Peer to Peer Magazine

Spring 2018

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/984836


CASE STUDIES

Why I Read Outside Counsel Guidelines

I made a list of some of our more security-conscious clients, found their guidelines documents and performed an internal audit of each one to ensure we were meeting their information security requirements. For example, if a client specified that we "restrict physical and logical access to confidential information and IT systems supporting the services to the minimum levels of access and privileges required to perform a function or role," I made darned sure we had those workspaces (and access to the matter's paper records) locked down to only people working on that client's matters.

Fortunately we did not have any scary surprises, but this certainly highlighted a risk that the client lead might miss, misinterpret or neglect to communicate while onboarding a new client or opening new matters for an established client that has updated its guidelines (or rules). To mitigate that risk, we worked with our conflicts and IT teams to ensure that I (with responsibility for both information security and governance) and our firm counsel (business risks in general) automatically receive an email notice with the guidelines document attached every time the "outside counsel requirements" checkbox gets ticked on our new matter intake form. This has helped us ensure that proper matter security is set and information governance requirements are properly communicated from the start.

Since the Association of Corporate Counsel (ACC) published their "Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information" in March of last year, we have seen GCs make even more sweeping changes to their outside counsel guidelines, with some copy/pasting entire requirements sections from this ACC document. If I had not been dialed in to the client intake process, I wonder if we might have missed some of these, especially with clients with whom we have become comfortable working, and even more so in cases where no other requirements, like billing or staffing, significantly changed.

So what should you do? If the people in your firm that manage information security and governance are not already connected with your client and matter intake processes (I am looking at you too, records department), I recommend the following steps:

» Ensure there is a gate in the client intake workflow where someone confirms whether or not a client's OCGs specify any information security or governance control requirements. If they do, ensure that someone qualified can sign off that those controls are being met by your firm before you begin the engagement. Remember, they might not be titled "Guidelines for Outside Counsel", so it's a good idea to attach any supplemental information the client provides.

» Build processes that guarantee those same qualified people get sent a copy of any guidelines documents that come in. The software solution that runs our new matter intake process automatically sends the email alert whenever client requirements documents are submitted for a new matter (other negotiated changes that do not necessarily require documents, like simple rate changes, do not generate this alert). If you are a smaller firm that has not automated new matter intake, just make sure you cc the right people.

» If you do not currently have a mandatory radio button on your electronic intake forms to indicate
