In the current patchwork of cybersecurity and data privacy legal requirements, it can be challenging for a professional organization to create a comprehensive privacy and security program that complies with the various (and sometimes conflicting) legal requirements and contractual obligations imposed by clients. More and more, clients are viewing the law firms and accounting firms they are using as “vendors” obligating those professional organizations to respond and comply with vendor management questionnaires.

This Session will provide a detailed explanation of core components of a security and privacy program, methods to ensure that the program can be altered to fit new requirements as they come into place, and how to transfer risk whenever possible. The Session will include a discussion on Written Information Security Policies, Departmental and Employee Policies, Risk Management Programs, Client Contract Management Programs, Incident/Breach Response Programs, and Training. The Session will also confront the best and more efficient way to address privacy and security questionnaires from clients and how to incorporate this obligation into best practices and a marketing tool.