Peer to Peer Magazine

Spring 2018

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/984836


CASE STUDIES: Why I Read Outside Counsel Guidelines

whether or not the client is including representation requirements, add one - flagging that field to require a mandatory attachment if the box is checked. While the administrative assistant submitting the matter might find it repetitive, this is a good safety measure to catch when clients make changes to their guidelines. This is how we discovered that one client, who did not change their billing or staffing model or the title of their guidelines document – in fact, the client left the body of the guidelines completely alone - had amended their information security requirements from two paragraphs to more than 81 controls in an attached appendix. (They recently changed it again and now have more than 100 controls in their "Legal Service Agreement.")

» If you do not already manage your encryption program to meet the "best possible test" scenario, like FIPS 140-2 compliance, ensure that you understand what a client means when it requires "strong cryptography" by checking with the client lead on the client's regulatory obligations, then verifying that the encryption you employ in transit and at rest will meet its expectations.

» Make sure it is clear how the client defines an "incident" and a "breach" and that you can reasonably meet their notice requirement. I have seen clients require that they be notified of every potential event that might affect their data (not just an actual incident), and some GCs might include language around liability for the law firm in the event the incident is caused by outside counsel. If you come across this kind of language in the guidelines, ensure that whoever manages business risk for your firm has negotiated terms with which they are comfortable.

In cases where clients are trying to reduce their risk but appear unfamiliar with all the security and privacy terms and protections they reference (for example, when we see requirements that seem nebulous or incomplete), this can also be a good client service opportunity.

» Be careful not to miss a client's specific records governance requirements, especially around retention. Some clients might require specific disposition of physical and electronic records once a matter closes, such as sending a copy of all electronic records and returning all original paper. These requirements should be highlighted in the section discussing end of representation requirements, but I have also seen them buried in litigation billing requirements.
