copyright © 2006-2021 contoural, inc. confidential
TRANSCRIPT
Copyright © 2006-2021 Contoural, Inc. Confidential materials, may not be distributed or reproduced outside of Contoural without written authorization 1
Our Presenters
James Merklinger, Esq., President, ACC Credentialing Institute – Having served ACC more than 20 years in a variety of key roles, in 2017, Jim was named president of the ACC Credentialing Institute. In this role, he is responsible for establishing standards that guide ACC's in-house counsel certification program. Most recently, Jim served as ACC's vice president and chief legal officer. He represented ACC on all legal issues affecting the association, including mergers with the Australian Corporate Lawyers Association and the Corporate Counsel Middle East.
Mark Diamond, ACC Data Steward – Mark Diamond is founder of the Association of Corporate Counsel’s Data Steward Program. An industry-recognized expert in Information Governance, he has worked with more than 35% of the Fortune 500 implementing governance and compliance strategies. Mark has a degree in computer science and spent the first part of his career working as a software development engineer.
Potential Topics
• Why Client Data at Law Firms Are At Risk
• Traditional Information Security Assessments Are Difficult to Conduct for Law Firms
• Introducing ACC Data Steward Program
• Steps for Taking Advantage of Data Steward
Why Client Data at Law Firms Are At Risk
Companies’ Most Sensitive Information Lives at Law Firms
[Diagram: Secure Corporate IT Environment sharing data with Law Firm 1, Law Firm 2, Law Firm 3…]
Sensitive information held at law firms:
• Trade Secrets
• Contracts
• Non-public Financial Information
• Litigation Strategies
• Acquisition Targets
• Employee Personal Information
• Regulatory Activity
• Corporate Strategy
• Board Activity
• Confidential Settlements
• …
Most In-house Legal Departments Are Not Assessing Their Law Firm Security or Doing It Infrequently
2021 ACC Legal Department Survey:
• 68% do not assess law firms
• 32% do assess law firms:
  - 6% only at onboarding
  - 5% every 2-3 years
  - 11% some firms annually
  - 10% as needed
Law Firms Holding Sensitive Client Data Face Cyberattacks
March 12, 2021 – Law firms are increasingly an attractive target because of the nature of their business. In the course of corporate legal and M&A work, litigation and other legal services they perform, law firms and in-house legal teams collect tons of confidential corporate information and sensitive data like tax returns. They can suffer reputational and financial losses if they are breached, especially if data is exposed.
April 6, 2021 – Michigan State sent out an email to just under 350 people yesterday notifying them that Title IX case files from Michigan State were a part of a data breach of Bricker and Eckler Law Firm, which assisted in Michigan State’s Title IX investigations, Michigan State’s Title IX Communications Manager Christian Chapman said.
Cyber Attacks and Data Loss Are Top 2 Risks Facing Directors & Officers: WTW Survey
April 23, 2021 – Cyber attacks and data loss are the top two risks facing directors & officers, with pandemic-related changes in working practices heightening these concerns, according to a global survey from broker Willis Towers Watson and law firm Clyde & Co.
Cyber Experts Warn Law Firms Likely Compromised in Microsoft's Exchange Server Hack
March 11, 2021 – The Microsoft Exchange Server hack may expose firms that still haven't transitioned to cloud email services. But while some are confident firms have protected themselves accordingly, cybersecurity experts aren't quite as convinced.
Kaspersky: New hacker-for-hire mercenary group is targeting European law firms
The Deceptikons group is the second major hacker-for-hire mercenary group exposed this year after Dark Basin.
Jones Day Hit by Data Breach as Vendor Accellion Hack Widens
February 16, 2021 – Law firm Jones Day says hackers got their hands on confidential client data and firm communications when an outside vendor’s file transfer system was breached.
50% of In-house Legal Departments Said Assessing Their Law Firms Was a Top Priority in 2021-2022 – ACC 2021 Survey
Lawyers Have a Professional Responsibility to Ensure Security of Sensitive Legal Information
A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.
-- ABA Model Rule of Professional Conduct 1.1
Comment to Rule 1.1: To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.
Additional Model Rules:
• Model Rule 1.15 (safekeeping property), which requires lawyers to protect trust accounts, documents and property the lawyer is holding for clients or third parties.
• Model Rule 1.4 (communication), which requires lawyers to take reasonable steps to communicate with clients after an incident.
