We counsel all types of clients about the importance of protecting themselves and those they serve from the dangers of cyber attacks and intrusions into their electronic systems and digital lives. When we offer such counsel, we talk about things such as the importance of identifying cyber risk, ways to minimize that risk, having a plan in place if or when a cyber attack occurs and the benefits of cybersecurity insurance coverage. But what do our clients expect when they share with us, as outside counsel, sensitive or privileged information? The answer to that question often comes in many forms depending upon the client and the nature of the client’s business.
Over the better part of the last decade, we have seen the number of cybersecurity incidents and breaches involving law firms rise dramatically. During that time period, the FBI has issued numerous advisories and notifications to law firms warning that our industry was being targeted by cyber criminals as a result of critical information and data held by law firms in providing legal services to clients.[1] In its 2017 Legal Technology Survey Report, the ABA noted that 22% of its respondents reported having suffered a data breach in 2017 compared to 14% in 2016. As cyber attacks against law firms increase, our clients become more concerned about how we handle and protect their critical, sensitive and privileged information and data.
In light of the sharp uptick in cyber attacks, corporate clients are increasingly making demands upon their outside counsel to best ensure the security of their information and data. Many corporate clients require outside law firms to submit lengthy requests for proposal outlining the firm’s cybersecurity policies and procedures, require outside firms to undergo cybersecurity audits, require outside firms to identify and provide the firm’s process for reporting suspected or actual breaches of the law firm’s systems, impose limitations on a law firm’s ability to hire third-party vendors or contractors, or require outside firms to maintain certain cybersecurity insurance coverage.
Further, in response to growing concerns over cybersecurity and law firms who service their members, in 2017, the Association of Corporate Counsel (“ACC”) published its Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information.[2] These Controls, created to “serve as a benchmark for law firm cybersecurity practices,”[3] identify data security controls to protect “Company Confidential Information” which includes any proprietary information that is not publicly available.[4] The Controls address issues such as:
- Retention of Confidential Information, including the time period and purposes for such retention.
- Return or Destruction of Confidential Information upon completion of the engagement.
- Handling of Data, including encryption, data security breach reporting, and compliance with all applicable laws, regulations and ordinances.
- Physical security for locations in which Confidential Information is located or may be accessed.
- Logical Access Controls designed to manage access to Company Confidential Information.
- Monitoring of network and employees and other individuals who may have access to Company Confidential Information.
- Use of Vulnerability and Risk Assessments and Testing Controls.
- System Administration and Network Security.
- Corporate Client Security Review Rights allowing a company to inspect, examine and review facilities, books, and data handling practices used in rendering legal services to companies.
- Industry Certification or Other Security Requirements.
- Background Screening of Employees, Subcontractors and other Workers.
- Requirement to obtain and maintain Cyber Liability Insurance.
- Requirements for Outside Counsel Subcontractors.
Use or implementation of such Controls would need to comply with applicable law as well as outside counsel’s ethical obligations to each of his or her clients, but can be a helpful tool to promote awareness of and prevention of cybersecurity risk. Such efforts and advances in law firm cybersecurity are supported by the ABA. In August 2014, the ABA adopted Cybersecurity Report and Resolution 109, as revised, providing “RESOLVED, That the American Bar Association encourages all private and public sector organizations to develop, implement, and maintain an appropriate cybersecurity program that complies with applicable ethical and legal obligations and is tailored to the nature and scope of the organization, and the data and systems to be protected.”[5]
More recently, the Corporate Legal Operations Consortium’s Law Firm Cybersecurity Initiative has taken up a similar goal to develop industry standards for law firms’ cybersecurity policies and procedures to protect client data.[6]
Law firms that seek to represent corporate clients must be prepared to meet such expectations. While the Model Rules of Professional Conduct require that “a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology…”[7], corporate client demands for cybersecurity policies will likely surpass that requirement.
This article was prepared by Holly M. Whalen, Esq. We trust that the above article was useful and thought-provoking; however, please note that it is intended as a general guide only, not a complete analysis of the issues addressed, and readers should always seek specific legal guidance on particular matters.
1. See November 1, 2009 FBI Advisory Warning; FBI Advisory Warning, January 2010; FBI Private Industry Notification, Alert No. 160304-001, March 4, 2016.
2. Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information. ©2017 Association of Corporate Counsel.
3. March 29, 2017 Press Release, www.acc.com.
4. Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information. ©2017 Association of Corporate Counsel at p. 2.
5. ABA Cybersecurity Report and Resolution 109, August 2014.
6. Legal Departments Developing Criteria to Judge Outside Counsel Data Defenses, Spiezio, Caroline, www.Law.com, March 26, 2018.
7. ABA Model Rule of Professional Conduct 1.1.