Fall 2017 issue of Horizons

Titled “Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information”, the guidance aims to set minimum standards that corporate counsel can reference in the process of engaging external counsel. While the model controls are not mandated, they are meant to serve as a basis for external counsel to design their IT security environments to meet basic minimum standards required by many consumers of legal services. As it relates to the specific guidance prescribed in the model controls, firms may view the implementation of its provisions to be an insurmountable task. After all, the topic of information security is already viewed by many as a nebulous topic. Many firms maintain complex systems and processes that require constant updates and monitoring to protect against persistent antagonists attacking a law firm’s information security. For firms searching for a starting point to bolster information security, RubinBrown’s Law Firms Services Group suggests taking the following steps: Conduct a Third-Party Assessment A third-party assessment of a firm’s IT security systems calls for in-depth review of a firm’s controls focusing on sensitive data, tracking the flow of data through collection, and processing and storage.

The assessment then systematically reviews the controls in place to protect the information. The assessment methodology usually employs a combination of documentation reviews, interviews, observations and inspections to assess security controls. The overall goal of this assessment is to benchmark a firm against industry standards and practices and provide a prioritized list of action steps to consider. The recommendations can then be evaluated against the firm’s risk profile and budgeted to develop an action plan over a specified period of time. Develop a Cyber Incident Response Plan At the first sign of a data breach, the firm should be able to rely on a set of standards to thoroughly address the issue. The development of a response plan should be dependent on the feedback from a third- party assessment as to the areas associated with varying levels of risks. At the first sign of a data breach, the firm should be able to fall back on a set of standards to guide management’s steps to thoroughly address the issue.

Fall 2017

35