Description:
Speakers
Jim Merklinger
President
Association of Corporate Counsel (ACC) Credentialing Institute
James A. Merklinger is president of the Association of Corporate Counsel (ACC) Credentialing Institute in Washington, DC. ACC is the world's largest legal association dedicated exclusively to serving the interests of in-house counsel. With an international membership of more than 45,000 in-house counsel at more than 10,000 organizations in 85 countries, ACC serves as the "voice of the in-house bar" for corporate lawyers at 98 percent of the Fortune 100 and 51 percent of the Global 1000.
Bill Schiefelbein
Data Steward Program Administrator
Association of Corporate Counsel (ACC) Credentialing Institute
Bill Schiefelbein is the ACC Data Steward Program Administrator. Bill is a C-level executive with more than 20 years of experience in professional services management, consulting and support services. He also has deep experience in information technology, corporate compliance and electronic discovery, where his clients have included Global 50, Fortune 100 and Big 4 organizations.
Bill Tolson
VP of Global Compliance & eDiscovery
Archive360
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.
Transcript
Bill Tolson:
Welcome to Archive360's Information Management 360 Podcast. This week's episode is titled "The ACC Data Steward Program: Addressing Data Security." My name is Bill Tolson and I'm the Vice President of Global Compliance and e-Discovery at Archive360. Joining me today are Bill Schiefelbein, an ACC Data Steward Program Administrator, and Jim Merklinger, President of the ACC Credentialing Institute. Bill and Jim, welcome. We have a really interesting topic today that you obviously are very familiar with, but it's the ACC Data Stewards Program and I'm really interested in hearing more about it.
So, law firms are increasingly a focus of cyber criminals because of the law firm's work with client companies in the course of corporate legal, M&A work, litigation, and other legal services they perform. Law firms and in-house legal teams collect large amounts of confidential and sensitive corporate information and sensitive data like M&A activities, tax related information, and e-discovery data sets. If breached, law firms can suffer a huge reputational and financial damage, especially if sensitive information or if sensitive client data as well is exposed and stolen. In 2021, the average ransomware payouts exceeded $1 million according to a report from the security firm CrowdStrike.
I know that's going up because I do talk to lots of law firms on a regular basis as well as law enforcement organizations. Yes, law firms are a major target because of what we just said. An October American Bar Association report found that 29% of law firms reported a security breach and more than one in five said that they weren't sure if there has ever been a breach. So, they weren't even aware if they had been attacked. That's understandable. Lack of strong security tools and practices probably are a factor and we'll get a little bit more into that.
The 2020 ABA legal technology survey report revealed that only 43% of law firms used file encryption. Less than 40% used email encryption, factor authentication, and intrusion prevention, and less than 30% used full disk encryption and intrusion detection. One of the largest law firm data breaches of all time occurred back in 2016 in which more than 2.6 terabytes of data or 11.5 million documents were extracted from the international law firm of Mossack Fonseca, headquartered in Panama, otherwise known as the Panama Papers.
So, obviously, all law firms are a target for cyber criminals, especially the smaller ones with little or no IT support that if they did have that IT support, at least some, they would have some protection against constantly changing and the complex types of cyber attacks that are going every day. Attorneys and law firms have never been known as early adopters of technology, at least the ones that I've had a lot to do with.
Some states are beginning to recognize this just recently in response to the increasing cyber risks. Attorneys that practice in the state of New York are now required to take at least one CLE course in cybersecurity, privacy, and data protection. Our two guests today are addressing this problem with a new cyber service for law firms and corporate legal departments. So, let's get into the discussion on the Data Steward Program. First though, Bill and Jim, we've talked about ACC. Can you briefly describe what ACC is?
Jim Merklinger:
Yeah, the Association of Corporate Counsel is a voluntary bar association for lawyers that work in corporate legal departments. The organization has over 44,000 lawyers that are members working in 85 different countries in a little over 10,300 corporate legal departments.
Bill Schiefelbein:
Yeah, one of the important things, I think, Jim, about ACC is I've been in the legal technology space for over 30 years and there's been a lot of efforts over the last 10 to 15 years to do something to standardize everybody's approach to measuring their data security and reporting it and publishing it to clients and so on. For one reason or another, it's usually failed. The standardization that you need in the industry is not really effectively done by the law firms themselves.
ACC is critical to this because it's the organization of those in-house attorneys who hold the strings for the industry. So, if they agree and they use Data Steward or something like it to set a standard, then everybody else can follow. So, it's really been important that ACC sponsor this as opposed to other very viable security organizations.
Bill Tolson:
Yeah, it sounds like... and I've been involved both with law firms and e-discovery technology for a long time, as well as cybersecurity and privacy. I saw this come up and one of the people that we both know, [inaudible 00:05:33], mentioned it to me a while ago. I thought, "Wow, that is really an interesting program that is really needed these days." So, in as much detail as you want, talk about ACC. Can you talk about what the Data Steward Program is? What's it focused on? Who is it focused on, those kinds of things?
