When hackers broke into the computer networks of two major law firms in New York last year, stealing confidential client information allegedly used for insider trading, cybersecurity jumped up on the list of issues keeping in-house counsel awake at night.
The targeting of the law firms served as a wake-up call for the legal industry. Indeed, in surveys, the Association for Corporate Counsel (ACC) has seen more and more in-house lawyers describe cybersecurity as “extremely” important.
What's a corporate legal department to do about it? For one, make sure a law firm—the hired gun—isn't the weak link in the company's cyber defense.
The ACC, an organization representing more than 42,000 in-house lawyers, on March 29 released its first set of model cybersecurity practices to help corporate legal departments ensure that outside firms safeguard their company's confidential information. The guidelines read like a contract between a company and its outside counsel, spelling out how the law firm will handle sensitive information. Among the association's “highly recommended” measures: Demanding that law firms encrypt all confidential information in their systems.
“It's a real threat and can really do some serious damage. These guidelines are meant as sort of a road map to find some common ground here on expectations,” said Brennan Torregrossa, vice president and associate general counsel at the pharmaceutical company GlaxoSmithKline, who helped draft the cybersecurity guidance.
Torregrossa said GSK general counsel Dan Troy once mused about having an established standard of guidelines rather than having to regularly haggle with law firms over cybersecurity. For law firms, it would mean setting a foundation for cybersecurity practices rather than creating individual protocols for each client.
The in-house association attached a couple of disclaimers to its guidelines. Corporate counsel should not use the model as a substitute for “legal analysis and good judgment; company's internal requirements and policies; or regulatory provisions.” And the group said that the model guidelines are not meant to establish any industry standards.
Several in-house legal teams and law firms participated in drafting the cyber guidelines, but Torregrossa declined to identify them in an interview, citing promises made while soliciting their feedback.
Cybersecurity protocols vary across the legal industry, Torregrossa said. Some firms will be better prepared to adopt the standards than others. He said one part of the guidance could create tension between inside and outside counsel: A suggested requirement that law firms report any actual or suspected breach within 24 hours to a designated contact at the client company.
“What I think is particularly interesting, and what I think really does go above and beyond anything in any agreement, is getting consensus on when a client should be notified of a breach of a law firm's servers and information,” Torregrossa said.
“A day is a very quick turnaround and a quick time to decide to notify a client of a breach or a suspected breach. I think it does set some guidelines between the firm and the client that, at least in my experience, have been difficult to navigate in discussions” with firms, he added.
The ACC's guidance, titled “Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information,” comes on the heels of a recent survey showing that two-thirds of top company lawyers view cybersecurity as “very” or “extremely” important.
Since 2014, the percentage of top in-house lawyers characterizing data breaches as “extremely” important has risen from 19% to 26% this year.
“We are increasingly hearing from ACC members, at companies of all sizes, that cybersecurity is one of their chief concerns, and there is heightened risk involved when sharing sensitive data with your outside counsel,” said Amar Sarwal, the ACC's vice president and chief legal strategist. “With these Model Information Protection and Security Controls, the in-house bar, with the help of outside counsel, is taking the lead on sharing established best practices to promote data security.”
*****
C. Ryan Barber writes for Corporate Counsel, an ALM sibling of Cybersecurity Law & Strategy. He can be reached at [email protected]. On Twitter: @cryanbarber