The ACC developed a Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information (“Model Controls”) to help in-house counsel as they set/manage expectations regarding the types of data security controls vendors should employ to protect client confidential information. Worth a read. Reminds me of a short checklist I provided a few years back regarding cloud computing that was more focused on information security requirements as legal professionals consider working with vendors (Flying in the Clouds: A Checklist to Help You Navigate Your Way).

ACC Issues Guidelines for Law Firm Cybersecurity Measures