Jim Merklinger:
The ACC Data Steward Program was designed to provide a measurement for corporate legal departments to evaluate the data security of their law firms. Of course, for the law firms, it allows them to showcase their security profile to their corporate clients. ACC felt there was a need to focus specifically on the practice of law. So, we designed this set of controls ability to measure and provide the information on a secured platform for the in-house community.
Bill Schiefelbein:
There are really three different levels to what the program does. At the very base level, it's got a standardized self-assessment that law firms would use to compare their current practices against industry standard frameworks, and that self-assessment... To the extent that in-house counsel do anything today, about a third of in-house counsel do something to assess the security of their law firm platforms. Of course, there's some interesting issues in that we can discuss, but that 30% are generally sending out questionnaires and asking the law firm to self-assess. So, there's a self-assessment base. In the program, we've also got incredible capabilities that are built on the audit board platform in which clients could audit a law firm's compliance.
So, the law firm would upload evidence of compliance and the in-house counsel can compare that to the requirements and say yes or no and conduct a full on audit as opposed to 5 or 10 days onsite. It can all be done remotely. At the third level, there's an ACC accreditation option in which an independent assessor would do that same audit or assessment of the law firm's compliance and then give them the thumbs up or down on whether they actually have met the requirements that they self-assessed. So, self-assessment, audit, accreditation are three different levels.
Bill Tolson:
Yes. Is the ACC Data Steward Program an annual accreditation? Is it a one-time thing?
Bill Schiefelbein:
Yeah, the base license to the program is the annual subscription in which you fill out the questionnaire once, self-assessment once. You can then share it with all of your clients, which is a lot different than today where every single client is sending them a one-off questionnaire. Some of them pretty onerous and the law firms just love the fact that they can fill out a questionnaire once. So, they subscribe to the platform, they fill out a questionnaire. Then whenever and however a client wants to see those results, they can simply update it from time to time and clients can see that.
The audit option is just taken advantage of by in-house counsel at no additional cost, but basically, the law firm would create an audit environment, a secure environment where they would upload all evidence of compliance and then admit one of their in-house counsel to come in and see what evidence they have and do an audit right there. That's no additional cost, just built into the platform. The third option is the accreditation, where we have an independent assessor assess the evidence of compliance. If they get accredited, the accreditation is good for three years.
Very similar to the way that ISO 27001 certifications are conducted as basically every three years, you do a full audit. Then from year to year, the law firm has an option of having a light refresher audit or none at all over a period of three years. That's a one-time fixed fee that is very, very modest compared to what they might pay for their ISO certification process.
Bill Tolson:
I've gone through your material and we've talked before. Tell me if I'm wrong. The accreditation is open to obviously law firms, but I think also corporate legal departments as well as eDiscovery service providers. Is that true?
Jim Merklinger:
Well, the legal departments are not accredited. It's their law firms and of course any entity that's getting sensitive information from a legal perspective. So, eDiscovery service providers could do this. Arbitrators could. Certainly, law firms were the focus. It was developed with the in-house counsel perspective in mind, but of course, we included law firms and experts in this area to make sure that we are creating something that's useful to everyone involved.
Bill Schiefelbein:
The high level outline is in any corporation, look, the majority of resources are going against security within the enterprise. I'd call it just enterprise security. There's always a unit that is focused on third-party risk management. What do we do about the security of all of our data that's sitting at thousands of vendors globally? Law firms are one type of third party that often gets ignored. General counsel cares about it, but maybe the IT third-party risk management group does not. So, for the benefit of in-house counsel, who are the clients, the law firms are the ones that we're asking to self-assess and/or get accredited so they can assure their clients that they are a secure place to store that corporate data.
Bill Tolson:
You mentioned those security questionnaires that we all get as vendors and as service providers like law firms and the like, and they can be just absolutely onerous. We've seen them. We've received them as a vendor where there's well over 1,400 to 1,500 questions. You can imagine the amount of work those take because they're all worded differently. They're asking for slightly different things.
So, I think what you mentioned is now you're creating a standard that if a law firm basically says, "Yes, we're accredited by ACC Data Steward Program," then hopefully, that would stop the security questionnaires coming in and taking all of that time. Do you see client companies or maybe even the request in an outside counsel guideline from a company to a law firm that they're starting to say, "We want you to be accredited"?
Jim Merklinger:
We have seen people actually include a reference to the ACC Data Steward Program in their outside counsel guidelines. What we found in general, though, is that, as Bill mentioned earlier, for about 30% of the in-house community there's some form of evaluation of their law firms. A significant portion, another 50%, have said they want to evaluate the firms but did not know what approach to use. Many of them, they admitted, don't even have the background to do so. What we found is that some provide in their written outside counsel guidelines or even engagement letters some form of attestation that they're protecting the data, but no actual standards. Then there are some that actually have questionnaires.
