DRAFT – UNDER DEVELOPMENT – PLEASE COMMENT 
The Principle
Service Providers should establish and implement procedures to ensure the security and maintain confidentiality of all Client ESI, communications and other information.
The Corollary
Clients should work with Service Providers to ensure that reasonable measures, appropriate for each engagement, are established and implemented by all concerned parties to secure and maintain confidentiality of all ESI, communications and other information.
Guidelines
- Service Providers should develop policies and procedures for ensuring the security and integrity of Client ESI, confidential communications and other information.
- Service Providers should exercise reasonable diligence to remain knowledgeable and competent with regard to best practices related to privacy and data security in all aspects of handling Client ESI, confidential communications and other information.
- Prior to engagement, Clients should make reasonable inquiry of their Service Providers regarding the level and types of security measures that the Client deems appropriate for that specific engagement.
- Prior to engagement, and upon inquiry by a prospective Client, Service Providers should make full disclosure of all standard security measures implemented by the Service Provider, as well as security measures available and recommended for that specific engagement.
- Service Providers should implement reasonable measures to secure their facilities from unauthorized physical access.
- Service Providers and Clients should implement reasonable measures, appropriate to Client requirements, in connection with securing ESI, confidential communications and other information from unauthorized logical access.
- Service Providers should implement reasonable measures, appropriate to Client requirements, to secure ESI, confidential communications and other information contained on portable devices taken outside the Service Provider’s facilities.
- Service Providers working internationally or with Client ESI coming from international sources must be capable of complying with applicable foreign data privacy laws related to security and confidentiality.
- All ESI, communications and other information received from a Client should be presumed by a Service Provider to be confidential unless otherwise stated in writing (See also, Principle 1 – Professionalism).
- Service Providers have the duty to promptly notify Clients of the unauthorized release, disclosure, or loss of Client ESI, confidential communications or other information in the custody of the Service Provider.
- Upon request of a Service Provider, Clients should not disclose to any unrelated party any of the Service Provider’s proprietary or confidential information provided to the Client in connection with an engagement or prospective engagement.
- Service Providers and Clients should agree in writing to the disposition of Client ESI, confidential communications or other materials upon the termination of any engagement, including its return or destruction.
Discussion
The principle of confidentiality is deeply rooted not only in the basic expectation that Client information will be protected from disclosure to unauthorized parties, but also in due regard for the applicable evidentiary issues. We thus give significant attention to the principle of confidentiality in this Model Code, and to the requirement that Service Providers take reasonable and affirmative steps to preserve the confidentiality of Client ESI, communications and other information.
We repeatedly use the phrase “ESI, communications and other information” in this Principle, with the intent that confidentiality shall broadly cover all case/matter related materials, either in electronic or hard copy form, as well as Work Product, and electronic or verbal communications related to the engagement.
Specifically, we consider case/matter related materials to include all forms of ESI, as well as hard copies, collected from or provided to a Client or its Service Provider as potential evidence in a legal case, investigation, or other legal matter.
Likewise, we consider Work Product to be broadly inclusive of all engagement-related documents, including, but not limited to, RFIs/RFPs and responses, instructions, project specifications and scoping documents, chain of custody materials, status reports, etc.
We intend the term “communications” to be inclusive of electronic or verbal exchanges by or between the Client and Service Provider, as well as other related and authorized parties involved in a case/matter. We firmly believe that such exchanges should be presumed confidential unless designated otherwise by the litigant or its counsel, without regard to whether such exchanges fall under the legal definition of attorney-client privilege or work product.
Guideline 7 addresses implementing reasonable procedures to secure portable devices. The Guideline is not limited to devices containing Client ESI, such as USB hard drives, but is intentionally intended to cover broadly all portable devices containing confidential communications and other information, such as laptops and personal communications devices, including today’s PDAs, BlackBerrys and iPhones, as well as all similar devices that are yet to be invented. We intentionally do not distinguish one portable device from another, as all ESI, communications and other information must be safeguarded from unauthorized access or release. The issue of whether reasonable safeguards extend beyond password protection to full disk / flash memory encryption should be considered in light of Guidelines 3 and 4 above.
Guideline 6 is complementary to Guideline 7, but addresses implementing reasonable measures to secure ESI, confidential communications and other information from logical security penetration, either while the ESI is housed or while it is in transmission. Because transmission of such ESI involves at least two parties, the determination of what is reasonable applies equally to both Service Providers and Clients. As such, all parties should determine what reasonable measures are applicable to the case/matter, and apply those measures across the board.
As a practical matter, we take notice that certain Service Providers have implemented physical and logical data security in accordance with such recognized certification standards as SAS 70 or ISO 27001. Clients should be aware that under those standards, the Service Providers cannot operate their security programs below certain thresholds. As a corollary, we recommend that Clients strive to ensure that data security is consistently maintained above certain minimal levels amongst all Service Providers throughout the case/matter.
