What is the ACC Data Steward Program?

The Association of Corporate Counsel’s Data Steward Program (DSP) is a service offered by ACC to assess, benchmark and accredit law firms and legal service providers on their information security capabilities. This service is offered directly by ACC and is not a co-branded or co-marketed service from another vendor. The ACC Data Steward Program utilizes industry-standard information security controls specifically selected for client data security at law firms. In an innovative assess-once/leverage-many model, law firms’ security capabilities are evaluated and managed on a secure, always-up-to-date platform. The Data Steward Program aims to create an assessment that is relevant and comprehensive, and that saves both in-house teams and law firms tremendous time and resources compared with current questionnaire-and-spreadsheet processes.

Who is the Association of Corporate Counsel?

The Association of Corporate Counsel (ACC) is a global legal association that promotes the common professional and business interests of in-house counsel who work for corporations, associations and other organizations through information, education, networking, and advocacy. With more than 45,000 members in 85 countries employed by over 10,000 organizations, ACC connects its members to the people and resources necessary for both personal and professional growth. By in-house counsel, for in-house counsel.® For more information, visit www.acc.com and follow ACC on LinkedIn, Twitter, and Facebook.

ACC has established itself as a trusted source of high-value information for its members. As an organization comprised of law firms’ clients, ACC intends to establish the Data Steward Program as a global legal industry standard for evaluating law firm security capabilities.

Why did ACC create this service?

Companies provide extremely sensitive legal information to their law firms and legal service providers that if breached poses a material threat. Increasingly cybercriminals are attacking firms to gain access to this sensitive client data. Assessing and evaluating law firm security is a difficult, cumbersome and resource-intensive process, both for companies and their firms. The ACC Board of Directors saw a need for a smarter, more effective and efficient approach and authorized development of the Data Steward Program to meet this emerging threat.

How much does it cost?

The Data Steward Program is provided at no cost to in-house counsel, and to law firms and legal service providers at just $1495 annually for a Base License subscription. The Base License entitles a firm to three (3) ‘client sharing’ licenses, a customizable evidence repository, secure workspace to facilitate remote client audits, and internal issue tracking and remediation management. Each additional client sharing license is $495 annually, with unlimited sharing capped at $9995 for firms supporting a very large number of client assessments and audits.

Is this program available only for ACC members?

The Data Steward Program is free for all in-house counsel, including those who are not currently ACC members.

How does the Data Steward Program work?

  1. Law firm licenses access to DSP self-assessment.
  2. Law firm conducts self-assessment in the Data Steward SaaS platform. Firms may optionally apply for ACC Accreditation by engaging independent ACC-approved assessors to validate results.
  3. Platform provides both high-level scoring on a scale of 0-100 as well as drill-down detail.
  4. The Dashboard view allows firms to share assessment results with their clients’ in-house legal and information security teams. One self-assessment can be shared with all of a firm’s clients.
  5. Firms update Data Steward on a regular basis as their security profile changes. Scores update immediately and can be reviewed by clients in real time.
  6. ACC releases updated versions of controls as global standards change and new threats emerge.

How does this program make it easier for law firms?

The Data Steward Program is emerging as a legal industry standard, with technical controls based on global frameworks such as NIST and ISO, embedded in a secure software platform that can support law firm self-assessments, client audits, and ACC Accreditation. This approach is not only advantageous for in-house counsel, but has significant benefits for law firms of all sizes around the globe.

  • For Large Firms, Data Steward reduces the risk, time and money spent on dozens, even hundreds of one-off client questionnaires and security audits. Data Steward’s assess-once/share-many approach allows firms to answer and update a single set of security controls for review by all of their clients. This focuses client expectations and management investments on the same security objectives, and allows IT to redirect technical resources from completing questionnaires to completing security projects.
  • For Regional and Smaller Firms, Data Steward’s industry-standard assessment can be used to overcome any presumption that larger firms or peer competitors are more secure, by transparently demonstrating the firm’s security posture to clients and potential clients. The industry-standard assessment also gives law firms a concrete roadmap for investing in client security objectives.
  • For Global Firms, Data Steward’s security controls are mapped to the ISO 27001 international standard, overcoming any presumption that U.S. or local competitors are more secure, and ensuring compliance with data security objectives that are complementary to data privacy requirements.

