ICCA-NYC Bar-CPR Cybersecurity Protocol for International Arbitration (2020)

Purpose

The purpose of the ICCA-NYC Bar-CPR Cybersecurity Protocol for International Arbitration (the “Cybersecurity Protocol” or the “Protocol”) is twofold.

First, the Protocol is intended to provide a framework to determine reasonable information security measures for individual arbitration matters. That framework includes procedural and practical guidance to assess security risks and identify available measures that may be implemented.

Second, the Protocol is intended to increase awareness about information security in international arbitrations. This includes awareness of: (i) information security risks in the arbitral process, which include both cybersecurity and physical security risks; (ii) the importance of information security to maintaining user confidence in the overall arbitral regime; (iii) the essential role played by individuals involved in the arbitration in effective risk mitigation; and (iv) some of the readily accessible information security measures available to improve everyday security practices.

Scope of the Protocol

(a) Application Beyond International Commercial Arbitrations

Although the Protocol has been drafted with international commercial arbitrations in mind, it may also be a useful reference for domestic arbitration matters and/or investor-state arbitrations.

(b) Data Protection Issues

Information security and data protection issues are closely connected, largely because there is increasing regulation around the globe governing the processing of personal data. It is typical for data protection law and regulations to mandate, among other things, that persons processing personal data implement reasonable information security measures.

Organization of the Protocol

The Protocol is organized into Principles, Commentary, and Schedules. Each Principle provides high-level guidance and is accompanied by explanatory Commentary. The Principles are supplemented as necessary with more detailed guidance contained in the Schedules. Following the Schedules, the Working Group acknowledges the many organizations and individuals who contributed to the Protocol.

Principles 1-4 address the scope and applicability of the Protocol.

o Principle 1 establishes the basic building blocks of the Protocol, including the framework approach and the reasonableness standard.

o Principles 2-3 address the role of the arbitral tribunal, the parties and any administering institution in ensuring effective information security for a particular arbitration matter.

o Principle 4 addresses the relationship between the Protocol and applicable law and other binding obligations.

Principle 5 establishes the standard of reasonableness, which governs what measures should be adopted to address issues of information security in an individual arbitration matter.

Principles 6-8 set out a series of factors to be considered in determining what information security measures are reasonable in a particular matter and how they should be applied.

Principles 9-13 provide a series of suggested procedural steps to address information security issues in an individual arbitration.

o Principles 9-10 recognize the importance of party autonomy in determining what information security measures are reasonable in any given case.

o Principles 11-13 recognize the arbitral tribunal’s authority to determine the information security measures applicable to the arbitration.

Principle 14 clarifies that the Protocol does not establish liability or a liability standard for any purpose whatsoever.

Schedule A addresses baseline information security practices that all custodians of arbitration-related information should consider in connection with their everyday business activities.

Schedule B considers the risk factors that can be used to assess the risk profile of an arbitration.

Schedule C gives examples of specific information security measures and processes that might be adopted for particular arbitration matters.

Schedule D contains sample language for addressing information security issues in arbitration agreements, agendas for case management conferences, procedural orders, and post-arbitration dispute resolution clauses.

Schedule E lists prevailing cybersecurity standards and resources that may be consulted for further information.

Schedule F is a glossary of terms used in the Protocol, which are also included in footnotes for ease of use.

Scope and Applicability

Principle 1 The Cybersecurity Protocol provides a recommended framework to guide tribunals, parties, and administering institutions in their consideration of what information security measures are reasonable to apply to a particular arbitration matter.

Commentary to Principle 1

(a) Recommended framework. Principle 1 establishes the basic approach of the Protocol, which is to provide a framework for the consideration of the security measures to be applied to the information processed during a particular arbitration matter.

