How do you tell a law firm or vendor that you’re concerned about their data security? Or, more importantly, how do you tell them what you’re looking for in a safe and secure business partner?
The Association of Corporate Counsel has language that can help. The ACC has released its first-ever guidelines on data security for outside law firms. The new model guidelines, which the ACC developed for in-house counsel to use with their external legal providers, are drafted in such a way that they can easily be used independently or incorporated into a policy or agreement with any outside law firm that handles the company’s sensitive information.
ACC’s Data Security Guidance: What Does it Cover?
The model document covers key topics such as management of Company Confidential Information (which is defined with great specificity, while leaving room for the company to expand the definition if needed), document retention, system requirements, data encryption, data security breaches, physical security protection, data access controls, monitoring, liability, insurance requirements, and the use of subcontractors (e.g. third-party data storage).
The guidelines allow corporate counsel to call for:
- Annual reviews of law firm or vendor procedures to address:
  - Compliance with local, state and federal laws,
  - Cyber liability insurance (at the firm’s cost), and
  - Annual risk assessments.
Outside Counsel Data Protection
The guidelines’ recommended encryption and data protection language incorporates and references the U.S. Federal Information Processing Standard 140-2 (FIPS 140-2), issued by the National Institute of Standards and Technology, at Security Level 2. They also recommend adding an optional provision regarding ISO certification. Under the model vendor agreement, the ACC recommends that a legal vendor use cryptography validated to FIPS 140-2 Level 2 at a minimum (Level 4 is the highest). Note that FIPS 140-2 is NIST’s validation standard for cryptographic modules rather than a measure of algorithm strength; Level 2 adds requirements such as tamper-evident physical security and role-based authentication on top of the basic Level 1 requirements.
Document retention is dealt with concisely in the model document. Specifically, retention is permitted only for as long as is necessary to satisfy the purpose for which the document(s) was provided to the vendor, unless otherwise required by law. Return or destruction, however, is subject to a number of conditions and exclusions that are drafted to accommodate the firm’s standard practices, such as computer backup procedures and the burden of destroying files upon request. Whenever the company asks the vendor to return or destroy Company Confidential Information (CCI), the vendor must certify compliance within 30 days of the request.
Dealing with Data Breaches
Data breach reporting is a key provision in the new guidelines. Any data security breach (defined in the section as “any suspected or actual unauthorized disclosure, loss, or theft of Company Confidential Information”) requires notification within 24 hours of the discovery to a designated company contact.
Additionally, the model language requires the vendor to make any notifications required by law (such as disclosures to customers if personally identifiable information were compromised), and to fully cooperate with the company in identifying the root cause of the breach. The vendor also must provide a single point of contact for the company for the full duration of the breach investigation and make that contact available on a 24/7 basis. That person must be authorized to act on behalf of the vendor, and must either be knowledgeable about the vendor’s network architecture and information technology systems or have full access to that information.
The model document also contains requirements for personnel security protocols including background screening, network security, access to the physical location where the data is stored, annual risk assessments, and security training for law firm personnel.