The Legal Journal On Technology

THE CURIOUS CASE OF DATA BREACH IN PERMANENT COURT OF ARBITRATION

This article is written by Musa Saidu, a second-year law student at Ahmadu Bello University, Zaria, Nigeria.



More than 36 billion records were exposed as a result of data breaches in the year 2020,[i] and this figure still does not account for the actual numbers, owing to the reluctance of victim organizations to report data breaches unless required to do so.[ii] Economically, cybercrime is projected to cause damages adding up to $6 trillion globally in 2021[iii] and is expected to hit $10.5 trillion by 2025, growing annually by 15% from 2015, when it was only $3 trillion. Despite this staggering increase in data breaches, only 5% of companies’ folders are properly protected,[iv] and as a result, 95% of folders containing trillions of personal, business and security data are vulnerable to all forms of cyberattacks.


The website of the Permanent Court of Arbitration was hacked in July 2015, during a serious maritime boundary dispute between China and the Philippines,[v] also known as the South China Sea Arbitration Case, which was instituted under Annex VII of the United Nations Convention on the Law of the Sea (UNCLOS). Malware was implanted on the site, leaving the computers of the parties, lawyers, diplomats, and any other person who visited the website vulnerable to data theft. The nature of the attack was disclosed by Rich Barger, the CIO at ThreatConnect. According to him, the hackers used a “watering hole” trap on the website,[vi] a form of cyberattack in which malware is implanted on a particular website and compromises the computers of users who visit it, thereby making them vulnerable to data breach.


The Permanent Court of Arbitration is a global institution established in 1899 to resolve disputes between countries through arbitration. Today, the PCA resolves disputes not just between states but also those involving private parties, NGOs and combinations of them, on matters relating to territorial sovereignty, human rights, international commercial arbitration, interpretation of treaties, etc. The Permanent Court of Arbitration is the first global mechanism for the settlement of inter-state disputes.[vii]


Arbitration, in essence, is a dispute resolution mechanism in which disputing parties mutually agree to appoint one or more arbitrators who then make a binding decision on the matter. In arbitration, the parties avoid litigation in court for the sake of swiftness and the privacy of their affairs.

One of the primary aspects of arbitration is confidentiality and privacy throughout the entire process, from the time it is instituted to the final ruling (award). Article 9 of the Rules of Ethics for International Arbitrators (1987)[viii] provides that the option of whether to make the process open or confidential is left to the volition of the parties. Therefore, by default, an arbitrator and all other people involved, ranging from lawyers, support staff and diplomats to expert witnesses, are expected to ensure total confidentiality of the process unless the parties themselves declare otherwise.


Of course, not all arbitral cases involve the need to disclose top-secret information as evidence or as an item that would support a party’s claim. As such, a leak of information from them may not be as lethal as when the arbitration concerns the security of a nation, economic plans or policies that have the potential to change the world market, or matters relating to a territorial dispute, which is the issue of contention in the South China Sea Arbitration Case.


Although no concrete evidence was produced, there are many reports indicating that the hack originated from China. ThreatConnect suspected that the hacking was consistent with the way hackers with ties to the Chinese military operate.[ix] This, coupled with China’s attitude towards the process in the first place,[x] justifies the allegation. What could China possibly get by hacking into the systems of the people associated with the arbitration?[xi] By breaching the devices of those concerned with the case, they would be able to obtain crucial information about their reaction, for instance, that nation’s next moves regarding the disputed islands if the decision favors the Philippines.[xii]

The practice of malicious intrusion into another country’s data during arbitration is devastating, undermines the very essence of the arbitral institution, and indicates a lack of good faith and a neglect of the duty to protect the confidentiality of the process on the part of the intruding party.


THE DUTY OF CONFIDENTIALITY IN ARBITRATION

It is understood that cybersecurity is not the sole responsibility of the arbitrator but a shared responsibility. All people involved in the process, especially those who possess or have accessed sensitive information, bear this responsibility, because the security of data related to any arbitration matter depends in practice on the vigilance of the individuals holding such data, and a breach of one person’s device could affect them all. Anyone could be the Achilles’ heel of the data. Because of this, arbitrators are encouraged to equip themselves with security measures such as setting up a firewall to monitor network traffic, reducing the transfer of data, ensuring that devices are properly encrypted, and preparing a breach response to reduce the damage done. This is especially important as over 77% of organizations are yet to have a response plan for when they are breached,[xiii] and it takes nearly six months for even the major companies to detect a data breach,[xiv] by which time a lot of their data has been compromised.