(b) The Protocol is not intended to, and does not, provide a one-size-fits-all information security solution. A core premise of the Protocol is that reasonable information security measures should be applied to arbitral proceedings, but that the measures which will be reasonable in a particular matter may vary significantly based on the facts and circumstances of the case, as well as evolving threats and technology. Tribunals and parties who decide to utilize the Protocol in an arbitration can refer to the guidance in the Protocol to determine reasonable information security measures for their matter.

(c) Relationship between cybersecurity and information security. Due to the highly digitized nature of today’s international arbitrations, the Protocol focuses on cybersecurity, which concerns the means employed to maintain the confidentiality, integrity, and availability of digital information. However, the guidance in the Protocol applies broadly to all information security measures, including both cybersecurity and physical security, and the Protocol therefore refers generally to information security rather than to cybersecurity wherever appropriate. As such, in this Protocol, the term “information security” includes security for all types and forms of electronic and non-electronic information, including both commercial and personal data.

(d) Importance of reasonable information security. The need for reasonable information security measures in international arbitrations is highlighted by: the litigious backdrop of arbitration, which can lead to the targeting of information; the often high value, high stakes nature of disputes, which increases the risk of security incidents and the likelihood that those incidents will cause significant loss; the exchange of information that is often confidential commercial information and/or regulated personal or other data; and the cross-border nature of the process, which creates complex challenges in complying with applicable legal requirements and heightens the consequences of a security incident.

Specific consequences that may result from inadequate attention to information security include:

  • economic loss to individuals whose commercial information or personal data is compromised;

  • loss of integrity of data, or questions about the reliability and accuracy of data, due to a cybersecurity incident;

  • unavailability of data, networks, platforms, or websites due to disruption caused by a cybersecurity incident;

  • potential liability under applicable law and other regulatory frameworks, including applicable data protection regimes; and

  • reputational damage to parties, arbitrators, administering institutions, and third-parties, as well as to the system of arbitration overall.

In the increasingly digital landscape in which proceedings take place, the credibility of any dispute resolution system, including arbitration, depends on maintaining a reasonable degree of protection of the information exchanged during the process, not only with respect to the information’s confidentiality (except where the parties intend for the information to become public), but also its integrity and availability.

Further, arbitration has the benefit over other dispute resolution processes of enabling parties to maintain the confidentiality of the dispute resolution process itself, where they want to and where applicable law permits, and the information exchanged within it. Reasonable information security measures are essential to ensure that international arbitration maintains this advantage.

Principle 2 As a threshold matter, each party, arbitrator, and administering institution should consider the baseline information security practices that are addressed in Schedule A and the impact of their own information security practices on the arbitration. Effective information security in a particular arbitration requires all custodians of arbitration-related information to adopt reasonable information security practices.

Commentary to Principle 2

(a) Baseline security. Principle 2 recognizes it is important that all persons who have access to arbitration-related information apply reasonable information security measures in their general business activities (“baseline security”).

International arbitrations tend to involve a constant exchange and hosting of information among parties, tribunals, and administering institutions, which means that they are largely digitally interdependent and any break in the security of arbitral information by any one participant in the arbitration has the potential to affect all participants and to compromise the security of the entire arbitration. Thus, the security of information in an arbitral proceeding ultimately depends on the decisions and actions of all individuals involved. Actions by any individual can be the cause of an information security incident or be the “weakest link,” no matter the setting in which they practice or the infrastructure available to them. Indeed, many security incidents result from individual conduct rather than a breach of systems or infrastructure.

Because day-to-day security practices and infrastructure pre-date individual arbitration matters, pre-existing information security practices of parties, arbitrators, or administering institutions may have a significant impact on the security of the arbitration process and arbitration-related information. Thus, the participants in an arbitration may need to seek guidance from their own information technology personnel or consultants, when such resources are available.

While the need and ability to implement information security measures in a particular arbitration inevitably will vary based on the size, sophistication, and available resources of the parties, arbitrators, and any administering institution, Schedule A highlights general, readily accessible cybersecurity measures that all custodians of arbitration-related information should consider employing in their day-to-day use of technology, so as to protect the confidentiality, integrity, and availability of data in their arbitration-related activities.

