Legal Support Services Deskbook
Information Security & Confidentiality
Note: Due to the extremely high importance of the security and confidentiality of FDIC information and records, LSS Providers should pay special attention to the contents of this Chapter. For questions regarding your responsibility for Information Security in FDIC Legal matters, contact the Litigation Support Group at firstname.lastname@example.org.
3.1 Maintaining Confidentiality
(a) In the course of assisting the FDIC, LSS Providers may have access to nonpublic, confidential information. The FDIC has defined a broad category of such information, in any form, paper or electronic, as "Sensitive Information" in FDIC Directive System Circular 1360.9. LSS Providers, including all of their employees and contractors, must comply with Circular 1360.9. This includes an understanding of 1) all categories of Sensitive Information, as defined in the Circular and set forth in footnote 1 below; and 2) the FDIC Information Security policies and procedures set forth in the Circular.
(b) LSS Providers are responsible for the security and confidentiality of all Sensitive Information to which they have access. As an LSS Provider for the FDIC, you must take appropriate measures to ensure that all personnel are trained in and familiar with this responsibility. Protecting the security and integrity of Sensitive Information extends to all personnel and to any experts or other subcontractors that you may hire (with prior Legal Division approval only) in any FDIC legal matter. Because of the role and mission of the FDIC in the United States monetary and banking systems, Sensitive Information may include a broad spectrum of disparate information and records from multiple sources. Your adherence to a strong and effective client confidentiality and information security policy is a critical part of your FDIC relationship.
(c) LSS Providers must supply the Legal Division with the name and contact information of your Chief Information Security Officer or equivalent as well as a backup contact, either of whom can be reached without delay.
[1] Sensitive Information is defined in Circular 1360.9 as follows (to ensure you are using the latest version, check this link: Circular 1360.9):
(1) Information that is exempt from disclosure under the Freedom of Information Act (FOIA) such as trade secrets and commercial or financial information, information compiled for law enforcement purposes, personnel and medical files, and information contained in bank examination reports (see FDIC Rules and Regulations, 12 C.F.R. Part 309, for further information);
(2) Information under the control of FDIC contained in a Privacy Act system of record that is retrieved using an individual’s name or by other criteria that identifies an individual (see FDIC Rules and Regulations, 12 C.F.R. Part 310, for further information);
(3) PII about individuals maintained by FDIC that, if released for unauthorized use, may result in financial or personal damage to the individual to whom such information relates. Sensitive PII, a subset of PII, may consist of a single item of information (e.g., SSN) or a combination of two or more items (e.g., full name along with financial, medical, criminal, or employment information). Sensitive PII presents the highest risk of being misused for identity theft or fraud;
(4) Information about insurance assessments, resolution and receivership activities, as well as enforcement, legal, and contracting activities; and
(5) Information related to information technology specific to the FDIC that could be misused by malicious entities (e.g., firewall rules, encryption and authentication mechanisms, and network architecture pertaining to the FDIC).
Note: Failure to follow the directives outlined in this Chapter may result in termination of the firm's LSA or other sanctions that the FDIC deems appropriate under the contract, at law or in equity.
(d) The FDIC may contact you to assess the strength of your company’s cybersecurity measures, protections, policies or procedures. This may include telephone contacts, email questionnaires, review and evaluation of your Information Security directives, policies and procedures or on-site reviews by FDIC staff.
(e) All LSS Providers must be in compliance with the American Bar Association (ABA) Model Rules of Professional Conduct, Rule 1.6 (americanbar.org), which sets minimum standards of conduct with respect to the confidentiality of client information. This duty of client confidentiality includes maintaining the security and integrity of records in paper or electronic format.
(f) All LSS Providers must have in place a secure computer network. Your network should have significant resistance to intrusions and sufficient detection capability to identify possible attacks by any method. The FDIC may contact your firm regarding the security of your computer network, as set forth above in subsection 3.1(d). Any deficiencies noted, as determined in the sole discretion of the FDIC, will need to be promptly corrected. See the Note above subsection 3.1(d).
(g) All LSS Providers must have internal policies and procedures on Information Security, data back-up, data breaches and the handling, use and disposition of confidential client information ("Security Plan"). The Security Plan should, at a minimum, require the following:
1) Periodic Risk Assessments - LSS Providers should conduct and fully document periodic internal risk assessments in order to identify reasonably foreseeable threats to information security.
2) Appropriate Security Programs - These should consist of reasonable physical, technical, and administrative security measures to manage and control identified risks.
3) Periodic and Recurring Training & Education - Mandatory periodic employee training should be certified by the employee and documented by the firm. This training should enhance staff understanding of their roles and responsibilities regarding data, physical and administrative security.
4) Testing/Monitoring - LSS Providers should periodically test the sufficiency of security measures. This includes testing or monitoring of systems, as well as review of records of system activity, audit logs, access reports and security incident tracking reports.
5) Review and Adjustment - LSS Providers must respond timely to any threats or risks that arise during these periodic internal reviews. This includes, when appropriate, FDIC notification, as further specified in this Deskbook.
