Risks Associated with Outsourcing
When legal work is outsourced, there must be a lawyer with direct supervisory authority over the outsourced work. That lawyer’s responsibility cannot be delegated. Lawyers should use caution to ensure they are satisfying their ethical obligations when outsourcing legal work.
Ethical obligations of the supervising lawyer include the following: (1) Ensure that tasks are delegated to competent individuals, and then oversee the appropriate execution of the project; (2) provide the client with information regarding the outsourcing arrangement; (3) safeguard the client’s confidential information; (4) check for potential conflicts of interest; and (5) avoid assisting in the unauthorized practice of law. These ethical obligations are not excused or waived during a pandemic.
Confidentiality Concerns
One of a lawyer’s core ethical obligations is to safeguard client confidential information. Most of the attention on this obligation focuses on lawyers’ use of technology. Just as lawyers need to ensure that the technology used internally at the law firm or the corporation safeguards client confidential information, lawyers also have a responsibility to vet an outsourced provider for the same purpose. Lawyers should take reasonable efforts to safeguard client confidential information from inadvertent or unauthorized disclosure by training outsourced providers and by having them sign confidentiality agreements.
With increased use of vendors for information technology services and support, lawyers should be aware of privacy protections used by vendors to protect confidential client information. Lawyers outsourcing information technology services will likely be transmitting large amounts of confidential client information to vendors, resulting in data breach or cyberattack risks. Digital data transmission and storage by a vendor should be vetted to ensure appropriate data security measures are in place and confidential client information won’t be intercepted and exploited.
Examples of reasonable efforts to ensure data security include cybersecurity systems such as anti-virus software, encryption, VPNs, and firewalls installed on a computer system that will be transmitting, receiving, and storing client information. In addition, data privacy and protection policies—and proper training on these policies—are also important measures to protect data from phishing or other types of cyberattacks. Supervising lawyers should regularly audit outsourced vendors’ data security measures.
Outsourcing Legal Services Insights: Data Security
In February 2020, a class action administration services company was the subject of a ransomware attack. The company shut down access to its servers to protect client information as it worked toward securely bringing its systems back online. During the shutdown period, many clients could not access their data or send new data. A class action complaint was filed in May 2020 alleging that the ransomware attack resulted in a data breach of personal information.
In October 2019, a company that provides legal case management software solutions was the target of a ransomware attack that prevented access to its electronic records. While the company resolved the security breach, law firms and lawyers were not able to access legal documents hosted on the vendor’s platform. As a result of the incident, at least one law firm had to file a request for more time to meet a filing deadline.
Ransomware, malware, phishing, and hacking have become more common forms of attacks against law firms, especially in times of crisis. The best way to prevent cyberattacks is to keep technology up to date and people appropriately trained in order to protect data.
During a crisis, lawyers are obligated to continue to render legal services competently and diligently, and safeguard client confidential information. The choice of whether to delegate work to an outsourced provider should be based on whether it allows lawyers to continue to render legal services competently and diligently, and safeguard client confidential information at a reasonable cost.