As you mentioned, we interviewed... When doing the research to start this, there was a law firm that told us they turned down a client because they didn't want to fill out the 1,400-question questionnaire. We found from interviewing law firms also that there are some that currently fill out 200 to 250 questionnaires a year and it takes approximately $3,000 to $5,000 in staff time to fill out each one. So, imagine the expense. So, the law firms are quick to say, "Hey, this would be great. I don't want one more questionnaire. Let's get a standard." ACC's uniquely positioned because our members are their clients. So, we can come from the client side saying, "We'll accept this."
We work on educating and informing our membership that this tool is available to them and in many cases explain to them actually how you would use it. Because I said the membership themselves, they're not experts in cybersecurity. They know they need to validate it and make sure they've done something to check on the security profile of their law firms, but they don't know exactly how to go about it. In many cases, our members are departments of one. They may be very large corporations, but it's just a one person show and they're limited in resources. So, our tool is useful for anyone to evaluate and look at a score, or as Bill pointed out earlier, you could even do an audit if you wanted to spend the time on it.
But what's also important is we found that the small law firms who are not going to spend $100,000 to get an ISO certification normally don't have the opportunity to demonstrate their security profile to prospective clients. This process allows basically any size law firm to participate. It's not cost-prohibitive. That was also very important for our Board of Directors to make sure we don't create a standard that's a barrier to entry to any size law firm, because as you know, there's over 40,000 law firms, just the United States alone.
Certainly, the Am Law 100 are probably spending a lot of time on this issue anyway and they could easily do it, but then there's tens of thousands that are not going to seek an expensive way of demonstrating their profile unless, of course, the client is asking for it. Related to that, I had heard from some of the clients that because their existing process was so tedious, so onerous on their own staff, they did not onboard law firms on an ad hoc basis. So, there was a set period of time when they'd go through this and then new firms are brought in. The challenge there was that it's not competitive. So, if an issue comes up where they want to bid it out or look for a firm that might have a creative solution or even be more cost-effective, they can't use them because they're not part of the approved panel of firms and you have to wait until the next go-round to even reach out to them.
So, that is, by their own protocols, a barrier to entry. With the ACC Data Steward Program, the law firms can share the results with anyone and they control who they share it with. So, once a firm goes through it, they're not filling out 240 different questionnaires. They can fill out one and send it out to their clients. So, it's a cost-effective way of managing an essential standard now. Everyone has to demonstrate it one way or another. It's just increasing every day. More and more people are requesting it.
Bill Tolson:
One of my questions... I've run into law firms a lot over the many years. Like I mentioned, and maybe I was speaking out of turn, but usually attorneys in law firms are not early adopters when it comes to technology.
Jim Merklinger:
Not at all. No.
Bill Tolson:
Obviously, because you guys are involved in starting up this, you saw a market need obviously, but it used to be that law firms didn't think too much of it. I remember not too long ago, it was probably five, six years ago maybe where it started becoming more noticeable. I'm pretty sure the FBI has put out several notices, especially three, four, five years ago saying law firms are a major target because of all the reasons we've already given. Law firms especially need to be up in front of the learning curve for cyber. In fact, I remember a story that a partner from a medium-sized law firm was at a conference that the FBI was at and he was talking to one of the directors of the FBI about this. I think this FBI director said something to the effect that law firms are major target.
Oh, by the way, you've been a target too. Did you know that? The partner said, "No, not really aware of it. How much information did they get?" I forget the exact wording, but he said, "How much did they get from us?" The director said, "All of it." He said, "Well, what do you mean?" He says, "Everything from all of your servers, we found on a Chinese system. It was everything that you had." At least his partner and probably many people in the company didn't know that it had happened. So, I think that that was starting to really raise the eyebrows.
Jim Merklinger:
Well, it goes back to what you mentioned in the introduction. There have been surveys. The ABA has looked at the idea, and really, if someone responds that they haven't had a breach, that just means they don't know about it. Unfortunately, that's just the reality. It's not that we're saying they're doing something badly, but it's just on everyone's radar now, or it is a growing concern. Even to the standpoint where you're seeing board governance policies saying, what are we doing about cybersecurity? The board needs to be informed. If a company's developing a compliance program, what are they doing to evaluate these risks and let the board know?
So how do you let the board know? Do you just say, "Oh, I trust this law firm"? That's not really a good answer. How do you ensure in this case, the law firms, the third parties who have sensitive information, have done everything they can? Look, nothing's going to be perfect. There're always going to be breaches, but what's interesting is that many companies for decades have been evaluating their vendors and third parties. That's not new. It's just that we found that in many cases, because the legal department's responsible for engaging law firms, if they had an enterprise risk group or something, they just let legal alone. Nobody wants to go by any of the lawyers. They keep them away.
