The Troublesome Gap in ADR Firms’ Security
Summary:
ADR institutions strive to maintain strong security at the front end, but may lose control once cases move to individual neutrals who work in fragmented personal tech environments with varying levels of security compliance. This creates a structural vulnerability the institution cannot monitor, audit, or defend, especially as sensitive data replicates across unmanaged tools. The solution is not more policies but a mindset shift: neutrals’ workflows must be treated as part of the institutional security surface. A single, integrated platform with strong security that supports every role in the organization offers the most consistent, defensible way to ensure end-to-end confidentiality and compliance.
Discussion:
Most ADR organizations invest heavily in secure technology to protect the cases they administer – but some unintentionally lose that control at a critical point in the workflow, when the case is handed off to the neutral who will provide the arbitration or mediation services.
From an institutional perspective, the story is reassuring. Case intake, document exchange, and scheduling for the primary session(s) often occur on secure, policy‑driven platforms with encryption, access controls, audit logs, and carefully drafted policy statements. These systems are designed to provide at the very least a reasonable level of security and to demonstrate diligence to parties, counsel, regulators, and insurers.
Yet the end-to-end reality of an ADR matter is broader than what happens inside the institutional platform. Once a mediator or arbitrator is appointed, much of the substantive work (analysis, preparation, caucus and plenary notes, communications with parties, and award or agreement writing) shifts to local computers and software tools that sit outside the organization’s direct control. Smaller organizations may lack even the top-level system and just use basic software tools throughout: email, Word or Google Docs, calendars, contact managers, spreadsheets, all on separate computers that have no consistent data security infrastructure.
That is the gap
What happens once the case is assigned? After the appointment, control of case files and communications is turned over to the assigned neutral(s). Individual neutrals’ security practices vary widely. Undoubtedly, some are knowledgeable and diligent in the tools and techniques of data security. But the reality is that the firm has no visibility into its neutrals’ compliance, and very many neutrals rely on an assortment of personal or ad hoc tools to manage the assigned matter, similar to the small firm context:
- Personal email accounts, sometimes mixed with other professional work.
- Downloading documents to local file storage on a personal computer, or into cloud storage chosen by the neutral with unknown security.
- File-sharing services like Dropbox, or maybe just email attachments, as determined by the neutral.
- Note‑taking apps, word processors, and task managers, all with varying levels of protection and disparate data storage.
- Messaging tools conveying case information outside of the institution’s ecosystem.
- Inconsistent document retention after a matter is closed.
Each of these tools may (or may not) be perfectly reasonable on its own. The problem is not the use of these tools, but the replication of sensitive information in each tool’s data storage, the transfer of data between tools, and the absence of consistent governance around how the tools are configured and used in the context of the firm’s confidential ADR proceedings.
From a risk standpoint, the question is simple: if sensitive data has left the controlled environment of the institution’s system, can the organization still credibly say it understands, manages, and can evidence the protections applied to that data?
In many cases, the honest answer is no.
This is a structural vulnerability
This is not about any individual neutral being careless or indifferent. Most mediators and arbitrators take confidentiality seriously and try to “do the right thing.” The vulnerability is structural:
- Fragmented environments: Each neutral may use a different combination of devices, apps, and storage locations, creating an unmanageable variety of risk profiles.
- Inconsistent security baselines: Some neutrals may employ strong passwords, MFA, encryption, and device management like hard drive encryption for their personal computers and devices; others may not, and the institution often has no visibility into that.
- Limited oversight and auditability: Even where expectations are set in rules, codes of conduct, or training, it is difficult for the organization to verify compliance or show an audit trail.
- Data lifecycle blind spots: Institutions may have clear retention and deletion policies for what’s on their servers, but not for copies of documents, notes, screenshots, or drafts living on a neutral’s laptop or in their personal cloud.
In other words, the institution’s security posture can be no stronger than the least‑protected environment in which data resides. When a matter is highly sensitive or high‑stakes, this gap should be deeply concerning. The end user neutral’s technology is part of the institutional risk surface.
For ADR organizations, the takeaway is to choose a top-tier management solution that also provides easy-to-use tools for the neutral’s tasks and extend that platform to provide a single technology environment for the entire firm. The individual neutral’s technology environment is part of the institution’s risk surface, whether or not it appears on an internal network diagram.
Addressing this requires a mindset shift
- Viewing neutral workflows as an extension of the organization’s information governance program, not as a separate, private domain.
- At a minimum, setting clear technical standards for tools and environments used in connection with institutional cases.
- A better solution is for a firm to provide or endorse secure, purpose‑built software that neutrals can use to manage matters, rather than leaving them to assemble their own patchwork of consumer and general‑purpose tools.
- The best solution is a single, integrated platform that provides tools for firm-level administration and features for every other function in the organization: easy invoicing for the accounting staff; task reminders and standard templates for case managers; scheduling tools and reminders for administrative assistants; and note-taking, timekeeping, document access, and more for the neutrals actually delivering the services. With role-based security, each member of the team can perform their tasks in a single, secure environment while limiting access to sensitive information at each level to “need-to-know” determined by the administrators.
- Even with a single system for the entire firm, firms should build mechanisms for training, support, and, where appropriate, verification that these expectations are met.
With a single, integrated system, the personal computer becomes a mere access device. Nothing sensitive is stored on it. It is used to access the firm software where case files and other materials are safely stored, and the operational software for task management, document preparation, scheduling, communications and other functions. This mitigates the risks inherent in personal computers and the varying degrees of data security sophistication of their owners. All essential functions are hosted in a secure cloud environment with appropriate backups and safeguards.
When institutions do not take these steps, they effectively operate with two different levels of protection: a highly controlled, well‑documented layer at the front end, and a fragmented, lightly governed layer once the case is in the neutral’s hands. That inconsistency is exactly the disconnect that forward‑looking ADR organizations should be working to close.
A new industry standard
If you are responsible for risk, compliance, or leadership within an ADR organization, it is worth asking:
- Do our current policies and systems truly cover the full lifecycle of a dispute, including the neutral’s working environment?
- Could we clearly explain—and evidence—to a skeptical third party how confidentiality is protected from initial filing through final resolution, across all the tools our neutrals use?
- Are we providing our neutrals with the right technology and guidance to meet the standards we espouse to the public?
A single integrated solution is better than herding cats with policies and protocols.
Firmwide policies and protocols are often used to address this structural issue, and some aspects of security, such as sensitivity to phishing, are best addressed with in-house training. But let’s face it: in a firm with a sizable roster of neutrals who are often working from remote locations, making pronouncements about nerdy things like encryption settings and document transfers is going to get about as much compliance as herding cats.
The principles behind the social economics book Nudge, by Richard Thaler and Cass Sunstein, suggest a better approach. The message in Nudge is essentially this: if you want people to behave a certain way, make it easier for them to do the right thing.
How does that apply here? Offer the neutrals access to an integrated platform that extends from the Administrator’s office to every member of the team supporting the delivery of quality dispute resolution services. Ensure that the technology you offer is easy to use, includes tools that align with their needs, and makes their lives and work easier. This way, the firm administrators can maintain their priority on data security and confidentiality, while also gaining control and compliance as the firm’s neutrals willingly adopt the secure platform.
For firms that genuinely want their security and confidentiality story to hold together from end to end, strength at the institutional level coupled with “whatever tools the neutral happens to use” is not a defensible answer. Recognizing the gap is the first step. Then, providing the neutrals with a technology toolset as an integral part of the institutional infrastructure, not as something inherently beyond the firm’s control, will be the essential second step to sustaining trust in ADR with disputes that all involve sensitive information.
This article can also be found at Mediate.com using this link.