“It’s a real threat and can really do some serious damage. These guidelines are meant as sort of a road map to find some common ground here on expectations,” said Brennan Torregrossa, vice president and associate general counsel at the pharmaceutical company GlaxoSmithKline, who helped draft the cybersecurity guidance.
Torregrossa said GSK general counsel Dan Troy once mused about having an established standard of guidelines rather than having to regularly haggle with law firms over cybersecurity. For law firms, it would mean setting a foundation for cybersecurity practices rather than creating individual protocols for each client.
The in-house association attached a couple of disclaimers to its guidelines. Corporate counsel should not use the model as a substitute for “legal analysis and good judgment; company’s internal requirements and policies; or regulatory provisions.” And the group said that the model guidelines are not meant to establish any industry standards.
Several in-house legal teams and law firms participated in drafting the cyber guidelines, but Torregrossa declined to identify them in an interview, citing promises made while soliciting their feedback.
Cybersecurity protocols vary across the legal industry, Torregrossa said. Some firms will be better prepared to adopt the standards than others. He said one part of the guidance could create tension between inside and outside counsel: A suggested requirement that law firms report any actual or suspected breach within 24 hours to a designated contact at the client company.
“What I think is particularly interesting, and what I think really does go above and beyond anything in any agreement, is getting consensus on when a client should be notified of a breach of a law firm’s servers and information,” Torregrossa said.
“A day is a very quick turnaround and a quick time to decide to notify a client of a breach or a suspected breach. I think it does set some guidelines between the firm and the client that, at least in my experience, have been difficult to navigate in discussions” with firms, he added.
The ACC’s guidance, titled “Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information,” comes on the heels of a recent survey showing that two-thirds of top company lawyers view cybersecurity as “very” or “extremely” important.
Since 2014, the percentage of top in-house lawyers characterizing data breaches as “extremely” important rose from 19 percent to 26 percent this year.
“We are increasingly hearing from ACC members, at companies of all sizes, that cybersecurity is one of their chief concerns, and there is heightened risk involved when sharing sensitive data with your outside counsel,” said Amar Sarwal, the ACC’s vice president and chief legal strategist. “With these Model Information Protection and Security Controls, the in-house bar, with the help of outside counsel, is taking the lead on sharing established best practices to promote data security.”