Legal Process Outsourcing (LPO): Addressing Security Concerns

By | June 13, 2023

A major concern for law firms that are considering whether or not to take the legal process outsourcing (LPO) plunge is that of data protection. Client confidentiality is so rooted in the legal culture, and is such a fundamental aspect of professional legal ethics, that the mere notion of a pair of eyes glimpsing data from across the Atlantic and Pacific oceans sends shivers up the spines of many lawyers. Yet the ironic part is that there is a group of entities whose obsession with security issues may make that of attorneys seem a trivial thing – the outsourcing companies themselves. The building and maintaining of relationships with current and future clients is the lifeblood for service providers.

As outsourcing becomes more widespread and competition in the marketplace grows, the ability to illustrate the existence (and continued use) of powerful safeguards will increasingly become one of the significant factors for companies that are deciding which provider to link up with. Consequently, the leading outsourcing companies take security concerns extremely seriously, which may explain why many domestic studies have shown that the outsourcing process is no less secure, and may in fact be even more secure, than having the same services performed in-house.

Process fidelity is definitely necessary in the legal arena, but this needs to be placed in perspective. While legal documentation does sometimes consist of sensitive information, the sensitivity often stems from the defining characteristics of litigation and practice procedures. Law firms are no different from other companies in that they do not like to have their business practices broadcasted to the general public. However, concerning the type of damage that can be caused by leaking of information, legal data is in general substantially less sensitive than other types of data that have been outsourced for years on a massive scale. When the fact that large banks, financial institutions, and even the IRS are outsourcing on an extended basis, the entire issue of data protection insofar as LPO is concerned is put into clearer perspective. Suddenly, summons and complaints and discovery materials take on a whole new light when attorneys digest the fact that extensive credit histories, records of financial transactions and tax forms are being processed by the millions overseas.

However, this is not to say that legal information should not be afforded the highest degree of protection, especially regarding issues of conflict of interest. The legal community is one that is tightly bound together and thrives on the flow of information between affiliates and adversaries. On a regular basis, members of the defense bars network with members of the plaintiff bars. Moreover, many of the same lawyers frequent the same courtrooms in the same venues, and attend the same continued legal education courses and alumni events. Thus in order to be supremely effective, outsourcing models must place great emphasis on separation of competing interests.

The question therefore becomes: How can a law firm be assured that they are not outsourcing work to a company that is also working on the same matter for opposing counsel? While the chances of this happening may be somewhat slim, it is still a viable concern. The fact that most providers are obligated to keep the identity of their clients confidential makes it difficult for a firm to ascertain whether a current adversary is outsourcing work to the same provider.

Protections for the outsourcing firms can certainly be put into place. First and foremost, the contract between provider and client should make it absolutely clear that the provider must inform the client as soon as it learns of any possible conflict issues.

Second, the firm should make sure that the provider it chooses is able to clearly articulate – and, if possible, demonstrate – the security safeguards it has implemented to ensure the validity of the process. These safeguards should be included in the statement of work agreement, in list format, along with the additional provision that the security devices must be maintained for the breadth of the contract. Thus determination of liability of the contracting parties for any security breach that results in measurable damages will be easier to ascertain.

Third, due to the fact that technology and business procedures must often become intertwined in order for the outsourcing process to run efficiently, the security program used by the vendor should exist on both the physical and virtual levels for it to be as comprehensive as possible. It would be somewhat contradictory for an outsourcing company to rely on the fact that the production staff for two adverse law firms exists in separate offices, on separate floors or even in different cities. The very premise behind the outsourcing process is that physical separation is not a complete bar to the sharing of information – as such, a company cannot on one hand praise the concept that geographical differences are no longer barriers to the exchange of information and data, while relying strictly on geographical barriers as the only security measures put in place by the company. There is no doubt that physical separation of the production staff for adverse businesses is a good step; however, virtual separation is needed as well in order to create a robust security model.

Important questions that law firms may need answered before an outsourcing program is initiated include: How does the provider structure their production units? Are these units separated, and if they are, along what lines does the separation occur? What is the architecture of the physical premises where the work takes place? What kind of office equipment exists in that location? What types of things are prohibited from being brought to the work site? What tracking and auditing features are used in the technology that allows the process to take place? Who is responsible for the tracking and auditing? The general rule of thumb is that if the question is important enough for the attorney to ask, then it should be included in the written contract.

Once the above questions and issues are addressed to the inquiring firm’s satisfaction, the ties can be loosened and the dress shoes put on the desk, because one major aspect of the outsourcing phenomenon has been resolved. True, other issues do abound, but this one is a biggie. If the security concerns can be alleviated, then one huge step has been taken towards reaching the ultimate goal of commencing a mutually beneficial business relationship.