Since many of the measures that are reasonable to adopt as a matter of such baseline security may also be required of the participants in an individual arbitration matter, there is significant overlap between Schedule A, which addresses baseline security measures, and Schedule C, which focuses on security measures that may be applied in individual arbitrations.

(b) Familiarity with existing security practices. Principle 2 also recognizes that familiarity with, and consideration of the adequacy of, existing information security practices and infrastructure of parties, arbitrators and administering institutions is an essential first step to determining what information security measures should be adopted in a particular arbitration matter.

For example, some parties, arbitrators, or administering institutions may be bound by internal policies that also will be relevant to the consideration of measures in the arbitration, as, for example, policies limiting communication with personal e-mail addresses or prohibiting the use of unencrypted portable drives (i.e., media, such as USB drives, DVD’s, or hard disks, that are accessible without any further steps, such as entering passwords, to decipher their content). Individuals involved in international arbitrations should ensure that they are aware of any such policies that apply to them and that they are in compliance.

Principle 3 Parties, arbitrators, and administering institutions should ensure that all persons directly or indirectly involved in an arbitration on their behalf are aware of, and follow, any information security measures adopted in a proceeding, as well as the potential impact of any security incidents.

Commentary to Principle 3

(a) Information-sharing. Principle 3 recognizes that many persons, other than the parties, tribunals, and institutions directly involved in an arbitration, may have access to arbitration-related information and that the security of such information may be undermined if reasonable information security measures are not applied by all such persons, each of whom could cause a security incident.

(b) Applicable legal or other requirements. In some cases, legal, contractual, or ethical obligations may require that parties, arbitrators, and institutions ensure that reasonable information security measures are in place before they share arbitration-related information with others, and/or that such measures are subsequently complied with.

(c) Supporting personnel. Parties, arbitrators, and administering institutions may be supported by, among others, employees, lawyers, legal assistants, law clerks, trainees, administrative or other support staff, case management personnel, and tribunal secretaries. To mitigate the risk of security incidents, information security awareness should permeate organizational structures and extend to such persons, who should be made aware of, and comply with, any information security measures adopted in the arbitration.

(d) Independent contractors and vendors. Parties may engage independent contractors or third party vendors to assist with the arbitrations, including, among others, consultants, experts, translators, interpreters, transcription services, and document production or “e-discovery” vendors and professionals. These persons will typically have a contractual relationship with, or be under the practical control of, a party, but will not be under the actual control of the arbitral tribunal and may not suffer directly from the consequences of an information security incident.

Parties who provide access to arbitral information covered by information security measures to such third parties should ensure that those third parties are aware of applicable security measures, have the necessary technical capabilities to comply with them, and agree to follow them. In relationships governed by contract, it will often be appropriate to expressly address information security in the agreement.

(e) Fact witnesses. Fact witnesses may need to be supplied with information related to the arbitration, yet may not be employed by, or have a contractual relationship with, any party. Where a fact witness is unable or unwilling to comply with applicable information security standards, the matter should be referred to the arbitral tribunal for consideration, and, if necessary, direction.

Principle 4 The Protocol does not supersede applicable law, arbitration rules, professional or ethical obligations, or other binding obligations.

Commentary to Principle 4

(a) Superseding obligations. Principle 4 recognizes that the Principles and other guidance in the Protocol may be subject to overriding legal or other binding obligations and that such obligations may determine or affect the information security measures that are adopted in the individual circumstances of the arbitration.

(b) Legal obligations, including data protection law and regulation. Legal requirements may apply to all persons who either process or control arbitration-related information. Furthermore, parties, arbitrators, and administering institutions may have individual responsibility for compliance with such obligations.

The most prevalent legally imposed information security requirements are those contained in many of the more than 100 national data protection laws, regulations, and industry norms applicable across the globe to certain types of personal data and data of public importance, including, for example, the General Data Protection Regulation (“GDPR”) in Europe, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and California Consumer Privacy Act in the United States, the General Data Protection Law in Brazil, and the Personal Information Protection and Electronic Documents Act (“PIPEDA”) in Canada.

