In a previous blog, we noted that law firms have an ethical and legal duty to safeguard and protect client secrets, confidences and sensitive information, which may include personal identifying information or personal identifying health information. With respect to attorneys’ ethical obligations to protect such information, ABA Model Rules 1.1 and 1.6 require attorneys to take competent and reasonable measures to safeguard information relating to their clients. As for the legal duty, federal and state statues, as well as duties recognized under the common law impose obligations upon law firms to implement, among other things, written information security programs and data security policies to safeguard protected confidential and sensitive information.
We also previously noted that hackers choose their mark indiscriminately, seeking only a vulnerable network to penetrate that maintains information they can monetize. The value of the cache of sensitive data and exploitability of a network, rather than size, are the determinative factors of whether a law firm is targeted by a hacker. While law firms of all sizes have been subject to attack, last year a number of BigLaw Firms, including Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP, were reported to have been hacked in efforts by cyber criminals seeking to profit by illicitly obtaining insider information regarding merger deals in which the firms were counsel. In BigLaw, it was reported that in 2016 more than 45 firms were subject to cyber attacks in efforts to obtain information relating to mergers and acquisitions being worked on by those firms.
Mindful that law firms, like any other third party vendors entrusted with sensitive information may be subject to cyberattacks, this week the Association of Corporate Counsel (“ACC”) issued the “Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information" (“Model Controls”) …. to provide a list of baseline security measures and controls some legal departments may consider requiring from outside vendors.” The Model Controls or guidelines set forth policies and procedures in which the ACC indicates some legal departments may want to consider requiring of their vendors, including law firms (outside counsel). Some of the guidelines include:
- Policies and procedures to protect confidential information, including preventing such information from “accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and nature of the information to be protected, as well as having internal security and privacy policies in place to keep the information secure"
- Incident response plans that provide for “reasonable investigation, response, mitigation, and notification of events that implicate the confidentiality, integrity, and availability of Outside Counsel’s technology and information assets, or events that cause the unauthorized or unintentional disclosure of Company Confidential Information”
- Retention/Return Destruction policies that require the return of documents upon completion of the assignment, unless applicable law, regulations or professional ethical rules require retention by outside counsel for a longer period. Subject to certain exceptions, at the conclusion of the engagement, the guidelines provide that outside counsel should be required to return or destroy confidential information. Exceptions include, among others, emails without confidential information, work product, information that becomes part of the public domain and information required to be maintained by outside counsel pursuant to law, regulation or professional ethical rules
- The use of encryption for confidential information in transit and at rest, including encryption of email, portable devices and media
- Data breach reporting, including compliance with applicable laws and statutes (including applicable notification provisions) and notification by outside counsel to the company with 24 hours of discovery of the breach and cooperation with identifying the cause of the breach and remediation relating thereto
- Provide physical security of confidential information against unauthorized access through, among other things, issuance of picture identification badges, maintaining security guards monitoring entrance(s) to the facility where company confidential information is stored, processed or destroyed, close circuit TV surveillance and alarm system
- Access control systems that “manage access to company confidential Information and system functionality on a least privilege and need-to- know basis, including through the use of defined authority levels and job functions, unique IDs and passwords, two-factor or stronger authentication for its employee remote access systems (and elsewhere where appropriate).” The guidelines suggest that the access controls should allow for changes and revocation of access and privileges as needed
- Continuous monitoring of networks
- Periodic (at least annual) vulnerability and risk assessments
- ISO27001 certification, recommended but not required
- Cyber liability insurance with a minimum coverage level of $10,000,000
- Responsibility for subcontractors (third party vendors) retained by outside counsel rests with outside counsel, with the requirement that they impose the Model Controls governing their relationship with the company.
While the foregoing only reflects some of the Model Controls issued by ACC for consideration by its member companies, it demonstrates that companies are insisting that their outside counsel undertake efforts to safeguard their data, with established policies and procedures implemented. As these guidelines are incorporated into vendor contracts, outside counsel will be required to establish best practices to protect confidential information. The Model Controls provide a set of expectations that outside counsel will likely be required to meet to continue servicing their clients. To that extent, it provides a clear guidance to outside counsel. As the cost of a breach, including crisis management, reputational harm, notification compliance, mitigation and remediation, credit and fraud services and litigation expenses, to name a few, can be substantial, companies will seek assurances from their outside counsel that they will not become their weakest link in their efforts to protect confidential information.
To the extent not already in place, adopting and installing polices in accordance with the ACC guidelines will become necessary to continue to serve as outside counsel for a number of companies who adopt all or part of the Model Controls.