ACC Launches Data Steward Program to Assess Law Firm Data Security

Thursday, January 21, 2021

On December 8th, the Association of Corporate Counsel (ACC), which represents over 45,000 in-house attorneys in 85 countries, announced the launch of its Data Steward Program (DSP) to help organizations and their law firms evaluate and share information to support information security in relation to customer data. The DSP has been in development for two years and draws on contributions from attorneys, cybersecurity and data protection experts, and litigation support experts from companies, law firms, vendors and government agencies. The DSP, a voluntary program, creates a standardized framework for the “assessment, evaluation, benchmarking, validation and accreditation” of a law firm's posture with regard to the security of customer data by using existing data security frameworks such as ISO or NIST, while also adapting “Metrics for Selection, Placement, and Compliance” to meet the specific needs of a law firm.

The DSP was developed in response to the difficulties businesses face in ensuring that the law firms they use have adequate data security measures in place. A Fortune 500 company often has relationships with more than 500 law firms and providers. Additionally, SMBs using smaller law firms and vendors are often poorly equipped to effectively conduct privacy-related due diligence.

Of course, it is important for all service providers, including law firms, to put in place adequate administrative, physical and technical safeguards when interacting with sensitive corporate and personal information of clients, and to ensure that adequate safeguards are in place to prevent and respond to data breaches. Law firms shouldn’t be surprised if increased efforts like the DSP are made to evaluate these protections on a more consistent basis. Organizations that have concerns about getting reviews and/or maintaining their privacy and security logs in an increasingly dynamic environment should review their cybersecurity risk management policies, procedures and practices sooner rather than later.

The ACC DSP has set clear goals to ensure the success of the program:

  • Accurate and thorough evaluation

    • A requirement for a “rigorous and thorough review” of a law firm’s data security status, detailed enough to enable both law firms and clients to make appropriate business decisions. This is achieved by “selecting and/or modeling controls” from established data security frameworks including ISO and NIST.

  • Value for all participants

    • The DSP wants to ensure that all relevant parties are involved in the standard hiring process. “The balanced needs of all parties have been represented (and maintained) by placing the DSP under the creative control of an ACC-sponsored working group of industry experts including ACC members, law firm partners, information security officers and CIOs of legal service providers and corporations to assess data security who truly understand the problems and practices of the legal industry.”

  • Safe platform

  • Open the standard benchmarking

  • Adaptation to the diversity of legal practice

  • Neutrality of the independent assessor

    • The DSP notes that an ACC-accredited auditor performing a review may not provide any data security prevention or correction services for that participant six months before or after an accreditation validation to ensure neutrality.

This is not the first time recently that the ACC has prioritized privacy and security issues for in-house attorneys and law firms. In 2017, the ACC published the Model Information Protection and Security Controls for External Consultants who hold Company Confidential Information (“the Model Controls”), data security guidelines to “allow internal consultants to set expectations with external vendors, including external consultants.” The Model Controls addressed a wide range of privacy-related actions including: data breach reporting, data processing and encryption, physical security, employee background verification, information retention/return/destruction, and cyber liability insurance. The Model Controls are designed to serve as a “best practice” standardizing the protocols companies implement when interacting with third-party vendors who may have access to sensitive company information. In many ways, the DSP is a continuation of this initiative.

The DSP can be initiated in two ways: 1) a law firm can volunteer to participate and conduct a self-assessment, or 2) an ACC corporate member or prospective member can invite a law firm to participate. Even before the start, companies invited their law firms and legal vendors to an evaluation. 2020 proved that data protection and security risks need to be prioritized across industries.

Jackson Lewis PC © 2020 National Law Review, Volume XI, Number 21