Data protection regimes may vary from jurisdiction to jurisdiction, including with respect to what constitutes “personal data.” Non-compliance with applicable law may result in substantial penalties and/or litigation risk. Furthermore, data protection enforcement and other legal risk may be inconsistent among different jurisdictions and create obstacles to transborder information exchanges, including during international arbitration proceedings. It is therefore important in each case for all parties, arbitrators, and administering institutions to understand their legal obligations with respect to the processing of information, including personal data, during an arbitration.

However, although data protection laws may vary in their specific requirements, almost all require the implementation of reasonable data security measures to protect the processing of personal data. Among other things, it is important to look to applicable law to determine how applicable concepts of “reasonableness,” “adequacy,” “appropriateness,” and “proportionality” have been applied, as the interpretation of these terms may differ under various legal regimes.

Where participants in the arbitration are faced with differing or conflicting legal obligations, the tribunal may need to determine, in consultation with the parties and any administering institution, how to harmonize such obligations, taking into consideration the consequences of non-compliance, principles of proportionality and due process, as well as the tribunal’s role in the administration of justice.

(c) Arbitration rules and institutional involvement. If an arbitration is administered by an institution, it may be necessary for the parties, their representatives, and the arbitral tribunal to consult and coordinate with that institution prior to adopting information security measures in order to ensure that proposed measures are consistent with, and can be implemented pursuant to, the institution’s rules, practices, technical capabilities, and legal obligations. In some cases, the legal obligations of an administering institution (for example, under data protection law) may impact what information security measures are adopted by the parties and tribunal.

Depending on the sensitivity of the information involved in a particular arbitration or the nature of applicable legal obligations, coordination with the institution may be necessary at the time the arbitration is commenced or in some cases even before. This may be necessary, for example, to determine whether secure notification of a request for arbitration or request for emergency relief is possible or whether a more limited filing may be appropriate in the first instance; to determine whether data can be transferred; or to request institutional attention to the secure handling of confidential information by potential arbitrators.

As information security receives increasing attention, some institutions are adopting their own rules and practices relating to information security. For example, institutions have started to refer expressly to information security in their rules and practice notes. Some institutions are also adopting or endorsing secure platforms for the transmission and hosting of some of the information related to arbitrations they administer. Such rules and practices may or may not be considered mandatory by the institution.

(d) Ethical and professional obligations. Ethical and professional rules and guidance increasingly address information security, often in terms of well-established duties of confidentiality and competence. Parties and tribunals should consider potentially applicable obligations of this nature. In the case of the tribunal, for example, this may include consideration of an ethical obligation to preserve and protect the legitimacy and integrity of the arbitration process.

The Standard

Principle 5 Subject to Principle 4, the information security measures adopted for the arbitration shall be those that are reasonable in the circumstances of the case as considered in Principles 6-8.

Commentary to Principle 5

(a) Principle 5 recognizes that there is no one-size-fits-all approach to information security in arbitration matters and that the application of the reasonableness standard in the Protocol is always subject to superseding legal and other obligations, as set forth in Principle 4.

This individualized approach recognizes that the implementation of information security measures entails balancing potentially competing considerations (such as cost and convenience) and that, subject to Principle 4, similarly situated parties may make different, but equally legitimate, choices based on their own preferences, including considerations of cost and proportionality, risk tolerance, and technical capabilities, among others.

Principles 6-8 and the related schedules provide three-step guidance on how to apply the reasonableness standard in each case. First, Principle 6 and Schedule B walk through risk factors bearing on what security measures are reasonable in particular arbitration matters. Next, Principle 7 identifies categories of information security measures that should be considered in each matter. Principle 8 then flags aspects of the arbitration process to which information security measures may be applied. Schedule C supplements Principles 7 and 8 with examples of specific information security measures and processes that might be adopted for particular arbitration matters. It is anticipated that Schedule C will require updates over time. The reasonableness standard also provides flexibility to accommodate changes in technology and the best practices and threats current at the time of an actual dispute.

