The Commentary sets out principles and guidelines for lawyers
and law firms. This follows the publication, in July 2015, of a
public comment version of those guidelines. The Commentary is a
further example of the "guidelines and principles
approach" that a number of regulators and industry
associations have implemented over the last two years. These go a
long distance toward setting the common law duty of care, on an
industry-by-industry basis. This Commentary is no exception.
The Commentary recognizes that effective privacy and information
security varies with the nature of the information, the needs of
the client and the circumstances in which information is held, among
other factors. It does not allow for a "one-size-fits-all
solution". The Commentary therefore sets out principles by
which individual service providers can determine their own best
policies and practices.
Section 1 of the Commentary provides a brief statement of seven
relevant principles which, taken together, recognize the obligation
of legal services providers to understand their privacy
obligations, the need to assess risks, and the need to develop (on
the basis of that assessment) reasonable and appropriate policies
and practices. Assessments and policies should be conducted on a
"reasonably foreseeable" basis. Policies should require
regular training, ongoing monitoring, and mechanisms for
reassessment going forward.
In Section 2 the Commentary identifies major sources of the duty
to protect private and confidential information. These include (in
the US context in which the Commentary was written) the ethical
rules applicable to attorneys, federal and state laws and
regulations, foreign statutory and regulatory requirements,
common-law liability, and contractual obligations.
Section 3 of the Commentary provides direction on conducting a
security assessment - and in particular the tasks of identifying and
evaluating assets, profiling and assessing risk, and treating and
mitigating risk. Useful suggestions are made about the manner in
which risks should be identified and assessed, and the way in which
security needs should be ranked.
In the final substantive section, the Commentary sets out
guidelines for policies and practices that address privacy and
information security. It proposes a six-step approach, beginning
with the identification of the types and sources of information
that must be protected, proceeding through the development of
information security policies and practices and, ultimately,
"preparing for the worst".
The Commentary includes two appendices - one on privacy and
security in the healthcare industry and another on privacy and
security in the financial services industry. These summarize
applicable (US) regulatory regimes and discuss the impact that
those regimes may have on law firms as service providers.
Taken as a whole, the Commentary is a very useful — and
arguably seminal — contribution to the arsenal which law
firms need to develop in order to deal with information security
and privacy issues in a dynamic technological environment. It
will go some distance in setting the standard of care for legal
service providers generally.