Legal tech, digital evidence, hacked evidence… these all are trending buzz words in a field that lawyers appear to conquer these days. At the same time, lawyers must be aware of the new risks associated with that innovation. Whatever is digital, can eventually be hacked. Possibly, the client will ask: so, what’s your suggestion?
Legal tech, digital evidence, hacked evidence… these all are trending buzz words in a field that lawyers appear to conquer these days. Of course, it is necessary that lawyers familiarise themselves with whatever innovation is waiting around the corner. After all, they need to adapt to their client’s needs and innovation is for sure one of them. At the same time, lawyers must be aware of the new risks associated with that innovation. Whatever is digital, can eventually be hacked. Possibly, the client will ask: so, what’s your suggestions? Indeed, that broad question cannot be answered in a single blog entry. However, it can refer to some important sources to deepen technical literacy – which is no luxury any longer but becoming a basic skill for today’s lawyers.
This blog is essentially about the issue of hacked evidence, its legal implications and potential remedies. Recently, the case of J&F Investimentos and CA Investment which was reported on GAR illustrates the legal difficulties that are inherent to the potential hacking of technical devices. In its award, the arbitral tribunal ordered J&F to sell 50 % of its shares to CA. Later, the Brazilian police discovered a cyber-attack that had been orchestrated by CA, and in which it had accessed around 70,000 emails from the members of the arbitral tribunal, from counsel of J&F and from some key witnesses. The hack had been accomplished by means of a virus that had created copies of all incoming and outgoing emails of a specific list of email addresses. J&F claimed that CA had violated the fundamental principle of a fair process as CA had had unfettered access to privileged communications of J&F – so, that there was no equality of arms. As a consequence, J&F challenged the entire tribunal explaining that the arbitrators could no longer be impartial as they could not unread what they had read. Currently, this challenge request is pending with the ICC Court whose decision is eagerly awaited – how will the ICC maintain the integrity of the arbitral process? How will this decision be a possible guideline for other arbitral institutions?
The potential challenge of a tribunal is not the only legal issue that may arise when hacking is involved in arbitration proceedings. How should a tribunal deal with the admissibility of hacked evidence? First, “illegality” implies that data which is subject to specific protection such as personal data or privileged information was intentionally accessed in some way. Second, “hacking” means that this access was performed through means of technology. So, essentially, the formula should be as follows: hacking = evidence obtained illegally through means of technology. So, what should arbitrators do with this?
Trying to give a little structure to this issue, let’s go through a quick analysis of the typical legal frameworks known in arbitration. The first level is the parties’ agreement in their dispute resolution clause. It is not quite realistic that parties will have addressed a potential cyber-attack including the respective remedies already when concluding their contract. On a second level, arbitration rules could provide some guidance on this issue. However, many arbitral institutions and rulemakers are already reluctant in dealing with the topic of digital evidence in general, as can be seen from the ICC Rules, the UNCITRAL Rules or the LCIA Rules. On the other hand, the DIS Rules in article 28.2 or the IBA Guidelines on the Taking of Evidence in article 3.3 do indeed provide some guidance on how to deal with digital evidence. But again, there is no guidance on how to deal with cyber-attacks or hacks. On a third level, national case law could shed some light on this enigma. In many jurisdictions, evidence obtained illegally is not admissible in front of state courts. In Austria, the situation is slightly different. There has been settled case law since 2001 clarifying that illegal tape recordings are indeed admissible as long as a balancing of interests of the parties has been performed. Getting more specific, one party has the right of the protection on the spoken word (“das Recht am gesprochenen Wort”). But the other party has an interest to present its case properly and might have no other means at its disposal to manage this in an adequate way. This assessment is done on a case-by-case basis of course. Also, in context with the GDPR, the use of illegally obtained evidence generally may lead to significant fines.
In arbitration, however, there is no such restriction or pre-condition of performing a balancing of interests when illegally obtained evidence is involved. Instead, there is a broad discretion of tribunals which has taken different shapes in case law to date. In various investment arbitration cases such as Conoco Philips v Venezuela (ICSID case no ARB/07/30) or Caratube International v Kazakhstan (ICSID case no ARB/13/13), the arbitral tribunals had to deal with large scale data breaches where privileged data appeared on WikiLeaks eventually. In all these cases, tribunals took vastly different stances. Some tribunals were of the opinion that these documents were admissible in general. Other tribunals came to the conclusion that such data is only admissible as long as there is no illegality to it, i.e., that the data was not hacked. But most of the times the tribunals preferred focusing on the relevance and materiality of the evidence before moving on to the more delicate decision on admissibility. On an overall level, the problem of hacked evidence is not new – it only becomes more frequent and consequently, more fragmented without any consistent guidance so far.
Indeed, the legal implications are complex and obscure when damage is already done. Consequently, prevention by mitigating the risk of a cyber-attack is key. At the moment, the most important document on this issue is ICCA-CPR-New York Bar Protocol on Cybersecurity from 2020. It focusses on the implementation of cyber security measures for arbitral processes and gives guidance on how arbitral tribunals and the parties can ensure that the arbitration is safe. The scope of protection according to the protocol is the storage, transmission and access of data. As laid down in principle 3 of the Protocol on Cybersecurity, cooperation of everybody involved is required since every participating person (or device, such as laptops) takes part in establishing sufficient security – there is a very fitting saying: “A chain is as strong as its weakest link”. Everybody must work together to prevent data breaches. As a main principle, the protocol foresees measures that are reasonable and provides different degrees of possible security measures, depending on different factors of the specific case, such as the type of industry, amount in dispute and complexity of the case. The protocol also provides for security practices that are already adjusted to the different risk profiles of arbitration proceedings. To summarise, the Protocol on Cybersecurity is a very useful tool for complex and delicate cases. Given the lack of guidance on cyber security measures in arbitration agreements or arbitration rules, it will most probably be counsel turning into the main player in implementing a safe and sound cyber surrounding by requesting the tribunals to take the Protocol on Cybersecurity into consideration.
In the end, what is left of those fancy buzz words when lawyers and their clients are faced with a real threat? Well, the time has definitely come to truly understand their relevance and give practical meaning to them – and as lawyers, we can take the first step into a new digital reality in international arbitration.