Determining Reasonable Cybersecurity Measures

Principle 6 In determining which specific information security measures are reasonable for a particular arbitration, the parties and the tribunal should consider:

(a) the risk profile of the arbitration, taking into account the factors set forth in Schedule B;

(b) the existing information security practices, infrastructure, and capabilities of the parties, arbitrators, and any administering institution, and the extent to which those practices address the categories of information security measures referenced in Principle 7;

(c) the burden, costs, and the relative resources of the parties, arbitrators, and any administering institution;

(d) proportionality relative to the size, value, and risk profile of the dispute; and

(e) the efficiency of the arbitral process.

Commentary to Principle 6

(a) Factors bearing on reasonableness. Principle 6 sets out factors to be considered in determining what information security measures are reasonable in particular arbitration matters.

(b) Risk analysis. Principle 6(a) recommends a risk analysis to determine the risk-profile of the arbitration. Schedule B identifies relevant risk factors relating to the nature of the information expected to be shared in the arbitration, potential security threats, and the potential consequences of an information security breach.

It is possible that some aspects of an arbitration may have a higher risk profile than others, in which case the risk analysis will be useful in identifying those aspects of the case that may warrant the application of more secure measures.

(c) Practical considerations. The remainder of Principle 6 identifies practical considerations that may bear on what information security measures are reasonable. For example:

i. Consistent with Principle 2, Principle 6(b) flags that the day-to-day security practices and digital infrastructure of the parties, tribunal, and administering institution may affect what security measures are reasonable in any given arbitration matter.

For instance, if all participants already employ a level of information security appropriate to the case, additional measures may not be needed. To make such a determination, it may be appropriate in some instances for the parties, arbitrators, and any administering institution to discuss their existing information security with others, including the baseline security measures identified in Schedule A, and to agree that certain measures will be maintained during the arbitration, subject to modification under Principle 2.

ii. Principles 6(c) and (d) draw attention to the possibility that the parties, arbitrators, and any institution may have differing technical or financial resources or other constraints on their technical capacity that will influence what may be reasonable in a particular case. In such instances, it will be important to balance such limitations with all other relevant factors. Special consideration should be given to what measures may be taken without significant expenditure or resources.


iii. Principle 6(e) recognizes that if proposed information security measures would be so onerous as to prevent the arbitration from proceeding in an orderly fashion, then the balance of ‘reasonableness’ may weigh against their adoption. In particular, information security measures that are too difficult to implement risk being ignored or evaded, or may have a negative impact on the administration of the arbitration.


Principle 7 In considering the specific information security measures to be applied in an arbitration, consideration should be given to the following categories:

(a) asset management;

(b) access controls;

(c) encryption;

(d) communications security;

(e) physical and environmental security;

(f) operations security; and

(g) information security incident management.


Commentary to Principle 7

(a) Categories of information security measures. Upon determining what level of security is reasonable in consideration of the risk profile and other relevant circumstances under Principle 6, Principle 7 addresses the broad categories of security measures that should be considered. These categories may be useful to consider in an individual arbitration, taking into account, and adapting as necessary to reflect, the risk assessment that has been carried out pursuant to Principle 6.


While a brief explanation of each general category in Principle 7 is provided below, arbitrators, parties, and administering institutions should look to Schedule C for specific examples of how security measures within each category may be tailored to address risks present in different aspects of the arbitration, as set forth in Principle 8.


(b) Asset Management: Information should be identified, classified, and controlled as appropriate for the arbitration.

Through the risk analysis in Principle 6, the parties and tribunal may have identified certain aspects of the arbitration, such as information containing commercial trade secrets, that is of a higher risk profile than other aspects of the arbitration. It may be appropriate in such circumstances to categorize such information for the purpose of applying differing levels of protection or differing types of measures based on different risk profiles.

