19 Sep 2019
By the time this is published there will be just over one week before the 2019 CIArb Annual Mediation Symposium takes place in central London. This year’s event is as timely as ever and has the theme: “Mediation in Times of Crises”. Issues of crisis abound in the world from warring factions in the Middle East to the political issues in Brexit; mediation has a big role to play in bringing these crises to an end – the theme for this year’s event is therefore well-chosen.
As Baumann and Clayton of the Center for Security Studies at ETH Zurich found:
Mediation is the most common form of third-party conflict management, and a time-tested method for managing and resolving conflicts. Between 1946 and 2015, about half of all civil and inter-state conflicts involved a type of intervention labelled “mediation”….
Such conflict scenarios have many actors, not all of whom have interests which align. Some may even be malign. A typical example of what might go wrong occurred in the Permanent Court of Arbitration (PCA) in the case of The Republic of Philippines v. The People's Republic of China commonly called The South China Sea Arbitration which took place between January 2013 and July 2016. In those proceedings the PCA (qua Registry to the arbitration) provided a platform into which the arbitral proceedings were filed. That platform was hacked in July 2015 by inserting a malware infection onto the platform which reportedly emanated from somewhere in China. The author understands this arose as a result of a failure to update patches for the Adobe Acrobat PDF viewer program. A simple issue like security updates brought about a massive breach of the obligation of confidentiality. There have of course been similar instances of such cyber-security breaches affecting arbitrations and mediations since 2015.
The PCA breach affected an arbitration but in the cyber-security context there is no difference between arbitration and mediation. This is because both arbitration and mediation place the same obligation upon neutrals to ensure the absolute confidentiality of the proceedings. This obligation has recently been joined by more regulation affecting mediators under the Data Protection Act, 2018, the General Data Protection Regulation and similar regulatory regimes in many jurisdictions around the world.
Another relevant cyber-security breach took place in March 2016 but perpetrated by criminals rather than alleged agents of a State actor. These hackers are usually interested in commercial gain. A Russian hacker located in the Ukraine attacked forty-six large US law firms as targets in a phishing attack aimed at retrieving confidential information about clients to sell for the purposes of insider trading.
Law firms, which store confidential information about clients in bulk are just one example of the types of entities targeted by criminal actors who seek to make a profit from the sale of stolen data. Given ADR always involves the transmission of confidential information that others might use for profit, parties and neutrals in ADR proceedings should be particularly alert to the threat of criminal and/or political attack.
There is always a risk of such attacks in ADR. When mediating a crisis that risk is very high because of the profile of the mediation to which hackers will be attracted for any of a number of nefarious reasons.
CIArb has, rightly, recognised the rising importance of the electronic means for conducting ADR in the modern era of technology and ADR by including reference to the conduct of both mediations and arbitrations by electronic means in its 2018 Cost-Controlled Expedited Arbitration Rules and its 2018 Mediation Rules.
A good example may be seen in paragraph 13 of the second appendix to the CIArb Arbitration Rules of 1 December 2015:
Matters for potential consideration by the parties and the arbitral tribunal at the case management conference
The use of electronic means of communication in submissions to the arbitral tribunal and any other communication among the parties and the arbitral tribunal.
Best practice in the world of ADR world is always developing and reflects the way society evolves. Any revision of these rules should, perhaps, include a provision obliging neutrals to consider requiring a secure Platform for the case-management of proceedings. CIArb could further support their neutrals in this respect with training in cyber-security essentials.
In times of crises mediation has never been more needed. In such situations mediation has never been more exposed to the risk of a cyber-security attack which seeks to discredit the integrity of the mediation process by those less than fully supportive of efforts at resolution.
TONY N GUISE
Tony is the Director of DisputesEfiling.com Limited the provider of online ADR platforms and a Past President of the London Solicitors Litigation Association