Not All Data Is the Same: Understanding Your Data Privacy Obligations in Legal Outsourcing

Legal Process Outsourcing (LPO) arrangements often involve the management of large volumes of personal information about an organization's customers or employees.

Legal Process Outsourcing (LPO) arrangements often involve the management of large volumes of personal information about an organization's customers or employees.

Often, this information includes highly sensitive information, such as financial and medical data, payroll and benefits information, and even personal social security numbers. When attorneys are exploring LPO as a way to improve the operations of their legal departments or law practices, the privacy and security of client data, as well as issues of legal privilege, must be addressed.

The Type of Legal Outsourcing and Jurisdictions Matter

The degree to which an attorney needs to be concerned with data privacy largely depends on the kind of data and information being shared with the outsourced provider. When a firm hires an LPO provider for matters involving immigration, bankruptcy, intellectual property or contracts management, steps much be taken to ensure the security of confidential client information. If the LPO has been given sensitive information such as social security numbers, dates of birth, bank account numbers, and other private data, this data has to be protected and handled in a way that minimizes the risk to the client.

Conduct Due Diligence

Both inside and outside counsel must understand the laws of the country where the data originates as well as the laws of the country where the data will be processed. It is important to fully understand the privacy laws and rules within the jurisdiction where the work is actually being performed. In the US, lawyers that outsource also need to ensure that they comply with the requirements of applicable state laws. Given the multi-jurisdictional nature of outsourcing, proper due diligence is necessary.

Questions to Ask

When hiring an LPO provider, there are several questions to ask to help ensure data security:
• What are the qualifications of the people performing the work, and what screening process did they undergo before being hired?

• Do employees sign confidentiality agreements?

• What kind of supervision and quality control procedures do you have?

• What procedures does the company use to protect the confidentiality of private data?

• What kind of physical security is provided for protecting client data from theft or misuse?

• Does the company have a system for identifying potential conflicts of interest?

• Has the company had any privacy or security breaches in the past, and, if so, what steps were taken to address them?

Vendor Contracts Are Important

Once due diligence is complete, the company or law firm must ensure that vendor contracts include proper protections such as contractual provisions related to confidentiality, appropriate use, data security, audit rights, insurance and remedies. Depending on the amount and sensitivity of the data being processed, ongoing vendor monitoring and management is also essential.

In particular, when outsourcing off-shore, it is recommend that the company develop a formal crisis plan for responding to any misappropriation of personal data.

This plan would contain an analysis of legal remedies available in the jurisdiction. It would identify both local legal resources that could be called upon quickly as well as the legal remedies in the event of a security incident or breach of contract.

Fortunately, industry studies regularly show that the leading Legal Process Outsourcing providers take security concerns seriously, and they may even have more security measures than the law firm or company. That said, it is always a best practice to review all security protocols to reduce risk and ensure compliance.