The data security obsession in legal process outsourcing
Aju John
In late 2008, Mark Ross, a director of LawScribe, one of the world’s leading legal process outsourcing (LPO) providers, conducted a survey during a webinar on the ethical implications of offshoring legal work. Forty-nine per cent of the attendees felt that issues relating to security and client confidentiality were foremost among the legal and ethical issues that concerned them about LPO. He recently told me that this was not an isolated instance. “I have conducted numerous polls asking US counsel specifically what their major concerns are relating to outsourcing legal work overseas. Time and again, the major concern is the security of client-confidential information.”
This despite the obvious flaw in their concern, pointed out by Stefan Belinfanti in a March 2006 article: far more sensitive data has been outsourced for years. Surely, legal data like summons or complaints and other discovery material did not require significantly higher protection than data coming out of financial institutions or the revenue services. Even so, leading outsourcing companies had taken the general paranoia about data security in the legal profession to another level and Belinfanti refers to several studies which showed that the outsourcing process was as secure, and at times even more secure, than having the same services performed in-house.
Michael Sahyoun, the Chief Technology Officer at QuisLex, another prominent LPO provider, told me that his services are often held to a much higher standard than those of US and Western European companies. “For instance, litigation document reviews conducted in the US have much looser security controls, if any. Reviewers have unfettered access to the internet, to their personal email accounts and to messaging applications, exposing clients to the possibility of data leakage.”
Heavy investment in security infrastructure
These arguments have not convinced many, and the LPOs are not very concerned with understanding why they are held to a higher standard of security. Mark Ross says that all of LawScribe’s clients demand high standards of data security and client confidentiality, and he is reconciled to the reason. “Our clients are inevitably US attorneys. They are responsible to their own clients and we in turn must shoulder that responsibility on their behalf.” Michael Sahyoun is not too concerned about why certain documentation requires high standards of security and confidentiality. “During the course of our work, we have access to highly confidential information like the communications of executives of large corporations, sensitive pricing information in contracts and upcoming M&A activity”, he says. Kanti Prabha of United Lex adds to this list: customer information, documents related to ongoing litigation, contract documents, and intellectual property information. The importance given to data security management on the websites of LPO providers like QuisLex, LawScribe, Bodhi Global, United Lex and Pangea3 stands testimony to the industry’s seriousness about these client concerns.
The Bodhi Global website refers to “internationally recognised and audited” data security protocols, and “adequate procedures” that deny unauthorised access, loss, destruction, theft, use or disclosure of data. For instance, documents cannot be downloaded, printed or accessed from outside the Bodhi facility. Pangea3’s website talks about “a top notch security management team and information security procedures.” The QuisLex website says that client data is hosted in a tier-one facility offering both physical protection (biometric access controls, state-of-the-art surveillance systems and 24/7 security guards) and network protection (multiple firewalls, strong data encryption and password protection). Offshore facilities are built on a “Redundant-Everything” infrastructure, including network, internet and power backups. LawScribe’s website details all the physical security measures that it uses, including the requirement of a formal ID to enter the premises, closed-circuit security cameras, the prohibition of personal communications or data recording devices, and even the prohibition of handbags and purses, as well as the proper storage and destruction of paper documents. At workstations, all removable drives are disabled from the domain controller and access to external internet protocols is limited by the administrator, while users may only use their own specific log-in details. Software installation is disabled except for system administrators, and only they may change hardware configurations. Printing is also disabled without prior authorisation and clearance. All incoming and outgoing mail is monitored on the Exchange server, and all attachments are filtered.
Other standard measures taken by the leading players include 24x7 monitoring of secured servers, regular anti-virus scans and updating of virus definitions, live documentation of the physical elements in networks, secure Virtual Private Network (VPN) connectivity for the exchange of information, security cameras and non-disclosure agreements with employees.
Layered demand for security?
Mark Ross told me that his clients, “whether large or small corporations or law firms, in-house counsel or outside counsel”, uniformly insist on high standards. Michael Sahyoun agrees. “All clients are exhibiting increasing sophistication in their security measures.” Kanti Prabha told me, “whether it is an RFP based selection process or a relationship based engagement, the need for data security and client confidentiality is not undervalued”. Sakthivel Venkatraman, the Managing Director of Cobra Legal Solutions, gave me a few examples. According to him, his clients, mostly Fortune 500 companies, routinely demand the results of the latest third-party penetration tests, information regarding the method of segregating their data from other “client environments”, information about anti-virus protections and practices, password policies and the controls enforced on passwords in terms of complexity, encryption and periodic expiry, details of the confidentiality agreements with vendors and employees, details of business continuity and disaster recovery procedures, the capacity to store and destroy documentation, the extent of security guard coverage and details of incident response procedures in the event that information is inappropriately disclosed, to name a few.