• Model Rule 1.6 (confidentiality), which covers issues dealing with confidentiality of the client-lawyer relationship.
• Model Rule 5.1 (lawyer oversight), which addresses the added responsibilities of a managing partner or supervisory lawyer.
• Model Rule 5.3 (nonlawyer oversight), which addresses the responsibilities of those in supervisory capacities who are nonlawyers.
Traditional Vendor Risk Management Methods Are Difficult to Apply to Law Firms
“Do-it-yourself” Assessments Require Significant Resources and Expertise
• Company acquires generic security questionnaire
• Sends to all law firms, follows up to complete
• Reaches out to individual firms to clarify responses
• Companies determine acceptable security
• Companies work with each firm to remediate
• Process should be restarted at a minimum annually
• New threats must be monitored, firms reassessed
“We were only assessing 12 firms and my paralegal spent probably 8-10 hours a week for six months on the assessments.” – Senior Counsel, Global Retailer
Information Security Challenges Reduce Options and Impact Diversity
“Every year our company finds out about new law firms and eDiscovery providers. We’d love to include these firms in our RFPs for new projects, as they are offering innovative approaches and the extra competition keeps rates in check. But we just don’t have the resources to vet their security profiles. Pretty much we have to limit bids for new business to our existing providers.” – Assistant General Counsel, Fortune 500 Company
ACC Data Steward Program
Introducing ACC Data Steward
• Dynamic Always-up-to-Date Platform – Eliminates time-consuming annual refresh processes.
• Legal Industry-specific Collection of Global Security Standards – Controls are refreshed as new risks emerge.
• Law Firm Assessment, Scoring and Benchmarking – Service free for law firm clients.
• Law Firm Report Card
• Developed and Maintained by Industry Consortium of Information Security Experts
• Integrates with In-house Vendor Risk Management Systems
How the Program Works
1. Law firm licenses access to DSP self-assessment. $1495 annual subscription per client up to six clients.
2. Law firm conducts self-assessment in DSP-Exchange SaaS platform. Firms may also engage independent ACC-approved assessors to validate results.
3. Platform provides both high-level scoring on a scale of 0-100 as well as drill-down detail.
4. Through assess-once/share-many, firms share assessment results with their clients’ in-house legal and security teams. Assessments can be shared with any clients (they do not have to be ACC members).
5. Any single client or entire groups of clients can request firms to upgrade specific areas of security through DSP Exchange.
6. Firms update DSP Exchange on a regular basis as their security profile changes. Scores update immediately.
7. ACC releases updated versions of controls as new threats emerge.
[Diagram: Law Firm → DSP Exchange Assessment and Reporting Platform → Corporate Clients]
Law Firm Assessment Results View
Elements annotated in the results view:
• Industry-standard control
• Minimum threshold for optional accreditation
• Link to detailed description of control
• Controls met
• Scope of assessment
• High-level compliance score
• Issues or exceptions to the controls
Sample Data Steward Core Module Control
CATEGORY: Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
SUBCATEGORY: PR.DS-1: Data-at-rest is protected
REFERENCES TO OTHER STANDARDS:
- CIS CSC 13, 14
- COBIT 5 APO01.06, BAI02.01, BAI06.01, DSS04.07, DSS05.03, DSS06.06
- ISA 62443-3-3:2013 SR 3.4, SR 4.1
- ISO/IEC 27001:2013 A.8.2.3
- NIST SP 800-53 Rev. 4 MP-8, SC-12, SC-28
CONTROLS:
Data at Rest. Does the organization:
(1) Define an information classification scheme that specifies categories of data-at-rest requiring protection (e.g., PII, PHI, Client Confidential), with consideration given to data provided by and work product about clients/customers.
(2) Implement procedures for protecting such data, such as restrictions on allowed storage media, access to media, media in transit, or chain of custody.
(3) Define and implement encryption technology and strength as appropriate for the categories of data-at-rest requiring such protection.
(4) Implement procedures for managing cryptographic key generation, distribution, storage, access, and destruction.
Response options: Our organization meets:
- 0 of 4 requirements
- 1 of 4 requirements
- 2 of 4 requirements
- 3 of 4 requirements
- 4 of 4 requirements
- N/A
Minimum Threshold for Accreditation: Meets requirements (1) - (3).
