In the wake of recent high-profile data breaches, such as November's Target Corp., many corporate legal departments and IT leaders are tightening up network security. And they expect their outside counsel to do the same.
Here are eight practical steps you can take to minimize your corporation's risk and be sure that your lawyers are in synch. Consider including security requirements in your outside counsel engagement letters and billing guidelines:
1. Control access: Make sure that access to your company’s documents is limited to only law firm personnel who are working on the engagement.
2. Control communication: When communicating about the corporation, require that firm personnel only communicate internally and externally via firm-owned email systems. That helps the firm maintain control over client-related communications. Preclude law firm personnel from using their own mobile devices, personal email accounts, or personal computers to work on your matters.
3. Limit delivery and exchange of client-related documents to secure channels. Your company’s IT department or the firm’s support staff can probably help you create a secure FTP (file transfer protocol) site that would securely deliver documents relating to your matters to your outside counsel. To the extent possible, require your firm to limit the production of documents containing personal information or at least require outside counsel to always encrypt delivery of such records.
4. Restrict document sharing: Block the use of Dropbox, Skydrive and other document-sharing sites from law firm networks to minimize the risk of sharing client-related documents outside of the firm. Also ask your outside counsel to disable Outlook’s autopopulate feature and similar tools that could result in your company’s documents being delivered to unintended recipients.
5. Secure its internal computer networks with the use of anti-virus software, malware protection, firewalls, and strong passwords that are stored securely. A note about passwords: they can be easy to crack, so require at least a 12-character password that is unique to the law firm’s systems. Encrypt information as much as possible, whether produced to others or stored on your computers. Laptops should be protected with whole disk encryption, especially since stolen and lost laptops are one of the leading causes of law firm data breaches. Physically secure computer equipment, file rooms, and the firm’s physical and virtual office spaces.
6. Properly dispose all documents relating to the engagement at the end of the assignment. This is an often-overlooked step in the retention process. Don’t forget about data that may reside on the firm’s copiers, scanners or other equipment. Many state laws now mandate how business records must be destroyed if they contain personally identifiable information. Research the laws applicable to your company and make sure your outside counsel complies with them.
7. Conduct background checks on all personnel who work on your matters. This would include law school interns, clerks, temporary employees, contract employees, contingent workers, and support staff who may be working on document reviews or other tasks.
8. Create and implement a security breach plan, including immediate notification to your company in the event of an actual or suspected breach. All attorneys and support staff should be trained about those procedures.
NOT JUST YOUR LAW FIRM
These same requirements should be included in contracts with your expert witnesses and other vendors. You may need to do your own checking to confirm the firm’s compliance with any security protocols or hire an independent third party to do so.
Attorneys have an obligation to protect confidential client information. This duty is not limited to privileged information, but includes all information relating to a client or furnished by the client acquired during the course of representation. To the extent that a client is damaged by a data breach occasioned by a lawyer’s revelation of confidences, the firm may be subject to disciplinary action or malpractice actions. The threat of reputational harm may be the best deterrent. Outside counsel in today’s digital world must make protecting client data an integral part of the overall engagement.
Allison Brecher is senior litigation counsel and director of information management and strategy at Marsh & Mc
Allison Brecher is senior litigation counsel and director of information management and strategy at Marsh & Mc
No comments:
Post a Comment