How does Data Steward integrate with vendor risk management products on the market?

Fifteen percent (15%) of larger companies have invested in a Vendor/Third-Party Risk Management System. These software programs are used by a company to assemble a centralized inventory of third-party vendors; prioritize their degree of risk to the company; conduct automated messaging with those vendors; issue and track security remediation tasks; and maintain records and documentation such as compliance reports and evaluation records. Data Steward is designed from the ground up to integrate the results of its streamlined, legal-industry-specific questionnaire directly into corporate VRM/TPRM systems. Data Steward can provide reports, exports and persistent data feeds to a variety of VRM/TPRM systems, including ServiceNow, OneTrust, and others.

For the remaining 85% of companies that have not invested in a VRM/TPRM system, Data Steward provides the full range of messaging, assessment, remediation, documentation, and auditing capabilities that will allow the company to engage with its law firms.

Does this program discriminate against smaller law firms?

In developing this Program ACC solicited feedback from smaller firms, and it was overwhelmingly positive. These small firms expressed concern that many large corporations might incorrectly assume that they do not have adequate security and exclude them on bids involving highly sensitive information. Furthermore, the current process for evaluating firms is so cumbersome that often companies would restrict bidding new business to the few, established firms they had already evaluated, limiting the opportunity for new firms to bid on new projects. The Data Steward Program levels the playing field and has received strong support from both large and small firms.

What type of security controls does the assessment use? Can we see them?

The ACC Data Steward ‘Core Assessment’ controls were selected and arranged by an ACC Working Group, Controls Committee, and In-house Advisory Board comprising legal industry CIOs, CISOs, attorneys skilled in cybersecurity, and other information security professionals from corporate legal, law firms, and legal service providers, many of whom had experience with ISO certification and FedRAMP authorization.

The scope of the Core Assessment was defined as those controls with which the industry can expect ALL law firms and legal service providers, large and small, to comply. The committees organized the controls using the NIST Cybersecurity Framework (NCF) because it is publicly available, addresses the private sector, and is mapped to key frameworks such as NIST 800-53, ISO 27001, CIS, COBIT and ISA.

Overall, the Data Steward Core Assessment addresses 160+ distinct security controls. To date, dozens of Fortune 500 organizations have vetted the controls and found them to be commensurate with their own. A copy of the controls is available upon request.


What level of detail can we see on assessed firms?

Law firm assessment results are stored on the Data Steward SaaS platform, a dynamic, highly secure portal that includes a dashboard of each firm’s compliance results, an evidence repository for proof of compliance, and other detailed information such as:

  • An overall security score based on each firm’s assessment, with scores ranging from 0 to 100
  • A defined scope within which the firm’s assessment is valid, such as specific countries in which the firm practices, certain regional offices and data centers, and so on
  • A detailed list and brief explanation of any issues or exceptions where the firm does not comply with a particular control, or to which it responded ‘not applicable’
  • Detailed scoring and responses for each individual control
  • An evidence repository in which firms can upload proof of compliance such as policy or procedure documents, configuration screen shots, etc. – for internal tracking purposes, as well as supporting remote client audits.

Are the law firm evaluations managed securely?

All law firm assessments and supporting documentation are managed through a highly secure, industry-leading compliance platform, AuditBoard. AuditBoard is used by thousands of companies and 250,000 users to manage compliance audits and assessments.

Is access to the Program Dashboard limited to the legal department?

No, law firms can grant access to internal management as well as individual client personnel, and these results may be viewed by any group within the company including legal operations, InfoSec, risk management, etc.

Does ACC specify what is a good score?

ACC presents a high-level score and the associated detail. However, determining the minimum level of security required for any particular law firm or matter is left up to the legal department. ACC views its role as providing information, not telling a company which law firm it should or should not use for any given matter.

