June 22, 2017


Association of Corporate Counsel Develops Model Information Protection and Security Controls for Outside Vendors, Including Outside Counsel

The Association of Corporate Counsel (ACC), which represents over 42,000 in-house counsel across 85 countries, recently released its ACC Chief Legal Officers (CLO) 2017 Survey, which found that two-thirds of in-house legal leaders ranked data protection and information privacy as "very" or "extremely" important. In response to this growing concern, the ACC recently released "first-of-its-kind" security guidelines to help "in-house counsel as they set expectations with their outside vendors, including outside counsel." Law firms that expect to be held to these guidelines should review their cybersecurity risk management policies, procedures and practices now, before a client puts the guidelines in front of them.

The Controls

The Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information ("the Controls") were developed jointly by in-house counsel members of the ACC and several law firms that specialize in data security. The joint effort reflects how much handling sensitive corporate data depends on coordination between in-house and outside counsel. "We are increasingly hearing from ACC members, at companies of all sizes, that cybersecurity is one of their chief concerns, and there is heightened risk involved when sharing sensitive data with your outside counsel," said Amar Sarwal, ACC vice president and chief legal strategist.

The Controls address a broad range of data-security measures, including data breach reporting, data handling and encryption, physical security, employee background screening, information retention, return and destruction, and cyber liability insurance. Some measures may be more burdensome than a particular engagement warrants; conversely, the Controls as a whole may not satisfy every legal requirement that applies to the data, such as the HIPAA Privacy and Security Rules for business associates. Still, the Controls include a number of measures firms will have to consider carefully. For example, the Controls suggest that outside counsel be required to maintain

logical access controls designed to manage access to Company Confidential information and system functionality on a least privilege and need-to-know basis, including through the use of defined authority levels and job functions, unique IDs and passwords, [and] two-factor or stronger authentication for its employee remote access systems.

The Controls also would make outside counsel responsible for its subcontractors with access to confidential information, including by requiring those subcontractors to abide by the Controls. As for data breach notification, the Controls recommend a short time frame: outside counsel would be required to notify a client within 24 hours of discovering an actual or suspected incident. Note that the clock starts on discovery of a suspected incident, not on confirmation that data was compromised, so a firm will need an incident response process that escalates suspected incidents to the client relationship team quickly enough to meet that deadline.

The ACC hopes the Controls will serve as a "best practice," standardizing the protocols companies implement when interacting with third-party vendors who may have access to sensitive corporate data and ensuring that adequate protections are in place to prevent and respond to a data breach. Law firms should not be surprised to see these Controls, in one form or another, included in the litigation and other outside counsel guidelines mandated by their corporate clients.

Jackson Lewis P.C. © 2017

About this Author

Principal

Joseph J. Lazzarotti is a Principal in the Morristown, New Jersey, office of Jackson Lewis P.C. He founded and currently helps to co-lead the firm's Privacy, e-Communication and Data Security Practice, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals.

In short, his practice focuses on the matrix of laws governing the privacy, security and management of data, as well as the impact and regulation of social media. He also...

973-538-6890

Associate

Damon W. Silver is an Associate in the New York City, New York, office of Jackson Lewis P.C.

In his Privacy, e-Communication and Data Security practice, Mr. Silver advises clients in various industries on compliance with federal and international privacy laws, including HIPAA, the ADA, GINA, FMLA, the TCPA, FCRA, and the EU-U.S. Privacy Shield. He also provides guidance to organizations on data breach prevention and response.

In the area of employment litigation, Mr. Silver defends employers in federal, state, arbitral, and administrative proceedings against discrimination and retaliation claims under Title VII, the ADA, the ADEA, FMLA, and New York state and city laws; against wage and hour claims under the FLSA and New York Labor Law; and against contractual and workplace tort claims. He also counsels employers regarding personnel and policy decisions.

212-545-4063