So, what happens is that the law firms are just going about business serving their client. The legal departments weren't engaging with law firms on this. Many of them were not checking unless they were in a regulated industry. Certainly, the financial institutions, the pharma, they've been doing this for a long time, but outside of that, many are not. So, we recognized that need. What's interesting is that it wasn't deliberate, it wasn't nefarious. It just happened that because legal was responsible for hiring law firms, they were usually left out of the process. The vast majority of the time, that is what we found.
Bill Schiefelbein:
At the corporations, it's really just a resource issue. That third party risk management function with responsibility for somehow assessing the security of 10,000 vendors, legal often just would fall between the cracks. A lot of different kinds of vendors would fall between the cracks. The corporate resources just couldn't assess them all. I mean, the general counsel is highly aware of the kinds of data that they're sending out to these law firms and they just need a reliable, standardized 100% access. Everybody's using it. It's not so much to check up on the law firms. It's just to have a way of showing we've done our due diligence and we're actually working it. That's been one of the biggest values for the in-house counsel.
On the law firm side, I know what you're saying, Bill. I've been a CIO at Dorsey & Whitney, Williams & Connolly, Managing Director of eDiscovery at Howrey. I've been inside the law firms for a long time. It's one thing to talk about the way law firms are a little slow to adopt technology, but often it's because they're trying to figure out, "How does that really help you with revenue? I'm a professional services firm," but it's a different thing when you're talking about cybersecurity. I find that usually the risk management functions, a combination of the CIO, COO, risk management partners, are really highly attuned to the issue, but they don't always know exactly how...
When every single corporation is sending them a questionnaire, it's a totally different one-off process. They spend all their time just trying to keep up with those questionnaires. As you mentioned, a lot of them are big onerous things that are being repurposed by the corporation. We have law firms receiving questionnaires that say something like, "How do you handle the data from your ATM machines?" Well, they don't have ATM machines, but if the law firm says no or not applicable, they get automatically scored low and they look bad to the client. So, there's that thing going on.
What Data Steward does for them is also gives them a standardized approach. I mean, we should talk about our committees at some point and how this was developed. It wasn't ACC per se, but they would need a standardized approach. So, they go, "Well, what's being expected? Out of all these clients, some are sending me questionnaires. Another thousands of them are sending me outside counsel guidelines. I don't even know where those guidelines documents are. They're sitting in some partner's lap. How am I supposed to know what are the core things that I need to comply with?"
We can all agree with IT. They should budget for it. It's a budgeting thing for the law firm IT as well. What are we being held to? What's the standard set of expectations? Let's at least get those straight. So, it really is a helpful thing to both in-house counsel and law firms because they fall between the cracks and there's no standardized way for them to do due diligence and show compliance. So, that standardization was really key from the very beginning.
Bill Tolson:
Yeah, no, that's a great point. That is a huge productivity saver. Like I say, for any vendors now, including service providers, because of all the new types of cyber theft going on, because of the new versions of ransomware and extortionware where they go in and, number one, steal all the data they can, and then they encrypt everything and they give you the ransom demand, but if you don't pay the ransom, then they're going to release all your clients' data on the dark web. This is in combination with the data privacy laws like GDPR, like the various state ones that are coming up, all of these things where they get into data privacy, but how are they actually protecting the data?
By the way, the new versions of extortion, where is we're going to release everything on the dark web and then tell the authorities that we got all your information and released it and you're going to be fined out of existence. It was funny, several years ago, my company belongs to the Cybersecurity Tech Accord, which is an international group of companies that concentrate on data security and so forth.
I had written a blog post basically saying, what if a new version of ransomware came out and stole data before they encrypted everything and then released it on the dark web, but took that next step and, for example, called or sent some message to the GDPR authorities saying, "Hey, we just released all this data from company X, Y, Z. You might want to have a talk with them and maybe fine them"? Literally, three months after I wrote that, the first documented case of that actually happened. So, this stuff is progressing very, very, very quickly. Well, obviously, your organization will keep ahead. Obviously, you're not suggesting cybersecurity to people, but you're looking at how they're approaching it. Are they meeting industry practices, all of those kinds of things?
But this stuff changes so rapidly. It's probably going to be relatively a cat and mouse game for you guys and others to know what's going on a day-to-day basis because it does change so fast. I've focused on data privacy as well. To me, data privacy and data security go hand in hand. You can't have data privacy without effective data security, especially with law firms, but one of my issues has been even at the GDPR level, but also the state data privacy bill level and I've interviewed I think five state senators on this podcast, the ones that have authored the data privacy laws and a couple of representatives.
