• May 3, 2024

Not All Data Is Equal: Understanding Your Data Privacy Obligations In Legal Outsourcing

Legal process outsourcing (LPO) agreements often involve managing large volumes of personal information about an organization’s customers or employees. This often includes highly sensitive data such as financial and medical records, payroll and benefits information, and even social security numbers. When lawyers are exploring LPO as a way to improve the operations of their legal departments or legal practices, client data privacy and security, as well as legal privilege issues, must be addressed.

The type of legal outsourcing and jurisdictions matter

The degree to which a lawyer needs to be concerned with data privacy largely depends on the type of data and information being shared with the outsourced provider. When a company contracts with an LPO provider for matters related to immigration, bankruptcy, intellectual property, or contract administration, steps must be taken to ensure the security of confidential client information. If the LPO has received sensitive information, such as social security numbers, dates of birth, bank account numbers, and other private data, this data must be protected and managed in a way that minimizes risk to the client.

Carry out due diligence

Both internal and external counsel must understand the laws of the country where the data originates, as well as the laws of the country where the data will be processed. It is important to fully understand the privacy laws and rules within the jurisdiction where the work is performed. In the US, subcontracting attorneys must also ensure that they comply with the requirements of applicable state laws. Given the multi-jurisdictional nature of outsourcing, due diligence is necessary.

Questions to ask

When contracting with an LPO provider, there are several questions to ask to help ensure data security:

* What are the qualifications of the people doing the work and what selection process did they go through before being hired?

* Do employees sign confidentiality agreements?

* What kind of supervision and quality control procedures do you have?

* What procedures does the company use to protect the confidentiality of private data?

* What type of physical security is provided to protect customer data from theft or misuse?

* Does the company have a system to identify potential conflicts of interest?

* Has the company had any privacy or security breaches in the past and, if so, what steps were taken to address them?

Vendor contracts are important

Once due diligence is complete, the company or law firm should ensure that vendor contracts include appropriate protections, such as contractual provisions related to confidentiality, appropriate use, data security, audit rights, insurance and resources. Depending on the amount and sensitivity of the data being processed, ongoing monitoring and management of providers is also essential.

In particular, when outsourcing abroad, it is recommended that the company develop a formal crisis plan to respond to any misappropriation of personal data. This plan would contain an analysis of the legal resources available in the jurisdiction. It would identify both local legal resources that could be quickly called upon and legal remedies in the event of a security incident or breach of contract.

Fortunately, industry studies regularly show that major legal process outsourcing providers take security concerns seriously, and may even have more security measures in place than the law firm or company. That said, it’s always a good practice to review all security protocols to reduce risk and ensure compliance.
