Introduction
Over the last five years the legal process outsourcing industry has begun to take off, with global law firms and corporation, including Simmons & Simmons, Microsoft, Allen & Overy, BT, and Rio Tinto announcing major LPO initiatives. The outsourcing of legal work does raise specific legislative compliance and ethical issues in relation to the outsourcing of lawyer's obligations to his client. Until recently the relevant regulatory bodies in the UK, the Solicitors Regulation Authority (SRA) and the Law Society, have been virtually silent bystanders as market acceptance of legal outsourcing on both sides of the Atlantic has gathered momentum.
It is worth noting that the focus of this article is on legal process outsourcing and a lawyer's accompanying ethical and compliance obligations when outsourcing substantive legal support services, such as legal research, drafting, contract review, drafting and management, document review, legal due diligence support, writing legal memoranda and drafting patent applications.
There is, of course, a degree of overlap with the outsourcing by a lawyer of administrative support functions such as finance and accounting, HR, library services, transcription, document coding and clerical support, particularly when client confidences are disclosed.
UK lawyers would do well to keep themselves abreast of developments on the other side of the Atlantic, as the overriding principles governing both US and UK lawyers’ compliance where their ethical obligations are remarkably similar in both jurisdictions. While not professing to be a definitive “how to” guide to ethical and legislative compliance, this article will provide some practical suggestions aimed at ensuring that UK lawyers avoid falling foul of their obligations.
Lessons learned from the United States
In the US, six Bar Association Ethics Committees and the American Bar Association (ABA) Standing Committee on Ethics and Professional Responsibility have issued opinions discussing the outsourcing of legal work. They have all concluded that US lawyers can outsource legal work while satisfying their ethical obligations. Arguably, the opinion that carries the most weight is the one released by the American Bar Association in August 2008. It is noticeably supportive of outsourcing both generally and for lawyers. It comments that: “The outsourcing trend is a salutary one for our globalised economy”. The Digest to the New York Opinion succinctly captures the major ethical considerations under generally prevailing US rules, even though each state has its own rules they are similar to each other. It states:
“A New York lawyer may ethically outsource legal support services overseas to a non-lawyer, if the New York lawyer (a) rigorously supervises the non-lawyer, so as to avoid aiding the non-lawyer in the unauthorized practice of law and to ensure that the non-lawyer's work contributes to the lawyer's competent representation of the client; (b) preserves the client's confidences and secrets when outsourcing; (c) avoids conflicts of interest when outsourcing; (d) bills for outsourcing appropriately; and (e) when necessary, obtains advance client consent to outsourcing.”
Current UK guidance
In the UK there has been recognition recently at the Law Society that detailed consideration of this growing trend is necessary. Most recently its International Department established an ad hoc LPO committee to examine legal outsourcing in detail. It met key stakeholders (general counsel, law firms, LPO providers and consultants) on a number of occasions to obtain a broad perspective and formulate ethical guidelines. The committee's remit is to recommend to the Law Society and the Solicitor's Regulation Authority (SRA) best practice for firms considering LPO. It is anticipated that more detailed guidance will be forthcoming in the near future.
The SRA did recently issue the first public statement on the ethical implications associated with legal outsourcing, although the guidance is limited. The statement appears to permit the practice of legal outsourcing contingent on the outsourcing lawyer's compliance with his or her existing ethical obligations. The SRA released the following statement towww.LPOEthics.com:
“Where law firms are outsourcing some of their legal or administrative work to other law firms or non law firms, the SRA's guidance is that this is allowed on the basis that all relevant rules are complied with (Solicitors’ Code of Conduct 2007) and that the arrangement is made transparent and is agreed with the client”.
Particular rules which would apply in legal outsourcing are:
• Rule 4 Confidentiality
• Rule 2 Client Care and Costs Information
• Reserved activities/legal work must not be carried out by non lawyer organisations
• Indemnity insurance provision to cover acts/omissions resulting in issues of negligence or inadequate professional services
In accepting work from clients, the firm must always consider whether it should be outsourced at all, as they should have the necessary resources and competency to undertake the tasks. In summary a firm must act in the best interests of their clients and comply with their core duties.
