Know Your Ethical Obligations to Conduct Security Due Diligence
By Megan Silverman and Michel Sahyoun Conducting due diligence in the selection of alternative legal service providers is a critical component of a lawyer’s ethical obligation to maintain reasonable security for client confidential information. However, it is also one of the most difficult tasks that law firms will undertake.
Security is often not a high priority when lawyers select an ALSP, because the client will prefer the lower-cost providers and it can be difficult to assess one vendor’s security vis-à-vis another vendor. In addition to researching whether the ALSP can efficiently and cost-effectively perform the required work, however, lawyers must ensure that data security is a priority for the vendor by conducting due diligence on the security practices of the ALSP to assess whether the ALSP has the policies and procedures in place to appropriately protect the data that will be entrusted to it.
Rule 1.6(c) of the American Bar Association’s Model Rules of Professional Conduct provides: “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Legal ethics rules in every state similarly require lawyers to reasonably protect client confidential information. The Sedona Conference Journal articulated a reasonable security test by proposing a rule similar to that of Judge Learned Hand: “An information steward’s information security controls for personal information are not reasonable when implementation of one or more additional or different controls would burden the information steward and others by less than the implementation of such controls would benefit the claimant and others.”
Under the ABA rules, lawyers are required to provide competent representation and to ensure client information is kept confidential. These requirements come into play when you are choosing an ALSP, because under ABA Model Rule 5.3 when lawyers use service providers outside the firm to assist in rendering legal services to the client, the lawyers must make reasonable efforts to ensure that the services are provided in a manner that is compatible with the lawyers’ professional obligations. Thus, lawyers have an ethical duty to perform due diligence on any vendor that they contract with which may be accessing client data.
The ABA issued an opinion on Model Rule 1.6 that what constitutes a reasonable effort is not a “hard and fast rule,” but rather a flexible set of factors that are weighed on a case-by-case basis. The ABA opinion’s factors to be weighed are similar to the Sedona Conference’s and include the sensitivity of information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients. The ABA committee stresses that attorneys should assess the risk of inadvertent disclosure of client information before connecting to unsecure networks, using computers and servers without antivirus software and sending unencrypted communications. A lawyer’s assessment of these risks extends to the due diligence required when selecting ALSPs as well.
Lawyers should include some or all of the following questions in their ALSP security due diligence checklist, while noting that the checklist should be regularly updated to reflect changes in legal and regulatory requirements, the nature of security threats and standard industry practices.
ALSP Security Due Diligence Checklist
What is the ALSP’s history of data security events?
Does the ALSP have an incident response plan?
What business continuity plans are in place?
Will the ALSP provide the right to audit as well as records of external security audits and third-party and penetration reports upon request?
Will the ALSP permit the client to conduct penetration testing or audits of the ALSP’s security controls?
Certifications and Insurance
Does the ALSP maintain security certifications such as International Standards Organization’s ISO 27001, SOC 2, HITRUST, etc.?
Note when conducting due diligence, it is important that lawyers review the SOC 1 and 2 reports and understand that many ALSPs have unqualified reports.
Does the ALSP have adequate insurance, including cyber liability coverage? Does it maintain a coverage limit consistent with the client?
What access controls and related data security measures does the ALSP employ?
What physical measures are taken to protect the security of the office environment and individual review rooms?
What cybersecurity preventative measures does the ALSP employ, including intrusion detection software, end point detection response applications, whitelisting applications, periodic ransomware resiliency and breach attack simulations, multifactor authentication requirements, data encryption, cloud security controls and vulnerability remediation timelines?
What are the ALSP’s robust data backup and recovery processes
Staff and Training
Does the ALSP have a dedicated in-house security team along with an appointed CISO/CSO? Are the ALSP employees full-time or contract employees?
What due diligence does the ALSP conduct for its own employees, subcontractors and suppliers, especially those that might access the organization’s data?
Note lawyers should contractually limit subcontractors and other third parties accessing the data provided to the ALSP.
What cybersecurity training and phishing awareness simulations are provided to employees and is the training one-time, quarterly or annual?
Do the ALSP employees work remotely or from a secure office environment? If employees work remotely, what measures are taken to safeguard the client’s data?
Evidencing the priority bar associations are beginning to place on cybersecurity and technology, New York and 39 other jurisdictions now specifically mandate technology competence as a component of lawyers’ ethical obligations. Effective January 1, 2023, all attorneys in New York must take continuing legal education courses on cybersecurity topics as a condition of practicing law in New York. One of the key topics covered by New York’s new cybersecurity training mandate is vetting and assessing vendors relating to policies, protocols and practices on protecting electronic data.
As the number of cyberattacks grows exponentially each year, it is not a matter of if, but rather when an organization might be hit. In order to comply with ethical obligations, lawyers must take reasonable efforts to protect their client data, including vetting third parties that are assisting with representation. Bar associations are taking notice, and although historically there have not been many disciplinary proceedings for failure to vet ALSP security practices, this is likely to change in the coming years. In addition to disciplinary proceedings, lawyers and law firms that fail to vet ALSPs are at risk for potential liability through class-action lawsuits, malpractice suits, bar sanctions, regulatory enforcement actions and reputational harm resulting in lost business.
About the Authors
Megan Silverman (l) serves as associate director of legal services at QuisLex. She has 11 years of experience overseeing eDiscovery and review both in the U.S. and India and has managed the end-to-end life cycle for eDiscovery and review for dozens of Fortune 100 companies and top law firms. Silverman earned her Juris Doctor from the University of Chicago Law School and is admitted to the New York bar. She also earned her Environmental Law LLM from Lewis & Clark Law School.
Michel Sahyoun (r), CTO of QuisLex, leads its technology, security and data protection efforts and was instrumental in QuisLex being the first LPO to obtain internationally recognized certifications in those areas. Sahyoun also leads the technology innovation group, utilizing cutting-edge technology to provide optimized solutions for clients. He has over 20 years of experience in risk management and in designing, building and deploying mission-critical applications for Fortune 500 companies. Prior to joining QuisLex, he was vice president and senior architect of risk management at JPMorgan Chase. Sahyoun holds Master of Engineering degrees in computer science and operations research from Columbia University. #MeganSilverman #MichelSahyoun #serviceproviders #ALSP #duediligence #dataprotection #security #confidentialinformation