
Not All Data Is Created Equal: Understanding Your Data Privacy Obligations in Legal Outsourcing

Legal process outsourcing (LPO) arrangements often involve managing large volumes of personal information about an organization’s customers or employees. This often includes highly sensitive data such as financial and medical records, payroll and benefit information, and even social security numbers. When attorneys are exploring LPO as a way to improve the operations of their legal departments or legal practices, privacy and security of client data, as well as issues of legal privilege, must be addressed.

The type of legal outsourcing and the jurisdictions matter

The degree to which a lawyer needs to be concerned about data privacy depends largely on the type of data and information that is shared with the outsourced provider. When a company contracts with an LPO provider for matters related to immigration, bankruptcy, intellectual property, or contract administration, steps must be taken to ensure the security of confidential client information. If the LPO has received sensitive information such as social security numbers, dates of birth, bank account numbers, and other private information, this information must be protected and handled in a way that minimizes risk to the client.

Carry out due diligence

Both in-house and external counsel must understand the laws of the country where the data originates, as well as the laws of the country where the data will be processed. It is important to fully understand the privacy laws and rules within the jurisdiction where the work is performed. In the US, subcontracting attorneys must also ensure that they comply with the requirements of applicable state laws. Given the multi-jurisdictional nature of outsourcing, due diligence is necessary.

Questions to ask

When hiring an LPO provider, there are several questions to ask to help ensure data security:

* What are the qualifications of the people doing the work and what selection process did they go through before being hired?

* Do employees sign confidentiality agreements?

* What kind of supervision and quality control procedures do you have?

* What procedures does the company use to protect the confidentiality of private data?

* What type of physical security is provided to protect customer data from theft or misuse?

* Does the company have a system to identify potential conflicts of interest?

* Has the company had any privacy or security breaches in the past and, if so, what steps were taken to address them?

Supplier contracts are important

Once due diligence is completed, the company or law firm should ensure that vendor contracts include adequate protections, such as contractual provisions related to confidentiality, appropriate use, data security, audit rights, insurance and resources. Depending on the amount and sensitivity of the data being processed, ongoing provider monitoring and management is also essential.

In particular, when outsourcing abroad, it is recommended that the company develop a formal crisis plan to respond to any misappropriation of personal data. This plan would contain an analysis of the legal remedies available in the jurisdiction. It would identify both local legal resources that could be engaged quickly and legal remedies in the event of a security incident or breach of contract.

Fortunately, industry studies regularly show that the top legal process outsourcing providers take security concerns seriously, and may even have more security measures in place than the law firm or company. That said, it’s always good practice to review all security protocols to reduce risk and ensure compliance.
