If you were like me, you probably got one of these emails this weekend from a number of companies that were exposed to a hack from their outsourced email campaign company, Epsilon Interactive.
Here’s one example I got from Robert Half Legal:
So far, I’ve received one from Robert Half, BestBuy, McKinsey & Co., and AbeBooks. However, according to Mashable, the list extends to many well know companies including, Kroger, TiVo, US Bank, JP Morgan Chase, Capital One, Citi, Ritz-Carlton Rewards, Walgreens, LL Bean, the Home Shopping Network, and many, many more.
The idea that so many well-known and respected companies were using this single-source for their email campaigns made me wonder about the risks that are involved with this type of outsourcing and how substantial the effects of a single company’s compromised information has on the multiple companies that use the services. The outsourcing of this type of service makes perfect sense when looked upon by a single company, but at what point does the risk overwhelm the benefits when an outsourcing company becomes a single point of failure for multiple companies?
This made me wonder about the outsourcing needs for law firms. On an individual law firm basis, it may make perfect sense to outsource a number of processes. However, when we stand back and look at the risks that an outsourcing company takes on for its entire customer base (multiple law firms) then the risks to the individual firm become greater. For example, if multiple law firms were to outsource their email systems to a single cloud-based system, or outsource all e-discovery to a single provider, or keep data from their client relationship management (CRM) tool on an outsourced system, the initial risk may seem very low, and the benefits very high. However, the risk may actually be much higher than you anticipate as more firms outsource their information to a single vendor.
Now, before you start thinking that I’m totally against outsourcing certain processes, there are a number of good reasons why firms outsource processes. Outsourcing, when used in the right way, can create a much more efficient process, can be overall less expensive, and can be scaled up and down according to the needs of the firm. Even the chances of someone hacking into the information can be far less likely from a well established outsourcing company’s system when compared to the chances of a law firm’s local information being hacked. So, there are substantial benefits to outsourcing that make perfect sense when looking at your firm’s individual risk/benefit analysis.
The issues that confront an outsourcing group like an Epsilon, however, bring in risk factors that perhaps firms do not contemplate initially because they tend to think of their individual risks only, and not the risks that might happen if the firm’s data is compromised and then commingled with data from a peer firm’s compromised data. Just think of the conflicts checking that would have to occur if you had to include client representation from other firms’ because their information was compromised along with your own. It would be almost impossible to clear a conflicts check in a scenario like that.
In many cases, efficiency will breed more efficiency, and in the outsourcing world, that means that fewer and fewer companies will be the “go to” companies for law firms to use. The potential for problems with putting alll those eggs in one basket could create situations similar to what happen to the major news networks during the 2000 elections when they all relied upon the Voter News Service to project exit-polling from the Florida election and projected Al Gore as President. As with that situation, there existed a single point of failure where one company influenced (embarrassed) many reputable other companies because of a single event.
The thing to remember is that when you place your eggs in a basket with other law firms through an outsourcing company, just remember that your risks have expanded beyond what is contained within your individual egg shells. If your eggs and your competitors eggs get dropped, you are all now responsible for the resulting mess. Once those eggs are scrambled together, you won’t be able to separate your individual eggs from all the others that were in the basket. Remember to add that scenario to your next risk analysis when outsourcing your firm’s processes and information.