By Michael Sonsteng, Strategic Head of Legal Process Outsourcing, Infosys BPO
Buyers of legal services have become considerably more sophisticated in the last few years. While many in-house counsel and law firms are increasingly comfortable with outsourcing their legal work (onshore or offshore), data security and confidentiality remain key concerns for clients in the outsourcing space.
Legal outsourcing firms or Legal Process Outsourcers (“LPOs”) have to deal with three primary issues:
• Risk of unauthorized access to confidential data by internal and external resources.
• Risk of data transmitted to unintended recipients.
• Risk of legal ethics violations.
Stringent measures are required to safeguard clients’ interests by protecting confidential data from theft, damage, or misuse. The measures LPOs should take begin with educating the workforce, building an ethics-based culture, and sensitizing people to the importance of confidentiality to a degree similar to, or GREATER than, their onshore or in-house counterparts.
Laws and legal opinions treat legal outsourcing differently from country to country.
In the US, the American Bar Association Standing Committee on Ethics and Professional Responsibility (ABA Formal Opinion 08-451) defines the key obligations of outsourcing lawyers. It states in part that a lawyer may outsource legal and non-legal support services, but the lawyer retains complete responsibility for rendering competent services to clients under Model Rule 1.1. Rules 5.1 and 5.3 hold supervisory lawyers accountable for the professional conduct of their staff and subordinates. Rule 5.3 makes reference checks and background checks essential to establish the quality and character of employees likely to have access to client data.
Investigating the security of service providers’ premises, including their computer networks and their recycling and refuse-disposal procedures, is often highly recommended, depending on the sensitivity of the information. While a prudent procurer of legal services should do full diligence on its jurisdictional and in-house requirements, some compliance frameworks and certifications that legal and other outsourcers should follow include:
• Sarbanes-Oxley Act.
This 2002 legislation, which reformed the code of conduct for business globally, requires companies to certify their financial reports (Section 302), to make accurate and transparent disclosures (Section 401), and to report material changes in financial condition to the public (Section 409).
• AICPA SSAE 16 (formerly SAS 70 Type II) examination.
A CPA may be engaged to examine and report on controls at a service organization. Please note that SSAE 16 is an auditor-to-auditor report and not a certification. An example of such an engagement is a report on controls over the privacy of information processed by a service organization.
• Information Security Audit.
A quality assurance and risk team, as well as an external auditor, should periodically audit risk items including: disabling of removable hard drives, firewall effectiveness and the currency of anti-virus software, clean-desk and paperless environments, password protection and classification of critical documents containing PII, CCTV coverage, and the prohibition of camera phones and other portable media devices unless expressly permitted by a client. Any violation must be met with severe penalties and consequences. Additional audits may cover compliance with configuration management, ensuring that documents are stored in the defined folder structures with proper access controls; a master configuration controller on each engagement owns configuration management. An access control audit ensures that there is no tailgating or unauthorized entry.
• Contractual Obligation Compliance.
An organization may install contractual obligation tracking tools for contractual compliance governance with a dedicated compliance manager. Monthly risk reporting may be shared with a client after reviewing critical obligations.
• ISO 27001.
A provider should be ISO 27001 certified following a successful audit by an accredited certification body. To pass this audit, procedures and processes have to be defined in enough detail to satisfy the auditor. Focusing on security controls alone (from both a certification and a management perspective) is not sufficient; management controls must be addressed as well.
References and some relevant laws:
Data Security Laws in the US:
• The Right to Financial Privacy Act of 1978 (“R.F.P.A.”)
• The Electronic Communications Privacy Act of 1986 (“E.C.P.A.”)
• The Computer Fraud and Abuse Act of 1984 (“C.F.A.A.”)
• Gramm-Leach-Bliley Act Privacy and Safeguards Rules (“G.L.B. Act”)
• The Health Insurance Portability and Accountability Act
• California Online Privacy Protection Act
• The California Database Protection Act
• Sarbanes-Oxley Act
• ISO 27001 international standard
Data Security Laws in the UK:
• Data Protection Act 1998
• The Computer Misuse Act 1990
Data Security Laws in India:
• The Information Technology Act, 2000