Corporate Counsel Group Issues Law Firm Cyber Guidance

By Michael Greene, Bloomberg BNA

The Association of Corporate Counsel (ACC) has issued its first-ever guidelines on the basic data security measures that in-house counsel should expect from their law firms, in the wake of reported data breaches at Cravath Swaine & Moore LLP, Weil Gotshal & Manges LP and other firms.

Some of corporate America’s most sensitive information resides with its lawyers, making law firms prime targets for hackers. The ACC’s guidance addresses issues such as data encryption, breach reporting and security review rights.

General counsel are very concerned about their law firms’ cybersecurity, in part because some observers view the firms as the “weak link in the chain right now,” Amar Sarwal, ACC vice president and chief legal strategist, told Bloomberg BNA. In-house counsel should be applying as much rigor as they can on how their outside counsel maintain confidential information, Sarwal said.

General counsel contacted by Bloomberg BNA said many large companies now are holding regular conversations with their main outside counsel on cyber issues.

Much of the discussion focuses on hashing out terms for the protection of confidential information, Brennan Torregrossa, vice president and associate general counsel at GlaxoSmithKline plc, told Bloomberg BNA.

The ACC guidelines are a step towards standardizing some key terms so that law firms aren’t getting thousands of different demands from their clients, said Torregrossa, whose legal department assisted in developing the guidance.


Law Firm Audits.

Zurich North America, a commercial insurance and risk management company, requires its outside counsel to comply with privacy and information security laws and regulations, and to provide a process for reporting suspected or actual breaches, according to Vice President and Assistant General Counsel Edward Paulis III.

Zurich also requires its retained law firms to undergo an audit of their data security measures, similar to the audits vendors must undergo, Paulis said in an email.

“The threat of a cybersecurity breach is a crucial issue, and should be addressed up front in the retention process,” Paulis said. “A law firm that is unable or unwilling to engage in a conversation about the law firm’s data security can expect not to move forward in the retention process.”


Big Law Vulnerabilities.

The U.S. government in December announced charges against Chinese hackers for allegedly breaking into the servers of seven major international law firms, including Cravath and Weil Gotshal. Panamanian law firm Mossack Fonseca & Co. made headlines when hackers in 2016 leaked information that the firm was helping some of its clients evade taxes.

Big law firms are the most vulnerable to hackers, according to an American Bar Association survey. The ABA found that 26 percent of firms with 500 or more attorneys that responded to its survey experienced a security breach in 2016.

Meanwhile, a 2016 Zurich North America and Advisen Ltd. survey of risk management officers suggests that a growing number of companies view their general counsel as the “go-to” person for handling compliance issues related to data breaches.

In-house counsel also should track merger activity between law firms, Sarwal said. A company may resolve its cybersecurity concerns with one law firm, only for that firm to merge with another whose systems are entirely different, he said.

To contact the reporter on this story: Michael Greene in Washington at

To contact the editor responsible for this story: Yin Wilczek at

For More Information

The ACC Model Guidelines are available here.