It's funny, I don't know if you've had a chance to look at the data privacy laws from Colorado, Utah, Virginia, Connecticut, those kinds of things, but they're all maybe the same. They all use some of the same descriptions and stuff, but not completely. So, each one is different. So, you can't pick a high watermark when California's. Then all the rest of them are fine. That doesn't work with this stuff, but what I'm getting around to is one of my issues with all of these laws and [inaudible 00:25:32] security, for example, PII or sensitive information, they all use almost exactly the same terminology. Must use reasonable security practices. To me, that is not potentially prescriptive enough to say, "Well, why don't they say all sensitive data must be encrypted while in transit or at rest"?
It must use multifactor authentication or some of those basic things. The senators and staff really push back and say, "Well, we can't get too specific because then people will think we're locking them into a specific vendor's technology," which is not the case. If you have an opinion for your clients, law firms and stuff, because if they're holding PII and they get breached, then all of a sudden, they're looking at the unpleasant end of the law as well.
Bill Schiefelbein:
Yeah, I can speak to that. When you look at data privacy and just an enormous proliferation of those statutory schemes going on, both here and abroad, they really have two components to them and you've outlined them well. One is what data security should go around personal data, personal information, et cetera. Then there's that second set of rules that aren't really in the data security realm of just all those data subject rights to delete and rights to be forgotten and all those kinds and notice if we do this or that. That stuff is very privacy centric. Usually, most of the data security statutes and regulations are... I mean, Department of Labor just came out with their own set of standards.
But if you go look at them, they're basically a shallower knockoff of the NIST Cybersecurity Framework. So, basically, people, when they're looking at data security, are looking at the frameworks that are still... This is what Data Steward does too. This cybersecurity framework, NIST 800-53, ISO, and there's a couple other global frameworks, but basically those are the ones. What they are is, if you go back and look at them, I'm not going to say abstract, but they allow flexibility for all the different kinds of data and the different kinds of organizations out there. So, what they're going to say is, for example, PCI or PII, they're going to say you must have a data classification framework within your organization that is appropriate to the data that you are managing.
So, if you're not managing PII or PCI, which many law firms in Alabama are not, for example, you don't worry about it. It implements pretty well. So, within a large organization full of that data, it would be a very high classification for which then the other data security rules kick in to say, "Well, if you've got something that's really high, you should do X, Y, Z like encryption." Great example. You surely should be encrypting your PCI, PII, both in transit and when it's at rest. I agree with you, but I think that the data security rules do get implemented well by organizations if they pay attention. I know if I've got PII, I've got an elevated form of data that is going to have to meet elevated requirements with my other data security controls.
So, generally, if you rely on those large global frameworks, ISO and NIST, you're going to have pretty good rules in place. It's only when you follow those that you end up with some of the messes yet, but I think the frameworks are fine and they change a little less often than the privacy frameworks. Although there's a proliferation of data security frameworks now too, SEC and DOL.
Bill Tolson:
The FTC, yeah. I started talking about my thoughts on the whole reasonable security question when it comes to the data privacy laws. Somebody pointed me at the Sedona conference paper on what's the legal definition of reasonable security, which I was surprised actually existed. I actually read through it. It actually defines reasonable security in an algorithm, which I thought was really interesting the way that Sedona put it together, but I still think encryption is a real old technology that still works. It's not vendor specific, but I apologize for getting us off a little bit.
Bill Schiefelbein:
I have just one comment on that. Because we were interested too when we were first developing our own frameworks in what Sedona was doing and Sedona is the perfect vehicle, for example, what they did with eDiscovery law, where the net output is within the bailiwick of judges, magistrates, and law firm lawyers. What should be the rules around eDiscovery and evidentiary and blah, blah, blah? When they get outside, we had this same issue at ACC. We had to make this decision right off the bat and Jim supported it all the way. ACC should not be writing its own data security framework. We needed to be following the global standards, NIST, ISO, et cetera, tailored for the legal profession definitely, but we absolutely did not want to write our own controls.
So, the key thing for us was to have committees of people who know this area. So, we had a controls committee, we had a working group, both of which were combinations of CIOs, CISOs, cybersecurity attorneys, et cetera, mainly on the law firm and vendor side. Then every piece of the controls and the program design was fed up to an in-house advisory board that said yes or no, your proposals are going to work. No, go back and rework this. So, that whole committee structure took ACC right out of it. Those are the committees that made the decisions and those are the ones who are looking at what's really important for law firms. Hey, we don't need these specific controls around ATM machines, that thing.
Just to go back to something Jim said, our initial effort is what we call the core assessment, because we said, "Look, the scope for this should be every law firm, large and small, should be expected to comply with these controls. What are they?" We had members of thousand plus lawyer law firms and we had 10 attorney law firms on there. It has worked incredibly well. We've had probably dozens of Fortune 500 organizations looking at our controls and comparing it to their own. There's going to be some, we assume at some point, will say, "Now you're missing this and that," but so far, they've met the need. It's because we started with the right people and the right structure. It wasn't really a lawyer product.
