Attorneys Create New Control Framework
The Association of Corporate Counsel (ACC), which represents over 42,000 in-house counsel across 85 countries, recently released a new control model to help organizations protect sensitive information when sharing it with outside parties. This is one of many business areas where vendor risk management has become a key issue.
The control framework, entitled Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information, was developed to provide a baseline list of security measures and controls that legal departments may consider requiring of outside counsel and other outside vendors. While the framework is not enforced in any way, it does provide strong suggestions as to what are considered essential practices when in-house legal teams share confidential information with outside legal teams.
Highlights and Key Compliance Requirements
Unlike many other control frameworks, the ACC framework focuses on the exchange of confidential information between two parties. To that end, it covers some gaps that are often overlooked in third-party contracts, such as the requirement to return data at the end of the engagement or to provide evidence of proper destruction.
The controls are organized into 13 separate control areas, ranging from (1) Policies and Procedures to (13) Subcontractors. The ACC framework does not explicitly map its control areas to other recognized frameworks such as ISO 27002 or the NIST Cyber Security Framework, although, as noted below, its first control area borrows the ISO 27002 clause structure without naming it.
The Key Control of Information Security Policies
The first control area, (1) Security Policies and Procedures, requires the third party to have written information security policies. These policies must cover a list of areas that mirrors the control clauses of the ISO/IEC 27002 standard:
Outside Counsel shall have in place internal security and privacy policies designed to protect the security, confidentiality, and integrity of Company Confidential Information or other information of a similar nature that include: security policy; organization of information security; asset management; human resources security; physical and environment security; communications and operations management; access control; information systems acquisition, development, and maintenance; information security incident management; business continuity management; personnel training; and compliance.
With the exception of "personnel training", these are exactly the eleven control clauses of ISO/IEC 27002:2005 (the ACC does not refer to the standard by name). Note that the list follows the 2005 edition rather than the current 2013 revision, which reorganized the clauses and added explicit ones for cryptography, operations security, communications security and supplier relationships; a program built strictly to this list should make sure those topics are still addressed. In practice, the requirement means that the outside party must have a complete security compliance program in place.
On-Demand Compliance
Another key requirement in Section 1 is security awareness training for employees. Not only is training required, but the third party must be prepared to provide evidence of it:
Outside Counsel shall provide and maintain information security training for all employees and provide a summary of such training to Company upon request.
This is one of several controls that point to the need for the organization to respond, on request, with evidence of control effectiveness. A related control points to the need for organizations to be certified against a recognized best-practice standard:
If Outside Counsel has not achieved ISO27001 certification, Company may request that Outside Counsel undertake the certification process and provide Company with evidence of certification when attained.
This is phrased as something the company "may request" rather than an absolute requirement, but a demand for independent, third-party validation will most likely create extra time and expense for most firms. ISO 27001 certification, like a SOC 2 examination, typically takes many months and requires a substantial investment in documentation, internal audit and remediation before the assessor arrives.
Cyber Liability Insurance
One notable new control area actually requires the other party to purchase cyber liability insurance. This is presumably in recognition of the fact that most organizations are not properly prepared to handle a data breach, especially its downstream costs (notification, forensics, legal fees and regulatory response).
Outside Counsel will obtain and maintain in force at all times cyber liability insurance with an insurance company having a minimum credit rating of A- from Standard and Poors or other equivalent rating agency, with a minimum coverage level of $10,000,000.
Third Party Vendors
Like many other frameworks, the ACC framework places specific focus on third-party vendors and subcontractors. It goes so far as to call out specific types of vendors commonly used by legal teams:
Outside Counsel shall be responsible for all subcontractors used by Outside Counsel that have access to Company Confidential Information. […] For the avoidance of doubt, this section pertains to, without limitation, reprographics vendors, off-site storage vendors, and cloud server hosting facilities.
This requirement is not new; flowing security obligations down to subcontractors should be part of any solid compliance program. Calling out specific vendor types, however, is a good way to provide additional guidance in areas such as legal, human resources or audit, where the vendors that actually handle confidential data (copy services, records storage, hosting providers) are easy to overlook. Typically such controls are written only with IT vendors in mind.
Just Another Framework?
One could reasonably ask: why another framework? The information security and data privacy world is already heavy with frameworks and regulations (HIPAA, ISO 27002, NIST CSF, FFIEC, etc.). In that sense, the ACC framework duplicates a lot of existing work and will probably create even more confusion. Where it does contribute is in filling some existing gaps in key control areas, such as data handling, contract terms and third-party liability.
Easy IT Compliance from Information Shield
Compliance Shield can be used to dramatically reduce the time and effort of complying with the control requirements of the ACC framework. Our Common Policy Library (CPL) provides complete coverage of the security policy areas required for both in-house and outside counsel. The built-in Security Awareness Training addresses the specific need to train employees and to provide evidence of that training on request. Incident Response plans and features enable any firm to respond to and recover from information security events more effectively. Compliance Shield also automates vendor risk management, reducing the time and effort required to assess vendors. And finally, being able to demonstrate a robust information security program may help reduce the cost of maintaining cyber liability insurance.