Our recent OBLICAlert recommended the use of proactive risk management when working with third-party contractors. One of the most important steps is verifying the confidentiality and cyber security protections utilized by those third parties, as discussed below.
Ohio Adv. Op. 2009-6 indicates that while the Ohio Rules of Professional Conduct don’t prohibit outsourcing legal or support services, they do impose significant ethical requirements when outsourcing. Protection of client confidences, including against a cyber breach, is governed by Prof. Cond. R. 1.6, which requires advance consultation with the client to discuss the measures the law firm has taken or will take to inform third parties providing services of the necessary requirements of confidentiality.
ABA Formal Opinion 477R Securing Communication of Protected Client Information specifically examines the ethical duties relating to the use of vendors providing communication technology. As reflected in Comment  of Prof. Cond. R. 5.3, when using such services, the lawyer must make reasonable efforts to ensure that the services are provided in a manner compatible with the lawyer’s professional obligations.
The OBLIC Cyber Toolbox provides extensive resources to assist attorneys with mitigating risks in this digital era. Here is guidance for identifying and managing vendor risks from a checklist for Vendor Security Controls in the Cyber Toolbox:
- Does the vendor have a written Information Security Policy?
- Does the vendor have a written Access Control Policy or similar written procedures?
- Does the vendor have a written Password Management Policy or similar written password management procedures?
- If the vendor permits its employees, contractors, or other third parties to connect their personal devices to the vendor’s networks and/or systems, does the vendor protect against the risks unique to personal devices?
- Does the vendor provide adequate policies and procedures to ensure that its data, as well as organization data, are retained for the time period required by applicable laws, regulations, industry standards, and contractual requirements?
- Does the vendor provide sufficient policies and procedures to monitor how sensitive business information and personal information is collected and used to ensure compliance with applicable laws, regulations, industry standards, and contractual obligations?
- Does the vendor provide sufficient policies and procedures to comply with eDiscovery requirements and other litigation holds?
- Does the vendor have adequate policies and procedures to ensure that terminated employees have their access to the vendor’s networks and systems revoked and are required to return all identification and access cards as well as vendor-owned computing devices, equipment, and sensitive information?
- Does the vendor provide adequate policies and procedures for the proper disposal of data so that it is no longer accessible, readable, or usable?
- Does the vendor have adequate risk assessment policies and procedures in place?
- Does the vendor have a written Security Incident Response Plan in place to respond to suspected and actual information security incidents?
- Does the vendor require employees to certify receipt and understanding of the policies and provide its employees with training in its information security policies and procedures at least annually?
- Does the vendor effectively assign responsibility for physical security, information security, and privacy compliance to officers and other qualified individuals?
Visit the OBLIC Cyber Toolbox for additional Best Practices to Manage Vendor Risks. As always, if you have questions, please feel free to contact us at OBLIC.
Gretchen K. Mote, Esq.
Director of Loss Prevention
Ohio Bar Liability Insurance Co.

Merisa K. Bowers, Esq.
Loss Prevention Counsel
Ohio Bar Liability Insurance Co.
This information is made available solely for loss prevention purposes, which may include claim prevention techniques designed to minimize the likelihood of incurring a claim for legal malpractice. This information does not establish, report, or create the standard of care for attorneys. The material is not a complete analysis of the topic and should not be construed as providing legal advice. Please conduct your own appropriate legal research in this area. If you have questions about this email’s content and are an OBLIC policyholder, please contact us using the information above.