Avoiding the worst case scenario: Balancing cost and data security
A few cost-saving decisions can leave the corporate client unhappy and outside counsel fired and potentially brought up on ethics charges.
October 11, 2013 at 04:00 AM
The original version of this story was published on Law.com
Part 1 of this series, “Avoiding the worst case scenario: Data theft during discovery” can be found here.
While most lawyers tend to become ostriches when they hear buzzwords like “cybersecurity,” it may be time they pull their heads out of the sand. There are many scenarios in which corporate clients' data is at risk, and it is up to their outside counsel to ensure that protection. A leak of corporate privileged data can cause catastrophic results, and no outside counsel wants to be responsible when that happens. The real-world scenario below describes how a few cost-saving decisions can leave the corporate client unhappy and outside counsel fired and potentially brought up on ethics charges.
Scenario 2:
You are a large startup technology company with a big ERISA problem. Although you are a startup, you already have a major presence in the social media industry. As a player in the social media world, you are very sensitive to the protection of data, knowing if a slip-up happens, it only takes one tweet, post or email to end your business. You turn to outside counsel, ABC Firm, to handle the case. The case takes place outside jurisdictions where your outside counsel has an office, so you also hire two other firms as local counsel. To stay on budget, you implore all counsel to be cost-conscious, to seek out cost-saving measures and to reduce the hourly charges associated with the case team attorneys.
In order to share work product across the spectrum, the lead counsel, ABC Firm, has decided to use an e-discovery service provider to house all the documents. To share work product easily, ABC Firm determines that it is most cost-effective to have all documents housed on one document repository which lives on a provider's server. As corporate counsel, you automatically assume that all documents turned over will be as safe as you keep them on your internal servers.
ABC Firm receives bids from several service providers and chooses the lowest, as it is far lower than any other company's. That provider is hired, but no one from ABC Firm ever asks any questions about this vendor's data security measures. ABC Firm also hires contract attorneys to supplement the review work and in turn reduces hourly charges pursuant to your request. ABC Firm never asks the contract attorney agency if it does any conflict checks or background checks on transient staff. ABC Firm pats itself on the back for saving you hundreds of thousands of dollars by using such outside providers.
In order to comply with the discovery orders, you must collect hundreds of HR files, which include names, addresses and Social Security numbers of many of your employees. These are turned over to ABC Firm, which in turn sends these files to the provider for processing and uploading to the review database. These sensitive documents go up on the review platform and are then checked by the contract attorneys for responsiveness.
Two weeks after the review begins, several of your employees have had their identities stolen. It seems odd that it happened to so many employees in one company, so suspicion arises. After several complaints to HR and thousands of dollars spent on hiring an investigator to find out if there is someone internally stealing this personally identifiable information (PII), you call outside counsel to discuss the situation. ABC Firm then realizes that both the e-discovery provider and contract attorneys had access to this information. ABC Firm keeps this realization to itself for fear that you will not only fire the firm but potentially bring it up on ethical violations.
Weeks later, the investigator you hired figures out that the identities were in fact all stolen by one individual working as a contract attorney at the agency hired to review the documents. It turns out the individual had a previous record of theft in another state. The individuals whose identities had been stolen spend thousands of dollars and countless hours dealing with the issue. They seek reimbursement from you as it was your turning over of the files that compromised their PII. You are fuming as you have to reimburse all the employees plus pay the investigator fees. You are also upset that outside counsel never brought this to your attention after you mentioned the problem. You not only fire outside counsel, but you bring the firm up on ethical violations.
The ABA model rules dictate that an attorney's obligation of supervision extends to lawyers and nonlawyers in the firm, as well as to third-party service providers. The ethical obligations regarding security of confidential client information also extend to supervision of these providers. The comments to the rule (Rule 1.18: Duties to Prospective Client) state that, “[w]hen using such services outside the firm, a lawyer must make reasonable efforts to ensure that the services are provided in a manner that is compatible with the lawyer's professional obligations . . . including . . . the terms of any arrangement concerning the protection of client information.”
In negotiating contracts with third-party providers, attorneys must be sure that their ethical obligations regarding technological safeguards of client information, as well as any possible added requirements in the attorney-client engagement letter related to such safeguards, are passed along to these vendors. In practice, this duty to supervise eliminates the once reactive and last-minute approach to contracting with outside vendors to support one's litigation. It is no longer acceptable, nor safe, to randomly select a provider based on price or relationship. The vetting of providers must now include the analysis of encryption policies, physical and virtual security measures and, most effectively, a full-scale, on-site audit. This scrutiny can add days and weeks to a litigation time frame, so it is best to conduct such evaluations well in advance to ensure the hiring of a reputable and secure provider, thus limiting exposure to ethics violations.
As outside counsel, it is imperative that you not only assess your own data security policies, but also do the same for any third-party providers that will have access to your clients' data. If a provider is hosting client data, you are obligated to audit its security measures to ensure the safety of that data. This same obligation extends to the use of contract attorneys. It is outside counsel's obligation to ensure that conflicts and background checks are run. If a proper background check had been run in the example above, it would have found this contract attorney had a prior record. It is also recommended that references be checked to ensure that you only contract with reputable providers. Because outside counsel did none of these things in this scenario, ABC Firm most likely violated its ethical duty.
However, as corporate counsel, it is never a bad idea to be involved in these decisions, as it is ultimately your data that is at stake. You can let outside counsel seek out and negotiate terms with providers, but you should make sure that you let outside counsel know your security measures so they can be matched by anyone else touching your data. Since a data breach is good for no one, everyone should have their heads out of the sand and learn to play in the sandbox together.