Security Considerations and Priorities When Offshoring Legal Work 

Outsourcing or offshoring legal work is increasingly popular at law firms. With the right tools and processes in place, it doesn’t have to mean an increased security risk. 

Law firms have been outsourcing legal work for decades. However, with today’s cresting cybersecurity concerns, outsourcing endeavors seem riskier than ever. Legal outsourcing options have broadened to include offshoring, nearshoring, and building out internal captive consulting firms. However, though outsourcing offers many efficiencies, each brings its own security challenges that must be locked down for risk management, client protection and compliance purposes. 

Law firm IT, legal administrators and managing or technology partners must be vigilant around security issues when deciding to outsource legal work. Here are five core principles of security across various forms of legal outsourcing which can help guide firms to a low-risk, security-assured status. 

Data Classification

At its most basic level, data classification focuses on separating out general data from sensitive data. It also involves pinpointing where the data is located—where it is stored on servers and in applications, and how the data is being used. In a law firm, lawyers and legal staff who work with clients are likely to have sensitive information that is confidential or privileged, so this data requires special care. Also, if a law firm is outsourcing data to other states or countries, the firm must be mindful of adhering to compliance requirements which apply to that data. 

Data Loss Prevention

Examining data loss prevention requires looking at 3 distinct parts: 1) Data at rest (sitting idle on a disk); 2) Data in use (data being sent to/shared with someone); and 3) Data in Motion (data being transferred from one network to another). Law firms need a security platform that prevents data loss and exfiltration for all three of these parts. Work product in a law firm—primarily documents and correspondence—is truly an intellectual property (IP) issue. Proper handling of the firm’s and its clients’ data correlates to a manufacturing company’s most careful management of its company’s most precious physical assets and inventions. Data loss risk should be mitigated or eliminated wherever possible. 

Privileged Access Control

As a Managed Services Provider, Afinety operates on the premise that access should be as least privileged as possible. This means that each person at the firm should be granted the minimum data access needed to successfully complete his/her job, but no more. When working with an outsourced organization, the law firm’s IT professionals should ask the outsourcer which users need access to which data and why. Starting with a minimum and expanding access based on exceptions and specific use cases is smart security. It’s much easier to lock down more controls first and gradually grant privileges rather than granting a wide variety of data access privileges only to take them away later. 

Regulatory Compliance Including Local Privacy Laws

Local data privacy laws can throw a monkey wrench in legal outsourcing plans, especially when law firms realize that conducting work in other countries opens them up to regulatory compliance variables they did not expect. Some countries will not allow data to be moved/transferred out of the country. Others will restrict data from being hosted in another country. In the U.S., each state has its own data privacy laws, with the California Consumer Protection Act (CCPA) being the first, followed by a slew of other state-specific laws. To some extent, the outsourcing vendor has a duty to represent its compliance capabilities for the jurisdictions in which they operate. However, the law firm must have its own internal resources to verify the vendors’ claims to ensure they meet the necessary compliance standards that protect the firm and its clients from risk. 

Offshore Vendor Due Diligence

National and global security standards have created order and an atmosphere of trust in the once Wild West of offshoring. Law firms performing due diligence when vetting outsourcing vendors are well-served to look for ISO/IEC 27001 (“ISO”) security certification. ISO has become a widely accepted international standard to manage information security. The ISO standard was originally published by the International Organization for Standardization and the International Electrotechnical Commission in 2005, revised in 2013, and again revised in 2022 so it is up to date. ISO security certification has recently become more widely accepted in the United States and is a tested benchmark to look for when vetting outsourcing vendors. Requirements for ISO compliance are strict, so vendors who have received ISO certification have already cleared a high bar for security. ISO certification combined with reference checks and vendor risk assessment questionnaires will provide sufficient due diligence for the law firm when selecting outsourcing service providers. 


Law firms have many reasons to outsource legal work while still maintaining their data security. By properly administering their data classification, preventing data loss, exerting privileged access control measures, heeding regulatory compliance laws, and executing offshore vendor due diligence, firms decrease their risk and uphold security requirements. With these core principles in place, the firm can reap the benefits of outsourcing while also keeping the firm’s assets and clients well-protected. 

Kshitiij Kathurria is CISO (Chief Information Security Officer) of Afinety, a leading managed cloud and IT services provider for law firms, a Netgain Cloud company. For more than 30 years, Afinety has partnered with law firms to help them drive profitability and growth through smart technology decisions and seamlessly integrated hosted desktops. Contact Kshitiij at 

“Reprinted with permission from the December 20, 2022 edition of Legaltech News.”