As in-house information security and privacy counsel for Kutak Rock, tell us about your role. How do you describe your responsibility to the firm and its clients?
Kutak Rock is an AmLaw 150 law firm with more than 550 attorneys practicing in 19 US offices. The firm represents corporations, financial institutions and businesses of all sizes, and governmental and municipal agencies in transactional matters and business disputes and litigation. Given our client mix and the priority our clients place on ensuring their data is well-protected, Kutak Rock has invested significantly in meeting our clients’ information security requirements.
Having previously led the firm’s Privacy and Data Security practice group and having counseled clients on privacy and data security compliance for many years, I had the privilege to transition into the role as Kutak Rock’s in-house information security and privacy counsel, with responsibility for ensuring that our information security program remains at the forefront and our clients’ expectations are fully met.
I work closely with our extraordinarily capable IT security team, our HR team, and senior firm management to ensure we maintain the systems, training, and personnel that keep our firm ahead in an increasingly challenging information security environment.
You spoke at the 2022 ACC Annual Meeting about the firm’s involvement with the ACC Data Steward Program. What key takeaways can you offer law firms and in-house counsel about the program?
Assessing a law firm’s information security environment can be enormously time- and resource-intensive for clients. We understand the challenges from our experience with Kutak Rock’s own vendor management program.
The ACC Data Steward Program offers in-house counsel and their law firms the opportunity to leverage a one-to-many model that allows law firms to complete a single assessment that’s relevant and accessible to all their clients, and allows in-house counsel to have the benefit of a rigorous, detailed, and thoughtfully developed assessment tool that provides an apples-to-apples comparison of the information security capabilities of all the law firms they employ, with minimal effort on the part of the in-house legal department.
As strong advocates for the program, we’re happy to make ourselves available to answer questions from in-house counsel and law firms about the Data Steward Program process and benefits.
What changes have you witnessed in how clients are evaluating their law firms’ privacy and security practices?
I’ve seen enormous changes during the time I’ve been in my current role, as clients’ awareness and concern regarding privacy and security have continued to increase and their cybersecurity requirements have grown more sophisticated and detailed. It’s been several years now since law firms were identified as a potential “soft target” for cybercriminals, and clients’ demands have, understandably, evolved in response.
Many more companies are including detailed security and privacy stipulations in their outside counsel guidelines, and an ever-increasing number are conducting assessments to validate compliance. While most assessments are still in questionnaire form, we have several clients that use external auditors to confirm questionnaire responses, which is the same process the ACC Data Steward Program uses to validate law firms’ security measures and grant accreditation. We’re excited to see clients begin to adopt the Data Steward Program as their standard, in lieu of one-off questionnaires and audits.
Kutak Rock was an early participant in the ACC Data Steward Program. What in-house challenges does the Data Steward Program resolve for Kutak Rock and what are its benefits for your clients?
One-off assessments are a huge challenge for us, both because of the time and resources each one requires and because many are generic to all vendor types and not law firm-specific, meaning the questions frequently miss the mark.
With the ACC Data Steward Program, we have been able to complete a single, comprehensive questionnaire and audit that are specific to the legal sector and validate our information security program in a manner meaningful for all our clients.
What was your experience completing the ACC Data Steward Program core assessment questionnaire and then undergoing the external audit to attain ACC Accreditation? How well does the Program align with outside counsel guidelines issued by Kutak Rock’s clients?
The ACC Data Steward Program has been exceptionally easy to work with — they walked us through each step of the process, and their law firm-specific questionnaire is tailored to ask precisely the questions our clients need answered, while omitting the questions in other, generic questionnaires that aren’t relevant to legal services providers. The program’s auditor was professional, thorough, and efficient. We feel good about the process, as well as the outcome.
Kutak Rock has made the considerable investment of time and resources to become an ISO 27001 Certified law firm. How does the ACC Data Steward Program align with the firm’s security strategy and its clients’ stringent requirements for keeping their data safe?
ISO 27001 and other global information security standards, such as the NIST framework, underlie the ACC Data Steward Program assessment, so our existing ISO 27001 Certification facilitated our ACC Accreditation. Because the Data Steward Program questionnaire had been carefully tailored to focus on the needs of legal departments, it aligned almost perfectly with Kutak Rock’s information security program.
What process did Kutak Rock use to evaluate the ACC Data Steward Program and how did the firm assess and approve its up-front investment? How will you measure the Program’s return on investment?
It was a client that originally approached us and asked Kutak Rock to participate in the Data Steward Program pilot, which we were pleased to do. Once we successfully completed the questionnaire, saw how the scoring works, and experienced the capabilities of the platform, we could see the benefit to both the firm and our clients, so investing in becoming Accredited was an easy decision.
For us, the return on investment will occur when more of our clients adopt the ACC Data Steward Program to assess their law firms. Although we — not our clients — bear the cost of participating in the Data Steward Program, we expect the payoff to come as the number of costly one-off assessments we undergo is reduced and we can redeploy those IT resources to our active security measures.
How does Kutak Rock plan to inform its clients of the benefits of participating in the ACC Data Steward Program in lieu of relying on outside counsel guidelines or utilizing one-off data security questionnaires?
Our plan is to reach out to our clients to let them know Kutak Rock is now ACC Accredited, the assurance that provides, and the benefits of adopting the ACC Data Steward Program as their standard.
Although many companies have a separate third-party risk management or vendor vetting function, we feel in-house counsel will be interested to learn more about how the Data Steward Program is thoughtfully tailored to address the unique issues confronting legal services providers and their clients.