The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/984836
CASE STUDIES: Why I Read Outside Counsel Guidelines

Getting IT Involved

I became involved in reviewing OCGs when they were starting to transform into the more comprehensive format we now see more often, after a lawyer reached out to me when a new set of OCGs from a large client was full of "new stuff" that he thought seemed unusually specific. What used to be a document about administrative details and time and billing standards now included this section: "Data Security Requirements for Vendors, Contractors, and Suppliers."

"No big deal," I thought. We had strong technical security controls in place, and previous audits with clients ensured that we met a diverse range of security requirements. Besides, when I hear "guidelines" I think of that line in Pirates of the Caribbean where Captain Barbossa quips, "The Code is more what you call guidelines, than actual rules…"

When I reviewed the guidelines, though, I found an array of specific requirements around encryption, breach notification, access limitation and other specific governance controls. I figured they were not the only client with whom we were agreeing to specific terms, so I pulled more guidelines from a number of other clients and found all kinds of requirements:

» Personal Information may not be stored or maintained on portable media or devices without [client's] prior written approval. [If use of portable media is approved], Personal Information must be encrypted in accordance with all applicable legal and regulatory requirements, including use of strong cryptography.

» [In the event of a data breach], Supplier shall be responsible for the costs associated with notification of affected individuals and the provision of any required consumer remedies, such as credit monitoring or ID theft insurance.

» The Supplier shall use Multi-Factor Authentication for access to systems holding Secret information, for remote User virtual private network access and administration of core infrastructure.

» Except for disclosure that may be required by law, or to enable the provision of Services (such as court filings) and then with [Client's] consent, Outside Counsel will only allow persons with a need to handle [Client] Data to perform services for [Client] to access or handle [Client] Data, and shall remain responsible for any handling of [Client] Data within its custody or control by its employees, workers or contractors.

Those do not look like guidelines to me - those look like rules. And that last one was in a document titled "Global Legal Outside Counsel Billing & Staffing Policy," which obviously had additional data privacy and information security requirements that have nothing to do with billing and staffing. This is the kind of stuff to which I was used to responding in client audits - and now these clients were doing us a favor by firing a warning shot across the bow to let us know specifically what they expected us to do, and what I would expect them to ask about in the event they decided to audit us. For what it is worth, now that the scope of OCGs has generally expanded, I have also noticed a slight downturn in the frequency of client audits.

JON WASHBURN
Jon Washburn is the Director of Information Security at Stoel Rives LLP. Since 1997, he has held a number of leadership roles in IT infrastructure, security and information management, successfully deploying national and international technology and data governance solutions. To discuss whitelisting your applications, browser extensions, Chrome plug-ins or scripts, contact Jon at jon.washburn@stoel.com.