A growing trend in the legal profession is the outsourcing of legal work to third-party providers. Also known as legal process outsourcing, legal outsourcing has enabled law firms to increase profit margins while decreasing the costs to clients. However, legal outsourcing is not without risk. The privacy and security of client data, as well as issues of legal privilege, must be taken seriously when lawyers consider utilizing the services of a legal outsourcing firm.
Types of Work Being Outsourced
Law firms are outsourcing a variety of legal work to outside providers. Except for legal research, most of the work tends to involve tasks that are repetitive or time consuming. These are situations where the project will require more hours to perform than the firm can handle or the cost of doing it in-house is simply too high. For example, many bankruptcy and immigration lawyers utilize the services of paralegals in India to prepare the forms required to process their cases. Civil litigators outsource records review and e-discovery compliance, while personal injury firms in class action lawsuits outsource the collection of data, the classification of claims, sending notices, and distribution of client payments. Many transactional lawyers outsource the initial drafts of contracts and due diligence work.
In addition to outsourcing repetitive or labor-intensive tasks, some firms outsource projects that revolve around legal research. This may involve drafting a motion or brief on an issue to be filed with a trial court, or it may be as complex as the research and writing of an appellate brief. This kind of work typically involves fewer privacy issues than some of the other kinds of work being outsourced, but it requires a higher level of skill to accomplish the task at a competent level.
Not All Data Is the Same
The degree to which an attorney needs to be concerned with privacy largely depends on the kind of data and information being shared with the outsourced provider. When an attorney hires a researcher to write a memorandum on a particular legal issue, there are few privacy issues at stake. The researcher is merely researching the law as it applies to facts that are already a matter of public record or will be public as the case moves forward. However, when a firm hires an outsourcing company to prepare the paperwork for matters such as immigration, bankruptcy, or taxation, the information being shared changes dramatically. Rather than dealing with public information, the outsourcing firm is now being given sensitive information such as Social Security Numbers, dates of birth, bank account numbers, and other private data. This data has to be protected and handled in a way that minimizes the risk of harm to the client.
Rules of Professional Conduct
In August 2012 the American Bar Association (ABA) House of Delegates adopted Resolution 105C to address growing concerns over privacy and confidentiality in the outsourcing process. This Resolution amends the comments to ABA Model Rules 1.1, 5.3, and 5.5 to address the obligations of an attorney who outsources legal work. Two additions to the comments are particularly relevant to attorneys who outsource legal or paralegal work, one dealing with outsourcing to outside lawyers and the other addressing outsourcing to nonlawyer assistants.
Rule 1.1 Competence. First, Paragraph 6 was added to the Comments on Rule 1.1 Competence to explain a lawyer’s duties when outsourcing work to a lawyer outside the firm. Paragraph 6 states:
Before a lawyer retains or contracts with other lawyers outside the lawyer’s own firm to provide or assist in the provision of legal services to a client, the lawyer should ordinarily obtain informed consent from the client and must reasonably believe that the other lawyer’s services will contribute to the competent and ethical representation of the client. See also Rules 1.2 (allocation of authority), 1.4 (communication with client), 1.5(e) (fee sharing), 1.6 (confidentiality), and 5.5(a) (unauthorized practice of law). The reasonableness of the decision to retain or contract with other lawyers outside the lawyer’s own firm will depend upon the circumstances, including the education, experience and reputation of the nonfirm lawyers; the nature of the services assigned to the nonfirm lawyers; and the legal protections, professional conduct rules, and ethical environments of the jurisdictions in which the services will be performed, particularly relating to confidential information.
Two important points should be taken from this Comment. First, the Comment says that attorneys “should ordinarily obtain informed consent from the client.” In other words, the ABA believes your ethical duty includes telling the client you are subcontracting the legal work out to an outside provider. Second, the language in the last section concerning the reasonableness of the decision to outsource seems to require the attorney to investigate the credentials of the lawyers being used as well as the laws and ethical rules that govern the jurisdiction where the work will be done.
Lisa Solomon, an attorney in New York who provides legal research and writing services to law firms, observed that, “Since the legal protections, professional conduct rules, and ethical environments of all 50 states are similar, the practical effect of this comment is to impose on lawyers additional due diligence requirements when outsourcing overseas. This may make international outsourcing impractical for solos and small firms.”
Rule 5.3 Responsibilities Regarding Nonlawyer Assistants. The second new comment to consider is Comment 3 to Rule 5.3 Responsibilities Regarding Nonlawyer Assistants. Comment 3 states:
A lawyer may use nonlawyers outside the firm to assist the lawyer in rendering legal services to the client. Examples include the retention of an investigative or paraprofessional service, hiring a document management company to create and maintain a database for complex litigation, sending client documents to a third party for printing or scanning, and using an Internet-based service to store client information. When using such services outside the firm, a lawyer must make reasonable efforts to ensure that the services are provided in a manner that is compatible with the lawyer’s professional obligations. The extent of this obligation will depend upon the circumstances, including the education, experience and reputation of the nonlawyer; the nature of the services involved; the terms of any arrangements concerning the protection of client information; and the legal and ethical environments of the jurisdictions in which the services will be performed, particularly with regard to confidentiality. See also Rules 1.1 (competence), 1.2 (allocation of authority), 1.4 (communication with client), 1.6 (confidentiality), 5.4(a) (professional independence of the lawyer), and 5.5(a) (unauthorized practice of law). When retaining or directing a nonlawyer outside the firm, a lawyer should communicate directions appropriate under the circumstances to give reasonable assurance that the nonlawyer’s conduct is compatible with the professional obligations of the lawyer.
