The rules of engagement of law firms for many companies, known as Outside Counsel Guidelines (OCGs), are appropriate and helpful in most situations. The guidelines set forth the expectations of the client, potentially avoiding uncomfortable situations. While OCGs can frustrate the practice of law and often unnecessarily reiterate the ethical obligations of attorneys, overall, they improve the attorney-client relationship.

Yet, often OCGs contain privacy and data security obligations that do not match the reality of practicing law and servicing a client. These obligations often come from an IT department or compliance professional who goes to extreme lengths to ensure they cannot be blamed if there is a data incident. This attitude and approach have created an OCG problem for law firms.