Based on the currently available guidance, solicitors are free to outsource a wide variety of legal support work to paralegals, trainee solicitors, temporary solicitors and offshore resources, subject of course to adherence to the Solicitors’ Code of Conduct and the relevant obligations set in it.
The rules impacting on outsourcing are detailed in Rules 1–5 and deal with: acting in clients’ best interests, providing a good standard of service, avoiding conflicts of interest and keeping client confidences and supervision. It should be noted that other than the limited statement from the SRA, detailed above, the rules in their current form refer not to true legal process outsourcing work, but rather to the outsourcing by a law firm of administrative and support functions.
Rule 4: Confidentiality and disclosure, 8(f)
If services such as word processing, telephone call handling or photocopying are outsourced the firm must be satisfied that the provider of those services is able to ensure the confidentiality of any information concerning clients. This would normally require confidentiality undertakings from the provider and checks to ensure that the terms of the arrangements regarding confidentiality are being complied with. Whilst there might be implied consent to confidential information being passed to external service providers, it would be prudent to inform clients of any such services it is proposed to use in terms of business or client care letters.
Elsewhere, the Law Society model client care letter and accompanying practice note indicates that outsourcing should be disclosed and informed client consent be obtained, consistent with duty of confidentiality.
4.1.7 Outsourcing of work
Where work on client files is outsourced, there is a risk that the outsourced provider may breach client confidentiality. Drawing attention to this risk may mitigate any breach of confidentiality which then occurs, but there is still the risk of a finding of misconduct or inadequate professional service. There must be a confidentiality agreement with suppliers. Terms and conditions should advise the client if the practice outsources work and the type of work it outsources; alert the client to the potential risks in relation to preserving client confidentiality; ask the client to state whether they object to this practice.
The practice note suggests the inclusion in the client care letter of a paragraph seeking the client's informed consent:
“Sometimes we ask other companies or people to do typing/photocopying/other work on our files to ensure this is done promptly. We will always seek a confidentiality agreement with these outsourced providers. If you do not want your file to be outsourced, please tell us as soon as possible”.
In both UK and US jurisdictions, whether within an individual State's Rules of Conduct or the ABA's Model Rules of Professional Conduct or the Solicitor's Code of Conduct, ethical rules exist that affect a legal outsourcing relationship. These rules ensure that only a lawyer, qualified in the appropriate jurisdiction, practises law within that jurisdiction or undertakes “reserved activities” that are the remit of qualified lawyers.
If a legal outsourcing company is engaged to assist in the performance of a legal task, the outsourcing lawyer must ensure that adequate supervision is in place by a lawyer within the firm competent to perform the particular legal task and to evaluate the work undertaken by the legal outsourcing company.
Although imminent guidance on both sides of the Atlantic appears to be forthcoming, this is not a foregone conclusion. Whether in the form of amendments to the Model Rules (US), Solicitor's Code of Conduct (UK) or the issuance of “best practice guidelines”, the legal profession awaits with bated breath.
UK data protection export issues
There are specific UK data protection law issues that arise as part of legal outsourcing engagements and affect whether personal data can be exported to India, the Philippines and other offshore destinations. It is beyond the scope of this article to provide a rigorous examination of the relevant legislation, but it is important to cover the key points.
The relevant piece of UK legislation is the Data Protection Act 1998 (the “Act”) which implements the 1995 EU Data Protection Directive. The Eighth Principal of the Act states:
“Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”.
As far as the export of personal data is concerned, India and the Philippines do not have adequate statutory regimes in place. There are several methods available under the Act by which the requirements of the Eighth Principle can be met and the export of data to India and the Philippines can be permitted. Some of these methods are as a matter of law deemed to be compliant with the Act. Other methods involve making a determination that the approach taken is sufficient to establish “adequacy”. The methods that involve a subjective determination as to their veracity clearly do not provide the same degree of certainty.
The most common approach taken in legal process outsourcing engagements that involve the potential export of personal data to India or the Philippines is to incorporate into the Master Services Agreement with the client what are termed the “Model Clauses” This approach is compliant with the Act. The Model Clauses have been approved by both the EU and the UK's Information Commissioner as sufficient to meet the requirements of the Eighth Principle.