Retention and destruction policies that will apply during the arbitration and after its conclusion are another aspect of asset management.


(c) Access Controls: Access to arbitration-related information, including access to any systems, services, devices, or applications that host such information, should be limited to authorized individuals.


Parties and the tribunal may wish to consider, for example, restricting access to arbitration data on a need to know basis. They might also consider policies that will apply in the arbitration in respect to the control of user accounts, passwords and multi-factor authentication (particularly where a shared platform is used to host arbitration-related data), or in respect to remote access protocols.


(d) Encryption: Encryption is the process of making plain text illegible without decryption tools, such as passwords or encryption keys. It is one of many security techniques from the field of cryptography, which deals more generally with the protection of information and communications from unauthorized recipients through the use of codes. Use of encryption should be considered where appropriate to protect the confidentiality, integrity, and availability of confidential or sensitive information in the arbitration.


(e) Communications Security: The means used to communicate electronically and to share information digitally should be secure. Common means employed to protect communications security include exercising caution with attachments and links, use of secure share-file services in lieu of e-mail, and avoiding the use of public networks or, if necessary, mitigating the risks of use.


(f) Physical and Environmental Security: Physical access to information resources in the arbitration and to the hearing premises should be controlled to prevent unauthorized access, damage, or interference.


(g) Operations Security: Operations security measures are largely concerned with ensuring the integrity of information processing systems that are used in the arbitration. What this means in practice depends on the circumstances, but such measures could include, for example, agreements regarding vulnerability monitoring, system auditing, and routine back-up of a shared platform.


(h) Information Security Incident Management: Consideration should be given to the implementation of agreed incident response capabilities and to the timing and extent of an obligation to provide notification of a breach.


Principle 8 In some cases, it may be reasonable to tailor the information security measures applied to the arbitration to the risks present in different aspects of the arbitration, which may include:

(a) information exchanges and transmission of arbitration-related information;

(b) storage of arbitration-related information;

(c) travel;

(d) hearings and conferences; and/or

(e) post-arbitration retention and destruction policies.


Commentary to Principle 8

(a) Principle 8 recognizes that certain information security measures, such as those enumerated in Principle 7, may be applied differently to different aspects of the arbitration. While examples of the categories that may be relevant to the different aspects of the arbitration are provided below, these are not intended to be exclusive, nor to suggest that each of the referenced categories or measures will be appropriate in any individual arbitration.


Furthermore, because specific measures that may be adopted are likely to change over time, detailed examples of how the general information security categories in Principle 7 may be tailored to aspects of the arbitration process are contained in Schedule C, which the Working Group expects to revise over time.


(b) Information exchanges and transmission of arbitration-related information. Access controls, communications security, encryption, and operations security will be most relevant to securing information exchanges and transmission of arbitration-related information. The types of security measures to be considered may differ depending on the parties, tribunal, and institutions involved, and it may be appropriate to consider different measures for exchanges among parties and their representatives, the arbitral tribunal, and/or any administering institution. Consideration should be given to how transmissions of arbitral data will be made (e.g., e-mail; via third-party platform or virtual data room; USB drives or other portable storage devices) as well as to corresponding protective measures (e.g., only enterprise-grade e-mail services will be used; portable storage devices must be encrypted and the password for decryption must be communicated separately).


(c) Storage of arbitration-related information. Generally, measures in the categories of asset management, access controls and encryption will be most relevant to the secure storage of arbitration-related information. Measures should be considered for storing communications, pleadings, disclosure materials, and evidence, and may include measures such as minimizing the processing of confidential commercial information, personal data, or other sensitive information in relation to the arbitration; limiting certain information to attorneys’ eyes only; and agreeing to confidentiality provisions or implementing protective orders.


(d) Travel. The nature of international arbitration is such that significant travel is often involved. Travel-related information security concerns are addressed in Schedule A as a matter of baseline information security. Access controls, encryption and physical security are relevant categories in considering measures to be applied when travelling with arbitration data.


