Avoiding the worst case scenario: Balancing cost and data security
A few cost-saving decisions can leave the corporate client unhappy and outside counsel fired and potentially brought up on ethics charges.
October 11, 2013 at 04:00 AM
The original version of this story was published on Law.com
Part 1 of this series, “Avoiding the worst case scenario: Data theft during discovery” can be found here.
While most lawyers tend to become ostriches when they hear buzz words like “cybersecurity,” it may be time they pull their heads out of the sand. There are many scenarios in which corporate clients' data is at risk, and it is up to their outside counsel to ensure that protection. A leak of corporate privileged data can cause catastrophic results, and no outside counsel wants to be responsible when that happens. The next real-world scenario below describes how a few cost-saving decisions can leave the corporate client unhappy and outside counsel fired and potentially brought up on ethics charges.
Scenario 2:
You are a large startup technology company with a big ERISA problem. Although you are a startup, you already have a major presence in the social media industry. As a player in the social media world, you are very sensitive to the protection of data, knowing if a slip-up happens, it only takes one tweet, post or email to end your business. You turn to outside counsel, ABC Firm, to handle the case. The case takes place outside jurisdictions where your outside counsel has an office, so you also hire two other firms as local counsel. To stay on budget, you implore all counsel to be cost-conscious, to seek out cost-saving measures and to reduce the hourly charges associated with the case team attorneys.
In order to share work product across the spectrum, the lead counsel, ABC Firm, has decided to use an e-discovery service provider to house all the documents. To share work product easily, ABC Firm determines that it is most cost-effective to have all documents housed on one document repository which lives on a provider's server. As corporate counsel, you automatically assume that all documents turned over will be as safe as you keep them on your internal servers.
ABC Firm receives bids from several service providers and chooses the lowest, as it is far lower than any other company's. That provider is hired, but no one from ABC Firm ever asks any questions about this vendor's data security measures. ABC Firm also hires contract attorneys to supplement the review work and in turn reduces hourly charges pursuant to your request. ABC Firm never asks the contract attorney agency if it does any conflict checks or background checks on transient staff. ABC Firm pats itself on the back for saving you hundreds of thousands of dollars by using such outside providers.
In order to comply with the discovery orders, you must collect hundreds of HR files, which include names, addresses and Social Security numbers of many of your employees. These are turned over to ABC Firm, which in turn sends these files to the provider for processing and uploading to the review database. These sensitive documents go up on the review platform and are then checked by the contract attorneys for responsiveness.
Two weeks after the review begins, several of your employees have had their identities stolen. It seems odd that it happened to so many employees in one company, so suspicion arises. After several complaints to HR and thousands of dollars spent on hiring an investigator to find out if there is someone internally stealing this personally identifiable information (PII), you call outside counsel to discuss the situation. ABC Firm then realizes that both the e-discovery provider and contract attorneys had access to this information. ABC Firm keeps this realization to itself for fear that you will not only fire the firm but potentially bring it up on ethical violations.
Weeks later, the investigator you hired figures out that the identities were in fact all stolen by one individual working as a contract attorney at the agency hired to review the documents. It turns out the individual had a previous record of theft in another state. The individuals whose identities had been stolen spend thousands of dollars and countless hours dealing with the issue. They seek reimbursement from you as it was your turning over of the files that compromised their PII. You are fuming as you have to reimburse all the employees plus pay the investigator fees. You are also upset that outside counsel never brought this to your attention after you mentioned the problem. You not only fire outside counsel, but you bring the firm up on ethical violations.
The ABA model rules dictate that an attorney's obligation of supervision extends to lawyers and nonlawyers in the firm, as well as to third-party service providers. The ethical obligations regarding security of confidential client information also extend to supervision of these providers. The comments to the rule (Rule 1.18: Duties to Prospective Client) state that, “[w]hen using such services outside the firm, a lawyer must make reasonable efforts to ensure that the services are provided in a manner that is compatible with the lawyer's professional obligations . . . including . . . the terms of any arrangement concerning the protection of client information.”
In negotiating contracts with third-party providers, attorneys must be sure that their ethical obligations regarding technological safeguards of client information, as well as any possible added requirements in the attorney-client engagement letter related to such safeguards, are passed along to these vendors. In practice, this duty to supervise eliminates the once reactive and last-minute approach to contracting with outside vendors to support one's litigation. It is no longer acceptable, nor safe, to randomly select a provider based on price or relationship. The vetting of providers must now include the analysis of encryption policies, physical and virtual security measures and, most effectively, a full-scale, on-site audit. This scrutiny can add days and weeks to a litigation time frame, so it is best to conduct such evaluations well in advance to ensure the hiring of a reputable and secure provider, thus limiting exposure to ethics violations.
As outside counsel, it is imperative that you not only assess your own data security policies, but that you do the same for any third-party providers that will have access to your clients' data. If a provider is hosting client data, you are obligated to audit its security measures to ensure the safety of that data. This same obligation extends to the use of contract attorneys. It is outside counsel's obligation to ensure that conflicts and background checks are run. If a proper background check had been run in the example above, it would have found this contract attorney had a prior record. It is also recommended that references be checked to ensure that you only contract with reputable providers. Because outside counsel did none of these things in this scenario, ABC Firm most likely violated its ethical duty.
However, as corporate counsel, it is never a bad idea to be involved in these decisions, as it is ultimately your data that is at stake. You can let outside counsel seek out and negotiate terms with providers, but you should make sure that you let outside counsel know your security measures so they can be matched by anyone else touching your data. Since a data breach is good for no one, everyone should have their heads out of the sand and learn to play in the sandbox together.