It is further important to note that the Act binds the UK customer (law firm or corporate client engaging in LPO) who, as the person who “determines the purposes for which and the manner in which the personal data is, or is to be, processed”, will be deemed to be a data controller under the Act. In virtually all legal process outsourcing arrangements the LPO provider would be deemed to be a data processor under the Act. This distinction is important, because:
• Most of the obligations under the Act apply to the data controller, not the data processor, including the core eight data protection principles;
• The data controller is responsible for determining how the personal data should be processed and the data processor must follow the data controller's instructions; and
• The data controller is responsible under the Act for the data processor's acts in processing the personal data.
The obligations of the LPO provider are to process personal data in accordance with the instructions of the data controller and to ensure that such processing is carried out with “appropriate technical and organisational security measures”.
Recommended proactive steps an LPO provider should take to ensure compliance with the above include:
• Complying with internationally recognised independent security standards such as ISO 2700;
• Inviting client appointed third party information security auditors to inspect the LPO provider's operations;
• Appointing an in-house data protection officer. This ensures that the client has a single point of contact at the LPO provider.
Limitation of liability
An interesting dilemma for law firms is whether the firm is able to limit its liability with a corporate client, where the corporate client mandates the utilisation of an LPO provider for certain legal functions and contracts directly with the LPO provider. This contractual arrangement is not uncommon practice particularly in the arena of large-scale document review.
For example, envisage the scenario where a corporate client contracts directly with the LPO company to undertake a first pass review of a significant volume of electronic documents, whilst instructing its outside counsel law firm to undertake a second level review and to provide comprehensive case strategy and advocacy.
Both statute (s 60(5), Solicitors Act 1974), and the Solicitors’ Code of Conduct (rule 2.07) restrict a firm's ability to limit liability to its clients, but these rules only apply to work that falls within the scope of the client engagement i.e. detailed within the retainer agreement. The law firm is perfectly capable of excluding a particular task from the scope of legal services which it has been retained by its client to perform. In this scenario, if a particular task is excluded, the Solicitors Act and Code of Conduct would not apply. It then becomes a risk versus reward consideration on the part of the corporate client, who is free to instruct the LPO provider and outside counsel to undertake distinct and separate legal tasks relating to the same matter and to accept that each will be liable for its own work.
The engagement letters must define clearly who is responsible for a particular task. This is where in practice difficulties may arise particularly, as in the example stated above, where the law firm has been engaged to undertake a second level review. The practical reality of a document review engagement is that it is a fluid, interactive process, with ongoing communication, deliberation and consultation between the parties. The wording in the retainer agreements of the parties would require extremely careful drafting to ensure the proper allocation of liability.
Furthermore, if the law firm has played a role in the selection or recommendation of the chosen LPO provider, there remains the possibility of a claim for either negligent selection or negligent misstatement. In the scenario where the law firm is performing a second level review of work initially undertaken by the LPO provider it would appear difficult for the law firm to exclude its duty of care, as it is clearly accepting some responsibility for the work performed by the LPO provider. The law firm could limit the potential for such claims in its terms of engagement with the client, by expressly excluding liability in relation to the tasks being performed by the LPO provider. Alternatively, the law firm could require the LPO provider to indemnify it for any loss suffered as a result of the provider's negligence.
Conclusion
UK law firms contemplating legal outsourcing are well advised to discuss with their LPO providers the proactive steps both parties must take to ensure compliance with the Data Protection Act. Incorporation of the Model Clauses are also a must when outsourcing to either the Philippines or India (two of the most common offshore LPO destinations). In addition, as discussed above, although with extremely careful drafting and delineation of responsibilities in the client retainer letters, limitation of liability may be possible in an LPO engagement, law firms must be aware of the practical difficulties of such a separation and the remaining possibility of a claim for negligent selection or misstatement.
Disclaimer
This article contains suggestions and thoughts about legal ethics in the field of legal outsourcing. Nothing in this article should be construed as legal advice or be interpreted to advance a policy or impose a duty or obligation. All statements in this article are the opinions of the author.
