Some InfoSec Guidance for In-House and Outside Counsel: ACC Issues its “Model Information Protection and Security Controls”
In previous posts here on the blog, we’ve explored the ever-increasing information security risks faced by law firms, which hold some of their clients’ most sensitive and confidential information. It seems that every week there’s a new headline that underscores the severity of this risk—this week, one of the world’s largest and most respected law firms fell victim to a ransomware attack, shutting down its entire computer network system for several days.
Last year we called out some resources on information security available through the ABA’s Cybersecurity Legal Task Force, which works in concert with the FBI to alert lawyers to cyber risks. And earlier this year we explained the new cybersecurity regulations promulgated by the New York Department of Financial Services, which extend to law firms and other providers serving financial institutions. And now there’s even more specific guidance on these issues for in-house counsel and the law firms they retain: On March 29, 2017, the Association of Corporate Counsel (“ACC”) released its Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information. The Model Controls are designed to serve as list of baseline security measures that corporate counsel may consider requiring its outside law firms to implement.
What Guidance Do The Model Controls Offer?
The Model Controls address thirteen areas of security measures to which outside counsel would commit prior to storing or accessing “Company Confidential Information” (defined as “any information that is proprietary to Company and is not publicly available”). The overarching theme of the Model Controls is that outside counsel (both firms and individual attorneys) are responsible for the same robust level of data security and privacy already maintained by their client companies. The suggested requirements for outside counsel include:
- Developing and implementing extensive physical and electronic security measures and incident response protocols, including a process to regularly audit those systems.
- Retaining or returning/destroying data within 30 days of a request by the company. The Model Controls do carve out some types of data from this requirement, such as day-to-day email exchanges, attorney work product, public information, anything retained due to legal or ethical obligations or for disaster recovery, and latent data that is essentially inaccessible without specialized forensic tools.
- Encrypting information at rest using industry standards (such as USFIP Standard 140-2, Level 2) when the data is stored on outside counsel’s systems, on a third party vendor’s systems, or on removable media and mobile devices.
- Transmitting confidential information via email only where Transport Layer Security encrypts the communications, including transmission of confidential information to the company or to third party vendors (such as attaching evidentiary data).
- Implementing two-factor authentication for any remote connectivity using mobile devices, tablets, or laptops.
- Reporting any suspected or actual security breaches to the company designee within 24 hours of discovering the event and maintaining a single point of contact within the firm, accessible by the company 24×7, and able to obtain relevant information on the incident within 48 hours.
- Maintaining physical security requirements around access and protection, including 24×7 security guards on site where the data is stored, server room enhanced access such as biometric identification, and access logs retained for 90 days, among many others.
- Establishing logical access controls, including two-factor or stronger authentication and requirements around revoking and deactivating that access.
- Monitoring systems, employees, and contractors for security incidents on a continuous basis.
- Conducting vulnerability tests and assessments, including hacking/penetration tests and code review annually and upon major software changes.
- Establishing extensive system and network administration procedures and implementing security processes that conform to industry standards, such as daily antivirus and malware screens.
- Providing the company, regulators, and others designated by the company with inspection rights for facilities, systems, and practices of Outside Counsel with regard to the confidential information.
- Undertaking, at the request of the company, the ISO 27001 certification process and providing the company with evidence of that certification when complete.
- Conducting background screens on all employees, contractors, and contingent workers that access or come into contact with confidential information.
- Maintaining cyber liability insurance coverage (where available) from a company with at least an A- rating from S&P or equivalent agency and a minimum coverage of $10,000,000.
- Imposing, in writing, the company’s requirements upon any subcontractors (including third party vendors and contract attorneys) engaged for review or storage of confidential information.
What Does This Guidance Mean for Outside Counsel?
The majority of the requirements under the Model Controls apply to firms as organizations, requiring a systematic approach to information security across the firm. However, the Model Controls also affect individual attorneys at firms in two major ways.
The first, and possibly greatest impact on individual attorneys is the requirement around email communications. Rather than simply transmitting data via email, attorneys must ensure that any Company Confidential Information is transmitted either via encrypted email (using Transport Layer Security) or is uploaded to a Secure File Transfer Protocol (“SFTP”) site for download by the necessary party. Many firms already maintain such policies, but deviation from the protocol by an individual attorney risks triggering a security breach for the firm at large under the Model Controls.
The second impact on individual attorneys is the mandate to impose these security requirements on any third party vendors (such as e-Discovery providers and cloud-based hosting vendors). The Model Controls require this imposition in writing prior to beginning the engagement, meaning that outside counsel would now be responsible for ensuring compliance before transmitting any data to a vendor they directly engage. While many third party vendors, like DiscoverReady, already have strict security requirements in place that align with the Model Controls, outside counsel now has increased responsibility to proactively analyze service provider security. Failure to do so risks creating unnecessary delays in the discovery process, which could jeopardize outside counsel’s ability to meet court ordered deadlines.
Importantly, the Model Controls make clear that the document is not intended to be a “definitive statement on the subject” or to “establish any industry standards for any purpose,” but rather to serve as a “resource providing practical information to in-house counsel.” Nevertheless, the Model Controls surely will become an important benchmark for law firms and other outside providers serving corporate law departments. Here at DiscoverReady, we’ve always been proud of our industry-leading information security program, and we welcome this additional guidance from the ACC.