(e) Hearings and conferences. Information security measures for hearings and conferences may include procedures for the handling of any transcripts, recordings, or videos which are made; restrictions on what technology, such as smartphones, attendees may bring to and use at hearings; and establishing a protocol for remote testimony. Access controls and physical security will be relevant categories, among others, at these events in the arbitration. Furthermore, when hearings and conferences are held telephonically, secure telephone services should be used.


(f) Post-arbitration document retention and destruction. As a matter of prudent asset management, issues to be considered with respect to post-arbitration document retention and destruction may include whether to require that arbitration-related information be returned or safely disposed of, and the timing of any such requirement, with due consideration for applicable legal or ethical obligations, rules relating to the correction of awards and award recognition/enforcement proceedings, and legitimate interests in retaining information (e.g., for conflict checking or precedent purposes). Consideration may also be given to whether there should be a process for certification of compliance with respect to any such requirement.


The Process to Establish Reasonable Cybersecurity Measures


Principle 9 Taking into consideration the factors outlined in Principles 6-8 as appropriate, the parties should attempt in the first instance to agree on reasonable information security measures.


Commentary to Principle 9

(a) Importance of party autonomy. Principle 9 recognizes the important role that parties and their legal representatives play in establishing information security measures.

Party autonomy is fundamental in information security, as it is in other aspects of the arbitral process, and ordinarily parties and their legal representatives will take the lead in considering what information security measures should be employed for the arbitration, as they will have the best information about what security measures will be reasonable for their arbitration, as well as the greatest interest in ensuring compliance with those measures during the arbitration.


(b) Confer. In the first instance, legal representatives should generally confer concerning the information security measures to be implemented in an arbitration, taking into consideration the Principles in this Protocol.

Issues that legal representatives should consider discussing with their clients and opposing counsel may overlap with issues ordinarily considered in the context of disclosure and document preservation, and also with potential data protection issues.


Principle 10 Information security should be raised as early as practicable in the arbitration, which ordinarily will not be later than the first case management conference.


Commentary to Principle 10

(a) Early case management topic. Principle 10 recognizes that information security should be raised as early as practicable in the arbitration. The expectation generally is for issues of information security to be discussed with the parties and, where necessary, with any administering institution, in preparation for, and during, the initial case management conference or procedural hearing.


Schedule D provides sample procedural language that arbitral tribunals may use to raise issues of information security for consideration at the procedural conference. Arbitral tribunals should also consult institutional rules and practices.


In some cases, the initial procedural hearing or case management conference may be too late to raise information security issues; in such a case, any party may raise information security measures for consideration by the tribunal or any administering institution at any time.


At the initial conference, the arbitral tribunal should be prepared to:

i. engage the legal representatives in a discussion about reasonable information security measures;

ii. discuss the ability and willingness of its members to adopt specific security measures;

iii. address any disputes about reasonable information security measures;

iv. express its own interests in preserving the legitimacy and integrity of the arbitration process, taking into account the parties’ concerns and preferences, the capabilities of any administering institution, and other factors discussed in this Protocol; and

v. address any other issues related to information security that it considers relevant to the proceeding.

Where cases are administered by an institution, that institution may raise issues of information security with the parties or tribunal at any time.

 


Principle 11 Taking into consideration Principles 4-9 as appropriate, the arbitral tribunal has the authority to determine the information security measures applicable to the arbitration.


Commentary to Principle 11

(a) Tribunal authority. Principle 11 recognizes that the arbitral tribunal has the authority to determine the information security measures applicable to the arbitration and that, ordinarily, it should defer to any agreement of the parties.


The general expectation is that the arbitral tribunal will incorporate directions concerning information security in an early procedural order. Schedule D provides sample language that tribunals may use in procedural orders. Alternatively, the tribunal may simply approve and order an information security agreement made by the parties.


