Ari Kaplan recently spoke with Kenya Parrish-Dixon, a member of the ACEDS Global Advisory Board and the General Counsel and Chief Operating Officer for Empire Technologies Risk Management Group, a cybersecurity, information governance, eDiscovery, and managed review consulting company. Following are excerpts from their conversation, which is available to listen to in its entirety here.
Tell us about your background and the genesis of the ETRM Group.
I was a litigator for many years at a large international law firm, primarily in the health space. Then I started my own eDiscovery law firm for a short period of time, when I was asked to help the FDIC with their end-to-end Information Governance Program. I left there and went to the Federal Trade Commission, where I gutted and rebuilt their litigation support infrastructure. I was asked to go to the White House to help them move from a policy-based organization to being a litigation-based organization.
I have, over the years of my career, purchased about $40 million of goods and services for the federal government. It’s a very difficult, lengthy and bureaucratic process to acquire goods and services in the government. I wanted to find a way within the private sector to offer to the government the litigation support goods and services that I needed when I was there.
That’s what we’re building here at Empire Technologies Risk Management Group. It’s a holding company, and we are growing to meet all the requirements to protect data, including cybersecurity, information governance, information assurance, risk management, eDiscovery, and even paper scanning and conversion. We are trying to provide everything to the government that they would need with regards to litigation support data.
How has the pandemic impacted the perception of cybersecurity, information governance, and eDiscovery?
The White House is the most attacked entity in the United States, so I learned a lot just by being in the room with the information security people. Once I got back out to the private sector working with law firms, I was a little shocked how lax data security is on this side of the business world. The pandemic created a sudden understanding that you had to figure out where your assets were, where your employees were sitting and what they were connecting to, how they were connecting to the network, whether that connection was safe, what applications were they using, and were they using non-approved applications. How do you manage all of this data when all of your employees are at home? Who has access to the laptop and the phone? Are you still preserving data appropriately? Are you able to collect and produce all this data remotely?
There were some basic steps that needed to be taken, like resetting the password on your router, so people could set up a workstation at home and be moderately secure.
There’s a lot that hasn’t been done, particularly in the legal environment, to protect data. That’s what we’re trying to help law firms and corporations manage, while also allowing lawyers to practice law without too many hindrances. You can shut everything down, but you still have to be able to work. I think the pandemic made everyone aware. Then of course, law firms are getting breached, and corporations are very concerned about this.
The ETRM group has been an early participant in the Association of Corporate Counsel’s new Data Steward program. How will that initiative impact the challenges that your clients are facing?
This initiative was really driven by corporations. The Association of Corporate Counsel has about 45,000 members over more than 10,000 organizations right here in the United States alone. Their members were saying, “We have this process that is really unwieldy, for those of us that have a process, and the rest of us don’t have a process at all for knowing what happens to our data when we send it to vendors and to law firms.” Law firms were being breached long before COVID and corporations were wondering, “What does that mean for our data?”
This initiative was based on work that was done at the FTC. I worked with some consultants at the FTC to help me create a FedRAMP environment for the litigation support data. Pushing data into the cloud has been something that the government does, but it hasn’t done it frequently, and FedRAMP was designed to make sure that if you’re going to push federal data into the cloud, you’re doing it securely.
FedRAMP requirements come out of the National Institute of Standards and Technology (NIST). NIST is a Department of Commerce organization that puts out standards for everything in the science world, including cybersecurity. It has cybersecurity and privacy frameworks.
That was the genesis for how we were going to build the Data Steward Program for the Association of Corporate Counsel. The Association of Corporate Counsel thought they were the right body to do this because pushing cybersecurity or information security to law firms has to come from the client. Corporations have said that General Counsel’s offices need a way to monitor what law firms are doing.
We developed 175 core protocols, which law firms can use to do a self-assessment. A law firm can join the Data Steward Program and pay the full price for full membership and do a self-assessment and get accredited. The program gives the firm a benchmark or grade and corporations can look at that information and determine whether or not the firm is meeting their requirements.
We think this is an industry game changer because it’s a transparent process and is inexpensive and less time-intensive compared to other certification programs like ISO 27001. This is a very different program because you don’t just get a report and an accreditation or certification at the end. It’s a system that’s malleable. You can use it on a day-to-day basis to go in, change security responses, recreate your policies, change/edit/revise your policies, change the standard of the security protocol or configuration that you’re referring to, add or delete them depending on the client, and add sites.
As a member of the ACEDS Global Advisory Board and a CEDS certified professional, do you see the Data Steward Program as part of a larger validation trend?
There’s a trend for people to become experts in software, processes, and fields. The Data Steward Program is different because it validates that you have certain controls in place that secure data. It’s a little bit different, but I think there is a trend to move towards more certification. For instance, SharePoint is a Microsoft product. Microsoft is only one company; SharePoint is only one application that they sell and that we use, but having a SharePoint certification is really helpful if you’re using SharePoint as a primary tool for your organization. For our accreditations, you may not see more accreditations or validations for environments. I think we’ll have the Data Steward program, SOC 2, and ISO 27001 to cover the gamut. I don’t know how many more meaningful certifications or accreditations you’re going to be able to get for an environment. You’ll certainly see more certifications for individuals. You’ll see the CISSP, and different certifications for privacy and as technology changes. But you probably won’t see many more accreditations for environments.