AVAILABLE SAFEGUARDS

Various measures exist to prevent data leakage in the paradigm where hearings turn virtual. The use of a platform with an automatically generated meeting ID, IP to IP encryption and password-protected hearing rooms is one of the prime examples. These measures, along with additional guidelines, can be found in soft law such as the Seoul Protocol,[xv] the AAA Note[xvi] and ICCA Report no. 6.[xvii] Hence, in light of the fact that there are sufficient techniques to prevent data leakage and to ensure effective witness and expert examination, virtual hearings can be conducted without curtailing the parties’ right to be heard. Thus, as both the parties’ right to equality and their right to be heard will be upheld in a virtual hearing, there will be no vitiation of due process requirements.


CONCLUSION

It is an unfortunate yet undeniable reality that cybercrime has found its way into legal practice and, more so, into the institution of arbitration. It is believed that the parties to an arbitration enter into it in good faith and agree to be bound by the decision of the tribunal. Any conduct by either party that negates established rules of conduct should be punished; sadly, the legal effect of a data breach tends to be uncertain and complex because of the differences between the countries and the data security laws to which the parties are subject. Anyone could be a victim of cybercrime, and as such, those involved should implement the necessary security measures to ensure a reliable, veracious and uncompromised arbitral institution in which the public can have confidence. Therefore, the need is for the stakeholders to identify the loopholes and work a way around them. Given that, primarily, arbitration is a creature of consent and, secondly, that there are available measures, the parties should actively consent to include certain necessary measures.



[i] Risk Based Security, 2020 Q3 Report Data Breach QuickView, 10 (2020), https://pages.riskbasedsecurity.com/hubfs/reports/2020/2020%20Q3%20Data%20Breach%20QuickView%20Report.pdf.
[ii] Id.
[iii] Steve Morgan, Cyberwarfare in The C-Suite, 1 (2021), https://1c7fab3im83f5gqiow2qqs2k-wpengine.netdna-ssl.com/wp-content/uploads/2021/01/Cyberwarfare-2021-Report.pdf.
[iv] Varonis, Data Gets Personal: 2019 Global Data Risk Report from the Varonis Data Lab, 17 (2019), https://www.varonis.com/2019-data-risk-report/.
[v] Philippines v. China (PCA case number 2013 – 19).
[vi] Luke Eric Peterson, Permanent Court of Arbitration Website Goes Offline, with Cybersecurity Firm Contending That Security Flaw was Exploited in Concert with China-Philippines Arbitration, IAREPORTER (Apr. 21, 2021, 12:07 PM), https://www.iareporter.con/articles/permanent-court-of-arbitration-goes-offline-with-cyber-security-firm-contending-that-security-flaw-was-exploited-in-lead-up-to-china-philippines-arbitration/#ixzz3gjZFys4p.
[vii] Directorate General of Legal Affairs, The Permanent Court of Arbitration Background Information, 6 (2007).
[viii] Which provides that “deliberations of the arbitral tribunal, and the contents of the award itself, remain confidential in perpetuity unless the parties release the arbitrators from this obligation.”
[ix] Luke, supra note 6.
[x] In its position paper regarding the matter released by China’s Foreign Ministry on December 7, 2015, China argued that the tribunal does not have jurisdiction to decide on the matter and that it is beyond the purview of the UNCLOS to decide the issue of territorial sovereignty. Finally, China made it clear that it would not accept the decision of the tribunal no matter what.
[xi] Assuming that it was China who actually hacked the PCA’s website.
[xii] Jason Healey & Anni Piiparinen, Did China Just Hack the International Court Adjudicating Its South China Sea Territorial Claims?, THE DIPLOMAT (Apr. 22, 2021, 9:36 AM), https://thediplomat.com/2015/10/did-china-just-hack-the-international-court-adjudicating-its-south-china-sea-territorial-claims/.
[xiii] Devon Milkovich, 15 Alarming Cyber Security Facts and Stats, CYBINT (Apr. 22, 2021, 11:49 AM), https://www.cybintsolutions.com/cyber-security-facts-stats/.
[xiv] Id.
[xv] Seoul Protocol on Video Conferencing in International Arbitration, http://www.kcabinternational.or.kr/user/Board/comm_notice_view.do?BBS_NO=548&BD_NO=169&CURRENT_MENU_CODE=MENU0025&TOP_MENU_CODE=MENU0024.
[xvi] AAA-ICDR Virtual Hearing Guide for Arbitrators and Parties, https://go.adr.org/rs/294SFS516/images/AAA268_AAA%20Virtual%20Hearing%20Guide%20for%20Arbitrators%20and%20Parties.pdf.
[xvii] ICCA-NYC Bar-CPR Protocol on Cybersecurity in International Arbitration (2020).
