Not All Data Is Created Equal – Understanding Your Data Privacy Obligations In Legal Outsourcing
Legal process outsourcing agreements often involve the management of large volumes of personal information about an organization’s clients or employees. Often times, this information includes highly sensitive information, such as medical and financial information, benefits and payroll information, and even personal social security numbers. When attorneys are exploring LPO as a way to improve the operations of their legal departments or legal practices, the privacy and security of client data, as well as issues of legal privilege, must be addressed.
The type of legal outsourcing and jurisdictions are important
The degree to which an attorney should be concerned about data privacy depends largely on the type of data and information that is shared with the outsourced provider. When a business hires an LPO provider for immigration, bankruptcy, intellectual property or contract administration matters, steps must be taken to ensure the security of confidential customer information. If the LPO has received confidential information, such as social security numbers, dates of birth, bank account numbers, and other private information, this information should be protected and handled in a way that minimizes risk to the client.
Conduct due diligence
Both internal and external attorneys must understand the laws of the country where the data originates, as well as the laws of the country where the data will be processed. It is important to fully understand the privacy laws and rules within the jurisdiction where the work is actually performed. In the US, outsourcing attorneys must also ensure that they comply with the requirements of applicable state laws. Given the multi-jurisdictional nature of outsourcing, due diligence is necessary.
Questions to ask
When hiring an LPO provider, there are several questions to ask to help ensure data security:
* What are the qualifications of the people doing the job and what selection process did they go through before being hired?
* Do employees sign confidentiality agreements?
* What kind of supervision and quality control procedures do you have?
* What procedures does the company use to protect the confidentiality of private data?
* What type of physical security is provided to protect customer data from theft or misuse?
* Does the company have a system to identify potential conflicts of interest?
* Has the company had any privacy or security breaches in the past and, if so, what steps were taken to address them?
Vendor contracts are important
Once due diligence is completed, the company or law firm needs to ensure that vendor contracts include adequate protections, such as contractual provisions related to confidentiality, proper use, data security, rights audit, insurance and repairs. Depending on the amount and sensitivity of the data being processed, ongoing monitoring and management of the provider is also essential.
In particular, when outsourcing abroad, it is recommended that the company develop a formal crisis plan to respond to any misappropriation of personal data. This plan would contain an analysis of the legal remedies available in the jurisdiction. It would identify both local legal remedies that could be quickly turned to and legal remedies in the event of a security incident or breach of contract.
Fortunately, industry studies regularly show that major legal process outsourcing providers take security concerns very seriously, and may even have more security measures in place than the law firm or company. That being said, it is always good practice to review all security protocols to reduce risk and ensure compliance.
No Comment