In this ever-changing digital world, the phrase “paper discovery” takes on a whole new meaning. Gone are the days in which a party in litigation serves upon the opposing party Interrogatories and Requests for Production of Documents and then 30 days later boxes of paper documents arrive on the attorney’s doorstep. Instead, in today’s world, we, our clients and colleagues in the legal profession frequently exchange information by electronic means, including texts, e-mails and digital files. In doing so, we need to be aware of the risks associated with such communications and exchange of information. Lawyers need not only be cognizant of the risk of intruders or hackers entering their technology systems, but must also be cognizant of and on guard against errors or mistakes involving the transmission of electronic data that could occur throughout discovery and the litigation process.
Earlier this year, a Virginia judge ruled that putting sensitive materials on an unprotected file-sharing website waived any attorney-client privilege or attorney work product protection in the documents. In Harleysville Ins. Co. V. Holding Funeral Home, Inc., C.A. No. 15-00057 (W.D. Va. February 9, 2017), Harleysville Ins. Co. filed a declaratory judgment action seeking a determination that it was not liable on its insurance policy because a fire which destroyed Holding Funeral Home’s property was caused by arson. Holding countersued for breach of contract and insurance bad faith. Harleysville is owned by Nationwide Insurance Company.
During the course of the case, a Nationwide investigator uploaded a video of the fire scene to an internet-based, electronic file-sharing site operated by Box, Inc. The investigator then sent an e-mail to the National Insurance Crime Bureau (“NICB”) with a hyperlink to access the video on the Box website. While the email contained a boilerplate confidentiality notice, the information was not password protected.
Several months later, the investigator placed files containing Harleysville’s entire claims file and Nationwide’s entire investigation file on the Box site to be accessed by Harleysville’s counsel. The investigator sent an email to Harleysville’s counsel with the same hyperlink sent to NICB to be used by counsel to access the claims and investigation files. Again, the information was not password protected.
Subsequently, counsel for Holding Funeral Home issued a subpoena to NICB requesting its entire file related to the fire. NICB produced electronic copies of all documents received from Harleysville including a copy of the email from Harleysville’s investigator containing the hyperlink to the Box website. Upon receipt, defense counsel used the hyperlink to gain access to the Box site, downloaded and reviewed the entire claims and investigation files without notifying Harleysville’s counsel that it had accessed and reviewed potentially privileged information. Defense counsel later produced in discovery a thumb drive containing the claims and investigation files in a file entitled “NICB Video”. Harleysville’s counsel realized that the information had been inadvertently produced and requested that defense counsel destroy their copy of the claims and investigation files.
Harleysville then requested the Court to disqualify defense counsel based upon the alleged improper and unauthorized access to privileged information. Defense counsel argued that Harleysville waived any claim of privilege by placing the documents on the Box website without password protection where it could have been accessed by anyone.
Following an analysis of both Virginia and federal law regarding privilege, the Court concluded that Harleysville had waived the attorney-client privilege by placing the information on the Box website. In doing so, the Court stated:
I find that Harleysville has waived any claim of attorney-client privilege with regard to the information posted to the Box Site. It has conceded that the Box Site was not password protected and that the information uploaded to this site was available for viewing by anyone, anywhere who was connected to the internet and happened upon the site by use of the hyperlink or otherwise. In essence, Harleysville has conceded that its actions were the cyber world equivalent of leaving its claims file on a bench in the public square and telling its counsel where they could find it. It is hard to image an act that would be more contrary to protecting the confidentiality of information than to post that information to the world wide web.
Harleysville, at *13-14. The Court further rejected Harleysville’s assertion of the attorney work product protection.
While the Court denied Harleysville’s Motion seeking disqualification of defense counsel, Magistrate Judge Pamela Meade Sargent did not let defense counsel off the hook completely. Concluding that defense counsel should have contacted Harleysville’s counsel and revealed it had access to the information and should have asked the Court to determine whether any claim of privilege or protection had been waived with respect to the information prior to making use of it. The Court ruled that defense counsel was to reimburse Harleysville’s counsel costs incurred in bringing the Motion.
A similar event was addressed by the United States District Court for the Eastern District of Pennsylvania in Arkeyo, LLC v. Cummins Allison Corp., C.A. No. 16-4720 (E.D.Pa. June 28, 2017). In that case, Arkeyo, the creator of software to be integrated into coin counting machines manufactured by Cummins filed a motion for a preliminary injunction seeking to prevent Cummins from selling any machines which included any software derived in whole, or in part from the Arkeyo software during the pendency of its suit against Cummins alleging breach of contract and other claims.
In response, Cummins asserted that the information sought to be protected by Arkeyo was not subject to trade secret status as Arkeyo had previously published the software to its own website without taking any steps to protect the confidentiality of such information. During the course of discovery, it was learned that Arkeyo’s software had been posted on its website without taking any of the industry standard precautions to protect the confidentiality of its software. Arkeyo did not give the web page a random name nor did it post the ZIP file on its secure HTTPS website. Instead, it posted the ZIP file on its open, public website. Further, the software was not encrypted or password protected and there were no matures used to prevent executable code from being decompiled into human readable source code. The software was not marked confidential nor was there any language identifying conditions for use of the software. Notably, there was no mention of whether Arkeyo’s posting of the software to its website was inadvertent or intended.
The Court concluded that Arkeyo could not demonstrate a likelihood of success on its claim that Cummins violated the Illinois Trade Secrets Act, stating “[s]imilar to the plaintiff in Harleysville, Arkeyo committed the cyber equivalent of leaving its software on a park bench. It posted its software for fifteen months on the internet and made it publicly available to anyone who simply typed the "new_software" URL into a web browser, without taking any affirmative measures to prevent others from using its proprietary information.” Arkeyo, at *17.
These recent events highlight the necessity of lawyers to take reasonable precautions to protect a client’s information and data. It is, after all, our duty to our clients to protect such information. ABA Model Rules of Professional Conduct, Rule 1.6. In each case, a lawyer should undertake “reasonable efforts” to protect against the inadvertent or unauthorized disclosure of client information.
Educate yourself and those who assist in your cases regarding technology used in your practice and implement appropriate policies and procedures relating to E-discovery and the use of digital technology in your practice. In Part II of this Article, we will review additional cases and discuss specific steps you can take to reduce this emerging technology risk.
This article was prepared by Holly M. Whalen, Esq. of Cipriani & Werner, P.C. We trust that the above article was useful and thought provoking; however, please note that it is intended a general guide only, not a complete analysis of the issues addressed, and readers should always seek specific legal guidance on particular matters.
For more information on LPL coverage generally and Cyber Liability insurance, contact Greg Cooke USI Affinity today.