Mind Your Business

4 data security considerations for GCs when engaging contract lawyers


Image from Shutterstock.

Contract management. Compliance updates. Discovery responses. Intellectual property portfolio management. These rote, often-time-consuming tasks can all be part of an in-house counsel’s day-to-day schedule. The problem? Many can devolve into costly time sinks for a legal department’s salaried talent.

While generative artificial intelligence has the potential to take away some of this lower-level work, it’s not quite there yet. Many workplaces do not allow the use of tools such as ChatGPT because of data security concerns. Although the legal technology sector is coming up with different applications to help general counsels, they are still a long way off from replacing actual human beings.

In light of the ever-increasing pressure from the C-suite to trim costs, in-house legal departments have gravitated toward engaging remote contract attorneys to help shoulder some of this important but comparatively lower-value work. This includes individual contract lawyers, as well as alternative legal services providers and vendors that can spread tasks across a bench of attorneys in multiple time zones and cost-efficient jurisdictions.

Leveraging remote contract lawyers and vendors, however, can have drawbacks—including increased data security risks. As we saw in the early days of the COVID-19 pandemic, giving remote workers of any type access to a company’s information technology systems only increases the possibility of costly data breaches and additional liabilities.

Given that the average cost of dealing with a security breach in 2023 reached an all-time high of $4.45 million, according to a report by software company IBM Security, data security must be top of mind when engaging contract lawyers.

Naturally, GCs must balance cybersecurity and work-access considerations to ensure that the risks of introducing new remote attorneys and vendor partners do not outweigh the benefits. When they account for these factors properly, GCs can have a reasonably safe, secure blueprint for supporting and leveraging remote lawyers to strengthen the legal function.


1. Manage sensitive information through strategic delegation

A key first step when engaging contract attorneys and vendors is also the simplest: Mitigate risk by assigning work involving less-sensitive data.

Often, in-house departments outsource projects to free up internal talent without thinking through the information that they share. While this is understandable, GCs should know that every task that they delegate involves disclosing at least some proprietary company data.

With that in mind, GCs should approach any fresh contract attorney or vendor much as they would a new internal hire: Assign out low-risk tasks until the outsourced talent have proven that they are trustworthy and can handle more responsibility.

In doing so, GCs must assess the sensitivity of the information involved in early assignments and the risks that could arise from sharing it. When starting with new contract lawyers and vendors, GCs should prioritize tasks involving nonproprietary, publicly known or lower-priority data that would not present substantial liability risks if disclosed. Assignments involving standardized contracts and nondisclosure agreements that the company regularly sends to clients, for example, would meet these parameters.

2. Establish security frameworks at onboarding

Once onboarded, vendor contract attorneys and individual remote attorneys will have at least limited access to sensitive corporate information, which will no doubt expand over time. To set the stage, legal departments should partner with internal IT leaders to identify and emphasize the organization’s preferred data security priorities and use that to inform the onboarding process. These preferences will vary from company to company and task to task but can encompass access controls, incident response protocols and data protection and handling practices.

When vetting a vendor, legal departments, either with their in-house personnel or an outside auditor, should examine that potential partner’s firewalls, encryption, data backup safeguards and other security features to ensure that they comply with the company’s requirements.

GCs should confirm whether the vendor’s lawyers will work on the premises—with the vendor’s equipment, security safeguards and servers—or from their personal offices with their own security setups. Engaging penetration testers who can vet a vendor’s protections and leveraging dedicated vulnerability scanners can both give invaluable information on the vendor’s capabilities.

GCs can also negotiate well-drafted clauses into their service agreements to ensure that any vendor stays compliant throughout the engagement. Offshore attorneys are typically hired through a U.S.-based alternative legal services provider or staffing company, which would be bound by the same contractual clauses.

Companies working with individual contract lawyers should take more of a lead in outlining their security and access needs given the absence of an intermediary and see whether the attorney would be a good fit for the proposed engagement. Given the obvious differences between an individual attorney’s security capabilities and a vendor’s security capabilities, GCs should adjust their analysis and security expectations accordingly.


3. Double-check ISO and other cybersecurity certifications

Any vendor or individual remote attorney an in-house department retains must follow standard practices around data security and IT infrastructure to ensure a safe, secure and collaborative working experience. If an in-house department is considering a vendor, it should ensure that the vendor possesses industry-recognized security certifications and abides by those standards in its client work.

While necessary certifications can vary depending on the organization’s key sectors and business needs, in-house departments should pay close attention to whether their potential outsourcing partners meet International Organization for Standardization cybersecurity standards. These international standards set baseline security protocols across varied industries, including cybersecurity and IT.

The ISO certification that in-house departments should check for first is ISO 27001. This standard sets out the required frameworks for handling sensitive information, specifies security controls, and calls for a robust information management system for managing, sharing and transferring data.

However, various industry data security and integrity standards could also apply depending on the company’s target sectors and the work that the in-house department is outsourcing. In-house departments engaging in federal-government-commissioned projects should ask vendors about their plans to comply with the NIST Cybersecurity Framework 2.0, which sets expectations for handling sensitive government data.

GCs in other sectors could ask potential vendors how they satisfy System and Organization Controls 1 and System and Organization Controls 2 (SOC 1 and SOC 2) standards, which the American Institute of Certified Public Accountants established for handling financial reporting data and privacy controls.

4. Bolster company-side security

IBM Security’s Cost of a Data Breach Report 2023 revealed that incidents related to remote working added more than $173,000 on average to the mean cost of a data breach. Therefore, any organization experimenting with outsourcing should ensure that their cybersecurity infrastructure is robust.

A big component of successful remote work strategies? Encryption, encryption and more encryption. This tenet will be important regardless of whether a company engages a large-scale vendor or a small group of individual contract lawyers.

Ideally, a company’s remote work safeguards should integrate multifactor authentication, virtual private networks and even secure web gateways to address vulnerabilities in an individual attorney’s or vendor’s network. If possible, they should also use remote device management systems to monitor for unauthorized software updates, downloads and the like on the remote lawyer’s virtual server.

Extra protections could be necessary for remote lawyers and vendors working with sensitive data. GCs should work with the company’s IT teams to establish user access privileges for databases containing proprietary data and use “zero trust” access methods that require regular re-authentication.

These methods can reduce the risk of outside attorneys compromising the company’s cybersecurity protocols while ensuring that they have the account access levels necessary for supporting the company’s efforts.

As with any outsourcing endeavor, working with remote attorneys can involve several challenges. With the right tools, testing and delegation strategies, in-house counsels can safely and securely tap into an eager global workforce to help their day-to-day operations run more smoothly.

Tariq Hafeez is the co-founder and president of LegalEase Solutions. He helps original equipment manufacturers and in-house legal and compliance teams leverage legal transformation to improve and streamline how they approach legal research, compliance, contract management and litigation analytics and support.

Mind Your Business is a series of columns written by lawyers, legal professionals and others within the legal industry. The purpose of these columns is to offer practical guidance for attorneys on how to run their practices, provide information about the latest trends in legal technology and how it can help lawyers work more efficiently, and strategies for building a thriving business.


This column reflects the opinions of the author and not necessarily the views of the ABA Journal—or the American Bar Association.
