
Corporate Counsel Connect collection

June 2017 edition

Thirteen recommendations for law firm cybersecurity practices

Carrie Brooker

Is your legal department's sensitive information vulnerable to a cyberattack? It's a question many corporate counsel are wrestling with in the wake of reported data breaches at several international law firms. Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP were among the victims of hacker attacks last year, and hackers were responsible for leaking client information from the Panamanian law firm Mossack Fonseca.

These data breaches should serve as a wake-up call for corporate counsel. The answer may lie in new guidance from the Association of Corporate Counsel, which outlines how law firms can protect, store and transmit the confidential information of their legal department clients. The guidance is intended to help legal departments establish cybersecurity best practices with their law firms, and can serve as a benchmark for legal departments creating their own requirements for outside counsel or initiating a security audit.

Below are the 13 sections that the guidance – drawn from ACC legal department members' experience, data security audits and existing best practices – addresses to help ensure that sensitive client data remains confidential.

  1. Policies and procedures: The ACC guidance stresses that law firms must take the lead in implementing policies and procedures to address their clients' cybersecurity concerns. These policies must thoroughly address the organizational and technical measures to be put in place to protect confidential information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. The guidance also stresses ongoing information security training for all law firm employees.
  2. Retention and return/destruction: The ACC guidance provides recommendations related to the retention, return, and deletion or destruction of confidential information, along with related certification requirements.
  3. Data handling: The ACC guidelines emphasize the importance of encryption in protecting confidential information and outline mechanisms for encrypting data while in transit and while residing on internal systems, as well as on removable and mobile devices. The guidance also establishes procedures for disclosing a data security breach.
  4. Physical security: The ACC guidance describes how to implement general measures for physically securing confidential information against unauthorized access.
  5. Logical access controls: The ACC guidelines detail the logical access controls law firms should have in place to manage access to confidential information and system functionality on a least privilege and need-to-know basis. The ACC guidance notes that enforcement of logical access controls enables access to be immediately revoked or modified in response to job terminations or changes, as needed.
  6. Monitoring: The ACC guidance explains how law firms should continuously monitor networks and employees, subcontractors, and contingent workers for malicious activity and other activity that could cause damage or vulnerability to confidential information.
  7. Vulnerability controls and risk assessments: The ACC guidelines recommend how often to perform vulnerability tests and assessments of systems containing confidential information. The ACC guidelines also specify that law firms should have application security controls in their software development process to eliminate or minimize the introduction of security vulnerabilities.
  8. System administration and network security: The ACC guidance advises law firms to implement operational procedures and controls – including antivirus protection, malware and threat detection software, firewalls, and intrusion detection and prevention systems, among others – to ensure that technology and information systems are configured and maintained according to prescribed internal standards and consistent with applicable industry standard safeguards.
  9. Security review rights: The ACC guidelines recommend that law firms' facilities, books, systems, records, data, practices, and procedures be made available for inspection and review by auditors and regulators in order to monitor and examine them to verify the integrity of confidential information, and to monitor compliance with the confidentiality and security requirements.
  10. Industry certification/additional security requirements: The ACC guidelines urge law firms to achieve ISO27001 certification and to implement additional security requirements, as needed or requested.
  11. Background screening of outside counsel employees, subcontractors, and contingent workers: The ACC guidance recommends conducting background screening for all employees, subcontractors, and contingent workers who work with or come into contact with confidential information, including an annual certification to verify that all personnel who work with sensitive information have passed background screening requirements.
  12. Cyber liability insurance: The ACC guidelines advise law firms to obtain cyber liability insurance coverage from an insurance company with a minimum credit rating of A- from Standard & Poor's or an equivalent rating agency, with a minimum coverage level of $10,000,000.
  13. Subcontractors: The ACC guidelines urge law firms to take responsibility for all subcontractors – including reprographics vendors, off-site storage vendors and cloud server hosting facilities – that have access to confidential information. The ACC guidance emphasizes that obligations should be subcontracted to a third party only by way of written agreement, imposing the law firm's own information protection model.

Access the full ACC guidance on law firm cybersecurity practices in this PDF file.
