Shielding Sensitive Information in Arbitration: Strategies for Ensuring Cyber Security and Confidentiality
Deepesh Tapariya and Tarang Arora
Maharashtra National Law University, Nagpur
Introduction:
When I was young my teachers were the old.
I gave up fire for form till I was cold.
I suffered like a metal being cast.
I went to school to age to learn the past.
Now when I am old my teachers are the young.
What cannot be moulded must be cracked and sprung.
I strain at lessons fit to start a suture.
I go to school to youth to learn the future.
— Robert Frost (1874-1963)
In order to fully understand the present, its issues, and concerns, let alone the future, it is essential to go back to the roots as well. If we trace the origins of arbitration, we can plainly see that it has developed from a conventional, in-person method to a more efficient and accessible form of conflict resolution through online arbitration[1]. The introduction and subsequent acceptance of information technology has prompted a shift in traditional arbitration practices, which can sometimes jeopardise the secrecy of the proceedings.
Online arbitration, also known as Online Dispute Resolution, uses digital communication technologies and cloud-based platforms to give a simple, cost-effective, and flexible approach to resolving disputes in today’s digital era[2]. However, online arbitration is still in its infancy, and as a result, the legislation has not given this topic enough thought, so that even after the high-level committee’s recommendation, there are still gaps that lead to cyber security risks and breaches of confidentiality, as discussed in section 42A of The Arbitration and Conciliation Act, 1996. The topic of confidentiality in arbitration has long been the focus of several discussions and arguments. The main issue is whether online arbitral procedures can uphold the system’s secrecy principle. In the first part of this article, the authors discuss this breach of confidentiality through the lens of the Hon’ble courts and the precedents they have laid down in a plethora of cases. Concerning the extent and legality of the secrecy agreement, there are still lingering doubts[3]. This makes things worse and presents unique complications, which the authors discuss below along with solutions, including how Artificial Intelligence and Blockchain technology can be the torchbearer[4]. At the end, the authors provide a conclusion summing up how the advancement in technology affects confidentiality and cyber security.
Status Quo on Confidentiality in Arbitration Proceedings
Section 75 of the Arbitration Act of 1996 mandates that the arbitral processes and the awards be kept private. The same has also been supported by the prestigious courts in a plethora of cases. The Hon’ble Bombay High Court ruled in HSBC PI Holdings (Mauritius) Ltd. v. Avitel Post Studioz Ltd.[5] that maintaining confidentiality is the “hallmark” of arbitration and should always be upheld. But to our dismay, India currently lacks data protection regulations, let alone one that is specifically tailored for arbitration, despite having a provision on secrecy and many cases. Legislative difficulties are at the forefront, notwithstanding the Arbitration Act’s support for the principles of party autonomy and secrecy, not only at the national level but also at the global level. Confidentiality laws relating to arbitration processes have been codified in jurisdictions all over the world. For instance, Section 2D of the Hong Kong Arbitration Ordinance (HKAO) gives litigants in that city the legal right to ask a court to conduct hearings on arbitration-related matters in a private setting.[6] A party may also limit the publishing of court rulings pertaining to arbitration procedures under Section 2E of the HKAO[7]. Similarly, Sections 2D and 2E of the HKAO are fundamentally the same as Sections 22 and 23 of the Singapore International Arbitration Act (IAA)[8].
Notwithstanding the fact that a change to the Act that added sections 42A and 43K was made based on the recommendations of the High-Level Committee appointed by retired Supreme Court Judge B.N. Krishna in 2017, it has not yet been announced.
Quandary: Confidentiality
The non-obstante provision in Section 42A of the modified Act states that everyone involved in the processes, barring the award, must retain secrecy until publication of the information is required for the enforcement and execution of the judgement. As for the duties of any party wishing to provide any type of sensitive data from arbitration to a court, this article likewise offers room for misunderstanding. The involvement of third parties in the arbitration procedures, who could rely on the private information from the arbitration proceedings, is another crucial factor that must be taken into consideration in this case. In the case of Mahanagar Telephone Nigam Ltd. v. Canara Bank[9], the Delhi High Court allowed third parties to establish their level of involvement and claim their reference in the arbitration proceedings. This merely indicates that such reference proceedings may necessitate disclosing private information from arbitration proceedings. The same has been pondered by the Hon’ble Supreme Court in Jaideep Khanna v. Abhishek Nevatia.
Another issue that the authors believe still needs to be addressed is that, following the amendment act in 2019, ODR has become popular, but there are no laws in place to combat it. Apart from the arbitration act, there is a difficulty with the PDP (personal data protection) bill as well. It mentions data fiduciaries, but it is unclear whether an arbitrator or an arbitral institution is a data fiduciary.
Cybersecurity Threats and their potential consequences
Cybersecurity is one of the most important aspects of online arbitration. The use of digital platforms for arbitration introduces potential vulnerabilities that fraudsters might exploit, leading to security breaches and data theft. These are the threats any arbitration proceeding might face. Some of the prominent types of cybercrime are discussed below:
- Malware attacks employ harmful software to gain unauthorised access to or harm computer systems. Malware may be used in online arbitration to install spyware, ransomware, or other malicious software on the computers of the parties or arbitrators. Example: In July 2015[10], the Permanent Court of Arbitration in The Hague held a hearing on the dispute between the Philippines and China over territory in the South China Sea. On the third day of the hearing, the Court’s website went down suddenly, which turned out to be the result of a cyberattack launched from China in which the hackers had injected malware into the site, exposing everyone who visited it to data theft[11].
- Phishing is the fraudulent use of emails or websites to obtain personal information such as usernames, passwords, or credit card numbers. In the context of online arbitration, a phishing assault might be used to steal login credentials or other sensitive information from the parties or the arbiter.
- A distributed denial of service (DDoS) attack uses several computers to overwhelm a network or server with traffic, rendering it unreachable to normal users. A denial-of-service attack might be used to disrupt online arbitration sessions or restrict access to the online case management system[12].
All of these cybersecurity issues may have repercussions ranging from a lack of privacy to the theft of trade secrets to the loss of sensitive data, which may harm the firm’s image and, more crucially, can jeopardise the integrity or belief in arbitration as a dispute resolution method in general[13].
Cybersecurity Risks in Online Arbitration: How to Avoid Them
As we all know, due to technological advancements, arbitration procedures face challenges related to confidentiality and privacy; nevertheless, we may use the same technology to preserve confidentiality and prevent data breaches by utilising blockchains and artificial intelligence.
Blockchain
Blockchain technology has the potential to be an excellent solution for dealing with cybersecurity threats in online arbitration. Using various blockchain-based tools and capabilities, parties may ensure that the arbitration process is secure, transparent, and resistant to cyber-attacks. One of the key advantages of using blockchain in online arbitration is the ability to build decentralised platforms. Because these platforms are not centralised and have no single point of failure, cyber attackers find them more difficult to exploit[14]. Another solution afforded by blockchain technology is the development of immutable records. Blockchain allows for the creation of irreversible records, ensuring that all data essential to the arbitration process, such as evidence and findings, is secure and cannot be altered by cyber attackers. Authentication and access control are two more areas where blockchain might be used to mitigate cyber threats[15]. Parties may be required to use their private keys to access the online arbitration platform, ensuring that only authorised users have access to the site. This increases security and reduces the possibility of unauthorised access and data breaches, ultimately endorsing confidentiality, and the same has been cited by the NITI Aayog paper titled “Blockchain: The India Strategy”[16].
Example:
Kleros is a blockchain-based arbitration tool. It employs blockchain technology to develop a decentralised arbitration system capable of resolving disputes in a variety of businesses such as e-commerce, insurance, and real estate. The platform automates the arbitration process via smart contracts, and rulings are determined by a panel of jurors who are encouraged to make fair and unbiased conclusions[17].
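The immutable-records idea described above can be illustrated with a hash-chained register of filings. This is an added example, not code from the article, Kleros or any arbitration platform; the field names, the sample filings and the choice to store only document digests (so the filings themselves stay off the register) are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed placeholder "previous hash" for the first entry

def entry_hash(prev_hash, seq, filed_by, doc_digest):
    """Hash one entry's fields together with the previous entry's hash."""
    payload = json.dumps(
        {"prev": prev_hash, "seq": seq, "filed_by": filed_by, "doc": doc_digest},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hashlib.sha256(payload).hexdigest()

def append_entry(chain, filed_by, document):
    """Register the SHA-256 digest of a filing; the document is not stored."""
    prev = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain)
    doc_digest = hashlib.sha256(document).hexdigest()
    entry = {"seq": seq, "filed_by": filed_by, "doc": doc_digest, "prev": prev,
             "hash": entry_hash(prev, seq, filed_by, doc_digest)}
    chain.append(entry)
    return entry

def verify_chain(chain):
    """Return the index of the first inconsistent entry, or None if intact."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["seq"] != i or e["prev"] != prev:
            return i
        if e["hash"] != entry_hash(e["prev"], e["seq"], e["filed_by"], e["doc"]):
            return i
        prev = e["hash"]
    return None

def matches_register(chain, seq, document):
    """Check that a document produced later is the one that was registered."""
    return chain[seq]["doc"] == hashlib.sha256(document).hexdigest()

def build_sample_register():
    """Constructed sample filings, for illustration only."""
    chain = []
    append_entry(chain, "claimant", b"Statement of claim v1")
    append_entry(chain, "respondent", b"Statement of defence v1")
    append_entry(chain, "tribunal", b"Procedural order no. 1")
    return chain
```

A chain held by a single party can be rewritten from the altered entry onward, so the tamper evidence depends on each party (or a shared ledger) independently holding the latest hash. The register proves integrity only; confidentiality of the filings still rests on encryption and access control.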
Artificial Intelligence:
Artificial intelligence (AI) might be used to control these risks efficiently as AI has the ability to detect and prevent cyber risks, as well as strengthen security measures and safeguard the integrity of the arbitral process. One way AI might help reduce cyber risks is through real-time threat identification. AI algorithms can continuously monitor the online arbitration platform, analysing data trends and identifying anomalies that may indicate a cyber-attack. Another way AI might help avoid cyber threats is through automated attack response. When a cyber-attack is detected, AI can automatically respond by shutting down compromised accounts, preventing unauthorised access, and notifying the appropriate parties to take action[18].
Moreover, AI may be used to improve authentication and verification, making illegal access more difficult for cyber attackers. This can include implementing biometric authentication, such as fingerprint or face recognition, to ensure that only authorised users have access to the online arbitration platform.
Example:
Privacera is a cloud-based data governance and security platform that leverages AI and machine learning to identify and prevent data breaches while also protecting data privacy. The programme leverages AI algorithms to detect potential security vulnerabilities and classify sensitive data based on its sensitivity and worth[19].
Apart from that, parties should ensure that the arbitrator chosen has significant expertise in data secrecy, and the use of VPNs, firewalls, and dual encryption should be encouraged while transmitting data. Also, parties should define cyber security specific conventions ahead of time so that if a scenario like this arises, it can be addressed much more easily[20].
Conclusion:
Maintaining confidentiality in online arbitration proceedings is critical for the process’s integrity and the parties’ protection, and it is one of the primary reasons why parties select arbitration. However, with the advancement in technology and introduction of Online Dispute Resolution (ODR), cybercrime such as hacking and data breaches occur, posing a significant threat to the confidentiality of online arbitration proceedings and resulting in a violation of the right to privacy under Article 21 of the Indian Constitution. As a result, it is correct to say that the same technology can both help and hinder confidentiality, and it is critical to strike a balance between using technology to improve the arbitration process and defending against cyber threats, because ODR is still in its infancy, and if this trend continues, it will discourage people from choosing India as a seat for arbitration[21]. Furthermore, strong safeguards must be put in place to protect online arbitration confidentiality and prevent cybercrime from jeopardising the process’s impartiality and legality, which can be accomplished through the use of blockchain, artificial intelligence, and some of the fundamental protective measures.[22]
Reference:
[1] Harpreet Kaur, ‘The 1996 Arbitration and Conciliation Act: A Step Toward Improving Arbitration in India’ (2010) 6 Hastings Bus LJ 261
[2] Jory Canfield, ‘Growing Pains and Coming-of-Age: The State of International Arbitration in India’ (2014) 14 Pepp Disp Resol LJ 335
[3] Ananya Bajpai & Shambhavi Kala, ‘Data Protection, Cybersecurity and International Arbitration: Can They Reconcile?’ (2020) 8 Indian J Arb L 1
[4] Aashit Shah, ‘Using ADR to Resolve Online Disputes’ (2004) 10 Rich JL & Tech 1
[5] HSBC PI Holdings (Mauritius) Limited vs. Avitel Post Studioz Limited and Ors. (22.01.2014 – BOMHC) : MANU/MH/0050/2014
[6] Paul D. Carrington, ‘Virtual Arbitration’ (2000) 15 Ohio St J on Disp Resol 669
[7] Amy J. Schmitz, ‘Arbitration in the Age of COVID: Examining Arbitration’s Move Online’ (2021) 22 Cardozo J Conflict Resol 245
[8] Dory Reiling, ‘Beyond Court Digitalization with Online Dispute Resolution’ (2017) 8 IJCA 2
[9] Mahanagar Telephone Nigam Limited vs. Canara Bank And Ors (03.08.2022 – DEOR) : MANU/DEOR/87818/2022
[10] Amy J. Schmitz, ‘Arbitration in the Age of COVID: Examining Arbitration’s Move Online’ (2021) 22 Cardozo J Conflict Resol 245
[11] Alek Felstiner, ‘Grappling with Online Work: Lessons from Cyberlaw’ (2011) 56 St Louis U LJ 209
[12] Jeff Aresty, Daniel Rainey & Robin Page West, ‘Expand Your Practice with Online Dispute Resolution Technology’ (2015) 32 GPSolo 22
[13] Stephen E. Friedman, ‘Trusting Courts with Arbitration Provisions’ (2018) 68 Case W Res L Rev 821
[14] Federico Ast & Bruno Deffains, ‘When Online Dispute Resolution Meets Blockchain: The Birth of Decentralized Justice’ (2021) 4 Stan J Blockchain L & Pol’y 1
[15] Orna Rabinovich-Einy & Ethan Katsh, ‘Blockchain and the Inevitability of Disputes: The Role for Online Dispute Resolution’ (2019) 2019 J Disp Resol 47
[16] Armaan Patkar, ‘Indian Arbitration Law: Legislating for Utopia’ (2016) 4 Indian J Arb L 28
[17] Tom W. Bell, ‘Copyrights, Privacy, and the Blockchain’ (2016) 42 Ohio NU L Rev 439
[18] Jim Pastore, ‘Practical Approaches to Cybersecurity in Arbitration’ (2017) 40 Fordham Int’l LJ 1023
[19] Upasana Borah, ‘Online Dispute Resolution: Risk or Solution towards Indian Legal System’ (2021) 4 Int’l JL Mgmt & Human 1184
[20] F. Cassim, ‘Formulating Specialised Legislation to Address the Growing Spectre of Cybercrime: A Comparative Study’ (2009) 12 Potchefstroom Elec LJ 35
[21] Paridhi Swami & Shruti Mandhotra, ‘The Conundrum of Data Confidentiality in Arbitration’ (2021) 1 Nyaayshastra L Rev A
[22] Tejas Karia, Ila Kapoor & Ananya Aggarwal, ‘Post Amendments: What Plagues Arbitration in India’ (2016) 5 Indian J Arb L 230
Disclaimer: The Opinions expressed in this article are that of the author(s). The facts and opinions expressed here do not reflect the views of IBC Laws (http://www.ibclaw.in). The entire contents of this document have been prepared on the basis of the information existing at the time of the preparation. The author(s) and IBC Laws (http://www.ibclaw.in) do not take responsibility of the same. Postings on this blog are for informational purposes only. Nothing herein shall be deemed or construed to constitute legal or investment advice. Discussions on, or arising out of this, blog between contributors and other persons shall not create any attorney-client relationship.