Cybersecurity in Arbitration

Author: K. Harisaiprasad, CISA, APP, Associate Consultant, Mahindra SSG, India
Date Published: 29 December 2021

Arbitration is a process of resolving a dispute between two or more parties through one or more arbitrators to obtain a legally binding decision outside of court. The proceedings and awards remain confidential.

Through the COVID-19 pandemic, conducting business remotely has become the norm. Due to insufficient cyber hygiene practices, information is often compromised by cyberattacks. Security measures should be implemented to prevent leakage of information through the web, personal devices, storage, etc. Data may include sensitive personal information such as medical information, work-related emails, contracts, government-issued personal identification numbers, bank details, etc., and such information needs additional protection per various countries’ data protection regulations. Parties, arbitrators and administering institutions have to ensure the confidentiality of client information is maintained.

Most law firms and legal practitioners have implemented cybersecurity policies to reduce the chances of cyberattacks. The recently reported cyberattacks on law firms such as Mossack Fonseca, Cravath Swaine & Moore and Weil Gotshal & Manges have put law firm cybersecurity in the spotlight. In 2019, the International Council for Commercial Arbitration (ICCA), the New York City Bar Association (NYC Bar) and the International Institute for Conflict Prevention and Resolution (CPR) published the Protocol on Cybersecurity in International Arbitration, referred to as the “2020 Protocol.” This article not only discusses cybersecurity measures but also intends to increase awareness of cybersecurity in both domestic and international arbitrations.

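The 2020 Protocol is divided into 14 principles, commentary and schedules. Each principle is supported by high-level guidance that is accompanied by explanatory commentary. Principles 1-4 set out the scope and applicability of the protocol, Principle 5 sets out the standard of reasonableness, Principles 6-8 establish reasonable security measures, Principles 9-13 address procedural steps to address information security issues in an arbitration, and Principle 14 clarifies the protocol's standard of liability. Detailed guidance based on these principles is given in the schedules. The schedules in this protocol are baseline security measures (Schedule A), arbitration information security risk factors (Schedule B), sample arbitration information security measures (Schedule C), sample language (Schedule D), standards and resources (Schedule E) and a glossary (Schedule F).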

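Scope and Applicability
The scope includes preventing loss of confidentiality (unauthorized access), integrity (unauthorized change) and availability (making information available whenever it is needed). The scope applies to any information related to the arbitration proceedings. Baseline security measures shall be implemented as specified in Schedule A.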

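Before sharing arbitration-related information, arbitrators, parties or administering institutions need to ensure that information security measures are implemented as per applicable legal, contractual, regulatory and related requirements. All supporting personnel, including employees, lawyers, legal assistants, paralegals, trainees, administrative or other support staff, case management staff, tribunal secretaries, etc., including third parties, will be given information security awareness training so that they adopt information security measures while handling arbitration information. If there is conflict between legal regulations and information security measures, the former prevails.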

Applicable Standards
Standards recommend performing risk analysis to determine the risk profile of the arbitration. Risk analysis involves determining the risk level by identifying consequences, vulnerabilities, threats and the probability of threats occurring. Through this, high-risk and low-risk levels are determined by calculating the acceptable risk level. Controls are implemented in high-risk cases to avoid information security breaches. Baseline security measures are listed in Schedule A. There are eight categories given in the schedule, and they are explained below in the context of the arbitration process:

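  1. Knowledge and education: Keep abreast of security threats and solutions by subscribing to email alerts or newsletters and undertaking awareness training. Standards and government regulations shall be considered; Schedule E can be referred to for these.
  2. Asset management: This involves identifying, classifying and controlling assets as appropriate for arbitration.
  3. Access control: Access to arbitration information, including systems, devices, applications or services, should be limited to authorized users on a need-to-know basis. Users should be given a unique user ID and password with multifactor authentication.
  4. Encryption: Encryption is used to protect the confidentiality, integrity and availability of arbitration information. There are various types of encryption mechanisms, such as AES, DES, RSA, etc.
  5. Communications security: When arbitration information is transferred through emails, networks, memory cards, etc., communications security ensures that the information is secure. Using secure sharing services, secure networks, encrypted channels, password-protected access to video conferences, etc., are some examples.
  6. Physical and environmental security: Physical access to arbitration information should be controlled to prevent unauthorized access.
  7. Operational security: Integrity (unauthorized changes) issues arising in information processing facilities of arbitration information are prevented through operational security. Examples include vulnerability monitoring, system audits, routine backups, etc.
  8. Information security incident management: Information security breaches are referred to as incidents. Responding to incidents and providing notification of breaches to relevant authorities are part of incident management.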

The types of security measures to be considered may differ depending on the parties, tribunals and institutions involved.

Guidance for Establishing Reasonable Security Measures
Three-step guidance on how to establish reasonable security measures is provided in Schedule B. Risk factors related to what information security measures are reasonable in particular arbitration matters are covered in the first step. The second step identifies categories of information security measures that should be considered in each matter, and the final step highlights the aspects of the arbitration process to which information security measures may be applied. Reasonableness provides flexibility to accommodate changes in technologies and best practices. Arbitrators, parties and institutions should agree on the reasonable security measures during the initial procedural conference. Sample procedural language is provided in Schedule D, which may be used to raise issues of information security for consideration at the procedural conference, along with sample language that arbitration tribunals can use in procedural orders. The arbitration tribunal and, if necessary, administering institutions can be consulted for finalizing information security agreements between parties when there are disputes. Parties may select arbitrators who have knowledge of information security issues.

The information security agreements can be modified during the course of arbitration depending on the circumstances. Such modification should be done with the consultation of all parties and administering institutions. In the event of an information security breach, the arbitration tribunal is empowered to direct the parties to cover the costs or order sanctions, in accordance with applicable law.

Standard of Liability
The 2020 Protocol is intended to provide a framework for securing arbitration information that can be overridden to comply with legal obligations. This protocol does not establish any legal liability.