Selecting the right consulting firm for a restructuring, class action, or mass tort engagement is critical — and the decision requires careful risk assessment and due diligence. To gauge risk tolerance, consider:

• What data is being collected, and are there legal and ethical reasons to protect it?
• What activities are being performed by the consulting firm, and what are being outsourced?
• How would the Court react to either extended outages of the call center or case website?
• How would the Court react to a data breach involving the information that’s being collected?
• What would be the impact of a data breach?

While often used to measure the effectiveness of internal controls, SAS 70 reports actually were designed to address only financial reporting (and supporting computer systems). As a result, thorough due diligence should also evaluate:

• Information security audits based on established standards relating to the claims and notice administration systems, as well as disaster recovery planning efforts
• Sarbanes-Oxley and other business process audits relating to the claims and notice processes and procedures
• Fraud prevention efforts and regulatory compliance regarding payments
• OAFC compliance efforts to detect suspicious transactions