Copyright © 2006-2021 Contoural, Inc. Confidential materials, may not be distributed or reproduced outside of Contoural without written authorization 1


Our Presenters

James Merklinger, Esq., President, ACC Credentialing Institute – Having served ACC more than 20 years in a variety of key roles, in 2017, Jim was named president of the ACC Credentialing Institute. In this role, he is responsible for establishing standards that guide ACC's in-house counsel certification program. Most recently, Jim served as ACC's vice president and chief legal officer. He represented ACC on all legal issues affecting the association, including mergers with the Australian Corporate Lawyers Association and the Corporate Counsel Middle East.

Mark Diamond, ACC Data Steward – Mark Diamond is founder of the Association of Corporate Counsel’s Data Steward Program. An industry-recognized expert in Information Governance, he has worked with more than 35% of the Fortune 500 implementing governance and compliance strategies. Mark has a degree in computer science and spent the first part of his career working as a software development engineer.


Potential Topics

• Why Client Data at Law Firms Are At Risk
• Traditional Information Security Assessments Are Difficult to Conduct for Law Firms
• Introducing ACC Data Steward Program
• Steps for Taking Advantage of Data Steward


Why Client Data at Law Firms Are At Risk


Companies’ Most Sensitive Information Lives at Law Firms

Diagram: Secure Corporate IT Environment, with sensitive data flowing out to Law Firm 1, Law Firm 2, Law Firm 3…

• Trade Secrets
• Contracts
• Non-public Financial Information
• Litigation Strategies
• Acquisition Targets
• Employee Personal Information
• Regulatory Activity
• Corporate Strategy
• Board Activity
• Confidential Settlements
• …


Most In-house Legal Departments Are Not Assessing Their Law Firm Security, or Do So Infrequently

2021 ACC Legal Department Survey:

• 68% do not assess law firms
• 32% do assess law firms:
- 6% only at onboarding
- 5% every 2-3 years
- 11% some firms annually
- 10% as needed


Law Firms Holding Sensitive Client Data Face Cyberattacks

March 12, 2021 – Law firms are increasingly an attractive target because of the nature of their business. In the course of corporate legal and M&A work, litigation and other legal services they perform, law firms and in-house legal teams collect tons of confidential corporate information and sensitive data like tax returns. They can suffer reputational and financial losses if they are breached, especially if data is exposed.

April 6, 2021 – Michigan State sent out an email to just under 350 people yesterday notifying them that Title IX case files from Michigan State were a part of a data breach of Bricker and Eckler Law Firm, which assisted in Michigan State’s Title IX investigations, Michigan State’s Title IX Communications Manager Christian Chapman said.

Cyber Attacks and Data Loss Are Top 2 Risks Facing Directors & Officers: WTW Survey

April 23, 2021 – Cyber attacks and data loss are the top two risks facing directors & officers, with pandemic-related changes in working practices heightening these concerns, according to a global survey from broker Willis Towers Watson and law firm Clyde & Co.

Cyber Experts Warn Law Firms Likely Compromised in Microsoft's Exchange Server Hack

March 11, 2021 – The Microsoft Exchange Server hack may expose firms that still haven't transitioned to cloud email services. But while some are confident firms have protected themselves accordingly, cybersecurity experts aren't quite as convinced.

Kaspersky: New hacker-for-hire mercenary group is targeting European law firms

The Deceptikons group is the second major hacker-for-hire mercenary group exposed this year after Dark Basin.

Jones Day Hit by Data Breach as Vendor Accellion Hack Widens

February 16, 2021 – Law firm Jones Day says hackers got their hands on confidential client data and firm communications when an outside vendor’s file transfer system was breached.

50% of In-house Legal Departments Said Assessing Their Law Firms Was a Top Priority in 2021-2022 – ACC 2021 Survey


Lawyers Have a Professional Responsibility to Ensure Security of Sensitive Legal Information

A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.

-- ABA Model Rule of Professional Conduct 1.1

Comment to Rule 1.1: To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.

Additional Model Rules:

• Model Rule 1.15 (safekeeping property), which requires lawyers to protect trust accounts, documents and property the lawyer is holding for clients or third parties.

• Model Rule 1.4 (communication), which requires lawyers to take reasonable steps to communicate with clients after an incident.

• Model Rule 1.6 (confidentiality), which covers issues dealing with confidentiality of the client-lawyer relationship.

