Privacy and Data Security Obligations: Law Firms Have an Outside Counsel Guidelines Problem
The rules of engagement of law firms for many companies, known as Outside Counsel Guidelines (OCGs), are appropriate and helpful in most situations. The guidelines set forth the expectations of the client, potentially avoiding uncomfortable situations. While OCGs can frustrate the practice of law and often unnecessarily reiterate the ethical obligations of attorneys, overall, they improve the attorney-client relationship.
Yet, often OCGs contain privacy and data security obligations that do not match the reality of practicing law and servicing a client. These obligations often come from an IT department or compliance professional who goes to extreme lengths to ensure they cannot be blamed if there is a data incident. This attitude and approach have created an OCG problem for law firms.
I am responsible for reviewing and negotiating the privacy and data security obligations of OCGs for my law firm. I enjoy that responsibility because I often get to collaborate with in-house counsel who, in most cases, have never read these requirements. The things that I hear from in-house counsel most often are “they really say that,” “that makes no sense, how could you agree to that,” and “nobody has ever raised these concerns.” Protecting data is outside most in-house counsel’s job responsibility, so these responses are normal.
My firm takes data security extremely seriously, and we are supported by firm management. When I speak with the employees responsible for ensuring the data security of a client, they leave that conversation knowing that their data is adequately protected. We have never failed to successfully negotiate OCGs so that they accurately reflect our practices and procedures, while at the same time meeting the client’s requirements.
But that does not mean every conversation and negotiation is without its challenges. Clients would benefit greatly from the following suggested approaches. While the list is not exhaustive, it is based on the terms in OCGs that I most commonly encounter that do not match the reality of practicing law and servicing a client.
Deletion of Data
OCGs often require that the law firm delete all client data at the end of a matter. This is an appropriate request in many industries, but it makes no sense in the context of a law firm. I assure you that in-house counsel come back to their outside counsel for work product that in-house no longer has. Additionally, work product from a previous matter can be immensely helpful and efficient when working on subsequent matters. Having that information assists the law firm and the client when addressing questions or problems that arise following the representation. Your in-house counsel wants your attorney to be able to provide that prior work product to them.
For the law firm, just like the client, we also have a Records Retention Policy with data retention schedules. We do not want to be in possession of client data longer than necessary. We also want that information so that we can answer questions about decisions that were made during the representation. Frankly, we also want this information to defend ourselves against allegations and claims made against you or us.
Lastly, some data simply cannot be deleted. Data that is contained in backups cannot be selectively retrieved and removed, data in databases often cannot be isolated without “breaking” the database, and the process of removing email from disaster recovery solutions is often the equivalent of launching a nuclear weapon, if it is possible at all.
My solution to this is to revise the guidelines so that we are permitted to keep copies of client data that is contained in our backups, as well as copies kept in accordance with our ethical obligations and our written Records Retention Policy. I do agree to take that data out of “production” if requested, so that the data is not otherwise easily accessible.
Notification of Data Incidents
Often OCGs will say the law firm will “immediately” notify the client of a data incident, or within 24 hours. This is arbitrary and not in line with the accepted international standard of 72 hours. It also does not match reality. If a data incident has occurred, the client should want our professionals completely focused on containing and stopping that data incident, not being distracted by a quick notification and dealing with the follow-up questions.
Related to this, sometimes a client will want to know about a data incident even if it does not involve their data. This is overreaching and it would lead to us exposing confidential information about other clients.
My solution to this has been to disclose to clients a data incident within 72 hours of confirmation of the incident, and only if that data incident involved the client’s data.
Forbidding Disclosure of a Data Incident
Similar to notification of a data incident, at times a client will say that unless required by law we cannot notify any third party of a data incident unless the client approves the notification and its content. This position creates a slew of issues. First, we cannot have any one client prevent us from notifying other clients of a data incident. Second, we must have a consistent message to all impacted parties, and we could not allow a single client to dictate that message. Finally, we cannot have an outside party dictating the timing, messaging and approach of an incident response when those things can impact potential claims against us.
When I have asked the client’s security professionals if they agree to allow customers to dictate the timing and notification of a data incident to third parties, they have responded “of course not.”
My solution has been to agree that the firm will not notify any third party of a data incident (unless required by law) if only that client’s data is involved, and in any event not to make any public statement that indicates that the client was impacted.
Audits and Assessments
Firms should agree to complete periodic data security questionnaires and assessments. They should also agree that clients can come on premises and conduct and review those questionnaires and assessments.
They should not agree that clients can do a physical audit of their systems. Those systems contain the data of all of the firm’s clients, and it would be a breach of ethical duties (as well as the OCGs of several other clients) to allow access to those systems. Certainly, the client making this audit request would not want the firm giving audit access to other clients when it comes to their data.
Similarly, firms should agree to provide an executive summary of a data security audit, an ISO 27001 certification, or a penetration test. Under no circumstance should the firm provide a full copy of an audit, an ISO 27001 certification, or the results of a penetration test to a client, or to any third party for that matter.
My solution has been to agree to complete data security questionnaires and assessments, provide executive summaries of audits, ISO 27001 certifications, and penetration tests, and to forbid access during an audit to any system that contains the data of another client or data for which the firm otherwise has a confidentiality obligation.
Approval of Third-Party Vendors
On very rare occasions, a client may indicate that they want to approve any third-party vendor that will have access to their data. I understand this request, and I agree that a client should be able to choose to not have their data in the possession of that vendor.
What firms should not agree to is that the client can veto a vendor that the firm has chosen. We choose vendors extremely carefully, we conduct extensive security audits, and the last thing we want is to experience a data incident.
My solution has been one of two approaches. I will carve out vendors that have access to the data of many clients, such as Microsoft, Mimecast, Relativity, and reprographic and trial service vendors. I agree that if the vendor is a client-specific solution, the client should be involved in that decision.
In the rare instances the above approach has not been accepted, I will agree to provide notice (but not an approval right) of new vendors that may have access to that client’s data in the future.
No Client Data Outside of US Borders
There are two flavors to this. The first is that we will not store client data outside of the United States. The second is that we will not allow any individual to take client data outside of the U.S.
My solution has been (1) to agree not to store client data outside of the U.S., as long as I can have it processed temporarily outside of the U.S. (excluding regulated data), and (2) to create an exception so that we can allow individuals to travel with client data as long as it is encrypted (which it would be on our laptops, mobile devices and external media).
I believe that as long as OCGs contain privacy and data security terms that are drafted in a bubble by data security professionals who do not appreciate the unique circumstances of the attorney-client relationship and law firms in general, these problems will persist and likely grow.
By expressing these concerns, I am hopeful that both clients will be aware of these issues and the bases for the concerns, and also that law firms that simply do not read the data security obligations will come to appreciate they are agreeing to terms that they simply cannot (and should not) accept.
Reprinted with permission from the August 21, 2023, issue of Corporate Counsel © 2023 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.