Legal operations professionals are regularly reminded to consider security as they engage with outside counsel, vendors, and other third-party providers. Recently, the Association of Corporate Counsel (ACC) published its Model Information Protection and Security Controls for Outside Counsel, while the ABA issued a revised formal ethics opinion regarding security and protected client information (Formal Opinion 477). Articles continue to provide additional context to help professionals frame a thoughtful diligence process and discussion with external providers. (See e.g., Five Critical Security Controls to Consider for Corporate Counsel Evaluations.)
Law firm and department legal professionals collaborate with IT, security, and privacy colleagues to evaluate and integrate technology solutions. Although the details of security evaluations are best left to IT and security professionals, there are a few steps that legal operations professionals can take to streamline the process.
- Understand your internal security requirements: How does your company evaluate the security of third party providers? If possible, try to understand the approach of your IT/InfoSec team. You do not want to move too far down the diligence phase only to find that your external provider will not be able to manage your data in line with company standards. Understand the high level requirements and the best timing to get your IT team involved. Company procurement teams may already share these requirements on your vendor portal.
- Ask your third-party provider for their standard security requirements responses: Law firms and legal vendors are all too familiar with security audits and requests for information security procedures. Many will have a standard Information Security Requirements (ISR) response. Ask for it. Although the form of the response may differ, the substance should cover many of the common issues you want to consider. You can find some requirements and similar documents via a simple Google search. (See e.g., Barclays, AT&T, JP Morgan, and Intel.) Your mileage may vary, depending on your company's industry and stage/maturity, and the nature of your data and information.
- Create a checklist: Although I like checklists, everyone has a different approach. You may find a high level checklist I created a few years ago helpful (Flying in the Clouds: A Checklist to Help You Navigate Your Way) or you may prefer a more detailed listing to help you consider the issues relevant to your situation. If you prefer the latter approach, I offer below a draft ISR that I’ve used over the years to help me reflect on some of the issues.
The following is by no means exhaustive (much less perfect). Although framed as an agreement, security-related provisions are typically contained in the relevant agreement or in a standard attachment used by a company. Thus, the following is incomplete and will NOT serve as a final document to sign with an external provider. That said, I’ve found it helpful when I start discussions with external providers. I share it in case it helps you explore the issues the next time you consider security and working with an external provider. In return, if you have something more robust, I’d welcome a copy.
Information Security Requirements (“ISRs”)
COMPANY requires its external partners and suppliers to implement reasonable security measures to protect COMPANY information and data (collectively “Data”) from unauthorized access, modification, disclosure, use or loss. These Information Security Requirements (ISRs) constitute minimum standards for the protection of COMPANY’s Data. These ISRs are not a substitute for [the Supplier’s] own security policies, which may be more robust than these requirements. “SUPPLIER” includes [supplier] and its subcontractors that have access to COMPANY Data.
SUPPLIER represents that it complies with the following COMPANY requirements:
I. Security Management
1. Security policies & standards: SUPPLIER shall have in place and maintain documented security policies and standards, in accordance with industry best practices, to manage the handling of COMPANY Data and to ensure compliance with these ISRs. COMPANY has the right to obtain copies of SUPPLIER’s applicable policies at any time during the course of COMPANY’s agreement with SUPPLIER.
2. Security assessments & audits: SUPPLIER shall allow COMPANY, or a mutually agreeable third party [at COMPANY’s cost], to perform security assessments or audits of the SUPPLIER’s security procedures and adherence to these ISRs. If these audits reveal any material deficiencies in the agreed-upon security procedures, SUPPLIER shall take appropriate corrective actions to resolve those issues according to a mutually agreed remediation schedule.
3. Security notifications: SUPPLIER shall maintain a documented security notification process and inform COMPANY of any activities that have an identifiable or reasonable probability of adversely impacting the security of COMPANY Data. SUPPLIER will notify COMPANY of any such security breach within 24 hours.
4. Security audits: SUPPLIER acknowledges that COMPANY’s governing or regulatory agencies may request an audit of the SUPPLIER’s business practices, as though it were an extension of COMPANY, when SUPPLIER stores, processes, or transmits COMPANY Data.