• Model Rule 5.1 (lawyer oversight), which addresses the added responsibilities of a managing partner or supervisory lawyer.

• Model Rule 5.3 (nonlawyer oversight), which addresses the responsibilities of those in supervisory capacities who are nonlawyers.


Traditional Vendor Risk Management Methods Are Difficult to Apply to Law Firms


“Do-it-yourself” Assessments Require Significant Resources and Expertise

1. Company acquires generic security questionnaire

2. Sends to all law firms, follows up to complete

3. Reaches out to individual firms to clarify responses

4. Companies determine acceptable security

5. Companies work with each firm to remediate

6. Process should be restarted at a minimum annually

7. New threats must be monitored, firms reassessed

“We were only assessing 12 firms and my paralegal spent probably 8-10 hours a week for six months on the assessments.” – Senior Counsel, Global Retailer


Information Security Challenges Reduce Options and Impact Diversity

“Every year our company finds out about new law firms and eDiscovery providers. We’d love to include these firms in our RFPs for new projects, as they are offering innovative approaches and the extra competition keeps rates in check. But we just don’t have the resources to vet their security profiles. Pretty much we have to limit bids for new business to our existing providers.” – Assistant General Counsel, Fortune 500 Company


ACC Data Steward Program


Introducing ACC Data Steward

• Dynamic Always-up-to-Date Platform: Eliminates time-consuming annual refresh processes.

• Legal Industry-specific Collection of Global Security Standards: Controls are refreshed as new risks emerge.

• Law Firm Assessment, Scoring and Benchmarking: Service free for law firm clients.

• Law Firm Report Card

• Developed and Maintained by Industry Consortium of Information Security Experts

• Integrates with In-house Vendor Risk Management Systems


How the Program Works

1. Law firm licenses access to DSP self-assessment. $1495 annual subscription per client, up to six clients.

2. Law firm conducts self-assessment in DSP-Exchange SaaS platform. Firms may also engage independent ACC-approved assessors to validate results.

3. Platform provides both high-level scoring on a scale of 0-100 as well as drill-down detail.

4. Through assess-once/share-many, firms share assessment results with their clients’ in-house legal and security teams. Assessments can be shared with any clients (they do not have to be ACC members).

5. Any single client or entire groups of clients can request firms to upgrade specific areas of security through DSP Exchange.

6. Firms update DSP Exchange on a regular basis as their security profile changes. Scores update immediately.

7. ACC releases updated versions of controls as new threats emerge.

Diagram: Law Firm → DSP Exchange Assessment and Reporting Platform → Corporate Clients


Law Firm Assessment Results View

Screenshot callouts (elements annotated on the results view):

• Industry-standard control
• Minimum threshold for optional accreditation
• Link to detailed description of control
• Controls met
• Scope of assessment
• High-level compliance score
• Issues or exceptions to the controls


Sample Data Steward Core Module Control

Category: Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.

Subcategory: PR.DS-1: Data-at-rest is protected

References to other standards:
- CIS CSC 13, 14
- COBIT 5 APO01.06, BAI02.01, BAI06.01, DSS04.07, DSS05.03, DSS06.06
- ISA 62443-3-3:2013 SR 3.4, SR 4.1
- ISO/IEC 27001:2013 A.8.2.3
- NIST SP 800-53 Rev. 4 MP-8, SC-12, SC-28

Controls – Data at Rest. Does the organization:

(1) Define an information classification scheme that specifies categories of data-at-rest requiring protection (e.g., PII, PHI, Client Confidential), with consideration given to data provided by and work product about clients/customers.

(2) Implement procedures for protecting such data, such as restrictions on allowed storage media, access to media, media in transit, or chain of custody.

(3) Define and implement encryption technology and strength as appropriate for the categories of data-at-rest requiring such protection.

(4) Implement procedures for managing cryptographic key generation, distribution, storage, access, and destruction.

Response options: Our organization meets:
- 0 of 4 requirements
- 1 of 4 requirements
- 2 of 4 requirements
- 3 of 4 requirements
- 4 of 4 requirements
- N/A

Minimum Threshold for Accreditation: Meets requirements (1) - (3).