This Comment indicates that a law firm must do more than simply find the best quote on an outsourced paralegal service. Before outsourcing work to an outside nonlawyer provider, the attorney must consider the credentials of the provider, the nature of the services, how client information will be protected, and the legal and ethical rules that will apply in the jurisdiction where the work is performed.
Not all outsourcing is done overseas. One of the ways that lawyers and law firms outsource legal work is through the use of attorneys licensed in the United States. Sometimes this is by hiring attorneys through a legal temp service, whereas in other situations it may be a direct contractual hire. Companies such as Axiom Global Inc. may be hired not only for legal temp services, but also for outsourcing legal work on a large scale. In some cases, corporations skip the stage of engaging a law firm and go directly to legal outsourcing companies such as Axiom to handle many of their legal matters.
Others provide legal outsourcing services as a specialized form of law practice. For example, solo attorneys Lisa Solomon and Corinne A. Tampas both work for law firms across the country as independent contractors, hired to handle specific legal research and writing projects.
Tampas, who calls herself an “onshore outsource attorney,” believes hiring onshore is superior to sending legal work overseas. She explains that “as a U.S. attorney I have to live by the same ethical obligations as the hiring attorney, and it is easier for the hiring attorney to have control.” Solomon similarly observes that, “Comments received by the ABA Ethics 20/20 Commission reveal (anecdotally, at least) that solo and small firm lawyers overwhelmingly prefer to outsource domestically rather than internationally.”
Despite the convenience and security of onshore outsourcing, outsourcing overseas has a significant advantage when it comes to price. India in particular is a popular source of legal outsourcing services because of its citizens’ advanced English skills and the similarity of its legal system to ours.
Several laws in the United States regulate the use of health care information and financial data, but these laws would not be helpful when privacy violations happen overseas. However, India recently enacted new privacy laws imposing both civil liability and criminal punishment for certain privacy violations. Legal outsourcing providers can be subject to civil liability for failing to use reasonable security practices and procedures when handling sensitive personal data or information if their failure results in harm to any person. It is also now a crime in India for a person to disclose sensitive personal information without the consent of the person or in breach of a contract with the knowledge or intent that the disclosure would cause wrongful gain or loss. This increased level of liability would seem to satisfy the concerns raised in the ABA Comments over the laws of the jurisdiction where the outsourced work is being performed. However, counsel still should ensure that proper data security procedures are followed and that the services are conducted in a competent manner.
One of the larger providers of legal outsourcing services in India is SDD Global Solutions. Unlike some outsourcing services that are entirely foreign corporations, SDD Global Solutions is managed by the law firm of SmithDehn LLP. Many law firms hire SDD Global Solutions because their processes and procedures are being overseen by a U.S.-based international law firm.
Vidya Devaiah, managing director of SDD Global Solutions, recommends that “The main considerations that an attorney should keep in mind when hiring an outsourcing provider are the hiring policies and training policies of the firm. This will help ensure quality work product. If the concern is about data security on a large scale, then it is often best to pay a site visit to the firm and assess the security measures firsthand.” Devaiah says SDD Global Solutions’ office is secured, with restricted access only through the use of an electronic swipe card, and each employee has access only to certain areas. Also, employees sometimes access data from the client’s servers and do not store that data on their own computers. In addition to such security measures, Devaiah says that “security, for the most part, lies with the people.” For this reason, SDD Global Solutions is very selective in its hiring process and subjects every candidate to an extensive background check before offering employment.
Questions to Ask
If you are considering hiring a legal outsourcing company, there are several questions to ask before choosing a provider.
- What are the qualifications of the people performing the work, and what screening process did they undergo before being hired?
- Will the work be performed in the United States or overseas?
- Do the employees work in an office or from their homes?
- Do employees sign confidentiality agreements?
- What kind of supervision, review, and quality control is included in the process?
- What are the relevant privacy laws and rules within the jurisdiction where the work is being performed?
- What procedures does the company use to protect the confidentiality of private data?
- What kind of physical security is provided for protecting client data from theft or misuse?
- Does the company have a system for identifying potential conflicts of interest?
- Has the company had any privacy or security breaches in the past, and, if so, what steps were taken to address them?
Outsourcing some of the tasks performed by your law firm can be an effective means of increasing efficiency and profitability. Although caution must be exercised to protect the security of confidential client information, attorneys should explore legal process outsourcing as a means of improving the operations of their law practices.