Law firms and the risks of outsourcing

padlock-597495_1920As the legal sector undergoes transformation and seeks help in using new technology to manage cases, third-party organisations are increasingly being given access to business critical information. There are a number of drivers for this, including the introduction of alternative business structures (ABS), which are now allowed to offer legal services. This has increasingly driven larger law firms to use technology to maintain their historic advantage.

The potential introduction of online courts will affect small firms the most, which will, in turn, drive them to increase their capabilities to submit digital evidence securely. The evidence that lawyers use to support their arguments is undoubtedly going to consist of more digital information, such as data from mobile phones, electronic correspondence, and many other sources.

Where technology transforms the value of all this digital information is in the use of eDiscovery services

eDiscovery refers to the presentation of electronic information as evidence in legal cases or government investigations. Because electronic evidence is often associated with information beyond the scope of the given case, it needs to be handled carefully to avoid presenting information that should otherwise remain confidential. eDiscovery services are often outsourced because it is difficult to make a business case for investment in an emerging technology and the expert personnel required, especially when it may be usurped if a better solution emerges. And, of course, using a supplier brings its own potentially severe risks, because of the consequences of an information security failure by a supplier.

eDiscovery technology is designed to process client data, which is often the most confidential, contentious or market-sensitive information a law firm owns. Client data forms the heart of high-value cases (both in financial and reputational terms) both for law firms and their clients. The technology may involve data being created and processed in a virtual environment, and managed by a third party to the eDiscovery supplier, which is yet another step away from the law firm’s control.

Law firms should ensure they take a holistic approach to their risk assessment of eDiscovery services. Although a strong appreciation of IT and cyber security concepts is required, the fundamental issue is how risk is managed so that clients can be assured that their law firm is complying with their requirements. The key to ensuring that technology is used effectively is to ensure there is a consistent, firm-wide approach and a high degree of oversight from the law firm’s risk management teams. Some of the threats they should consider are summarised below:


Accidental threat

  • Internal
    • Human error
      • Inadequate training by a supplier leads to data being mishandled and its legal admissibility being compromised.
      • Confusion over different client requirements leads to data being mishandled.
      • Courier delivers portable media to a wrong address, leading to loss or compromise of information.
    • System malfunction
      • A supplier has inadequate or poorly maintained IT infrastructure, which leads to processes crashing and missed deadlines.
    • Process error
      • A supplier uses a technical process that the other side disputes, leading to the evidence being ruled inadmissible.
    • Regulation
      • A supplier ‘offshores’ information for processing, leading to the information becoming inadmissible.
    • Lack of liability
      • Unlimited liability leads to a law firm suffering a successful and high-value claim (beyond its insurance cover) from a client, for a mistake emanating from a supplier.
    • Conflict issue
      • A lack of conflict checking by a supplier leads to confusion with similar work from opposing sides of a case, and evidence being exposed to the other side to the detriment of the law firm.
  • External
    • Natural disaster
      • A flood/fire at a service provider destroys information on which a law firm was relying.
    • Utility outage
      • A power cut at a service provider’s facility leads to interruptions in processing information required for a court-imposed deadline.

Deliberate threat

  • Internal
    • Arson
      • A disgruntled service provider’s employee sets fire to a production facility.
    • Theft
      • A disgruntled service provider’s employee copies a law firm’s sensitive client information and seeks to sell it to the media.
  • External
    • Hacking
      • Annotated documents are accessed through a supplier’s IT systems and exposed to the opposing side in a case.
      • A law firm misses a court-imposed deadline owing to a breach at a supplier and suffers reputational loss.
    • Malware
      • Ransomware locks a supplier’s system, leading to a law firm’s data becoming unavailable and to a court-imposed deadline being missed.
    • Hi-tech crime
      • A supplier’s emails are intercepted, leading to a law firm’s virtual data room login credentials being compromised, and sensitive M&A information being exploited for insider trading.
    • Fraud
      • A law firm suffers financial loss as a result of a vishing attack, which gained information from a supplier’s IT systems.
    • Protest groups
      • Contentious information is exposed following a tip-off from a disgruntled service provider employee.

About IT Governance

IT Governance is a global provider of information security solutions, and has helped law firms of all sizes (and across multiple locations) achieve their information security objectives through a mixture of tools, training, consultancy and penetration testing. We can help you with our affordable, fixed-price solutions too.

Contact us on 0845 070 1750 or at servicecentre@itgovernance.co.uk to discuss your information security requirements with one of our advisors today.