Law firms hold some of their clients’ most sensitive information, and as a result they face very real threats. As an FBI special agent highlighted in the National Law Journal: “We have seen over the last three years an increase in the targeting of law firms. As client companies become targets, their security becomes stronger. Softer targets to go after are law firms.”
Clients know that their information is at risk. Facing their own regulatory and data privacy obligations, they are increasingly mandating much more stringent controls for all vendors who handle their sensitive information, including law firms. To enforce these controls, clients regularly issue outside counsel guidelines that include the right to audit and verify a firm’s confidentiality management practices.
Examples of Published Outside Counsel Guidelines:
- “Bank of America reserves the right to review, test, and audit information and data protection plans and procedures of outside counsel and any third party in privity with outside counsel who accesses Bank of America confidential information.”
- "…to confirm your compliance with these Policies... We may request an audit to verify... You agree to exercise reasonable care to keep all non-public or Microsoft Confidential information... secure from (i) disclosure to third parties and (ii) access by your employees except on a need-to-know basis. From time to time, we may communicate more specific data security 'best practices' and other policies..."
- “Wal-Mart reserves the right to audit compliance with these Guidelines. Audits may be announced or unannounced. Audits may consist of visits to the Outside Counsel Office where the work is being performed and review of the relevant files. The law firm’s performance will be routinely reported and discussed with the Relationship Partner.”
- "Don't send confidential documents to unattended printers, copiers or fax machines – they will be seen by others for whose eyes they are not intended."
Intapp Client Audit Readiness Evaluation (CARE) Consulting Services
For qualified law firms that expect to face client information security audits, or that take on engagements carrying audit rights, Intapp provides assessment and preparation services designed to help the firm prepare for those audits and demonstrate compliance.
The CARE program includes technical and business process assessments designed to address common client requirements. It reviews areas including perimeter security, external threat prevention and detection, internal confidentiality management, and reporting capabilities.
Tailored recommendations identify specific actions and enhancements to internal practices, policies and awareness programs, with the aim of addressing specific client requirements and improving the firm’s responses to RFPs.
In some instances, firms have shared the resulting report documentation with clients to validate their commitment to compliance. Used alongside prudent risk controls, the program supports firm efforts to demonstrate vigorous safeguards and to respond to client panel selection questionnaires and RFPs in a cost-effective and timely manner.