Core Module Data at Rest Control

• More than 160 Controls
• CMMC Level 4 Compliant
• Based on NIST and ISO
• Ability to add client-specific customer controls
• Advanced Module, Privacy Modules being created

“We reviewed the Data Steward Core Module against our current questions and it was excellent. The Core Module provided better coverage and we particularly liked how it was much more objective.” – Director, Information Security, Global Life Sciences Company


In-house Resources Commitment

Assessed Law Firm Panel Size: 50 Firms and Providers

Traditional “Do-it-yourself” Model: .25 to .5 Full-time-equivalent Annually

Utilizing Data Steward: 30 – 40 Hours Annually


DSP Exchange Information Can Be Downloaded into Internal Repositories

Diagram: DSP Exchange Assessment and Reporting Platform → Corporate Clients → Company Internal Vendor Management System


Data Steward Program Traction

Law Firm Participation

• Program has been presented to 50% of AMLaw 100
• 2 Firms Not Interested
• 10 Firms Have Signed Up/Actively Evaluating
• Remaining 35+ Firms Will Participate When Directed by Clients
• AMLaw 200 and smaller Firms
• 90 Firms Will Participate When Directed by Clients
• Remaining Are Very Interested, Want To See What Others Do

Corporate Legal Department Users

• Currently 12 large and mid-sized corporations piloting program
• 3-5 firms per pilot
• Pending successful pilots, all plan to roll out program to the firms on their panels
• Total 2000+ individual firms on collective panels.


Remediation is Easier with a Crowd

Diagram contrasting the two models (labels recovered from the slide):

Traditional Approach
• Law Firm
• Single Corporation Driving Remediation Against Client’s Unique Controls
• Law Firm-owned Remediation Plan
• Client-driven Remediation Plan

ACC Data Steward
• Law Firm
• Multiple Corporations Driving Remediation Against Industry-standard Controls
• Common, Standardized Controls, Remediation Workflow
• Client-owned Remediation Plan


Data Steward Program Validation Methods

Validation Level / Action / Validation

• Basic Validation: Law Firm Completes Self Assessment
- Dashboard made available to clients

• Attested Validation: Law Firm Attestation and Frequent Updates
- Provides attestation on answers to self-assessment
- Optional required update periods, e.g. every month, quarter, etc.

• Evidence-based Validation: Law Firm Uploads Evidence of Compliance
- Artifacts of compliance loaded onto Data Steward Exchange Platform
- Clients can review evidence of compliance

• Assessed Validation: Law Firm Engages ACC-approved Independent Assessor
- Four-day assessment by independent third-party assessors

• Accredited Validation: Independent Assessor + Meets Minimum Standards
- Firms become ACC Accredited


Steps for Taking Advantage of Data Steward Program

Socialize: Socialize the Data Steward Program with key stakeholders within your company, including:
- Legal and Legal Operations, Information Security, IT
- ACC can present Program to your internal team

Engage: Engage law firms to participate in Data Steward
- Email firms to indicate interest in program (sample emails available from ACC)
- Co-host 20-minute introductory call with ACC and law firms

Pilot: Pilot program with 2-4 Firms (2 – 3-week process)
- Review Data Steward Core Module Controls
- Compare Data Steward controls to your existing set

Launch: Start comprehensive and ongoing assessment of law firms (typically 4-week launch)
- Use Data Steward to assess firms
- Use Data Steward to augment current assessment processes


Additional Information

Resources

• Program information at www.accdatasteward.com
• Data Steward Program FAQs for In-house Teams
• Data Steward Core Module NIST and ISO Security Controls
• Data Steward Sample Pilot Project Plan
• Data Steward Program In-house Counsel’s Guide for Engaging Law Firms
• Sample Email Communication from In-house to Law Firms: Program Indication of Interest

Contact Us: [email protected]


Thank You and Questions

James Merklinger

[email protected]

Mark Diamond

[email protected]


• 250,000 users

• SOC 2 available with NDA

• Built by Compliance for Compliance

• Fastest-growing GRC Audit & Compliance platform

• Institute of Internal Auditors (IIA) Principal Partner

• Named CFO Magazine 2019 Tech Company to Watch

• Winner of the 2019 EY Entrepreneur Of the Year Award

• Pre-IPO to Fortune 100 Clients include: Walmart, BNY Mellon, United Bank, Intel, AAA, UL, Raytheon, iRobot, Intuit, Post Holdings, TripAdvisor, Truecar

Powered by AuditBoard