6) Third Party Consultants - To comply with the obligations imposed by law, FDIC policy, or other applicable standards, LSS Providers should consider the engagement of technical consultants, when necessary.
Each LSS Provider must customize your Security Plan to meet business, legal and client needs. Every business is unique, so you may need additional security measures not referenced in this subsection 3.1(g). This subsection 3.1(g) is only intended to aid LSS Providers in considering your responsibilities for safeguarding FDIC Sensitive Information. This subsection does not create or expand on any formal FDIC Information Security policy, nor does it provide any safe harbor for LSS Providers.
(h) Since LSS Providers are responsible to ensure the security and integrity of FDIC records, especially Sensitive Information, a copy or detailed explanation of the Security Plan must be supplied to the Legal Division or other FDIC component upon request. Any deficiencies noted, as defined in the sole discretion of the FDIC, will need to be promptly corrected. See the Note above subsection 3.1(d).
(i) As stated above, your firm is solely responsible for ensuring the security of FDIC records, especially Sensitive Information that may be supplied or made available to you and to all consultants, experts, or other contractors that you may hire with Legal Division authorization. To better protect LSS Providers, the FDIC requires that your firm obtain the signature of all such third-party contractors on a Confidentiality Agreement in a form substantially identical to the Confidentiality Agreement (PDF). Such agreements should be retained in your firm's records.
(j) In order to adequately secure all FDIC electronically stored information ("ESI"), particularly Sensitive Information, whether it originated from the FDIC in any capacity, or was received from any other party in litigation, or from any third party, all such ESI must be hosted and produced utilizing an appropriate FDIC-approved vendor under the direction of and authorized by the FDIC Legal Division’s Litigation Support Group. Further, any and all employees, consultants, experts or other contractors who will have access to any ESI must be properly credentialed with the vendor hosting and producing said ESI. If you have any questions concerning this subsection 3.1(j), please direct them to the Litigation Support Group at email@example.com, as further described below in section 3.2.
3.2 Using FDIC’s Litigation Support Group on Legal Matters
(a) All LSS Providers retained on an FDIC Legal matter must coordinate with the Litigation Support Group (LSG) of the Legal Information Technology Unit to conduct an early legal matter assessment to identify potential sources of responsive records, custodians, screening criteria, search parameters, review processes, and scope of production. The early legal matter assessment must also consider the resources to be applied in responding to requests for FDIC records or testimony.
(b) In addition, prior to any release or disclosure of FDIC records or information, all LSS Providers must first consult LSG, and diligent efforts must be made to assure that highly-confidential or Sensitive Information has been identified and reviewed and appropriate protective measures taken, so that only the correct records will be produced or disclosed.
(c) LSG will also work with you and help to coordinate any data hosting issues or requirements that may arise as to ESI described above in subsection 3.1(j). If ESI issues are present, it is important to coordinate early in the progress of the legal matter. Close communication with LSG is imperative in this situation.
3.3 Careful and Secure Handling of FDIC Information & Records
The Legal Division mandates that LSS Providers and related vendors exercise prudent care in their handling and use of FDIC information, including but not limited to:
(a) always using encryption technology when transmitting confidential "Sensitive" information to anyone outside of your internal network, including to the LSG, other sources inside of the FDIC or to your subcontractors or other consultants;
(b) promptly notifying the LSG (firstname.lastname@example.org) of any breach or possible breach or loss of FDIC information;
(c) ensuring the physical security of FDIC information and records in any format, e.g. keeping Sensitive Information out of plain sight, locked in cabinets, behind password-protected screensavers, only on encrypted media, and using extreme caution when transporting any FDIC information away from your office; and
(d) understanding that you are solely responsible for ensuring the security and integrity of FDIC information handled by all vendors and subcontractors your firm uses.
3.4 FDIC-Supported Resources for Using Encryption Technology to transmit Confidential "Sensitive" Information.
(a) Zix Mail
Contact LSG for further information on using Zix Mail.
(b) PKZip for Windows
Your Information Technology staff should be able to instruct other staff members on how to receive and properly transmit secure documents using PKZip for Windows. When using an archive tool, confirm that the archive is encrypted with strong encryption (AES) rather than the legacy ZIP password scheme, and communicate the archive password to the recipient through a separate channel (for example, by telephone rather than in the same e-mail as the attachment).
3.5 Other Resources
(a) ESI is especially vulnerable due to its abundance, portability and the instant transferability of vast amounts of information. The ABA has therefore published resource materials and offers Continuing Education courses on cyber and data security at their web site: www.americanbar.org. These resources supply quality guidance for LSS Providers in taking reasonable steps to meet your responsibilities in securing FDIC information. All of your employees should be familiar and conversant with ABA guidance and publications on cyber and data security.
(b) The Association of Corporate Counsel and a group of its members have published the Model Information Protection and Security Controls for Possessing Company Confidential Information (the 2017 Model Controls). While the Legal Division has not adopted or sanctioned the 2017 Model Controls, LSS Providers may find them helpful in updating their Security Plans, practices and procedures.