WASHINGTON (March 29, 2017) –– The Association of Corporate Counsel (ACC), a global legal association representing more than 42,000 in-house counsel in 85 countries, today announced the release of safety guidelines for outside counsel who have access to sensitive company data as part of their engagements with corporate law departments. The guidelines, “Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information,” will serve as a benchmark for law firm cybersecurity practices.
Encompassing information retention/return/destruction, data handling and encryption, data breach reporting, physical security, employee background screening, and cyber liability insurance, the model requirements are based on ACC members’ experience, past data security audits, and learned best practices in ensuring that sensitive client data remains confidential.
“We are increasingly hearing from ACC members, at companies of all sizes, that cybersecurity is one of their chief concerns, and there is heightened risk involved when sharing sensitive data with your outside counsel,” said Amar D. Sarwal, ACC vice president and chief legal strategist. “With these Model Information Protection and Security Controls, the in-house bar, with the help of outside counsel, is taking the lead on sharing established best practices to promote data security.”
A number of ACC members worked together to draft the guidelines, receiving input from several law firms on the standards. The guidelines are being issued on the heels of the ACC Chief Legal Officers (CLO) 2017 Survey finding that information privacy and data breaches/protection of corporate data were ranked as “very” or “extremely” important by two-thirds of CLOs and general counsel (GCs). Since 2014, the percentage of GCs and CLOs expressing data breaches as “extremely” important rose from 19 percent to 26 percent this year.
“The trust between a law firm and a client is fundamental to a productive attorney-client relationship. A vital way for law firms to gain client trust is to protect the confidential information provided to them by their clients from cyber threats,” said Brennan Torregrossa, vice president, associate general counsel, and head of the global external legal relations team at GSK, whose law department assisted in developing the guidelines. “These model controls should be extremely valuable to ACC legal departments and law firms alike to ensure that adequate tools and processes are in place to provide cyber protection and to take agreed upon steps in the event of a breach. In a time of rapid developing risks and threats, clients and law firms need to respond in unison with speed and clarity.”
Many corporate law departments conduct data security audits when they retain a new law firm, a responsibility increasingly held by corporate legal operations professionals that manage outside counsel relationships. According to the ACC Foundation: The State of Cybersecurity Report, more than a quarter of in-house counsel are “not confident” or “not sure” regarding their law firms’ data security. The ACC guidelines will give companies a benchmark when creating their own requirements for outside counsel, or when initiating a security audit.
To read the law firm data security guidelines, visit http://advocacy.acc.com/2017/03/model-information-protection-and-security-controls-for-outside-counsel-possessing-company-confidential-information/.