Policy, Program and Procedures


Law Firms

  • 1.  Law Firms

    This message was posted by a user wishing to remain anonymous
    Posted 21 days ago

    How are you addressing law firms?  Given law firms and their individual lawyers are subject to binding ethical and legal obligations to maintain the confidentiality of everything they learn in their legal representation, and attorneys can be disbarred for not maintaining the confidentiality of client communications, which are legally protected by the attorney-client privilege.  My thought is we would handle those we might use to address litigation differently from those that are providing "operational services" by simply carving out any requirements for infosec reviews for those only used to address litigation while performing a full infosec review (e.g., policies and/or third-party audits as may be available).  Our legal team is suggesting infosec reviews are not necessary in either case.


  • 2.  RE: Law Firms

    Posted 20 days ago
    Attorney-client privilege communications are protected in litigation discovery, but those communications can still be obtained with a subpoena or through deposition. It's only communications between attorney and client that are protected, so, without more context, it's hard to say how much InfoSec audits/reviews would be impacted by attorney-client privilege. In fact, a third party performing that review is likely in the interest of PROTECTING attorney-client privilege from being accessed by non-privileged parties. And I say all of this without going into the likelihood of there being an LSA and/or NDA in place to set parameters of what can and cannot be audited or disclosed...


  • 3.  RE: Law Firms

    Posted 19 days ago
    Edited by Brittany Padgett 19 days ago
    Attorney firms utilize Case Management systems which contain restricted and confidential information that requires sufficient physical and logical controls that should be evaluated for sufficiency when reviewing a firm: What does the firm have access to, who in the firm is permitted to access it, and does the firm have sufficient policies, procedures and controls to demonstrate an acceptable level of keeping data protected? We tier firms based on risks, from amount of cases handled to level of spend, but if the firm is using a case management system we do review it to ensure that we are comfortable with the firm's ability to protect data.  Be Well!

    ------------------------------
    Jenn Wilkinson
    Vice President
    Strategic Vendor Management
    Cenlar FSB
    ------------------------------



  • 4.  RE: Law Firms

    This message was posted by a user wishing to remain anonymous
    Posted 15 days ago

    Thank you for your feedback.