5. Security assessments: With prior notice, SUPPLIER shall allow COMPANY, or a mutually agreeable third party, to remotely run a non-invasive network security scanner as one indication of the adequacy of the security of the SUPPLIER’s web server. The SUPPLIER shall take appropriate corrective actions to resolve any issues identified according to a mutually agreed remediation schedule.
II. Personnel Security
1. Security training: SUPPLIER commits to training all of its employees and subcontractors that will have access to COMPANY Data regarding COMPANY’s requirements and the procedures and controls reasonably necessary to comply with these ISRs. The individuals that will have access to COMPANY’s Data, as well as evidence of their training, will be documented and made available to COMPANY at COMPANY’s request.
2. Background checks: SUPPLIER shall conduct background checks on any of its employees or subcontractors prior to assigning them to positions in which they will have access to COMPANY’s Data.
III. Physical Security
1. Physical access: SUPPLIER shall restrict access to, control, and monitor all physical areas in the SUPPLIER’s premises that contain COMPANY’s Data, including areas where personnel have access to COMPANY’s Data, or equipment that processes or stores this Data.
2. Documentation: SUPPLIER shall maintain a documented authorization and logging process for all persons who maintain or have access to the SUPPLIER’s secure physical areas. Minimum requirements for this process include:
a. Detailed reporting of access to the secure areas, including identities, dates and times.
b. Periodic testing of the physical security processes.
c. Restricted access to secure areas by outside service personnel, and only when accompanied by authorized COMPANY personnel.
d. Systems capable of monitoring and logging alarms at secure area entry points, including video surveillance.
3. Service location: SUPPLIER shall not change the location(s) where COMPANY Data is stored under these ISRs without prior consent from COMPANY.
IV. System Security
1. Unauthorized access: SUPPLIER shall maintain system access control mechanisms to prevent unauthorized access to COMPANY’s Data and to limit access to only those Personnel identified and assigned access to this Data.
2. Authentication: SUPPLIER personnel with access to COMPANY’s Data must have an individual and unique account that authenticates that individual’s access to the Data. This account shall be different from the individual’s standard, corporate-assigned network account.
3. Passwords: SUPPLIER shall ensure that permanent accounts/User IDs used to access COMPANY Data have passwords that comply with COMPANY’s password requirements as follows:
a. Length: >=  characters
b. Complexity: at least 3 of the following 4 character types: upper case, lower case, number, special character.
4. System administration: System administrative access (also known as root, privileged, or super user) to systems containing COMPANY Data shall be restricted to those individuals requiring such high-level access in the performance of their jobs.
5. Remote access: To the extent the SUPPLIER provides remote access to COMPANY Data, COMPANY requires the SUPPLIER to use and enforce multi-factor authentication for such access.
6. Terminating access: Access for SUPPLIER’s personnel to COMPANY Data will be revoked within twenty-four (24) hours of the end of the personnel’s need to access them, the personnel’s end of employment with SUPPLIER, or the end of the applicable agreement between COMPANY and SUPPLIER.
7. User deletion: SUPPLIER and COMPANY shall have a written process in place regarding how to ensure deletion of the user IDs of COMPANY personnel who are no longer COMPANY employees or who no longer require access. A written process governing the addition of COMPANY users to the system shall also be in place. SUPPLIER shall provide COMPANY with reports detailing user additions and deletions on a [monthly] basis. SUPPLIER must have the capability to provide these reports on a more frequent basis at the request of COMPANY.
8. Audit trails: SUPPLIER shall implement audit trails to monitor access to COMPANY Data. SUPPLIER will provide such audit logs to COMPANY as requested.
9. Firewalls: SUPPLIER shall have in place an application proxy or stateful inspection firewall to protect the server(s) and systems where COMPANY Data resides.
10. IDS/IPS: SUPPLIER shall have in place, in an active mode, an Intrusion Detection and Prevention System for servers and systems containing COMPANY Data, either host-based or network-based, together with incident response procedures to respond to unauthorized access attempts.
11. Anti-virus: SUPPLIER shall ensure that there is current anti-virus software running on all servers and systems containing COMPANY Data, and that the most recent updates to the software are applied.
