A recent decision from a federal magistrate judge in Virginia highlights the need for businesses—and their attorneys—to understand the technology their employees use and the risks associated with that technology, especially when confidential information is involved. The plaintiff in Harleysville Ins. Co. v. Holding Funeral Home, Inc., No. 1:15 cv 00057, 2017 U.S. Dist. LEXIS 18714 (W.D. Va. Feb. 9, 2017), used an online file-sharing service to exchange files with multiple users (including its counsel) at different times. Because the plaintiff did not limit access to the files by means of a password requirement or other control, opposing counsel was able to obtain the plaintiff’s confidential legal files. Describing the plaintiff’s actions as equivalent to publishing the files on the Internet, U.S. Magistrate Judge Pamela Meade Sargent held that both the attorney-client privilege and work-product doctrine had been waived. The court also sanctioned the defendant’s counsel for improperly accessing the unsecured files and not notifying opposing counsel of their privileged nature.
Notably, the Harleysville court indicated that both the plaintiff and its counsel should have recognized that the files were unprotected and acted sooner to preserve confidentiality. Indeed, an unintended disclosure like that in Harleysville is highly avoidable. With respect to file-sharing technology specifically, businesses should implement effective controls, such as password protections and file-availability time limits, to prevent unauthorized disclosure of confidential information. With respect to technology generally, businesses should adopt and enforce a comprehensive program of information-security policies, and then train employees on those policies. Law firms would also do well to adopt these practices, as they will enable attorneys to better meet their own confidentiality obligations and to identify risks in their clients’ practices.
Harleysville’s Failure to Limit Access to Files Results in Inadvertent Disclosure
In Harleysville, Harleysville Insurance Company (Harleysville) sought a declaratory judgment that it did not have to cover the claim of Holding Funeral Home, Inc. (Holding) for a 2014 funeral-home fire. An investigator for Nationwide Insurance Company (Nationwide), which owns Harleysville, uploaded a video about the fire damage to the file-sharing service of Box, Inc. (Box). On September 22, 2015, the Nationwide investigator sent an e-mail to a contact at the National Insurance Crime Bureau (NICB) with a hyperlink to the Box site. Although that e-mail contained a “confidentiality notice” indicating the e-mail contained privileged and confidential information and was subject to restrictions on its unauthorized disclosure or use, the file placed in the Box site was not password protected and was accessible by anyone who used the hyperlink.
Several months later, in April 2016, the Nationwide investigator used the same Box site to upload Harleysville’s entire claims file and Nationwide’s entire investigation file relating to the fire loss for the purposes of providing those files to Harleysville’s counsel. The investigator then sent an e-mail to Harleysville’s counsel with the same hyperlink he previously gave to the NICB contact.
In May 2016, the NICB responded to a subpoena from Holding by producing documents received from Harleysville, including the Nationwide investigator’s e-mail with the Box hyperlink. Holding’s counsel then used the hyperlink to access the Box site, which at that point contained the entire claims files of Harleysville and Nationwide. Holding’s counsel downloaded and reviewed those materials without providing any notice to Harleysville’s counsel.
Harleysville’s counsel did not discover the disclosure of the files on the Box site until October 27, 2016, after reviewing a thumb drive of discovery that Holding had produced in August 2016. In its initial review of that production, Harleysville’s counsel discovered it contained materials that were potentially privileged that the defendant had inadvertently produced. After contacting defense counsel and upon their request, Harleysville’s counsel destroyed the privileged documents that had been produced by the defense. For some reason, Harleysville’s counsel did not discover that the thumb drive also contained its own client’s claims file until late October. On November 2, 2016, Harleysville’s counsel requested that Holding’s counsel destroy its copy of the claims file, but by that time Holding and all of its counsel had reviewed the materials that were posted to Box. At some point thereafter, the plaintiff finally disabled the Box site.
Harleysville filed a motion to disqualify Holding’s counsel, arguing that defense counsel had improperly used the hyperlink to gain unauthorized access to Harleysville’s privileged materials. Holding opposed the motion, countering that Harleysville’s placement of the materials on Box, where it could be accessed by anyone, waived any claim of privilege or confidentiality. Although it conceded the files had been intentionally uploaded to Box, Harleysville argued that it had not waived privilege because it never authorized or intended disclosure of the files to anyone other than the NICB and its own counsel.
Failure to Limit Access to Files Available on the Internet Waived Privilege
Applying Virginia state law and precedent, the court found that, although Harleysville’s disclosure was inadvertent, it nonetheless waived the attorney-client privilege. The evidence showed that Harleysville failed to take “any precautions” to prevent disclosure of the information uploaded to Box. The court noted that the Nationwide employee had previously used the Box site and therefore knew or should have known that the information was unprotected. The disclosure was “vast” because the information was available to anyone who had access to the Internet. In addition, because Harleysville’s counsel used the unprotected hyperlink to access the information in April 2016, the court found that they knew or should have known the information was accessible on the Internet (but failed to take any remedial action until access to the site was finally blocked six months later). For similar reasons, the court also held that Harleysville had waived the work-product privilege under federal law.
Significantly, the court described the failure to password-protect the materials on Box as “the cyber world equivalent of leaving its claims file on a bench in the public square and telling its counsel where they could find it.” The court found it “hard to imag[ine] an act that would be more contrary to protecting the confidentiality of information than to post that information to the world wide web.”
As a matter of public policy, the court urged businesses to exercise caution when using “rapidly evolving” technology to share information. Because a company controls the decision on whether to use new technology, it “should be responsible for ensuring that its employees and agents understand how the technology works, and, more importantly, whether the technology allows unwanted access by others to its confidential information.”
Defense Counsel Acted Improperly by Accessing Files Despite Privilege Flags
The court also criticized the conduct of Holding’s counsel, finding they acted improperly in accessing the Harleysville materials. The court assigned significance to the fact that the e-mail that contained the Box hyperlink had included a confidentiality notice that “should have provided sufficient notice to defense counsel that the sender was asserting that the information was protected from disclosure.” According to the court, Holding’s counsel should have realized, based on the confidentiality notice in the e-mail, as well as the extent of the materials on the Box site, that the materials were subject to privilege or other protection. Accordingly, they should have notified Harleysville’s counsel and sought a determination from the court regarding privilege and other protections before using or disseminating the information. Holding’s counsel had even consulted the state bar ethics hotline about the access, undermining their claims that they believed the access was proper.
Harleysville sought disqualification of Holding’s counsel, but the court found it not warranted because substitute counsel would have access to the same information in light of the privilege/protection waiver. Instead, the appropriate sanction was for Holding’s counsel to bear Harleysville’s costs to seek the court’s ruling on the matter.
Technology Provides the Problem but Also the Solution
Although Harleysville involves the pitfalls of file-sharing services, the case offers lessons that are applicable to the use of any new technology. Simple precautions can avoid, or at least mitigate the damages from, the risks that technology poses to confidential information.
To begin with, a business would be wise to require its employees to use only technology that the company has vetted and approved. The company should consider whether the service has the security features and other criteria that the business deems appropriate in light of the sensitivity of the information at issue and the threats to it as identified by the company. Because many file-sharing services operate in the Cloud, with respect to that particular technology this may include analysis of such questions as: What security protections are utilized, and how frequently are they tested and updated? Where will the service provider store the company’s information? Who will have access to the files and under what conditions? How long will the provider retain the data? How and when are backups conducted?
In addition to requiring that employees use only a company-approved file-sharing service, the company may also determine that employees’ use should be subject to certain security controls available within the service. For example, as Harleysville demonstrates, access to confidential files should be restricted (and perhaps tracked) by requiring the authorized users to enter a password or log-in information to obtain the files. Access can be further restricted by requiring multifactor authentication by which a second user-identifying factor beyond a password is necessary to gain access.
Another potential security control is to limit access to folders within the service to persons designated as authorized users. Separate folders can be established for specific target users. As to external users, this can limit permitted users to viewing only that information to which they are intended to have access. On an internal basis, limited access can serve to enforce ethical walls and need-to-know policies within the company. As a further precaution, the business can require that confidential information be encrypted before it is placed in a file-sharing service. That way, only intended recipients who have been given both access to the folder within the file-sharing service and the encryption key can access the sensitive information.
Beyond the need for password protections, Harleysville also illustrates the risk in making files accessible for a longer period than necessary. That risk can be reduced by ensuring the online file-sharing service does not become a long-term repository for sensitive information. A business can implement policies that prescribe how long files can remain posted in a file-sharing service, or even impose settings that automatically delete files after a specified period. The person sharing the file can implement security controls within the service to limit the time the file is accessible to designated users, as well as the number of times a file can be downloaded. Some services will also permit an organization to claw back documents after having been downloaded, so that a person accessing the file has only a temporary copy of the document.
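As an added illustration of the two controls just described (encrypting a file before it is placed in a sharing service, and limiting how long a link stays usable), the following Go program is example code written for this article; it is not code from the Harleysville opinion, from Box, or from any other service discussed above. The host name `share.example.invalid`, the signing secret, the encryption key and the file contents are all constructed placeholders. It shows why a bare hyperlink like the one in Harleysville is the weak point: the link in this example carries a signed expiry that the server checks on every download, and the uploaded bytes are AES-256-GCM ciphertext that is useless to anyone who does not also hold the key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// newGCM wraps a 16/24/32-byte key in AES-GCM, an authenticated cipher.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile seals the plaintext before upload. The sharing service only
// ever stores the sealed bytes (random nonce prepended), so a leaked link
// hands out ciphertext, not the claims file.
func EncryptFile(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptFile reverses EncryptFile; a wrong key or a modified file fails the
// GCM authentication tag and returns an error rather than garbage.
func DecryptFile(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed file too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// signShare binds the file identifier and expiry timestamp together under the
// service's secret, so the holder of a link cannot edit its expiry.
func signShare(secret []byte, fileID, exp string) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(fileID + "\n" + exp))
	return mac.Sum(nil)
}

// MakeShareLink issues a link that stops working at expiry. The host is a
// placeholder; a real service would also require the recipient to log in.
func MakeShareLink(secret []byte, fileID string, expiry time.Time) string {
	exp := strconv.FormatInt(expiry.Unix(), 10)
	sig := base64.RawURLEncoding.EncodeToString(signShare(secret, fileID, exp))
	return fmt.Sprintf("https://share.example.invalid/f/%s?exp=%s&sig=%s",
		url.PathEscape(fileID), exp, sig)
}

// ValidateShareLink is the server-side check run on every download: verify
// the signature in constant time, then refuse anything at or past its expiry.
func ValidateShareLink(secret []byte, link string, now time.Time) (string, error) {
	u, err := url.Parse(link)
	if err != nil {
		return "", err
	}
	fileID := strings.TrimPrefix(u.Path, "/f/")
	q := u.Query()
	exp := q.Get("exp")
	sig, err := base64.RawURLEncoding.DecodeString(q.Get("sig"))
	if err != nil || !hmac.Equal(sig, signShare(secret, fileID, exp)) {
		return "", errors.New("link signature invalid")
	}
	expUnix, err := strconv.ParseInt(exp, 10, 64)
	if err != nil {
		return "", errors.New("malformed expiry")
	}
	if !now.Before(time.Unix(expUnix, 0)) {
		return "", errors.New("link expired")
	}
	return fileID, nil
}

func main() {
	secret := []byte("hypothetical-service-signing-secret") // constructed
	key := make([]byte, 32)                                 // constructed
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	sealed, _ := EncryptFile(key, []byte("constructed claims file contents"))
	link := MakeShareLink(secret, "claims-2016", time.Now().Add(7*24*time.Hour))
	id, err := ValidateShareLink(secret, link, time.Now())
	fmt.Println("fresh link:", id, err)
	_, err = ValidateShareLink(secret, link, time.Now().Add(8*24*time.Hour))
	fmt.Println("same link eight days later:", err)
	_, err = DecryptFile(make([]byte, 32), sealed)
	fmt.Println("download without the key:", err)
}
```

The point of keeping the expiry inside the signed portion of the link is that the deadline is enforced by the service, not by the good faith of whoever later receives the e-mail; in Harleysville the same link was forwarded in a subpoena response months after it was first sent. Encrypting before upload is the second, independent layer: even a link that is never expired only exposes ciphertext.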
Policies and Training Are Also Important in Data Protection
Although technology is certainly an important component of a company’s overall data-protection program, having effective policies in place is another key element. A company should strive to have a comprehensive scheme of policies that is tailored to address its specific needs in terms of protecting confidential information. Depending upon the company’s goals and the categories of information at issue, the policies may address such matters as limiting access to information based upon an employee’s need to know for his or her job role, mobile-device use and bring-your-own-device programs, remote network access, secure destruction of data kept in electronic and paper format, and monitoring of employee activity within the company’s network (including infiltration and exfiltration of data to and from the network and via other technology platforms, such as file-sharing services).
However, it does little good to adopt policies if the company does nothing to enforce them. A strong first step toward enforcement is education. Employees must be trained on the company’s policies. Ideally, this will be accomplished through a company-wide program that provides security-awareness training for employees at all levels of the company, from the executive suite to the lowest-ranking staff. A company may find it is effective to have different types of events and outreach, from in-person presentations by outside consultants, to e-mails with information-security tips, to online training exercises. It is also important that employees know who to contact with questions or concerns about policies and information protection. The goal is to ensure that employees know how the company expects them to handle confidential information and to enable them to identify and respond appropriately to matters that threaten the preservation of confidentiality.
Technology controls and security training could have gone a long way toward avoiding the Harleysville scenario. The opinion did not discuss whether the Nationwide employee was authorized to use Box as a file-sharing service, with or without password protections or other controls. Nor did it discuss the Nationwide employee’s previous use of Box in detail, although the court assumed that his previous use meant he was familiar with the site and the features available to protect information on it. That may have been true (or not), depending on how often he utilized the site and how frequently it underwent updates that changed its features. In any event, the opinion suggests there were less than adequate controls and training in place. In addition, the waiver of privilege surely has a detrimental effect on Harleysville’s success in the underlying coverage litigation, but a company could find itself in a worse position if the information improperly disclosed by an employee includes that of third parties who have entrusted it with their sensitive or legally protected information. In that instance, the company may find itself having to comply with federal or state laws that require notification when certain personally identifiable information is disclosed and potentially may face litigation over the disclosure.
Harleysville also suggests that law firms would do well to employ technology controls and training programs. The court indicated that plaintiff’s counsel should have realized the unprotected status of its client’s files because counsel itself used the unprotected link to access the files. In doing so, the court struck at the heart of an attorney’s ethical obligation of competency, which as adopted in most states includes having knowledge of the risks and benefits of relevant technology. Unless Harleysville’s attorneys had previous exposure to file-sharing services and their features, they likely would not have appreciated that access controls were not in place. Likewise, if the attorneys had a subordinate employee (such as a paralegal) access the files, the attorneys would be dependent on the subordinate to realize the risk to confidentiality and raise it with the supervising attorney. A firm-wide training program could help both attorneys and staff develop their technology competence and their skill in spotting vulnerabilities that threaten the confidentiality of clients’ sensitive information.
The Harleysville court afforded great significance to the confidentiality notice in the e-mail that was used to initially forward the Box hyperlink, but the case demonstrates how ineffective that type of notice is for protecting sensitive information. It is common for businesses (attorneys especially) to include a confidentiality notice at the bottom of their e-mails. Typically, such notices are boilerplate, automatically appended at the very end of an e-mail, following the confidential message they are meant to protect, and often ignored as part of the “wallpaper effect.” Technology provides much more effective methods for protecting confidential information, such as password protection and encryption. As a lesson from Harleysville, businesses and attorneys would be well served to educate themselves about those alternatives and the pitfalls of and best practices for using them.