Many corporations today are struggling to manage data security requirements for their law firms. A Fortune 500 company may have relationships with 500 law firms and vendors, and while smaller corporations may work with fewer firms, they still must manage the data security requirements for each. No matter the size of the company, this important obligation can be burdensome. For these reasons, the Association of Corporate Counsel (ACC) founded the Data Steward Program.
Each outside firm a legal department works with is a repository for that company’s data. Typically, the corporation provides each law firm with a data security spreadsheet or a document outlining the requirements for a repository holding the corporation’s data. The law firm then designates an individual, likely an IT or security expert, to fill out the spreadsheet or attest to the firm’s security controls. Often, though, companies do not fully understand the controls and do not necessarily follow up when a response is inadequate or presents a risk. Most companies have not had the resources to manage all the issues raised by these well-thought-out spreadsheets. It all amounts to a good try, but it falls short of actual due diligence. Before the ACC’s Data Steward Program, there was no standardized set of security controls.
Some companies audit their firms’ controls. An audit usually involves a penetration test, but not always. Pen testing is a great start but should be nowhere near the totality of any auditing process. Larger firms maintain their ISO 27001 certification as proof of due diligence. Often, though, the rest of the data security program may have been neglected after such a time-consuming and expensive effort.
The ACC Data Steward Program was created to standardize data security protocols across the industry and offers a single controlled repository for law firms to assess and benchmark their security posture. Law firms can choose to take their security posture one step further by seeking accreditation by highly skilled accreditors and companies like the ETRM Group. In doing so, these firms demonstrate to their corporate legal department clients their commitment to providing the very best security protocols available in the legal industry. Corporate legal departments should plan to choose law firms that have committed to the ACC’s Data Steward Program.
ETRM Group is the first of the ACC’s accredited assessors, offering service to corporations, law firms and government agencies.
Learn more about the ACC’s Data Steward Program from our white paper.