Bill Tolson:
Well, the whole point and this is a great best practice when working on this stuff or coming up with new stuff is you got to ask potential clients, "What are the things they're working with?", not walk in and say, "Hey, this is all the stuff that you need to know and we know everything." Gathering that information from the various constituents or possible constituents helps you put together a more broad acceptable framework. That's really an interesting thing. We were talking a couple minutes ago, but you mentioned, I forgot to ask, is the Data Steward Program just in North America? Is it international?
Jim Merklinger:
It's actually the standards that are applicable regardless of where you are. We actually have multinational law firms that have already gone through the credit issue program and ACC's members themselves are around the world. So, the concerns and the ability to measure are not uniquely US and certainly not any specific jurisdiction. We don't have anything that is say, country specific, although we do model after NIST, but that has a broad appeal. We had of course people involved who do business around the world in our advisory boards.
Bill Tolson:
In fact, you've brought up the NIST thing a couple of times, which I'm somewhat familiar with in that I do work with federal agencies as well. Between the NARA, National Archives directive M-19-21, telling all agencies to digitize everything and then President Biden's executive order in May of 2021, it's Executive Order 14028 and basically said all agencies must now rise to these new cybersecurity requirements and also move to the cloud, but the main purpose was cybersecurity requirements. That included multifactor authentication, systems that were designed on zero trust, data encryption.
So, the Feds in all of their agencies have basically said, "Okay, now this is the new base. You have to at least be doing this." Then the executive order then points at several NIST requirements to say, "For designing software, your vendors must follow these and supply chain, all these other kinds of things." But usually, the standard federal agencies tend to lag the Pentagon and defense; they're way ahead in some of this stuff. But I was very surprised, pleasantly surprised that they had set this new bar, which I thought was really interesting.
Bill Schiefelbein:
Yeah, I think those were the FISMA standards. Then to the extent you wanted to take a function, which many of the federal agencies wanted to do and even state, if you wanted to take it to the cloud, then you had to only be using FedRAMP authorized vendors. That's probably one of the most difficult and expensive certification and authorization programs out there. Now the state governments who are all atomized, doing their own things have generally come together very recently and said, "You know what? Let's just do FedRAMP for the states." They call it StateRAMP now. You just adopt the FedRAMP method for any functions you want to take from state based systems to the cloud somehow. So, they're doing all that.
Just one comment on the global aspect of this, actually, it was Jim's requirement early on and he's saying ACC is all about global. So, we definitely made sure that the controls that we were adopting were equally applicable. They're coming from NIST or ISO. It doesn't matter because abroad, they think ISO and they ask the question, "Was this US specific?" No, but they're really interchangeable. They're all covering the same topics and issues. What we find is that this issue and the need to resolve it is a really hot issue in the US. I would say it's the Commonwealth countries, UK, Australia, New Zealand, Canada, yes too, where you get NIST level interest, where they're very, very interested, maybe a little bit following the US.
Getting into the EU, you start to lose traction on their interest in this because they feel like GDPR is covering it all. You get a lot of those comments. We assume this will all roll much more globally, but definitely, their early interest is US law firms and companies that are US based a lot of times. One other way we anticipated this is in our platform, you not only have a self-assessment, you can literally have up to 10 self-assessments, same base license where you say, "Look, my US system's in really great shape. I got a score of 93%, but I want to do a separate one for my EU systems, because in EU data centers, they're maybe a little less secure."
So look, if you're Baker McKenzie, you might have one of these self-assessments for each continent and they might have different scores. So, that way, their clients can look at whichever one they care about. Do I care about Brazil or do I care about EU and see a different response from Baker McKenzie if Baker McKenzie wanted to do that? So, we built that jurisdictional specific globalization ability into the self-assessments as well.
Bill Tolson:
One of my thoughts was are there different levels of accreditation? What's the average length of time it takes for a firm to say, "Yeah, we're good"?
Bill Schiefelbein:
I think we really spend a lot of effort with the committees trying to figure out how to turn that, because many of the firms have ISO certification and it's a very, very difficult process. What we wanted to do is to streamline it to basically achieve the same function. The initial effort for many of these firms is actually coming up with the documentation that proves their compliance. It could be a screenshot. It could be a policy document. Often you'll find more of those documents in the larger firms. The smaller firms are often just as secure, but what they have is a series of practices but not necessarily policy or procedure documents to prove it. So, there's some of that. What's going to count as evidence? That can take them a couple months to get it all up in there.
Of course, from then on, they never have to change it. They just update it, but it takes them a couple months. Then it's a three-day process for our independent assessor to review and comment on, give them issues. They usually go away for a couple weeks or a month and fix those things, come back. Maybe we'll have a live session over Zoom or something and pull it together for them. So, that's how the process works. It's good for three years. Some clients, some in-house counsel would like us to also have a light refresher annually where you just have a one-day session where you go in and check how are you doing on some of these things, what ISO does as well. So, that we're considering.
