The Intersection of Cybersecurity and Data Protection in ADR


Interestingly, this post was scheduled to be shared on Facebook on 10/4/21. As you may be aware, Facebook suffered a breach that caused an hours-long interruption in service, resulting in a significant loss of revenue for Facebook and those who rely on Facebook to generate revenue. This is a wake-up call. What became evident is that neither the size of an organization nor its purported technical prowess guarantees 100% uptime or absolute protection against cyber attacks. And while most can accept that technical challenges are a part of our interconnected world despite the execution of company-wide data protection and cybersecurity policies, what was also evident is that many businesses and organizations do not have a Plan B.


Data protection is paramount given the increasing use of virtual mediation and arbitration using the internet and mobile devices. Consequently, ADR firms and ADR participants should understand the differences between Cybersecurity & Data Protection and their respective obligations regarding how data will be protected when transmitted, stored, managed, and accessed. Additionally, given the various networks involved in the online dispute resolution process, security measures must also be in place to ensure that data is not lost or stolen.

For ADR firms, fundamentally, once data has been created, they must take steps to make primary storage and backup storage arrangements; choose the types of storage to use and the appropriate storage infrastructure; address access management and the associated access controls; and establish data security measures to protect data. For participants, knowing what kind of data will be submitted by the parties and how they will submit data allows all parties to discuss how it will be protected during transmission and while stored.

When doing business at the intersection of cybersecurity and data protection, four types of measures can be used in conjunction with one another: prevention, detection, response, and recovery. 


The most effective type of security is the one that is most difficult to breach. Ensuring security, in this case, means implementing measures that prevent unauthorized access, such as firewalls, encryption, and authentication controls. All parties to a case must be educated on protecting themselves against viruses and other malware that could potentially harm their computers. Organizations should have a full cybersecurity policy in place, which includes a clear outline of the organization’s security objectives.


The second measure is detection. Detection is nothing more than knowing that something has happened, whether or not you know what it is. It involves detecting unauthorized activity, hacking attempts or virus infections, and having a plan triggered by the knowledge. 


The third measure is response. Once the problem has been detected and brought to someone’s attention (either automatically or manually), either ADR firms or participants need to be able to respond accordingly. For example, if the security policy dictates that all systems shut down in the event of an attack, then systems must shut down immediately, resuming normal business operations once the threat has been neutralized.


The fourth stage is recovery, which is putting things back together after they have been taken apart by the attackers or by system failures. Recovery includes many steps beyond simply removing viruses from infected computer systems. It also involves restoring lost data from backups and re-establishing any connections to hosts on internal or external networks.


Good cybersecurity and data protection plans will include prevention and detection methods, confirmation that all parties know how their data is managed and protected and what their responsibilities are for ensuring their information is secure, followed by a well-defined response process in the event of a breach or loss. As Virtual ADR becomes the venue of choice for mediations and arbitrations, cybersecurity and data protection measures implemented by ADR providers will mitigate risks and protect participants.

Even with the best data protection and cybersecurity plans in place, something can go wrong. For example, an employee might accidentally email sensitive information to the wrong person, or a hacker could steal your user account credentials. In addition, a server could crash, taking all your data with it, or you might be hit by a natural disaster or ransomware attack.


Plan B is a contingency plan that has been pre-determined by the company to ensure that the organization can continue to provide services and support during an outage. The plan will include all of the steps needed to recover the systems, applications, databases, and other elements of the IT infrastructure.

Whether written or informal, organizations should rehearse Plan B periodically to ensure that all stakeholders are familiar with their roles when something unexpected happens. This ensures smooth operation when disaster strikes and allows for more timely notification of critical decision-makers. It’s also crucial to note that Plan B is not just an IT issue. ADR case participants, business partners, vendors, and clients may also be subject to similar consequences because of your shared reliance on technology. The faster you communicate with them about how you’re responding and what they need to do in response, the better off everyone will be.

Plan A has rightfully secured its place as a normal part of ADR organizations’ business practices. In light of the recent blackout, Plan B deserves a seat at the table.