Where disputes arise about information security measures, the tribunal should resolve any such disputes, including any disputes about what measures should be adopted in the first instance and any disputes arising from either an agreement adopted by the parties or measures ordered by the tribunal. In case of post-arbitration disputes, it may be advisable to provide for a dispute resolution mechanism that will apply in the event that the arbitral tribunal is functus officio at the time of a dispute regarding information security measures. To that effect, see the sample language provided in Schedule D.


(b) Tribunal deference. The arbitral tribunal should ordinarily respect any agreement the parties have reached on the information security measures to be employed, subject to overriding legal or other obligations under Principle 4 and unless there are significant countervailing considerations. Conversely, the parties cannot unilaterally bind either the arbitral tribunal or any institution administering the arbitration. Therefore, to the extent an information security agreement between the parties impacts the arbitration process, it should be formalized only after consultation with the tribunal and, if necessary, any administering institution.


Circumstances in which the arbitral tribunal may be justified in departing from the parties’ agreement may include, but are not limited to:

i. measures to protect third-party interests, including the interests of witnesses or others who may be involved in the arbitration as described in the commentary to Principle 3;

ii. capabilities of the arbitrators and administering institution; and

iii. the tribunal’s own interest in protecting the legitimacy and integrity of the arbitral process, including the security of its own communications and deliberations.


(c) Arbitrator selection. If the subject matter of the arbitration itself involves the resolution of information security related issues, the parties may wish to: (i) engage arbitrators with sufficient knowledge of information security issues to resolve the issues without reliance on an independent expert; and/or (ii) use adversarial expert testimony to educate the arbitral tribunal similar to the treatment of other technical issues arising in arbitration.


Principle 12 The arbitral tribunal may modify the measures previously established for the arbitration, at the request of any party or on the tribunal’s own initiative, in light of the evolving circumstances of the case.


Commentary to Principle 12

(a) Evolving circumstances. Principle 12 recognizes that the procedures adopted at the outset of the arbitration may be modified as necessary throughout the course of the proceeding, including updates as to:

i. what qualifies as the nature of the information being processed;

ii. required procedures based on the specific circumstances of the case as it develops; and

iii. changed circumstances, such as changes in applicable law, risks in the proceeding, institutional rules/requirements, or technological developments.


(b) Consultation. Such modifications should be made after consultation with the parties and any administering institution.


Principle 13 In the event of a breach of the information security measures adopted for an arbitration proceeding or the occurrence of an information security incident, the arbitral tribunal may, in its discretion: (a) allocate related costs among the parties; and/or (b) impose sanctions on the parties.


Commentary to Principle 13

(a) Costs and sanctions. Principle 13 clarifies the power of the arbitral tribunal to order costs or sanctions in the event of a breach of the information security measures adopted for an arbitration proceeding or the occurrence of an information security incident.

The authority conferred on the arbitral tribunal in Principle 13 is implied in the tribunal’s general powers and in institutional rules providing that the tribunal has the authority to administer the arbitration.

(b) Subject to applicable law. As noted in Principle 4, the arbitral tribunal’s powers are subject to, and may be limited by, applicable law.


Principle 14 The Protocol does not establish any liability or any liability standard for any purpose, including, but not limited to, legal or regulatory purposes, liability in contract, professional malpractice, or negligence.


Commentary to Principle 14

(a) Not a liability standard. Principle 14 clarifies that the Protocol is not intended to establish any liability or any liability standard for any purpose.

As established throughout, the Protocol is intended to provide a general framework for how information security issues may be considered in an arbitration, and is subject to any overriding legal or other obligations that may exist. It would therefore be inappropriate to apply the Principles established by the Protocol to form any legal or other liability or responsibility.


(b) Party autonomy. Principle 14, however, is not intended to limit the right of the parties to make agreements that allocate liability for security incidents, nor is it intended to limit the power of the arbitral tribunal to issue directions regarding issues such as costs or sanctions as provided in Principle 13.
