The GC of a major, US-based corporation receives an email from a vice president in the chief security officer’s business unit, reading, “Hey, did you see this article? Whenever I go to IT security conventions, I hear about cybersecurity issues at law firms. What are we doing about that?” The email also contains a link to a LegalTech article titled “Law Firms Fail on Cybersecurity, and Corporate Clients Are Cracking Down.”
The legal press has extensively covered cybersecurity risks faced by law firms. Law firms are targets because they hold clients’ most sensitive and confidential information. Almost every week there’s a new headline underscoring this risk. But what should a client ask its outside counsel to do to keep the company’s information secure?
The ACC’s Model Controls
The Association of Corporate Counsel (“ACC”) has put together a set of suggestions, a good start for a cybersecurity discussion between a company and its outside counsel: “Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information.”
The Model Controls list 13 steps that law firms might take to protect confidential client information (“CCI”). In general terms, these steps align outside counsel’s security policies and practices with a client’s.
- Establish physical and electronic security measures and incident response protocols, including regular audits.
- Remove or return CCI within 30 days after a client request. This suggestion doesn’t apply to back-and-forth emails, attorney work product, public information, information counsel retains under legal or ethical obligations or for disaster recovery, and information (such as deleted files) that requires specialized tools to access.
- Use at-rest encryption of CCI, whether it’s stored with outside counsel or a third party vendor.
- Send CCI only via email with Transport Layer Security encryption, if a client requests this level of security.
- Require two-factor authentication for remote connectivity.
- Report security breaches within 24 hours of discovery using pre-established procedures.
- Maintain physical security for data centers.
- Establish logical access controls for CCI on a need-to-know basis.
- Track systems, employees and contractors for security incidents.
- Perform regular hacking/penetration tests and code review.
- Establish industry-standard system and network security processes, such as regular antivirus and malware scans.
- Permit audits of facilities, systems and practices covering CCI.
- Get ISO 27001 certification, if a client requests it.
- Background check employees, contractors and contingent workers with access to CCI.
- Get cyber liability insurance.
- Have subcontractors and vendors with access to CCI adopt the client’s security requirements.
The Model Controls state that they are a list of possible security steps, not a “definitive statement on the subject.” Instead, they’re “practical information [for] in-house counsel.” They don’t “establish any industry standards for any purpose.” But despite this disclaimer, the Model Controls are a valuable checklist of things to think about and discuss with outside counsel.
Two items in the Model Controls stand out as high-priority: encrypted email and vendor adoption of client requirements.
Encrypted Email
Many companies still use unencrypted email to communicate with outside counsel. Anyone who intercepts an unencrypted email message can read it. Modern email programs (such as Outlook and Gmail) support encrypted email, and encrypted messages are much harder to read even if they’re intercepted. It may therefore be a good practice to encrypt any email that includes CCI using Transport Layer Security. It is also good practice to transfer CCI using Secure File Transfer Protocol (“SFTP”) rather than File Transfer Protocol (“FTP”). Many law firms and vendors already support email encryption and SFTP; in fact, many of them strongly encourage clients to encrypt their email and file transfers.
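One way a company can check whether a message containing CCI actually travelled over Transport Layer Security is to read the "Received" headers that each mail server stamps on the message: a hop taken over TLS is normally marked "with ESMTPS" or carries a "version=TLS..." note, while a cleartext hop reads "with ESMTP". The following Python script is an added example, not code from the article or from the ACC; the two sample messages, host names and addresses in it are constructed for illustration.

```python
import email
import re

# Constructed sample: the hop from the law firm's mail server to the client
# used TLS, but the internal hop from the workstation to that server did not.
SAMPLE_MIXED = """\
Received: from mail.lawfirm.example (mail.lawfirm.example [203.0.113.10])
        by mx.client.example with ESMTPS id abc123
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256)
        for <gc@client.example>; Tue, 5 Mar 2019 10:00:00 +0000
Received: from workstation.lawfirm.example ([192.0.2.5])
        by mail.lawfirm.example with ESMTP id xyz789;
        Tue, 5 Mar 2019 09:59:58 +0000
From: partner@lawfirm.example
To: gc@client.example
Subject: Draft agreement (contains CCI)
Content-Type: text/plain

Attached is the draft.
"""

# Constructed sample: every hop protected by TLS (ESMTPSA = authenticated submission over TLS).
SAMPLE_ALL_TLS = """\
Received: from mail.lawfirm.example (mail.lawfirm.example [203.0.113.10])
        by mx.client.example with ESMTPS id def456
        (version=TLS1_2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256)
        for <gc@client.example>; Tue, 5 Mar 2019 11:00:00 +0000
Received: from laptop.lawfirm.example ([192.0.2.7])
        by mail.lawfirm.example with ESMTPSA id ghi789
        (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256);
        Tue, 5 Mar 2019 10:59:58 +0000
From: partner@lawfirm.example
To: gc@client.example
Subject: Signed agreement (contains CCI)
Content-Type: text/plain

Signed copy attached.
"""

# Markers that common MTAs (Postfix, Sendmail, Exim, Microsoft) put in a Received
# header when the hop was protected by TLS. A plain "with ESMTP" does not match.
TLS_MARKERS = re.compile(
    r"with\s+(?:ESMTPSA?|SMTPS|LMTPS)\b"   # "with ESMTPS" / "with ESMTPSA"
    r"|\bTLS_?v?1[._]\d"                   # "version=TLS1_2", "TLSv1.3"
    r"|\(using\s+TLS",                     # Exim-style "(using TLSv1.3 ...)"
    re.IGNORECASE,
)


def received_hops(raw_message):
    """Return one dict per Received header: the receiving host and whether TLS was used.

    Headers are listed newest first, i.e. the first entry is the hop into our own server.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())            # unfold continuation lines
        by = re.search(r"\bby\s+(\S+)", text)     # the server that wrote this header
        hops.append({
            "by": by.group(1) if by else "?",
            "tls": bool(TLS_MARKERS.search(text)),
        })
    return hops


def cleartext_hops(raw_message):
    """Names of receiving servers whose Received header shows no TLS marker."""
    return [h["by"] for h in received_hops(raw_message) if not h["tls"]]


def transported_over_tls(raw_message):
    """True only if the message has at least one hop and every hop was protected by TLS."""
    hops = received_hops(raw_message)
    return bool(hops) and all(h["tls"] for h in hops)


if __name__ == "__main__":
    for label, sample in (("mixed", SAMPLE_MIXED), ("all-TLS", SAMPLE_ALL_TLS)):
        print(f"{label}: TLS on every hop = {transported_over_tls(sample)}; "
              f"cleartext hops = {cleartext_hops(sample)}")
```

Two caveats a reviewer should keep in mind when using a check like this. First, only the Received header written by a server the company itself operates (here, mx.client.example) is trustworthy; earlier headers are supplied by the sender's side and can be incomplete or wrong, so a finding that the law firm's internal hop was cleartext is a question to raise with counsel, not proof. Second, TLS protects the message only while it is in transit between servers; it says nothing about whether the copies stored on either side are encrypted at rest, which the Model Controls treat as a separate item.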
Vendor Adoption of Client Requirements
Security only works if it applies everywhere that CCI is stored. That includes e-discovery and cloud storage vendors. The Model Controls recommend that clients insist that vendors accept their security requirements in writing, in an engagement agreement. This approach makes the vendor responsible for complying with the client’s requirements. It also means that a company and its outside counsel share the responsibility of selecting vendors that can meet the client’s standards. Many vendors already have procedures in place to meet industry-standard requirements. But others will struggle to meet them. Careful selection of a vendor with strong security procedures helps avoid risk, delay and expense.
Law firm and vendor cybersecurity matters. The ACC Model Guidelines lay out a good list of items for clients to think about and discuss with counsel to help protect the clients’ confidential information.