But this was not what I heard a few weeks ago at the Grand Hyatt during the DARE-IBM event on legal outsourcing. Arihant Patni, the CEO of Bodhi Global, another leading LPO provider, and Poorvi Chothani of Law Quest, an Indian law firm and a niche provider of LPO services, were sharing the panel spotlight with Ritvik Lukose from Rainmaker. Both Arihant and Poorvi agreed that clients are not uniformly insistent on high standards of security. Poorvi noted that there is a price range of less demanding clients for whom smaller LPO organisations, those employing fewer than twenty lawyers, can provide services without spending heavily on security infrastructure. Mark Ross admits one major difference in the attitude towards security among his clients. “Our larger clients are routinely able to justify the expense involved in visiting our Indian facilities and to review our physical, data and network security measures first hand. Smaller clients rely more on references, independent auditing and documented confirmation of security policies and procedures.” Michael Sahyoun refers to the former as the “trust-but-verify” approach.
Trust but verify
“Many clients dispatch their information security teams to audit our facilities, our technologies and our processes”, he says. Companies in highly regulated industries like financial services and healthcare are the most likely to perform a ‘field security audit’. “Some of these audits can be extremely tough and thorough, but we always welcome them because they help us to continuously improve our security measures”, Michael Sahyoun said. Kanti Prabha explained it to me further. “Typically, the client has a team of representatives from their information security/IT department headed by their CIO, who visit our facilities and carry out the audit. The scope of the audit may vary from client to client but generally includes a review of the documentation for various security policies, hands on review of the security controls and conversations with various information security stakeholders at UnitedLex.”
Certifications
Michael Sahyoun is more than proud to announce that QuisLex was the first LPO provider to obtain ISO 27001:2005 certification, “not because anyone asked for it, but because we knew that it would give us and our clients some extra peace of mind.” QuisLex and United Lex have also been EU Safe Harbor certified. This augments Belinfanti’s point about LPO organisations taking the security concerns of lawyers to the next level. Kanti Prabha agrees: “The ISO 27001 standard provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS) in an organisation to enable it to function effectively. The process approach for information security management presented in this standard adopts the "Plan-Do-Check-Act" (PDCA) model, which is applied to structure all ISMS processes.” Sakthivel Venkatraman, the Managing Director of Cobra Legal Solutions, an LPO provider awaiting ISO 27001 certification, underlines the thirst for certifications in the industry. “On the one hand, certificates give organisations the confidence that they have done enough to protect their assets and enable risk managers to gain credibility in the eyes of management. Certificates are also proof to the outside world – to clients, suppliers, shareholders etc., that their information is secure and the organisation is worthy of their trust.” By giving clients the chance to compare global products and solutions which have been checked and verified against the same criteria, “as a loyalty instrument, it is a very effective way to attract clients”.
Ethics training
Ethics training is another area that LPOs have focused on. LawScribe, the first LPO to be accredited by a State Bar (California) to provide MCLE (Massachusetts Continuing Legal Education) Ethics credit on the subject of the Ethical Implications of Legal Outsourcing, has championed this effort. “We are at the forefront of the LPO industry in ensuring that all our employees in both the US and India are fully aware of exactly why our clients place such a high degree of importance on the security of their information. We believe it is important that our employees don’t just comply with a rigorous set of restrictions designed to immunize any risk of information leakage, but fully understand the ethical obligations incumbent on US attorneys, particularly as they relate to attorney and client privilege, conflicts of interest and the protection of client confidential information.” Ethics training has not caught on in the LPO industry the way security certification has, but according to Tarini Arogyaswamy of Rainmaker, who had several conversations on the subject at the Lexis Nexis event for LPOs in New Delhi last week, it is being looked at with considerable interest.
With measures like ethics training and security certification as well as regular investment in security infrastructure and a willingness to undergo security audits, Mark Ross may soon be able to heave a sigh of relief, and finally discard those client presentations on data security.
