Navigating Cybersecurity in ADR
Any mediation introduction includes a discussion about confidentiality, and the rise of Online Dispute Resolution (ODR) has brought privacy back into the limelight. With the increased use of applications like Zoom, most of us reframed our introductions to state that all participants must be in a private area where no one can overhear them, and that they may not record anything or take any screenshots. After so many problems with people “Zoom bombing” confidential events, we all add passwords to our meetings and make sure we admit only the people involved. We all emphasize that what happens in mediation stays in mediation; however, what do we do to provide security for the confidential information we receive before the mediation begins?
Mediation Briefs and Sensitive Information
Before a mediation, most of us receive a mediation brief, with some exceptions. It is typically sent to us over email, especially now, and we are expected to handle it with care and secrecy given its sensitive nature. Family mediators are given information about a divorce, a mediator in personal injury will be provided medical records, and a business mediator could get patent information. The mediation brief contains, in large part, the same sensitive information that comes out in the mediation itself: the information we promise will remain confidential. While we may personally keep this information to ourselves, we tend not to consider how securely it is being held in our email and web services.
The information mediators receive can be a treasure trove for hackers because it is sensitive and because it is collected all together in one place. Evidence of this is seen in how law firms have become a significant target for hackers: they hold sensitive information their clients consider worth suing over, all gathered in one place. Law firms, big and small, are hit internationally by data breaches, including ransomware attacks in which their data is stolen, held for ransom, and, if the hackers aren’t paid, leaked to the public.[1] That sensitive information is also summarized in mediation memorandums, and it is not uncommon for them to be left in our email accounts and on our computers.
Such a practice is concerning because too many of us use cybersecurity practices and tools that are just waiting to be exposed. Unsecured email, weak or nonexistent access control policies, and on-premises hardware and software that is rarely updated are all common, and all increase the odds that when a hacker targets us, we won't be able to keep them out.
The Numbers
Cybersecurity may seem like a buzzword to some, especially if you don't come from a tech background, but it is incredibly important to those who deal with confidential information.
In 2018, hackers stole nearly 447 million consumer records containing sensitive personal information, according to the Identity Theft Resource Center. "Sensitive" personal information is a specific set of categories that are meant to be treated with extra security: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, and biometric data.[2]
In January 2019, hackers freely distributed a collection of 2.2 billion (yes, billion) unique usernames and associated passwords online.[3] That is so many that even unskilled hackers could try leaked usernames and passwords on any public internet site in the hope that people have reused them.
More experienced hackers only need an email address and can use software tools to "guess" the password. If they succeed, they can change your password, lock you out, then steal or encrypt any sensitive information that happens to be sitting there unprotected, like medical records or legal files.
Rather than believing that only other people get hacked, or that we will be okay as long as we don’t click on that strange link, we must become more proactive and assume someone will try to get the information and files we keep on our computers or online.
Human Error
Even if our business-related security is up to date, it is still easy to put ourselves at risk. Regardless of how good our systems are, human error can always be the most significant problem. For instance, is your password strong enough? The reason not to use a password that is your name or birthday is that it's the first thing a hacker or their software will try. Complicated passwords that include upper and lower case letters, numbers and symbols should be the only option you consider.
It is also important to be pre-emptive. Change your passwords regularly. It may seem inconvenient, but it's necessary. In 2012, LinkedIn was hacked, and passwords for nearly 6.5 million user accounts were stolen. Four years later, LinkedIn discovered that an additional 100 million email addresses and hashed passwords had been taken in the same 2012 breach. LinkedIn forcibly invalidated the passwords of all users who had not changed their passwords since 2012. In other words, don't expect to be informed or even aware of a data breach, so don't rely on some notice to motivate changing your passwords.
Don't underestimate how connected everything is. Even if your business system is safe, if you use the same passwords for your personal accounts, both are essentially compromised in a breach. Also, many websites now offer the option of logging in with your Google or Facebook account information. While that is certainly convenient, it means that breaching just one of those accounts gives access to all of them. When Facebook was hacked, 50 million accounts gave access to millions more because they were all connected.
What is "Secure"?
Nowadays, it is hard to keep up with all of the security we can use, especially if you did not grow up with computers. Email scanning, firewalls, and anti-virus programs are the systems most people are familiar with, but they are not enough. We should also implement tools with robust security controls, such as data encryption in transit and at rest, and tools that leverage cloud-based platforms that continuously monitor the threat landscape.
This piece was motivated by a conversation I had with a friend who works in cybersecurity. Since that conversation, I have changed every aspect of my online life. I was already using a VPN (Virtual Private Network), which is currently considered the bare minimum of protecting your privacy by providing a secure connection to another network that shields your browsing activity from surveillance. I have now switched from Google Chrome to a browser specifically designed for privacy called Tor Browser. It uses Firefox as the base, but protects against tracking, surveillance, and censorship by routing internet traffic through multiple servers and encrypting it at each step. I even switched to a note-taking service called Standard Notes that keeps my notes encrypted.
The most important change directly regarding the safety of parties' confidentiality was to begin using email software built to protect emails and attached files on a computer and en route to their destination, rather than the traditional Gmail or Outlook. There are a lot of email software options that provide certain levels of security and encryption, but I recently started employing Tutanota. Tutanota is an email service, built in Germany, with end-to-end encryption and 2FA (two-factor authentication) to make sure nobody can decrypt or read my data. It is also open source, as is all of the software I transitioned to, meaning external security experts can peer-review and verify the code that is being used.
Perhaps I am going overboard, but when I read that 2.2 billion usernames and passwords were freely given out, or think about the damage that could come to the parties or my colleagues who work with me if I were to get hacked, I feel justified in taking the extra steps. In 2020, we are obligated to learn about cybersecurity. Otherwise, how can I look a party in the face and speak to them about confidentiality?
[1] https://www.logikcull.com/blog/maze-ransomware-law-firms
[2] https://www.itgovernance.eu/blog/en/the-gdpr-what-is-sensitive-personal-data
[3] https://www.wired.com/story/collection-leak-usernames-passwords-billions/?utm_source=twitter&utm_medium=social&utm_campaign=wired&utm_brand=wired&utm_social-type=owned&mbid=social_twitter