As law firms transform their IT operations to help manage new cases, third-party organisations are increasingly being given access to business-critical information. But with outsourcing come risks.
Once a law firm has identified some of the risks of outsourcing, then the asset owner (likely to be the partner who owns the client relationship) can conduct a cost/benefit analysis. The risk assessment should enable better decisions to be made, often on a case-by-case basis, about whether the acknowledged benefits of eDiscovery technology outweigh the risks involved in outsourcing. The risk assessment should also help a law firm identify where risks can be mitigated, to improve the circumstances in which outsourcing could be used.
It may well be that tensions arise where, on the one hand, fee earners are keen to access the services to enhance their productivity without considering the risks, and, on the other hand, the risks cannot be reconciled adequately for the firm to allow the technology to be used. It is likely to be a balancing act, but law firms should never risk compromising security through a lack of oversight.
The issues you need to assess before engaging with third-party suppliers
With this in mind, law firms should assess five issues associated with outsourcing eDiscovery services before engaging with third-party suppliers. These are:
- Assess and assign the level of risk (high, medium, low) that each supplier poses to your client’s information (which could vary according to the sensitivity of the matter), then decide what assessments should be made based on that.
- Depending on the level of risk, perform financial checks on the supplier and DBS checks on key staff. Request the right to audit controls and processes. If you are relying on a supplier’s ISO 27001 certification, request the right to spot-check records from time to time.
- Clearly and concisely spell out your expectations in service level agreements that include information security issues such as access controls, nondisclosure agreements and encryption. Request the right to audit the supplier for contract compliance.
- Maintain a professional working relationship. If practicable, visit the supplier’s locations and communicate openly so their strengths are understood, and any problems that may arise can be more easily renegotiated during the contract.
- Ensure contracts have a clean break clause that includes stipulations that information assets would be returned quickly and in a useable format.
Law firms that do the necessary legwork should be able to gain the benefits that eDiscovery can provide.
Adopting information security best practice in the legal sector
The legal sector has widely adopted the international information security standard, ISO/IEC 27001, because of its holistic approach, which covers people, processes and technology as a means of countering data breaches.
Free green paper explains how to secure your law firm
IT Governance has significant experience working with law firms of all sizes and in a variety of geographical locations, helping them implement ISO 27001. To understand how your firm can achieve an internationally recognised level of cyber security with ISO 27001, download this free green paper.
- How top law firms are using ISO 27001 to grow their client base
- The ways ISO 27001 can benefit your firm
- Why stringent data security in the legal sector is a key business enabler
If you have any questions or concerns about supply chain risk management and how it can help your business achieve both greater efficiency and information security assurance, contact us today.
Contact us on 0845 070 1750 or at firstname.lastname@example.org to discuss your information security requirements with one of our advisors.