The Association of Corporate Counsel (ACC) recently released a set of guidelines intended to serve as a benchmark for law firm cybersecurity practices. The guidelines cover information retention, return, and destruction; data handling and encryption; data breach reporting; physical security; employee background screening; and cyber liability insurance. The requirements were developed based on corporate law departments’ experiences and with input from several law firms.
The ACC’s issuance of the guidelines follows a sharp increase in reported data breaches involving law firms, including some widely reported data breaches occurring in the last year. According to the American Bar Association’s 2016 TechReport, one in four law firms with between 10 and 49 attorneys or over 500 attorneys reported that their firm had experienced a data breach, and 20% of firms with between 100 and 499 attorneys had also experienced a data breach.
The ACC’s press release accompanying the issuance of the guidelines noted the concerns consistently raised by chief legal officers (CLOs) and general counsel regarding privacy and data breach issues. Citing the ACC Chief Legal Officers Survey, the press release observed that since 2014, the percentage of CLOs and general counsel identifying data breaches as “extremely” important has risen from 19 percent to 26 percent. The goal of the guidelines is to provide a consistent approach for companies seeking to evaluate their outside law firms’ data security practices, and to aid in the development of standards for security audits.