Lawyers take note: Ethical obligations to secure confidential client data extend to providers

The number of cyberattacks continues to grow every year, such that it’s no longer a matter of if, but rather when an organization might be hit. To comply with ethical obligations, lawyers must take reasonable efforts to protect their client data. This includes vetting third parties that are assisting with representation, such as alternative legal service providers who may have any access to that data.

Bar associations are taking notice, and although historically there have not been many disciplinary proceedings for failure to vet ALSP security practices, this is likely to change in the coming years. In addition to disciplinary proceedings, lawyers and law firms that fail to vet ALSPs are at risk for potential liability through class-action lawsuits, malpractice suits, bar sanctions, regulatory enforcement actions and reputational harm resulting in lost business.

The following questions should be included in lawyers’ ALSP security due diligence checklist. But it’s important to note the checklist should be regularly updated to reflect changes in legal and regulatory requirements, the nature of security threats and standard industry practices.

ALSP Security Due Diligence Checklist

Overview

• What is the ALSP’s history of data security events?
• Does the ALSP have an incident response plan?
• What business continuity plans are in place?
• Will the ALSP provide the right to audit as well as records of external security audits and third-party and penetration reports upon request?
• Will the ALSP permit the client to conduct penetration testing or audits of the ALSP’s security controls?

Certifications and Insurance

• Does the ALSP maintain security certifications such as the International Organization for Standardization’s ISO 27001, SOC 2, HITRUST, etc.?
  • Note when conducting due diligence, it is important that lawyers review the SOC 1 and 2 reports and understand that many ALSPs have unqualified reports.
• Does the ALSP have adequate insurance, including cyber liability coverage? Does it maintain a coverage limit consistent with the client?

Controls

• What access controls and related data security measures does the ALSP employ?
• What physical measures are taken to protect the security of the office environment and individual review rooms?
• What cybersecurity preventative measures does the ALSP employ, including intrusion detection software, endpoint detection response applications, whitelisting applications, periodic ransomware resiliency and breach attack simulations, multifactor authentication requirements, data encryption, cloud security controls and vulnerability remediation timelines?
• What are the ALSP’s robust data backup and recovery processes?

Staff and Training

• Does the ALSP have a dedicated in-house security team along with an appointed CISO/CSO?
• Are the ALSP employees full-time or contract employees?
• What due diligence does the ALSP conduct for its own employees, subcontractors and suppliers, especially those that might access the organization’s data?
  • Note lawyers should contractually limit subcontractors and other third parties accessing the data provided to the ALSP.
• What cybersecurity training and phishing awareness simulations are provided to employees, and is the training one-time, quarterly or annual?
• Do the ALSP employees work remotely or from a secure office environment? If employees work remotely, what measures are taken to safeguard the client’s data?

QuisLex’s associate director of legal services Megan Silverman and CTO Michel Sahyoun recently explored this topic in depth in an article published by Legal Business World’s e-magazine.