Law firms engage a variety of vendors and third parties in their practices, including document review services, e-discovery providers, temporary staff and lawyer services, cloud storage providers, recruiters and placement services, and more. These arrangements have various risk management aspects, including preserving confidentiality; data security; unfavorable contract terms such as defense and indemnification obligations; and, in some instances, personnel management and conflict of interest concerns.

At the 2022 Law Firm Symposium in Chicago, Aon loss prevention team member Mark Webster moderated Managing Vendor, Outsourcing, and Other Third-Party Relationships. Featuring Marty Kaminsky of Greenberg Traurig, LLP, Pam Webster of Buchalter, and Julie Wells of Bracewell LLP, this panel discussed strategies for managing law firms’ relationships with vendors and other third-parties. We recap below some of the insights from the panel, touching on professional responsibility issues, the vendor selection process, vendor service agreements, and data security concerns.

I. Professional Responsibility Issues

Law firms may ethically outsource both legal and nonlegal services. Indeed, a client’s representation might require a vendor’s assistance if a law firm cannot itself deliver necessary services like e-discovery or privacy law compliance. The key is for outsourcing lawyers to take care that a vendor’s conduct is compatible with their own ethical obligations.

Law firms should exercise reasonable care in selecting competent vendors, but they must also adequately supervise their performance through active control and frequent communication. Designating someone within the firm who has sufficient expertise to oversee the vendor ensures that a vendor never works in isolation. If a client directs a firm to use one of its preferred vendors, a firm should still assign a lawyer to manage the work—even if the firm cannot bill the client for the supervision.

Competency and supervision are not the only ethical duties to consider. Vendor fees must be reasonable. The corollary is that, while a law firm may be able to competently perform a task in-house, the associated expense may not result in a fair bill. In such circumstances, a firm should investigate available outsourcing solutions that are more cost efficient.

Law firms also have a duty to preserve confidentiality when outsourcing to third parties. An enforceable commitment to secure the client’s information as part of the services agreement, as well as written reminders to vendors regarding lawyers’ confidentiality duties, are sensible steps. Law firms should also consider how client information will be handled and stored, and whether vendor employees will have access to it. Depending on the services, firms may need to inquire whether a vendor is performing any work for parties adverse to their client.

The engagement agreement is a useful tool to make appropriate disclosures to clients about outsourcing arrangements, such as notifying clients about the firm’s use of vendors for services that involve access to their information and outlining how the firm will charge the client for related expenses. Lawyers must typically obtain a client’s informed consent to release confidential information to a vendor, particularly when close supervision is not feasible. Absent client authorization, law firms may not markup vendor fees.

II. Vendor Selection Process

As part of the vendor selection process, law firms should draw on the knowledge of people within the firm who practice in the relevant area or who understand the specific issues. Consultants can also be a valuable resource to guide firms through the process if firms lack the related expertise in-house.

When evaluating potential vendors, a law firm should assess the vendor’s reputation, qualifications and experience, the quality of its services, its financial stability, security measures in place to protect confidential information, and the terms of the services agreement. It is worthwhile to check references, identify the owners of the company, interview members of the vendor’s principal team, and speak with other law firms that have used the vendor.

Implementing a formal vendor selection process should generate more reliable due diligence and allow for easier comparisons between vendors and documentation of the decision process along the way. Due to the emergence of outside counsel guidelines, however, clients may direct law firms to use a list of approved vendors that clients have already vetted or have bargained with for special financial terms.

III. Vendor Service Agreements

A law firm’s approach to reviewing and negotiating vendor service agreements will necessarily depend on the size and resources of the firm, and the nature and importance of the specific vendor. It is prudent for law firm general counsels to lean on lawyers and staff within their firms who are more conversant in the relevant services. Larger law firms with a contract group to handle everyday vendor contracts should bring any provisions that pose a heightened risk to the general counsel’s attention.

Some vendors propose one-sided contracts and follow a “take-it-or-leave-it” approach, while others are willing to discuss law firms’ concerns. Either way, law firms must carefully review these contracts because vendors may attempt to limit their liability, impose steep penalties for early termination or hiring a vendor’s employees, and require indemnification beyond losses that are proximately caused by a firm’s negligence. A firm also must be comfortable with a vendor’s forum selection and choice of law provisions, as well as any clause mandating arbitration of disputes.

Other contractual provisions that merit extra attention include work product ownership rights; access to stored information if the relationship is interrupted or terminated; notification requirements if the vendor suffers a security incident or receives a third-party subpoena; and the vendor’s liability insurance limits. To the extent possible, it is useful to identify the vendor’s subcontractors that will be part of the contract and require them to comply with any policies and provisions imposed upon the vendor.

Most law firm policies governing vendor selection and management require lawyers to obtain the approval of the firm’s chief operating officer, general counsel, or other designated individual before signing any contract. From a firm protection standpoint, it is generally preferrable to have the client sign the vendor contract and assume responsibility, although there may be situations where a firm strategically signs the vendor contract to bolster its position that its communications with the vendor are protected by the attorney-client privilege.

IV. Data Security Concerns

Breaches attributable to outside vendors are one of the most frequently reported claims among Aon’s law firm cyber insurance clients. To ensure that vendors can reasonably protect law firm and client information, firms should verify vendors’ data breach history, security controls and recoverability methods, and even cyber insurance coverage. If a vendor relies on subcontractors to access or store information, then law firms should also inquire whether those entities have sufficient security protocols in place.

Some law firms rely on their IT department to handle vendor security due diligence and seek related assurances and certifications. Other firms create vendor security checklists based on client outside counsel guidelines and the firms’ own expectations, and then ask vendors to demonstrate that they can satisfy those requirements. A third option is to outsource the assessment of vendors’ security measures and qualifications to an expert.

Most reputable vendors will provide commitments in their agreements to adhere to applicable data privacy and security laws, regulations, and industry standards. Nevertheless, monitoring the chosen vendor’s security measures on a periodic basis is necessary to satisfy lawyers’ supervisory obligations over non-lawyers. Not even the most diligent law firms can foreclose the possibility that a vendor will suffer a data beach or similar security incident. Law firms do not need to be perfect, but they must be prepared to establish that they took reasonable steps to find competent and reliable vendors.

Contact

The Professional Services Practice at Aon values your feedback. To discuss any of the topics raised in this article or to learn more about our Loss Prevention services, please contact Matthew Corbin or Mark Webster.

Matthew Corbin
Managing Director
Kansas City







Mark Webster
Senior Vice President and Executive Director
Kansas City

Loss Prevention Team

Matthew Corbin Senior Vice President and Executive Director
Kansas City
+1.816.698.4660
[email protected]

Jennifer Finnegan Senior Vice President and Executive Director
New York
+1.609.203.4903
[email protected]

Sarah O’Neill Executive Director and Senior Vice President
London
+44.(0)20.7086.0421
[email protected]

Mark Webster Senior Vice President and Executive Director
Kansas City
+1.913.201.3446
[email protected]