One other thing, we're working with an organization, they do wonderful webinars for all of their firms. They tend to be smaller firms, lots of them. They're telling them about cybersecurity and you got to do this, you got to do that. Their feedback from their customers is that's great. I have no idea how to implement this. Give me a solution. So, they've got a solution that if you use it, it's really, really secure. One of the things we've talked about is maybe we accredit the platform. So, hey, if you use this platform to the extent you do for any data in that platform, we'll accredit it and you can use that in your marketing.
We have not done that yet, but that's the thing as well. We talk about doing something like that for Office 365. If you use it, then use it right, but it's really tough to accredit that platform, because there's so many configuration mistakes that people can make. But accrediting a platform is something that we've talked about as well. If I use it and use it exclusively, am I secure? You want to be able to say yes. That helps the smaller firms.
Bill Tolson:
That is really an interesting thought and an interesting point. I think it's fantastic. But accrediting the platform, if a law firm is using a certain platform within the firm to manage records for example or manage eDiscovery data sets, whatever it happens to be, and you guys could go in and accredit that platform, maybe you would help probably vendor to do that, but I think that that really opens up a lot of possibility. I mean that would be a huge benefit both for vendors of law firm software and things like that, but like you say, even for Microsoft 365 or Azure or AWS, the certain applications within there, wow, I think that's really fantastic.
Bill Schiefelbein:
At least you can take huge data sets off the table. For example, if all the PII and PCI are stored in a particular system, we know it's secure. If it's all in there, you could accredit that fact, even your own product, Archive360. I would think to the extent that you've got some of the biggest volume of data that law firms deal with in archive systems or in eDiscovery systems, Relativity, that thing.
So, we're at the level where we're thinking about it for these holistic systems where all the firm's data are contained in this system and not so much systems, this records management system, this email system. But it really helps to go there, because what it does is it tells the law firm, "Look, use that system and just raise your right hand, sign an affidavit saying, 'We use it exclusively. All our data's in there, et cetera.'" That can give the clients a lot of assurance when otherwise they don't know where your data's at within the organization, is it configured, et cetera.
Bill Tolson:
Well, and like you say, I mean software applications, things like that are built on different architectures. Like I mentioned before, zero trust architecture is now a level set at the federal government. I think it is a lot within industries as well, but you mentioned our platform. Yeah, we're a big cloud archive. We deal with lots of law firms. They use us to store data sets or attorney work product after certain amount of time. They just want to archive it and keep it around, but there's a lot of sensitive data in there and it's being managed and everything in the background on Azure or something like that. But for that software to have potentially an ACC accreditation for cyber security would be a huge benefit I think for everybody. That's a fantastic thought.
Bill Schiefelbein:
It dovetails with accreditation for the law firm where you're focused on policies and practices and permissions and so on, but yet the data's all sitting generally in five different repositories, let's say. If you can double up and say, we not only are policies and practices and our instant response, all of that, our backup plans, et cetera, all get accredited by ACC, but if they're also working with accredited platforms where an assessor would come in and really dig into the configuration, have you done this and this and this and this to make sure that-
Bill Tolson:
Do you have access controls and do you encrypt and all of that stuff? Yeah, I think that that is just a natural partnership with the firm being accredited. I think that's fantastic. I know we're running up against time here in a couple minutes. I wanted to get a couple other things in here. The Data Steward program is live now, correct?
Jim Merklinger:
Yeah, it is live. It took a while to bring it to fruition, then we rolled it out. We have some of the biggest law firms in the world already through the accreditation and some small ones that not everyone knows about.
Bill Tolson:
Yeah, I was going to say, do you have any success stories? Obviously, you can't mention firms or anything, but it sounds like it has gotten the right amount of mindshare and it's being pursued. I think you probably hope it's going to become a standard for this thing.
Jim Merklinger:
One of the best results we've come across is companies that actually had processes already in place who evaluated their program versus the one that we created and even to the point of mapping the controls within the ACC Data Steward Program to their existing controls and have come back and said, "Yours is better and we want to use it." That's a great outcome because you would think some of the companies that already had processes in place, maybe the last to adopt, but they actually said, "We know how tedious this is and what a burden it is. If we can use this process, it would make life a lot better for us."
Because really it's a lot of work, but most people don't get hired to evaluate law firm's data security programs. Nobody wants to do that. It's just necessary as part of their course of doing business, but then they have the real job to do. It's just a starting point. So, they move on and they get to the business of whatever they're engaging in that law firm for.
Bill Tolson:
Well, I'm thinking in my own mind, I'm sitting here thinking the ROI on this has to be probably pretty easy to prove and it's probably pretty massive, because like I say, most companies these days have experience with these massive security questionnaires that you got to put people on. It's taking up productivity. It's costing. If you're doing that 10, 100, 500 times a month, then the cost of that versus the cost of being accredited with you guys for every three years or whatever it happens to be, the ROI on that just has to be massive.
