The Association of Corporate Counsel (ACC) recently released their “Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information,” which specify baseline security measures that legal departments may require of outside counsel and set expectations with respect to their data security practices.
This comes just as the New York State Department of Financial Services (NYS DFS) cybersecurity requirements went into effect on March 1 this year.
Law firms need to pay attention to both developments. The ACC guidelines will set client expectations of law firms while the DFS regulations mandate requirements for financial institutions operating in New York which extend to their service providers, including law firms. Most of the world’s notable brands have a presence in New York, so it’s hard to imagine many firms not being subject to compliance.
The New Standard of Care
Together, the ACC recommendations and the NYS DFS regulations create an impactful story for the legal services industry: They establish an effective standard of care with regard to the handling of client data.
Lawyers appreciate the importance of standards of care; they’re the benchmarks against which firms are measured when evaluating whether they acted appropriately, whether they’ve met the minimum expected behavior.
Once established, a standard of care is used to establish negligence or prove failure to meet an obligation. For example, if a firm is alleged to have committed malpractice and it is proven that the firm performed below the industry-established standard of care, it is more likely to be found liable.
A similar construct exists in medical malpractice actions—the relevant standard of care for any procedure would be relied upon to determine whether a doctor was negligent.
When it comes to the protection of client data by law firms, we are already seeing the definitions of this standard being tested in the class action suit against Chicago law firm Johnson & Bell.
Many of the information protection security controls proposed by the ACC and contained within the NYS DFS cybersecurity regulation are already considered best practices for both physical and electronic assets, and many may already be in place at most law firms.
However, much remains to implement. Firms located in some regions have not traditionally been as concerned about physical access inside their offices; they will need to adjust, taking steps such as securing certain areas. Most firms provide remote desktop access, yet many still have not implemented two-factor authentication; they will need to do so.
However, the most significant change—and one which will require most firms to take immediate action—impacts the standard of care for protecting non-public, electronic information. In short, the old standard of care that allowed firms to operate ‘optimistic’ or open environments inside their firewall is dead.
The former standard, which consisted of locking down a firm’s perimeter via a firewall and allowing anyone inside the firewall (i.e. everyone working at the firm) full access to non-public client information, is no longer acceptable. The new standard, clearly established by both the ACC guidelines and the NYS DFS regulations, is ‘need-to-know’ access.
Here’s the lowdown. From the ACC Model Information Protection guidelines:
“Outside Counsel must have logical access controls designed to manage access to Company Confidential Information and system functionality on a least privilege and need-to-know basis.”
From the NYS DFS Cybersecurity regulations: Section 500.07 Access Privileges.
“As part of its cybersecurity program, each Covered Entity shall limit access privileges to Information Systems that provide access to Nonpublic Information solely to those individuals who require such access to such systems in order to perform their responsibilities and shall periodically review such access privileges.”
Firms must now fundamentally change an entrenched practice that has heretofore allowed everyone within the firewall access to sensitive information, from the obvious data repository of a firm’s document management system through to its time and billing systems.
Moreover, though some might mistakenly believe that limiting access in their document management system alone will suffice, a recent high-profile case of insider trading stemming from unauthorized viewing of time entry narratives demonstrates the broader need for limiting access to all systems which contain nonpublic client information. Clearly, this change will have a meaningful impact upon how firms operate.
Historically, firms have relied upon the open access model to foster knowledge-sharing, mostly for the benefit of repurposing content and templates. Thankfully, today, effective knowledge and experience management tools have been developed which can support more appropriate knowledge sharing and templating without having to resort to open access. These modern systems make it possible for firms to meet the stricter security mandates.
Meanwhile, not all the information in a law firm is confidential. Many of the documents that are filed with government agencies and courts are in the public domain. Firms are able to treat public data differently and enable access across the firm. The challenge firms struggle with is building a unified process that allows this public information to be classified correctly.
How to Implement Controls for Confidentiality
While changing to a need-to-know model may be challenging, thanks to technology it can be accomplished without negatively impacting a firm’s workflow. Some firms have built internal systems to try to manage the security, but those often fail to scale and, ultimately, it shouldn’t be an IT job.
Need-to-know security should be calibrated appropriately based on client requirements; it doesn’t automatically mandate that all matters be secured only to their respective matter team. Firms will need to work through a set of steps when setting controls for confidentiality:
Determine what data is confidential;
Understand how that data should be compartmentalized to the most appropriate groups;
Create a set of controls that define what options are available for partners to select; and
Determine the appropriate level of self-service, if any, for each compartment of data.
The appropriate security level for each client’s confidential data is a decision best made by a firm’s relationship partner in conjunction with the client. Once that determination is made, the most effective and efficient method for implementing and maintaining that security is via software. Relationship partners must work with clients to establish what constitutes ‘least privilege’ for their data, and that determination should be brought into the firm’s new business intake process. Beyond that, it should be reviewed with the client on an annual basis.
In essence, there are several different ways to segment access:
Client Team: Everyone who works for a client will have access to all that client’s matters.
Practice Group: Members of the practice group will have access to all matter data for that practice. This has been a common practice for private client service or trust & estate groups.
Client & Practice Group: Members of the client team for matters within a practice group will have access to only those matters.
Matter Level: People only have access to the matters they work on.
Controlling how people gain access to data under this new standard of care is critical. Service desk teams or Tier 2 Support should not be the primary arbiters of controlling access: relying on such a method will either kill a firm’s productivity or, worse, send their professionals on circuitous adventures to circumvent policy—or both.
Modern, appropriately-designed software that provides self-service features to enable a firm’s general counsel or head of risk to determine and delegate how people gain access will be most effective at ensuring efficiency and compliance.
Such software should allow firm personnel to request access, via ‘push’ (the relationship partner or team member can grant and send access to individuals assigned to work on the matter) or ‘pull’ (the individual user can request access as needed for specific clients or matters) functionality, according to policies set at the document or client/matter level.
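The segmentation models listed above (client team, practice group, client and practice group, matter level) together with the ‘push’ and ‘pull’ grant flows can be expressed as a small policy engine. The following is an added example written for this article; it is not code from the ACC, the NYS DFS, or any vendor product the article alludes to. Client names, matter ids, user ids and the relationship-partner mapping are constructed sample data, and the rule that a ‘push’ may come from the relationship partner or from someone already on the matter, while a ‘pull’ is approved only by the relationship partner, is an assumption chosen to match the article's description.

```python
"""Need-to-know access model for client matters (illustrative example)."""
from dataclasses import dataclass, field
from enum import Enum


class Scope(Enum):
    """The four ways the article lists to segment access to a client's matters."""
    CLIENT_TEAM = "client_team"              # everyone on the client team sees all its matters
    PRACTICE_GROUP = "practice_group"        # practice group members see all the group's matters
    CLIENT_AND_PRACTICE = "client_practice"  # client team members, but only within the practice group
    MATTER = "matter"                        # only people assigned to the matter


@dataclass(frozen=True)
class Matter:
    matter_id: str
    client_id: str
    practice_group: str
    public: bool = False  # e.g. a court filing already in the public domain


@dataclass
class User:
    user_id: str
    client_teams: set = field(default_factory=set)
    practice_groups: set = field(default_factory=set)
    assignments: set = field(default_factory=set)  # matter ids the user works on


class AccessPolicy:
    def __init__(self, client_scope, relationship_partners, default_scope=Scope.MATTER):
        self.client_scope = client_scope                    # client_id -> Scope agreed with the client
        self.relationship_partners = relationship_partners  # client_id -> {user_id}
        self.default_scope = default_scope                  # most restrictive scope when none was agreed
        self.grants = {}                                    # matter_id -> {user_id}: explicit grants
        self.pending = []                                   # pull requests awaiting approval
        self.audit = []                                     # (event, actor, subject, matter_id)

    def can_access(self, user, matter):
        """Need-to-know check: public data is open, otherwise the agreed scope decides."""
        if matter.public:
            return True
        if user.user_id in self.grants.get(matter.matter_id, set()):
            return True
        scope = self.client_scope.get(matter.client_id, self.default_scope)
        on_team = matter.client_id in user.client_teams
        in_group = matter.practice_group in user.practice_groups
        if scope is Scope.CLIENT_TEAM:
            return on_team
        if scope is Scope.PRACTICE_GROUP:
            return in_group
        if scope is Scope.CLIENT_AND_PRACTICE:
            return on_team and in_group
        return matter.matter_id in user.assignments

    def _is_partner(self, user, matter):
        return user.user_id in self.relationship_partners.get(matter.client_id, set())

    def push(self, actor, user, matter):
        """'Push': relationship partner or an existing team member grants access (assumption)."""
        if not (self._is_partner(actor, matter) or self.can_access(actor, matter)):
            raise PermissionError(f"{actor.user_id} may not grant access to {matter.matter_id}")
        self.grants.setdefault(matter.matter_id, set()).add(user.user_id)
        self.audit.append(("push", actor.user_id, user.user_id, matter.matter_id))

    def pull(self, user, matter, reason):
        """'Pull': the user asks for access; nothing is granted until approved."""
        request = {"user": user, "matter": matter, "reason": reason}
        self.pending.append(request)
        self.audit.append(("pull", user.user_id, user.user_id, matter.matter_id))
        return request

    def approve(self, approver, request):
        """Only the client's relationship partner approves pull requests (assumption)."""
        matter, user = request["matter"], request["user"]
        if not self._is_partner(approver, matter):
            raise PermissionError("only the relationship partner approves pull requests")
        self.pending.remove(request)
        self.grants.setdefault(matter.matter_id, set()).add(user.user_id)
        self.audit.append(("approve", approver.user_id, user.user_id, matter.matter_id))

    def review(self):
        """Explicit grants as a sorted list, for the periodic access review DFS 500.07 requires."""
        return sorted((m, u) for m, users in self.grants.items() for u in users)


def demo():
    """Constructed sample firm: two clients with agreed scopes, one with the default."""
    policy = AccessPolicy(
        client_scope={"acme": Scope.CLIENT_TEAM, "globex": Scope.CLIENT_AND_PRACTICE},
        relationship_partners={"acme": {"partner_a"}, "globex": {"partner_g"}, "initech": {"partner_i"}},
    )
    matters = {
        "acme_lit": Matter("acme-001", "acme", "litigation"),
        "globex_tax": Matter("globex-tax-07", "globex", "tax"),
        "globex_lit": Matter("globex-lit-02", "globex", "litigation"),
        "initech": Matter("initech-003", "initech", "corporate"),        # falls back to Scope.MATTER
        "filing": Matter("acme-filing", "acme", "litigation", public=True),
    }
    users = {
        "alice": User("alice", client_teams={"acme", "globex"}, practice_groups={"litigation"}),
        "bob": User("bob", practice_groups={"tax"}, assignments={"initech-003"}),
        "partner_g": User("partner_g"),
        "partner_i": User("partner_i"),
    }
    return policy, matters, users
```

Note the default when no scope has been agreed with the client is the most restrictive one (matter level), so a matter opened before the intake process recorded a decision does not silently fall back to firm-wide access; public filings are the one case opened to everyone.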
The ACC guidelines and the NYS DFS cybersecurity regulations tell an impactful story for the legal services industry: need-to-know access privilege is the new standard of care. Every law firm working for financial services clients with a presence in New York will be required to adopt it—and all their peer firms will calibrate their processes upward accordingly.
The firms quickest out of the gate to meet the ACC guidelines for information protection will gain an immediate competitive advantage: they will be able to advertise and promote this ability in their RFP responses. If your firm is not yet there, the clock is ticking.