According to the ACC, the Data Steward Program (DSP) offers “a standardized framework for assessing, scoring, benchmarking, validating and accrediting a law firm’s posture regarding client data security. It then enables secure and easy sharing of this profile with the firm’s clients or potential clients.”

The Data Steward Program uses a standards-based approach that includes:

  • Infosec frameworks
  • Defensible due diligence
  • Highly secure profiles and scores with controlled disclosure
  • An open industry standard process
  • A level playing field for law firms

Law firms and corporate legal departments can expect the following outcomes when participating in the DSP.

Infosec frameworks: The program leverages controls from leading industry frameworks like the NIST Cybersecurity Framework, supplemented by NIST 800-53 (Rev. 5) controls used by the government for the FedRAMP program, ISO 27001 and other industry standard control frameworks that pertain to the legal environment. Law firms that are already ISO 27001 certified – or that frequently respond to client security questionnaires – will find the initial assessment to be easier than starting from scratch.

Due diligence: Any time an organization complies with a formalized data security program, it can be assured of some level of defensibility if its processes come into question. The DSP offers that assurance to law firms that, up until now, have not had an industry standard to model against.

Secure profiles and scores: Law firms’ responses to each security control are visible only to the companies they provide access to for review. The results of the self-assessment are private and secure, and law firms have full control over who receives their assessment and when. A firm must input the information only once, and then grant access to any client or potential client it wants to see the results. The DSP eliminates the need for spreadsheets to manage this information, which took resources away from more important work. It also allows corporations to request that all firms participate so they can see the benchmark score and compare the security posture of each participant firm.

Industry standards: The working group of experts that began convening in 2018 developed the DSP process and will continue to maintain it. The working group included members from in-house counsel, law firms and legal service providers, which ensures that each group’s perspective is considered. Until now, standards were based on the individual needs of each corporation, not industry standards.

Level playing field: Until now, law firms did not have a consistent and standardized set of security protocols to follow – unless they had taken the time and expense to become ISO 27001 certified. The DSP has changed that, giving law firms a less time-consuming and less expensive way to measure, improve if necessary, and communicate their security practices. By participating in the DSP, law firms are on a level playing field with any other firm, large or small, when it comes to security. More importantly, client data will be safer than ever before.

For more information on joining the Data Steward Program, contact the ETRM Group or call 202-900-1906.