In the event that confidential communications or other information become part of the public record, Service Providers should nonetheless maintain confidentiality absent express release by the Client, or as otherwise provided in a written contract between the parties, such as a Confidentiality and Non-Disclosure Agreement.
Examples
- Example – Best Practice 1a: There are ample opportunities for Service Providers to remain up to date on privacy and security laws related to ESI, including groups such as EDRM and The Sedona Conference. Publications such as Law Technology News are provided at no cost to anyone who wishes to receive them. Events such as webinars produced by technology companies and meetings such as LegalTech give Service Providers further means of remaining current.
- Example – Best Practice 1b: Service Providers should always assume that client information is intended to be kept confidential. This assumption should dictate the conduct of Service Providers and employees. As such, Service Providers and their employees should never disclose their clients or information received from their clients without prior authorization.
- Example – Best Practice 1c: Service Providers and their employees should refrain from discussing clients or client information in public areas.
- Example – Best Practice 2a: Prior to soliciting clients or performing work for them, Service Providers should have policies and procedures for ensuring that client ESI is only accessible and viewable by individuals authorized by the Service Provider to perform services for the client.
- Example – Best Practice 2b: Most Service Providers are likely to have information received from more than one client at a given time. For this reason, Service Providers should have a reliable system in place for organizing and storing client information, so that it is not intermingled with information received from other clients.
- Example – Best Practice 2c: Service Providers should develop disaster recovery plans to be applied to client information.
- Example – Best Practice 2d: A Service Provider contracts with a highly regarded Fortune 500 Company, and the business relationship has the potential to attract the attention of prospective customers. The Service Provider should obtain prior authorization from the client before advertising the business relationship.
- Example – Best Practice 3a: Service Providers must employ security professionals who exercise due diligence in implementing the most effective security measures appropriate for the ESI being processed.
- Example – Best Practice 3b: Service Providers should conduct their operations in a secured environment that adequately prevents outsiders from entering the premises and obtaining access to client information. The realm of possible security measures to be considered includes building access security (building and/or office keys, access cards, etc.), identification cards, employee screening, onsite cameras or video, computer passwords, and data access security.
- Example – Best Practice 3c: Service Providers should encrypt client information, so that it can only be viewed by authorized individuals.
- Example – Best Practice 3d: A Service Provider intends to contract with a law firm that is handling a litigation matter for its client. In connection with the contract, Service Provider should memorialize in writing the terms relating to the confidentiality of the information to be received prior to beginning work.
- Example – Best Practice 3e: Service Providers should require their employees to sign confidentiality agreements relating to client information as a condition of employment.
- Example – Best Practice 3f: Service Providers should train their employees on appropriate measures for ensuring the confidentiality of client information.
- Example – Best Practice 3g: Unless deemed necessary to service the client, Service Providers should take measures to prevent client information from being circulated within the company. When possible, client names and projects should be restricted to authorized individuals and code names should be assigned to the clients and associated projects.
- Example – Best Practice 4a: A Client contacts a Service Provider and requests processing of highly sensitive trade secrets in preparation for litigation. If the Service Provider is also processing the opponent’s ESI and there are inadequate measures in place to ensure there is no commingling (for example, if the Service Provider has had security breaches in the past), the Service Provider must alert the client.
- Example – Best Practice 4b: Service Providers should encrypt all client information, so that it can only be accessed by authorized individuals.
- Example – Best Practice 5a: A Service Provider receives delivery of sensitive personal information from the European Union, but the Service Provider is not Safe Harbor certified. The Service Provider should inquire whether the ESI was collected and transferred for processing under an exception provided by the country of origin’s privacy laws. The Service Provider should also ensure that any transfers of data are protected in accordance with each European Union Member State’s data protection directives.
- Example – Best Practice 5b: A Service Provider performs processing work for a client who has requested that the relevant data be returned as soon as possible electronically. Service Provider may send the data to the client electronically, but should encrypt the data and institute other appropriate security measures.
- Example – Best Practice 6: Service Provider accidentally sends privileged documents to opposing counsel. Service Provider must inform the client as to the security breach as soon as reasonably possible.
- Example – Best Practice 7: Service Provider is negotiating the scope of services to be provided to the client. In connection with the service provider agreement, the Service Provider should clarify the conditions upon which the Service Provider may destroy ESI (e.g. final resolution of the matter). Absent such an agreement, the Service Provider should obtain client consent prior to destroying ESI.
- Example – Best Practice 8: A Service Provider receives client data and reviews and codes the data for eventual production. Periodically, such as on a daily and weekly basis, as dictated by best practices, the Service Provider should back up, mirror and/or replicate the data and associated work to ensure its integrity in the event the primary storage fails.
Principle 6 - Security and Confidentiality