Legal Cybersecurity
One of the core advantages that drives parties to arbitrate is the promise of confidentiality. Unlike public court proceedings, arbitrations provide parties with a private forum through which to air and resolve their disputes. This advantage, however, is threatened by unwanted and unauthorized intrusions by cybercriminals, who are ubiquitous in the modern world and target the legal sector with particular vigilance. Cyberattacks against law firms have been on the rise for a number of years—unsurprising given the wealth of highly sensitive and valuable client information that law firms possess. It is a misconception that these attacks are randomly carried out by bored, tech-savvy teenagers looking for a buzz. They are often conducted by sophisticated, well-funded hackers looking for specific information about pending deals or disputes. Cybercriminals are actively targeting the legal sector to obtain nonpublic information about corporations in order to turn potentially significant profits on stock markets trades.
Notwithstanding this modern threat, most arbitration practitioners continue to rely upon unsecure platforms to store, serve, and file their documents, most notably unencrypted emails and commercially available cloud repositories.
But all is not lost, there is a practical solution. Protect your data with legal technology. The legal technology sector has developed protected and convenient platforms that empower parties, their counsel, and the arbitrators with the gift of security. These platforms not only allow users to store, serve, and file documents securely, but also to collaboratively draft documents from opposite ends of the world.
Confidentiality
Practitioners are well-versed in the benefits of arbitration over other avenues of dispute resolution. Since the inception of arbitration centuries ago, one key component remains unchanged in its significance—confidentiality. In his 1934 work, The Historical Background of Commercial Arbitration, Wolaver suggests that the origins of arbitration lay in the settlement of trade disputes by amicable private tribunals.
In the present day, confidentiality is, and is viewed as, a vital component to the process. A survey of U.S. and European users of international commercial arbitration conducted on behalf of the London Court of International Arbitration by the London Business School listed confidentiality as the most important benefit.
Particular care should be taken in the case of international arbitrations with parties, counsel, and arbitrators from different countries or continents triggering a spider web of data privacy laws. Fortunately cross-border regulation will require parties to take security measures to protect sensitive and personal information. Unfortunately, sometimes regulatory requirements along with attorney ethical obligations to ensure the confidentiality of client information isn’t enough, and security shortcomings create a perfect storm for practitioners and their clients alike.
Basic Email Is Not Secure
Email is one of the most popular forms of communication, as well as one of the most vulnerable to hacking via viruses, malware, trojans, keyloggers, man-in-the-middle, and man-in-the-browser attacks—along with the potential breach of devices, networks, and servers themselves.
To understand why email is not secure, one must remember that the historical design of the same fundamental email system that we use today was conceived without security in mind. When email was originated decades ago, internet usage was extremely limited and everything that was transferred was done openly and could be accessed and read by everyone “online”. Email should be thought of like a paper postcard—anyone can see what’s written on it if they put themselves in its path.
It’s also important to remember that every email resides in many locations at once. Before an email arrives on a recipient’s device(s), the email will travel through myriad intermediary networks, servers, routers, and switches which are often operated by different providers. Each of these locations is a separate vulnerability point to unauthorized intrusions. A hacker that infiltrates any of these locations can access and even alter the email’s content.
Despite the significant privacy and security advances since email’s initial creation, such as the use of passwords, encryption, and private wires between senders and receivers, security measures are too often improperly implemented and/or infrequently used.
Most Cloud Repositories Are Not Secure
An alternative method that many arbitrators, practitioners and counsel rely upon to store, transmit, serve, and “file” sensitive documents in an arbitration are commercially available “cloud” repositories (such Box, Dropbox, and similar platforms). But similar to email, these environments were not designed with security as the priority whichc as resulted in significant unauthorized intrusions, such as when 68 million Dropbox users had their information hacked.
Online storage environments that are commercially available present many vulnerabilities, but a few privacy concerns to consider are:
- many platforms claim ownership over all information that is uploaded, thus claiming the right to use and share such information for any disclosed purpose
- administrators and developers of such platforms have full access to the information shared
- security measures utilized by most platforms are not disclosed to users
- users are typically not allowed to perform encryption on their own information before uploading
- many providers utilize U.S.-based servers and are subject to U.S.-government eavesdropping programs (even if the users reside outside of the U.S.)
- most solutions do not have built-in password protection or encryption for individual documents
The Committee on Professional Ethics of the New York State Bar Association addressed the inherent problem of security in cloud environments when it issued Opinion 842, which concludes that a lawyer may only “use an online data storage system to store and back up client confidential information” if the lawyer first “takes reasonable care to ensure that confidentiality is maintained in a manner consistent with the lawyer’s obligations under rule 1.6” and “exercise[s] reasonable care to prevent others whose services are utilized by the lawyer from disclosing or using confidential information of a client.”
Legal Technology to the Rescue
Luckily for arbitrators, practitioners, and their clients, the gap between unsecure practices and the need for confidentiality is being fulfilled by the legal technology service providers.
Because such platforms are designed from the start with an emphasis on security, the features that ensure confidentiality are multifaceted and nearly impossible to circumvent. Security begins with multi-factor authentication to access the database in the first place (i.e., two sets of login criteria to obtain access). Thereafter, every file uploaded is encapsulated within an encryption shield to prevent the interception of data and the unauthorized extraction or distribution of content. Further, through the use of access controls within the platform (known as “Information Rights Management”), the party uploading a document can control how much access they give to his or her counterparties (or to the arbitrators themselves). For example, when filing particularly sensitive documents through the platform, the receiving parties’ access can be restricted to being able to view the contents through the platform while disabling the ability to edit, print, download or email the document to others. Even the ability to take a “screenshot” can be disabled.
Conclusion
In today’s digital age, attorneys, and their clients can never be too careful when handling sensitive information contained in electronic documents. For the arbitration community—and in particular the international arbitration community—this means taking advantage of the technological advances that ensure the ability to share and collaborate. Avoid any risk of your client’s confidence and the web of regulatory security requirements, and implement legal technology.