Is there a requirement that firms keep their assessments up to date? How often?

Companies can specify how often they would like their firms to update their self-assessments in the Data Steward Platform. Most companies are having their firms update their controls at a minimum monthly or quarterly. Law firms can display and clients can view a firm’s “Last Update” date on the law firm’s Profile page.

How can in-house counsel verify the accuracy of law firm self-assessments?

The Data Steward Program offers the following levels of validation. For each level, the law firm supplies certain data points and in-house counsel performs a corresponding review:

  1. Basic Validation. Law firm data points: the law firm certifies self-assessment results, scope, issues and exceptions based on internal review. In-house counsel review: the client reviews the law firm profile and dashboard, which include a richer set of assessment data points than traditional questionnaires.
  2. Signed Attestation. Law firm data points: the law firm uploads a general or customized attestation. In-house counsel review: the client reviews the attestation for law firm assurance on specific requirements.
  3. Evidence Review (Client Audit). Law firm data points: the law firm uploads documentation, screen shots, or other evidence of compliance, including results of ISO, SOC 2, or similar audits. In-house counsel review: the client defines the scope of controls to be audited, reviews evidence of compliance, and raises issues for clarification or remediation.
  4. Integration. Law firm data points: the law firm uploads custom data points from Data Steward to the client’s GRC/VRM/third-party risk management system. In-house counsel review: the client benefits from an integrated view of risk data points across all third-party suppliers, including law firms and legal service providers.
  5. ACC Accreditation. Law firm data points: the law firm requests evidence review by an independent ACC Assessor; upon successful completion, the firm is granted ACC Accreditation. In-house counsel review: the client views firms with ACC Accreditation as fully validated, allowing the client to shift resources to firms that require further validation.


How is Remediation managed?

The Data Steward platform has capabilities for companies to easily manage and track remediation for literally hundreds of firms simultaneously. The transparent and objective scoring of security controls provides clear, prescriptive actions firms need to take to increase their security capabilities and scores. Likewise, because the Program allows many clients to evaluate a firm’s capabilities using the same controls, law firms are more likely to be proactive in addressing any security issues. Furthermore, the assess-once/share-many model relieves individual clients from having to push their firms to make improvements.

How do we get started evaluating and using the Program?

In-House Counsel Rollout Tasks, with the estimated effort for Legal/Legal Ops and for IT/InfoSec:

  1. Get the introduction presentation, then review the DSP Core Assessment controls. (IT/InfoSec: 2 hrs.)
  2. Identify panel law firms to participate. Segment into rollout groups that may require custom messaging, e.g., large firms, small firms, non-U.S., etc. (Legal/Legal Ops: 1 hr.)
  3. See ACC messaging template below. Customize as appropriate and send initial communication to relationship partners. (Legal/Legal Ops: 1 hr.)
  4. ACC works with pilot firms on licensing, site setup, and kickoff training. Expect licensing to take 15-30 days.
  5. ACC monitors law firm progress. Expect completion in 15-30 days.
  6. Review results: How will we use this data? Work with ACC to identify review criteria and train someone to conduct reviews. (Companies vary widely on how and how often they conduct reviews.) (Legal/Legal Ops: 2 hrs.; IT/InfoSec: 2 hrs.)
  7. Communicate with firms that require remediation. (Legal/Legal Ops: ongoing; IT/InfoSec: ongoing)

TOTAL: Legal/Legal Ops ~4 hours; IT/InfoSec ~4 hours.

Where Can We Find Out More Information? Additional Resources?

For any questions or to subscribe contact ACC Data Steward Program Administrator, Bill Schiefelbein, by emailing info@accdatasteward.com

The following additional resources are available to in-house legal teams by sending an email to info@accdatasteward.com:

  • Data Steward Core Module Controls – A collection of 160 NIST and ISO-based security controls that comprise the Program’s Core module.
  • ACC Data Steward Sample Pilot Plan – A sample plan detailing the program pilot for in-house legal and information security departments.
  • ACC Data Steward In-house Counsel’s Guide and Email Templates for Engaging Law Firms