“Better Call Saul!”

I’m watching the Breaking Bad marathon last night when a commercial comes on mentioning a familiar company. Although I couldn’t find the 30-second spot telling me to go to BringAClaim.com, I did find the 2-minute video from the firm behind Bring A Claim, San Antonio-based Watts Guerra, LLP, that describes the settlement agreement covering “more than 100 million Americans who could be entitled to statutory damages of $100 to $1000 for each proven willful violation of the Fair Credit Reporting Act.”

It seems that Lexis wasn’t just having a problem with this issue, but according to KrebsOnSecurity, was hacked by a serious cyber criminal organization, along with Dun & Bradstreet and Kroll Background America, Inc., where millions of social security numbers and business information were stolen and sold. The KrebsOnSecurity report, based on a seven-month-long investigation, says that the Lexis breach seems to have been one where someone on the inside installed a program called NBC.exe in order to gain access to the system and download the personal data.

Perhaps the most alarming thing that Krebs reports is that there are over a thousand “customers” (AKA, Bad Guys) going through the hacked data:

The database shows that the site’s 1,300 customers have spent hundreds of thousands of dollars looking up SSNs, birthdays, drivers license records, and obtaining unauthorized credit and background reports on more than four million Americans.

Seems that Walter White wasn’t the only one having a bad year. But, remember, you may be entitled to damages, so you better call Saul… er, Watts Guerra.

If you were like me, you probably got one of these emails this weekend from a number of companies that were exposed to a hack from their outsourced email campaign company, Epsilon Interactive.

Here’s one example I got from Robert Half Legal:

So far, I’ve received one from Robert Half, BestBuy, McKinsey & Co., and AbeBooks. However, according to Mashable, the list extends to many well-known companies, including Kroger, TiVo, US Bank, JP Morgan Chase, Capital One, Citi, Ritz-Carlton Rewards, Walgreens, LL Bean, the Home Shopping Network, and many, many more.

The idea that so many well-known and respected companies were using this single source for their email campaigns made me wonder about the risks that are involved with this type of outsourcing and how substantial the effects of a single company’s compromised information are on the multiple companies that use the services. The outsourcing of this type of service makes perfect sense when looked upon by a single company, but at what point does the risk overwhelm the benefits when an outsourcing company becomes a single point of failure for multiple companies?

This made me wonder about the outsourcing needs for law firms. On an individual law firm basis, it may make perfect sense to outsource a number of processes. However, when we stand back and look at the risks that an outsourcing company takes on for its entire customer base (multiple law firms) then the risks to the individual firm become greater. For example, if multiple law firms were to outsource their email systems to a single cloud-based system, or outsource all e-discovery to a single provider, or keep data from their client relationship management (CRM) tool on an outsourced system, the initial risk may seem very low, and the benefits very high. However, the risk may actually be much higher than you anticipate as more firms outsource their information to a single vendor.

Now, before you start thinking that I’m totally against outsourcing certain processes, there are a number of good reasons why firms outsource processes. Outsourcing, when used in the right way, can create a much more efficient process, can be overall less expensive, and can be scaled up and down according to the needs of the firm. Even the chances of someone hacking into the information can be far less likely from a well established outsourcing company’s system when compared to the chances of a law firm’s local information being hacked. So, there are substantial benefits to outsourcing that make perfect sense when looking at your firm’s individual risk/benefit analysis.

The issues that confront an outsourcing group like an Epsilon, however, bring in risk factors that perhaps firms do not contemplate initially because they tend to think of their individual risks only, and not the risks that might arise if the firm’s data is compromised and then commingled with a peer firm’s compromised data. Just think of the conflicts checking that would have to occur if you had to include client representation from other firms because their information was compromised along with your own. It would be almost impossible to clear a conflicts check in a scenario like that.

In many cases, efficiency will breed more efficiency, and in the outsourcing world, that means that fewer and fewer companies will be the “go to” companies for law firms to use. The potential for problems with putting all those eggs in one basket could create situations similar to what happened to the major news networks during the 2000 elections when they all relied upon the Voter News Service to project exit-polling from the Florida election and projected Al Gore as President. As with that situation, there existed a single point of failure where one company influenced (embarrassed) many other reputable companies because of a single event.

The thing to remember is that when you place your eggs in a basket with other law firms through an outsourcing company, your risks have expanded beyond what is contained within your individual egg shells. If your eggs and your competitors’ eggs get dropped, you are all now responsible for the resulting mess. Once those eggs are scrambled together, you won’t be able to separate your individual eggs from all the others that were in the basket. Remember to add that scenario to your next risk analysis when outsourcing your firm’s processes and information.