The Legal Industry Has Finally Created a Data Security Standard of its Own
By Kenya Parrish-Dixon, Empire Technologies Risk Management Group | December 07, 2020 at 07:00 AM
This article is reprinted from its original publication in Law.com Legaltech® News.
After two years of groundwork and input from attorneys, cybersecurity and privacy experts and litigation support experts from corporations, law firms, vendors and government, the ACC Data Steward Program has arrived.
Introduction
The Association of Corporate Counsel is a professional organization comprised of in-house counsel serving the needs of in-house counsel. It has been in existence, in various forms, since 1983 and is currently an international organization with 45,000 members. After the Federal Trade Commission’s litigation support infrastructure was overhauled and all of its data pushed into a FedRAMP authorized cloud, the ACC began working with the consultants from the FTC project to create a data security program for the legal sector.
The first step was to establish a Data Steward Program in-house advisory board, a working group, and a controls committee. These panels were comprised of industry leaders who are attorneys, cybersecurity and privacy experts and litigation support experts from corporations, law firms, vendors, and government. The mission was to mirror the security protocols that the federal government and other industries were using to secure data in a reasonably priced, defensible, and efficient process. After two years of groundwork and input from these expert bodies, the ACC Data Steward Program has arrived.
The Current State of Affairs
Currently, corporations are struggling with managing data security requirements for their law firms. A Fortune 500 company may have relationships with 500 law firms and vendors. Each of those firms and vendors then becomes a repository for that company’s data. Typically, the corporation will provide a data security spreadsheet or a document outlining the data security requirements for a repository holding the corporation’s data to the law firm. The law firm then designates an individual, hopefully a security expert, to fill out the spreadsheet or attest to the controls. Each company has a different set of controls on their spreadsheet.
Some companies audit their firms’ controls; most will not. An audit will usually involve a penetration or pen test; many will not. Even so, pen testing is a great start but nowhere near the end of an audit. Larger firms will promote an ISO 27001 certification as proof of due diligence. Still, the rest of the data security program may be neglected or missing after such a herculean and expensive effort.
Smaller firms and vendors often miss the boat entirely with regard to data security. The IT professional at the firm is tasked with filling out spreadsheets for clients, and that would be great if the companies understood each of the controls and followed up when a response was inappropriate or presented a risk. Most companies do not have the resources to manage all the issues presented by these well-thought-out spreadsheets. It all amounts to a good try but falls short of actual due diligence.
Over the past decade, other industries have designed and implemented data security or cybersecurity standards and/or regulations for how to manage and secure data. For instance, the banking industry has regulations and protocols for handling banking data. Health care was one of the first fields out of the gate to implement data security standards, and those have evolved over the last decade. Publicly traded companies have due diligence requirements that include data security and privacy. But the legal industry has trudged along with standards being pushed only by individual clients with clout. The spectrum of data security requirements in the legal industry stretches from ironclad to nonexistent.
This is where the ACC Data Steward Program comes in with a core industry standard and a single controlled repository for law firms to assess and benchmark their security posture. Additionally, law firms may seek accreditation from highly skilled accreditors, and companies can require a core controls audit, if desired.
The New Standard
The ACC Data Steward Program (https://www.accdatasteward.com/) kicked off in August of this year, during the COVID-19 pandemic and an unprecedented number of data breaches at law firms. According to the program’s website, the program offers “a standardized framework for assessing, scoring, benchmarking, validating and accrediting a law firm’s posture regarding client data security. It then enables secure and easy sharing of this profile with the firm’s clients or potential clients.”
The program leverages controls from leading industry frameworks like the NIST Cybersecurity Framework, supplemented by NIST 800-53 (Rev. 4) controls (largely the basis for the government’s FedRAMP program), ISO 27001 and other industry standard control frameworks that pertain to the legal environment. Law firms that are already ISO 27001 certified, or respond often to multiple client questionnaires, will find the initial assessment to be far easier than starting from scratch.
The law firms’ responses to each security control are visible to the companies seeking an assessment from the law firm. Access to the assessment, however, is controlled by the law firm, thereby giving firms full say over when and to whom they provide their assessment. The firm has to input the information only once and then grant access to any client it wants to see the results. This gets rid of the multiple spreadsheets that are a waste of time and money. It also allows corporations to request that all their firms participate so that they can see the benchmark score and compare the security posture of each firm.
The DSP Core Assessment is just the beginning for this program. Future modules will include specialized controls for privacy, health care and financial records. One of the overarching concerns of the board has been for the cost to use the program to be an overall savings compared to the cost of repeatedly filling out spreadsheets. This program provides an opportunity for validated due diligence with regard to data security in the legal industry.
How It Works
The DSP Core Assessment is initiated in one of two ways: First, a law firm can volunteer to participate and conduct a self-assessment. The results of the self-assessment would only be visible to the firm, thus allowing the firm to work on its controls until it gets a score deemed satisfactory. Then the firm can optionally request an independent validation by an ACC-accredited assessor to receive the ACC DSP Core Assessment Accreditation, which is active for three years. The firm could then release the results of the self-assessment to clients and advertise its accreditation.
Second, an ACC member or prospective member can invite a law firm to participate. ACC member companies can create or completely replace their current data security assurance process for law firms and instead request that some or all their firms complete a DSP Core self-assessment, receive accreditation, or undergo a complete Core controls audit. The results of each assessment will be held in the ACC’s secure DSP repository, and the firm can release the results if it chooses to do so.
Corporations are lining up to begin inviting their firms to undergo self-assessment. For companies that have retained even one law firm, the ACC DSP is an efficient way to review, manage and audit a law firm’s data security posture. The DSP will quickly become the gold standard for the legal industry because it is the solution that companies asked for and helped create. The future of data security in the legal industry is here.
Kenya Parrish-Dixon is the General Counsel and Chief Operating Officer of Empire Technologies Risk Management Group (https://etrmgroup.com/), a cybersecurity, Information Governance, eDiscovery, and Managed Review corporate holding company. She was a member of the ACC DSP working group and the resident FedRAMP expert during the development of the ACC Data Steward Program. The ETRM Group is an accredited and recommended service provider for the program. Ms. Dixon can be reached at Kenya.dixon@etrmgroup.com
