol in place, such as that which he introduced at the ICCA conference in 2018, will at least ensure two things: (1) it will keep the amateur and casually opportunistic hackers out and (2) a protocol can at least try to take some measures to prevent cybersecurity by more sophisticated hackers, even those by hostile foreign government entities. One example is to not hold all arbitration online or in the cloud. Information security in the protocol, which would incorporate cybersecurity and paper-based arbitration, is not 100% foolproof, but it could be helpful for certain, hyper-sensitive documents.

There is also the question of whether the talent pool of arbitrators will have to change due to cybersecurity-related demands, i.e., having arbitrators that are more IT-savvy and understand the unique dangers of cyber-related attacks on arbitrations. Brandon believes that the market will have to dictate that. He concedes that there is indeed a lower level of understanding than there should be regarding cybersecurity among some professionals in the arbitration field. He believes it is improving but that there remains a lack of engagement from certain quarters in his field.

Some Interesting Conclusions

Nearly every other specialist in technology-related law that we’ve interviewed has stated how the advent of AI will be the single-biggest disrupter to the legal systems and enforcement of legislation in their countries/regions in the coming years. Would Brandon consider the same to be true in the commercial arbitration field? He replied that, “AI has the potential to have a significant impact on the way we do things,” although he believes that most of it could be beneficial.

Brandon’s next reply was especially interesting, however: he thinks the biggest disrupter will actually be quantum computing, which, given how immense its capabilities could eventually be, could be a disrupter far beyond even our current comprehension thereof, especially if it is used in tandem with AI. For example, Brandon believes that AI in tandem with quantum computing could (potentially) circumvent all cybersecurity. As such, an entirely new form of encryption would be required, which in itself could be hugely disruptive. He’s not sure when that technological leap will come down the line, “but it really will be a quantum leap”.

Any assumptions the reader might have that commercial arbitration is primarily technical and even somewhat ‘dry’ might need to be reconsidered in light of the insights provided by Brandon Malone. Like so many other fields of law, commercial arbitration is in what could be considered a ‘quiet state of flux’.

Technology will continue to be a major disrupter, and so evolutions in how commercial arbitrations are undertaken will no doubt need to evolve.
expert insights

Podcast: International Law Talk

During a series of podcasts we will bring you insightful analysis, commentary and discussion from thought leaders and experts on current topics in the field of International Arbitration, IP Law, International Tax Law, Competition Law and other international legal fields.
During a series of podcasts we will bring you insightful analysis, commentary and discussion from thought leaders and experts on current topics in the field of International Arbitration, IP Law, International Tax Law, Competition Law and other international legal fields.