Jim Merklinger:
Related to that, we looked at when we created and selected the controls and built the scheme to make it as objective as possible. I'm really surprised that some of the companies have shared evaluations that are subjective, which means you still have to evaluate the answers. If you have an 800+ questionnaire, which I have to admit when I first looked into this, I didn't think anybody would have something that large, but now I've learned that it's very common. As you mentioned, there's some much larger than that. If it's not based on an objective scoring, it's got to be a nightmare to go through all those things and then it's hard to do an apples to apples comparison.
So, even within that framework, they may be very excited about their 800 questions. We had one that told us they were excited because they got it down from 1,000 to 850. I was like, "Wow, great." The idea behind it is that "How do you have an easy measurement?" Just because you can collect that answer, are you just checking the box or is there a way to really evaluate and compare? If it's subjective, it's possible, but it's hard. Then you have to rely on someone's judgment, and then maybe two years later, that person's gone.
Bill Schiefelbein:
Best example of that is one of the industry standard questionnaires that many corporations follow, they customize a little bit. One of the questions goes, "Do you, the law firm, collect personal data?" They almost always do. So, they say, yes. If yes, please describe. Now, what is that? So now, all of a sudden, you've got an attorney involved and questionnaires that on average take $3,000 to $5,000 of staff time is now shooting through the roof because somebody's got to write a memo on it. Who's going to review that in the information security department at the client? It's just somewhat, I'm not going to say lazy, but yeah, if you got a great answer, it really tells you something, but you're not going to get that.
You're going to get a lawyerly worded, short as they can possibly make it response and nobody knows how to evaluate it. So, that was one of the things the controls committee looked at first. Let's eliminate open-ended questions in favor of we do or we don't comply with the following control. That has made a big difference, I think. Just one related point there, going back to something you mentioned earlier, Bill, I was surprised not only at the success of these controls. They've gone much further to map onto big law firms' needs than I thought, but the other surprise was how effective this was with small law firms. One of our first, if not our first customer, a couple years ago was a small firm of about 12 attorneys I think at the time.
They were competing though with very large law firms. The presumption by the clients was, "Well, the large organization is going to have better data security." The truth of the matter is actually not, because the smaller firm, basically, it's a simpler footprint. They had an outside IT managed services who were managing it, who were very competent in answering the questionnaires and coming up with evidence and so on. So, they ended up actually in at least the same competitive position with their larger competitors just by going through the work they got accredited and that really helps them to compete. It's definitely worked and probably the best self-assessment I've seen so far was from a Brazilian firm that had a partner in the firm.
I kept saying, "Where's the IT person who's going to work with us on this?" That partner did incredibly transparent and explanatory every control they complied with and did not comply with. Here's why. Very, very thorough. That was a 20-attorney firm. So, it's pretty impressive what they can pull together. It's the solos that are sometimes more difficult because they just really are non-technical. Just working at a laptop.
Bill Tolson:
What you just said should set smaller law firms' minds at ease that just because company X, Y, Z, which is multinational and has 5,000 lawyers and a thousand IT folks, the fact that a knowledgeable attorney in a small firm could impress you like that, which should open the eyes of the small firms and say, "Yeah, that'll help me compete," because obviously, they're probably getting hit with the same security questionnaires that the big guys are.
Bill Schiefelbein:
That's right. They actually came to the table because one of the top five software manufacturers, you'd recognize the name, wanted them to do this, but you know that that company has all of the large firms, Silicon Valley firms, whatever, working on this. So, they really had to compete and it was a very honest assessment, which huge points for that as well. So, yeah. It's working better for the large firms than I thought and better for the small firms than I thought. I think that's a big win and thanks to those committees that worked on it.
Bill Tolson:
Oh, yeah, no, I think this whole thing is fantastic because I've been concentrating on data privacy here for a couple years now and my work with law firms has really made these risks obvious to me. Jim and Bill, I think that we're going to have to wrap up this edition of the Archive360 Podcast. I really want to thank you for an interesting and really fun discussion today on this subject of data security and privacy for law firms and corporate legal departments and so forth. You guys are setting up what amounts to a standard for law firms to meet so they can offload all of these onerous security questionnaires and so forth.
If anyone has questions on this topic or like to talk to a subject matter expert, please send an email mentioning this podcast to info, I-N-F-O, @archive360.com. We'll get back to you just as soon as possible. Also, check back at the Archive360 resource page for new podcasts with leading industry experts on various subjects including data security, data privacy, information management, and archiving, records management, eDiscovery, and regulatory compliances among others. With that, Bill and Jim, it's been fantastic. I'm really excited about the service that you're offering, so thank you very much.
Bill Schiefelbein:
Thank you.
Jim Merklinger:
Bill, thank you. I appreciate the opportunity to speak with you.