Corporate legal departments are feeling the pressure of increasing data and regulations involved in litigation, but as a business department, the primary goal will always be the bottom line. It’s generally more cost-effective and a more efficient use of resources to outsource legal work like ediscovery, specifically review, to outside counsel via a law firm or service provider. However, it is well known in the legal world that law firms have poor cyber security and are often slow to adopt legal technology. For legal and IT departments that contract legal work to outside counsel, this creates data breach vulnerabilities and increases the risk of leaking sensitive information. “Many firms don’t have user awareness training, and have limited to no policies on information security,” Amanda Ciccatelli of Inside Counsel writes.
When a security breach can cause consequential financial loss for your business (in lawsuits, court sanctions, reputation damage, etc.), ensuring data security is paramount. With those concerns in mind, many corporate legal departments are planning on outsourcing less and bringing more legal work in-house, but there are simpler ways for corporations to ensure data security without hurting their bottom line.
We’ve laid out three ways to make sure your business and outside counsel are handling sensitive data correctly:
1) Secure Information: Corporations secure their servers, employee devices, Wi-Fi, and cloud access with encryption, passwords, firewalls, and more. Does your outside legal counsel do the same? Panelists at the 2016 Association of Corporate Counsel said in-house counsel aren’t properly vetting their outside counsel’s defenses. “You really need to be doing some diligence around what the law firm is capable of doing with [your] information,” said Mary Blatch, the ACC’s director of government and regulatory affairs. When you outsource legal review, your sensitive data is in third-party hands and at a higher risk for a data breach, so make sure you hold outside firms to the same security standards your organization uses (or better). Ondrej Krehel, the founder of LIFARS LLC, an international cybersecurity firm, provides a list of questions to ask your law firm to determine what technology they’re using and what protocols are in place to protect your data. Some of the most relevant questions include:
- What technologies are used for encryption, authentication and authorization?
- How secure are law firm physical premises?
- Where is data stored and safeguarded?
- Who has access to backup procedures and keys?
- What are all compliance frameworks that are utilized there?
2) Ensure Compliance: With increasing regulations surrounding PII due to HIPAA, GDPR, DSAR, etc., and the growing amount of electronic data, it’s hard enough to keep up with maintaining compliance. Additionally, an outside law firm might not be as aware of unique industry regulations as you and your own legal department are. For example, missing personal data in redaction can be disastrous and costly, with fines up to $1.5 million and possibly imprisonment up to one year under HIPAA. Ensure your service provider or law firm is utilizing the latest advancements in legal technology and technology-assisted review to locate and protect your most vulnerable data.
3) Mitigate Risks: While many corporations are hoping to mitigate risk by bringing more and more legal work in-house, this might be an overreaction. Rather than outsourcing less, smart corporate legal departments are adding legal project managers (LPMs) to their team to work closely with service providers and law firms. The LPM knows the business far better than outside counsel, knows where to keep a close eye, and can work quickly and effectively to solve problems in a timely, painless manner while protecting the bottom line. According to Corporate Counsel, “LPM… provides in-house counsel with insurance that outside counsel is committed to controlling legal expenses and avoids the need for day-to-day oversight of their work.” The LPM is able to assess and mitigate risks at the outset or run damage control, taking action when necessary to minimize impacts on costs, scheduling, or people.
Corporations go to great lengths to protect their data, but that concern for security doesn’t always translate to third parties like outside counsel. Rather than spending more to build up corporate legal departments, in-house counsel and IT departments can work together and follow the few simple steps we laid out above to ensure data security without hurting the bottom line.