On November 13, 2015 the Working Group on Electronic Document Retention and Production of the Sedona Conference published its Commentary on Privacy and Information Security.

The Commentary sets out principles and guidelines for lawyers and law firms. This follows the publication, in July 2015 of a public comment version of those guidelines. The Commentary is a further example of the “guidelines and principles approach” that a number of regulators and industry associations have implemented over the last two years. These go a long distance toward setting the common law duty of care, on an industry by industry basis. This Commentary is no exception.

The Commentary recognizes that effective privacy in information security varies with the nature of the information, the needs of the client and the circumstances which information is held, among other factors. It does not allow for a “one size fits all solution”. The Commentary therefore sets out principles by which individual service providers can determine their own best policies and practices.

Section 1 of the Commentary provides a brief statement of seven relevant principles which, taken together, recognize the obligation of legal services providers to understand their privacy obligations, the need to assess risks, and the need to develop (on the basis of that assessment) reasonable and appropriate policies and practices. Assessments and policies should be conducted on a “reasonably foreseeable” basis. Policies should require regular training, ongoing monitoring, and mechanisms for reassessment going forward.

In Section 2 the Commentary identifies major sources of the duty to protect private and confidential information. These include (in the US context in which the Commentary was written) the ethical rules applicable to attorneys, federal and state laws and regulations, foreign statutory and regulatory requirements, common-law liability, and contractual obligations.

Section 3 of the Commentary provides direction on conducting a security assessment - and in particular the task of identifying and evaluating assets, profiling and assessing risk, and treatment and mitigating risk. Useful suggestions are made about the way in which and manner in which risks should be identified and assessed, and the way in which security needs should be ranked.

In the final substantive section, the Commentary sets out guidelines for policies and practices that address privacy and information security. It proposes a six step approach, beginning with the identification of the types and sources of information that must be protected, proceeding through the development of information security policies and practices and, ultimately, “preparing for the worst”.

The Commentary includes two appendices - one on privacy and security in the healthcare industry and another on privacy and security in the financial services industry. These summarize applicable (US) regulatory regimes and discuss the impact that those regimes may have on law firms as service providers.

Taken as a whole, the Commentary is a very useful — and arguably seminal — contribution to the arsenal which law firms need to develop in order to deal with information security and privacy issues in a dynamic technological environment.  It will go some distance in setting the standard of care for legal service providers generally.


Kevin L. LaRoche