12. Software patches: SUPPLIER shall apply all current patches to the servers and systems in the SUPPLIER’s computing environment that store or access COMPANY Data, according to a schedule based on the criticality of each patch.
13. SSL: SUPPLIER shall use SSL, or equivalent, encryption on the web server to validate the authenticity of the server and to protect the logon authentication process. All Information shall pass over SSL.
V. Data Security
1. Servers: SUPPLIER shall store COMPANY Data on a backend database server which is physically different from the web server. The web server and backend database server shall be on different network segments and separated by a firewall that allows only authorized traffic to pass back and forth between the web server and the backend database server.
2. Encryption: SUPPLIER shall encrypt COMPANY Data while stored on the SUPPLIER’s systems, including primary and backup systems and locations. SUPPLIER shall also encrypt COMPANY Data that is in transit, moving over wired and wireless local and/or wide area networks and the Internet.
3. Information segregation: Whether physically or logically, SUPPLIER shall segregate COMPANY Data, including storage and backups, from other SUPPLIER client Data in order to permit the return or destruction of COMPANY’s Data as provided for in these ISRs.
4. Data deletion: SUPPLIER shall ensure that COMPANY has the ability to specify when COMPANY Data is deleted from SUPPLIER’s systems, and to separate content and manage COMPANY Data under differing scenarios (e.g., for litigation hold).
a. SUPPLIER shall provide a method and access for COMPANY to retrieve copies of COMPANY Data from the SUPPLIER’s servers and storage for the purpose of creating COMPANY internal backups, or in the event the applicable agreement between COMPANY and SUPPLIER is terminated. Data shall be provided in a non-proprietary format that can be readily transferred to COMPANY systems or to another vendor.
b. SUPPLIER shall ensure that full backups of COMPANY Data occur on regularly scheduled intervals, but no less frequently than once per week. These backups shall be stored at a location other than the location storing COMPANY production data.
VI. Disaster Recovery
1. Redundancy: SUPPLIER shall ensure that there is a level of redundancy in the SUPPLIER’s systems to ensure the continued ability to provide access to COMPANY Data and meet applicable SLAs. This includes alternative/redundant Internet access methods.
2. Disaster recovery plan:
a. The SUPPLIER shall maintain a Disaster Recovery Plan addressing the actions that the SUPPLIER shall take in the event of an extended outage of access to COMPANY Data. The SUPPLIER shall ensure that the Plan addresses the actions and resources required to provide for continuous operations, as well as to meet the agreed SLAs in the event of an interruption in operations. The SUPPLIER shall provide a copy of this plan at COMPANY’s request.
b. SUPPLIER shall test the Disaster Recovery Plan each time that it is revised, but not less than once every twelve months, by using any of several industry standard testing methods. At COMPANY’s request, the SUPPLIER will provide results of the most recent Disaster Recovery test.
1. If the SUPPLIER produces reports for COMPANY, the reports produced that contain COMPANY Data shall be labeled (typically adding the label to the footer is most efficient) as follows:
a. “COMPANY CONFIDENTIAL AND PROPRIETARY INFORMATION
The contents of this material are confidential and proprietary to COMPANY and may not be reproduced, disclosed, distributed or used without the express permission of an authorized representative of COMPANY. Any other use is expressly prohibited.”
b. If there are space constraints, the following alternative label may be placed on pages 2 through the end of the report, provided the full disclosure above is on page 1: “COMPANY CONFIDENTIAL AND PROPRIETARY INFORMATION.”
* [The treatment of “confidential” information and data as compared with standard “Data” needs to be considered in relation to the nature of the company information and data exchanged and the service(s) being provided. Lawyer/Counsel should consider how and when to mark reports as “confidential” or “proprietary.” Similarly, legal professionals should consider whether and how “confidential” information can and should be labeled. In short, legal professionals should not automatically affix these labels to reports.]
This article originally appeared on LinkedIn on May 18, 2017. Interested readers are invited to (1) use a link below to share this article on LinkedIn, Facebook, Twitter, etc. and/or (2) visit the article on LinkedIn to share the article or their comments.
©2017 Peter Krakaur