Outsourcing Offshore: Cutting Costs at the Expense of Security?
It’s been estimated that companies with annual revenues over $1 billion spent more than $50 million in legal fees last year. Although electronic discovery (e-discovery) costs have not been pinpointed, they are widely thought to comprise a huge chunk of overall legal fees; in fact, according to a study conducted by Fulbright & Jaworski, lawyers for companies with revenues topping $100 million listed e-discovery costs as their biggest concern.
In response, major companies, including Cisco Systems and Morgan Stanley, have begun outsourcing to India and other offshore countries, where foreign lawyers review documents at a lower cost. Sure, we all understand the desire to cut costs, but if companies aren’t careful, they may incur costs far greater . . .
Obvious concerns about outsourcing to foreign jurisdictions include quality control, issues of professional liability, breaches of attorney-client privileges, and facilitating the unauthorized practice of law. Remember, China, India, and other popular offshore locations lack stringent U.S. data protection and information security laws; moreover, many also lack adequate judicial systems to remedy a problem once it occurs . . .
Francoise Gilbert, of the Silicon Valley-based IT Law Group, recently commented on this issue in her lecture, The Law of Privacy and Data Security, hosted by the Bar Association of San Francisco. Ms. Gilbert stressed that U.S. companies need to make sure their outsourcers abide by U.S. law, and U.S. companies need to closely supervise their outsourers.
For example, if an information security breach occurs at a U.S. company’s foreign call center, the U.S. company remains ultimately responsible; this would be true even if the call center signed a contract to adequately screen and supervise its employees. It’s also important to realize that a breach could occur even if the call center acted in good faith to abide by the contract.
A further example: a call center that conducts background checks on prospective employees might not discover criminal records due to limited search capabilities. So, if an employee committed a crime in a neighboring county, this record would not turn up during the search, she would be hired, and if she uses customer credit card information for fraudulent purposes, guess who pays?