Principle 6 - Security and Confidentiality
UNDERGOING REVISION
- 6.1. Principle
- 6.2. Corollary
- 6.3. Best Practices
- 6.3.1. Policies & Procedures
- 6.3.2. Knowledge & Competence
- 6.3.3. Inquiry Before Engagement
- 6.3.4. Disclosure
- 6.3.5. Protection Against Unauthorized Access
- 6.3.6. Securing Data on Portable Devices
- 6.3.7. Securing Data During Transmission
- 6.3.8. International Issues
- 6.3.9. Notification of Unauthorized Release, Disclosure or Loss
- 6.3.10. Disclosure of Proprietary Information
- 6.3.11. Disposal of ESI at the End of Engagements
- 6.4. Discussion
- 6.5. Examples
- 6.5.1. Knowledge & Competence
- 6.5.1.1. Example
- 6.5.1.2. Example
- 6.5.1.3. Example
- 6.5.1.4. Example
- 6.5.2. Inquiry Before Engagement
- 6.5.2.1. Example
- 6.5.2.2. Example
- 6.5.2.3. Example
- 6.5.3. Disclosure
- 6.5.3.1. Example
- 6.5.4. International Issues
- 6.5.4.1. Example
- 6.5.5. Disposal of ESI at the End of Engagements
- 6.5.5.1. Example
6.1. Principle
Service Providers shall establish and implement procedures to ensure the security and maintain the confidentiality of all client materials and communications. Service Providers should maintain the confidentiality of client information and ESI, disclosing such information only when authorized by the client.
6.2. Corollary
Clients shall properly designate confidential materials and work with Service Providers to ensure the secure transfer of information during the engagement.
6.3. Best Practices
6.3.1. Policies & Procedures
Service Providers should develop policies and procedures for ensuring the security and integrity of client information.
6.3.2. Knowledge & Competence
Service Providers should exercise reasonable diligence to remain knowledgeable and competent with regard to best practices for privacy and data security in all aspects of handling Client information and data.
6.3.3. Inquiry Before Engagement
Prior to engagement, Clients should make reasonable inquiry of their Service Providers regarding the level and types of security measures that would be applicable to each engagement.
6.3.4. Disclosure
Upon inquiry by a prospective Client, Service Providers should make full disclosure of all security measures that would be employed for a particular engagement.
6.3.5. Protection Against Unauthorized Access
Service Providers should implement reasonable measures to secure their facilities from unauthorized access.
6.3.6. Securing Data on Portable Devices
Service Providers should implement reasonable measures appropriate to Client requirements to secure ESI and confidential communications contained on portable devices taken outside the Service Provider's facilities.
6.3.7. Securing Data During Transmission
Service Providers should implement reasonable measures appropriate to Client requirements in connection with securing ESI and confidential communications during transmission between locations.
6.3.8. International Issues
Service Providers working internationally or with Client data coming from international sources must be capable of complying with applicable foreign data privacy laws related to security and confidentiality.
6.3.9. Notification of Unauthorized Release, Disclosure or Loss
Service Providers have the duty to promptly notify clients of the unauthorized release, disclosure, or loss of Client ESI or confidential communications in the custody of the Service Provider.
6.3.10. Disclosure of Proprietary Information
Upon request of a Service Provider, Clients should not disclose to any unrelated party any proprietary information, including pricing, provided to the Client in connection with an engagement or prospective engagement.
6.3.11. Disposal of ESI at the End of Engagements
Service Providers and Clients should agree in writing to the treatment of Client ESI upon the termination of any engagement, including its return or destruction.
6.4. Discussion
Upon request of a Client, a Service Provider has a duty to make reasonable disclosure of details concerning their security infrastructure and protocols so that the Client may make informed decisions concerning the security of their confidential information.
If there is a breach of security that compromises the security of client data, Service Providers have a duty to promptly inform the Client of the nature and extent of the breach and take reasonable action to correct it.
Portable devices such as laptops, smartphones and PDAs that contain Client ESI or confidential communications are more easily subject to loss and theft, and must be reasonably secured to prevent disclosure in the event that the device falls into the hands of unauthorized individuals.
Service Providers should preserve the confidentiality of client information and, as applicable, preserve the integrity of all privileges protecting against the disclosure of such information. This sub-principle is rooted not only in the basic client expectation that client information will be treated confidentially, but also in due regard for the evidentiary privileges that may apply to such information.
In most cases, the work of Service Providers is supervised or managed with the assistance of one or more attorneys representing the client. Service Providers receiving client information in this context should exercise reasonable measures to keep the information confidential and refrain from disclosing the information unless expressly authorized by the client. The scope of information that should be kept confidential includes, but is not limited to, the name and contact information of the client, scope of the engagement, the facts underlying the engagement, and all ESI associated with the work of the Service Provider.
6.5. Examples
6.5.1. Knowledge & Competence
6.5.1.1. Example
There are ample opportunities for Service Providers to remain up to date on privacy and security laws related to ESI. These opportunities include participating in industry groups; receiving industry publications, both free and for pay; and attending industry conferences, meetings and webinars.
6.5.1.2. Example
Prior to soliciting clients or performing work for them, Service Providers should have policies and procedures for ensuring that client ESI is only accessible and viewable by individuals authorized by the Service Provider to perform services for the client.
6.5.1.3. Example
Most Service Providers are likely to have information received from more than one client at a given time. For this reason, Service Providers should have a reliable system in place for organizing and storing client information, so that it is not intermingled with information received from other clients.
6.5.1.4. Example
Service Providers should develop disaster recovery plans to be applied to client information.
6.5.2. Inquiry Before Engagement
6.5.2.1. Example
Service Providers must employ security professionals who exercise due diligence in implementing the most effective security measures appropriate for the ESI being processed.
6.5.2.2. Example
Service Providers should conduct their operations in a secured environment that adequately prevents outsiders from entering the premises and obtaining access to client information. The range of security measures to be considered includes building access controls (building and/or office keys, access cards, etc.), identification cards, employee screening, onsite cameras or video, computer passwords, and data access security.
6.5.2.3. Example
Service Providers should encrypt client information, so that it can only be viewed by authorized individuals.
6.5.3. Disclosure
6.5.3.1. Example
Client contacts Service Provider and requests processing of highly sensitive trade secrets in preparation for litigation. If Service Provider is also processing the opponent's ESI and there are inadequate measures in place to ensure there is no commingling (for example, if Service Provider had security breaches in the past), the Service Provider must alert the client.
6.5.4. International Issues
6.5.4.1. Example
Service Provider receives delivery of sensitive personal information from the European Union, but the Service Provider is not certified under the Safe Harbor framework. Service Provider should inquire whether the ESI was collected and transferred for processing under an exception provided by the country of origin's privacy laws. Service Provider should also ensure that any transfers of data are protected in accordance with each European Union Member State's data protection directives.
6.5.5. Disposal of ESI at the End of Engagements
6.5.5.1. Example
Service Provider is negotiating the scope of services to be provided to the client. In connection with the service provider agreement, the Service Provider should clarify the conditions under which the Service Provider may destroy ESI (e.g., final resolution of the matter). Absent such an agreement, the Service Provider should obtain client consent prior to destroying ESI.