CANADIANLAWYERMAG.COM/INHOUSE JULY 2017
"Some breaches in the U.S. brought attention
to the fact law firms can be a target,
and in this day and age any law firm can
be a target," says Wasser. "I have read a lot
of articles that say law firms are the weak
link and I think that was probably true in
the past, but I do think, especially with the
breaches that happened last year, that law
firms are very quickly coming up to speed."
Lawyers and law firms have always had a
duty in terms of confidentiality with client
information, but companies are becoming
more sophisticated in knowing they need
to build contractual protections into their
agreements with their service providers and
that includes their outside law firms.
"I think when talking about service providers
there is a two-step approach — contractual
protection, which can help you
in the event of a breach, and allocating liability,
but also nobody wants to have that
breach to start with. I think the first step is
to do some due diligence and ask questions
to make sure a service provider is taking the
steps necessary to secure information the
best they can."
The problem, too, says Wasser, is that in
many instances breaches are not being perpetrated
by the people you are entrusting
the information to — many are the result of
outside intrusions and cyberattacks.
"I think a lot of organizations are asking
their service providers including their law
firms what are your processes and getting
the information they need about whether
further steps need to be taken to protect the
information before they get to the contract
stage," she says.
This spring, the Association of Corporate
Counsel issued guidelines for law firm cybersecurity.
The push for guidelines has been
driven largely by one of the most regulated
sectors law firms deal with, says Amar Sarwal,
ACC vice president and chief legal strategist.
"It's been driven largely by the financial
services industry, particularly the banks
as they have been getting pressure for a
number of years from the regulators who
are pushing them to closely monitor and
audit their entire supply chain," says Sarwal.
"There was definitely a push by the big
banks, but the goal of the ACC is to give
guidance to in-house departments writ
large, not just one particular industry."
The ACC's safety guideline for
outside counsel who have access to
sensitive company data as part of
their engagements with corporate law
departments is called "Model Information
Protection and Security Controls for Outside
Counsel Possessing Company Confidential
Information" and serves as a benchmark for
law firm cybersecurity practices.
Encompassing information retention/
return/destruction, data handling and encryption,
data breach reporting, physical
security, employee background screening
and cyber-liability insurance, the model
requirements are based on ACC members'
experience, past data security audits and
learned best practices in ensuring that sensitive
client data remains confidential.
"We are increasingly hearing from ACC
members, at companies of all sizes, that cybersecurity
is one of their chief concerns, and
there is heightened risk involved when sharing
sensitive data with your outside counsel,"
says Sarwal. "With these Model Information
Protection and Security Controls, the in-house
bar, with the help of outside counsel,
is taking the lead on sharing established best
practices to promote data security."
A number of ACC members worked
together to draft the guidelines, receiving
input from several law firms on the standards.
The guidelines are being issued on
the heels of the "ACC Chief Legal Officers
(CLO) 2017 Survey" finding that information
privacy and data breaches/protection
of corporate data were ranked as "very"
or "extremely" important by two-thirds of
CLOs and general counsel. Since 2014, the
percentage of GCs and CLOs rating
data breaches as "extremely" important has risen
to 26 per cent this year from 19 per cent.
"The trust between a law firm and a client
is fundamental to a productive attorney-client
relationship. A vital way for law
firms to gain client trust is to protect the
confidential information provided to them
by their clients from cyber-threats," said
Brennan Torregrossa, vice president, associate
general counsel and head of the global
external legal relations team at GlaxoSmithKline,
whose law department assisted
in developing the guidelines. "These model
controls should be extremely valuable to
ACC legal departments and law firms alike
to ensure that adequate tools and processes
are in place to provide cyber-protection and
to take agreed-upon steps in the event of a
breach. In a time of rapidly developing risks
and threats, clients and law firms need to
respond in unison with speed and clarity."
Many corporate law departments conduct
data security audits when they retain a new
law firm, a responsibility increasingly held
by corporate legal operations professionals
who manage outside counsel relationships.
According to the "ACC Foundation: The
State of Cybersecurity Report," more than
one quarter of in-house counsel are "not
confident" or "not sure" regarding their law
firms' data security. The ACC guidelines
will give companies a benchmark when creating
their own requirements for outside
counsel or when initiating a security audit.
Sarwal says large law firms have done a
better job nailing down protocols because
they have been under pressure from their clients
for some time now to address the issue.
He thinks the largest firms in Canada
have been more proactive on a wide array
of issues. "They aren't perfect and there's
more work to be done, but they've been
more collaborative," he says.
The mid-size firms on both sides of
the border are the intended targets of the
ACC's model.
In the context of law firm mergers, Sarwal
says that, in some cases, the in-house counsel
have taken a hard look at the merged
firm and wondered whether it has the same
information security protocols that they
agreed to with the acquirer firm.
"It does require some ingenuity on the
part of in-house counsel and the outside
Law Department Management