Mark G. McCreary, co-chair of the Privacy and Data Security Practice at Fox Rothschild LLP, writes this piece, worth reading in full: “Privacy and Data Security Obligations: Law Firms Have an Outside Counsel Guidelines Problem” —
- “Yet, often OCGs contain privacy and data security obligations that do not match the reality of practicing law and servicing a client. These obligations often come from an IT department or compliance professional who goes to extreme lengths to ensure they cannot be blamed if there is a data incident. This attitude and approach have created an OCG problem for law firms.”
- “I am responsible for reviewing and negotiating the privacy and data security obligations of OCGs for my law firm. I enjoy that responsibility because I often get to collaborate with in-house counsel that, in most cases, have never read these requirements.”
- “The things that I hear from in-house counsel most often are ‘they really say that,’ ‘that makes no sense, how could you agree to that,’ and ‘nobody has ever raised these concerns.’ Protecting data is outside most in-house counsel’s job responsibility, so these responses are normal.”
- “My firm takes data security extremely seriously, and we are supported by firm management. When I speak with the employees responsible for ensuring the data security of a client, they leave that conversation knowing that their data is adequately protected. We have never failed to successfully negotiate OCGs so that they accurately reflect our practices and procedures, while at the same time meeting the client’s requirements.”
- “But that does not mean every conversation and negotiation is without its challenges. Clients would benefit greatly from the following suggested approaches. While the list is not exhaustive, it is based on the terms in OCGs that I most commonly encounter that do not match the reality of practicing law and servicing a client.”
- “Deletion of Data. …work product from a previous matter can be immensely helpful and efficient when working on subsequent matters… we also have a Records Retention Policy with data retention schedules. We do not want to be in possession of client data longer than necessary… Lastly, some data simply cannot be deleted. Data that is contained in backups cannot be retrieved, data in databases often cannot be isolated without ‘breaking’ the database, and the process of removing email from disaster recovery solutions is often the equivalent of launching a nuclear weapon, if possible, at all.”
- “Notification of Data Incidents. Often OCGs will say the law firm will ‘immediately’ notify the client of a data incident, or within 24 hours. This is arbitrary and not in line with the accepted international standard of 72 hours.”
- “Forbidding Disclosure of a Data Incident. Similar to notification of a data incident, at times clients will say that unless required by law we cannot notify any third party of a data incident unless the client approves the notification and its content… we cannot have an outside party dictating the timing, messaging and approach of an incident response when those things can impact potential claims against us.”
- “Audits and Assessments. Firms should agree to complete periodic data security questionnaires and assessments. They should also agree that clients can come on premises and conduct and review those questionnaires and assessments. They should not agree that clients can do a physical audit of their systems. Those systems contain the data of all clients, and it would be a breach of ethical duties… Similarly, firms should agree to provide an executive summary of a data security audit, an ISO 27001 certification, or a penetration test. Under no circumstance should the firm provide a full copy of an audit, an ISO 27001 certification, or the results of a penetration test to a client – really any third party.”
- “Approval of Third-Party Vendors. My solution has been one of two approaches. I will carve out vendors that have access to the data of many clients, such as Microsoft, Mimecast, Relativity, and reprographic and trial service vendors. I agree that if the vendor is a client-specific solution, the client should be involved in that decision.”
- “No Client Data Outside of US Borders. My solution has been (1) to agree not to store client data outside of the U.S., as long as I can have it processed temporarily outside of the U.S. (excluding regulated data), and (2) create an exception that we can allow individuals to travel with client data as long as it is encrypted (which it would be on our laptops, mobile devices and external media).”