Core Module Data at Rest Control
• More than 160 Controls
• CMMC Level 4 Compliant
• Based on NIST and ISO
• Ability to add client-specific customer controls
• Advanced Module, Privacy Modules being created
“We reviewed the Data Steward Core Module against our current questions and it was excellent. The Core Module provided better coverage and we particularly liked how it was much more objective.” – Director, Information Security, Global Life Sciences Company
In-house Resources Commitment
Assessed Law Firm Panel Size: 50 Firms and Providers
Traditional “Do-it-yourself” Model: .25 to .5 Full-time-equivalent Annually
Utilizing Data Steward: 30 – 40 Hours Annually
DSP Exchange Information Can Be Downloaded into Internal Repositories
[Diagram: DSP Exchange Assessment and Reporting Platform → Corporate Clients → Company Internal Vendor Management System]
Data Steward Program Traction
Law Firm Participation
• Program has been presented to 50% of AMLaw 100
• 2 Firms Not Interested
• 10 Firms Have Signed Up/Actively Evaluating
• Remaining 35+ Firms Will Participate When Directed by Clients
AMLaw 200 and smaller Firms
• 90 Firms Will Participate When Directed by Clients
• Remaining Are Very Interested, Want To See What Others Do
Corporate Legal Department Users
• Currently 12 large and mid-sized corporations piloting program
• 3 -5 firms per pilot
• Pending successful pilots, all plan to roll out program to the firms on their panels
• Total 2000+ individual firms on collective panels.
Remediation is Easier with a Crowd
[Diagram comparing the Traditional Approach with ACC Data Steward. Labels: Law Firm; Single Corporation Driving Remediation Against Client’s Unique Controls; Law Firm-owned Remediation Plan; Client-driven Remediation Plan; Multiple Corporations Driving Remediation Against Industry-standard Controls; Common, Standardized Controls, Remediation Workflow; Client-owned Remediation Plan]
Data Steward Program Validation Methods
Validation Level – Action – Validation
• Basic Validation – Law Firm Completes Self Assessment
  - Dashboard made available to clients
• Attested Validation – Law Firm Attestation and Frequent Updates
  - Provides attestation on answers to self-assessment
  - Optional required update periods, e.g. every month, quarter, etc.
• Evidence-based Validation – Law Firm Uploads Evidence of Compliance
  - Artifacts of compliance loaded onto Data Steward Exchange Platform
  - Clients can review evidence of compliance
• Assessed Validation – Law Firm Engages ACC-approved Independent Assessor
  - Four-day assessment by independent third-party assessors
• Accredited Validation – Independent Assessor + Meets Minimum Standards
  - Firms become ACC Accredited
Steps for Taking Advantage of Data Steward Program
Socialize – Socialize the Data Steward Program with key stakeholders within your company including:
- Legal and Legal Operations, Information Security, IT
- ACC can present Program to your internal team
Engage – Engage law firms to participate in Data Steward
- Email firms to indicate interest in program (sample emails available from ACC)
- Co-host 20-minute introductory call with ACC and law firms
Pilot – Pilot program with 2 -4 Firms (2 – 3-week process)
- Review Data Steward Core Module Controls
- Compare Data Steward controls to your existing set
Launch – Start comprehensive and ongoing assessment of law firms (typically 4-week launch)
- Use Data Steward to assess firms
- Use Data Steward to augment current assessment processes
Additional Information
Resources
• Program information at www.accdatasteward.com
• Data Steward Program FAQs for In-house Teams
• Data Steward Core Module NIST and ISO Security Controls
• Data Steward Sample Pilot Project Plan
• Data Steward Program In-house Counsel’s Guide for Engaging Law Firms
• Sample Email Communication from In-house to Law Firms Program Indication of Interest
Contact Us [email protected]
Thank You and Questions
James Merklinger
Mark Diamond
• 250,000 users
• SOC 2 available with NDA
• Built by Compliance for Compliance
• Fastest-growing GRC Audit & Compliance platform
• Institute of Internal Auditors (IIA) Principal Partner
• Named CFO Magazine 2019 Tech Company to Watch
• Winner of the 2019 EY Entrepreneur Of the Year Award
• Pre-IPO to Fortune 100 Clients include: Walmart, BNY Mellon, United Bank, Intel, AAA, UL, Raytheon, iRobot, Intuit, Post Holdings, TripAdvisor, Truecar
Powered by AuditBoard