The Association of Corporate Counsel (ACC), which represents over 42,000 in-house counsel across 85 countries, recently released its ACC Chief Legal Officers (CLO) 2017 Survey which found that two-thirds of in-house legal leaders ranked data protection and information privacy as ‘very’ or ‘extremely’ important.  In response to this growing concern, the ACC recently released “first-of-its-kind” safety guidelines to help “in-house counsel as they set expectations with their outside vendors, including outside counsel.” Firms concerned about facing these guidelines should review their cybersecurity risk management policies, procedures and practices.

The Controls

The Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information (“the Controls”) were developed in a joint effort between in-house counsel members of the ACC together with several law firms specialized in data security related issues. This joint effort signifies the importance of cohesion between in-house and outside counsel when handling sensitive corporate data. “We are increasingly hearing from ACC members, at companies of all sizes, that cybersecurity is one of their chief concerns, and there is heightened risk involved when sharing sensitive data with your outside counsel,” said Amar Sarwal, ACC vice president and chief legal strategist.

The Controls address a broad range of data security related measures including: data breach reporting, data handling and encryption, physical security, employee background screening, information retention/return/destruction, and cyber liability insurance. Particular measures may be too burdensome under the circumstances, while the Controls as a whole may not be sufficient to satisfy applicable legal requirements such as the HIPAA privacy and security rules for business associates. Still, the Controls include a number of measures firms will have to consider carefully. For example, the Controls suggest that outside counsel be required to maintain

logical access controls designed to manage access to Company Confidential information and system functionality on a least privilege and need-to-know basis, including through the use of defined authority levels and job functions, unique IDs and passwords, [and] two-factor or stronger authentication for its employee remote access systems.

The Controls also would require outside counsel to be responsible for its subcontractors with access to confidential information, including by requiring those subcontractors to abide by the Controls. As for data breach notification, the Controls recommend a short time frame – under the Controls, outside counsel would be required to notify a client within 24 hours of discovering an actual or suspected incident.

It is the hope of the ACC that the Controls will serve as a “best practice”, standardizing the protocols companies implement when interacting with third-party vendors who may have access to sensitive corporate data, and ensuring that adequate protections are in place to prevent and respond to a data breach. Law firms should not be surprised to see these Controls, in one form or another, included in litigation and other guidelines mandated by their corporate clients.