In Part I of this article, we looked at two case examples of information being put in the “public” domain inadvertently, one via a file sharing site operated by Box, Inc. and the other involving placement of sensitive information on a website. In these scenarios, the individuals charged with safekeeping this information left sensitive and confidential information on the proverbial “park bench” for the world to view. So, is the lesson to lawyers really as simple as “don’t place sensitive information in the public domain?” Not quite.
As any litigator is aware, the discovery process can often be onerous. Not only are you attempting to position your client’s claims/defenses as best as possible, but in our data-driven world, the number of documents to review can be staggering. In addition to taking great care in crafting answers to interrogatories and requests for production of documents, attorneys should also take care to ensure that what is produced does not contain unnecessary and sensitive personal information. Failure to protect such information from disclosure, even to the opposing party in litigation, could result in disastrous consequences, not just for the litigation, but for the lawyer and law firm.
Just ask the attorney who was tasked with reviewing document production for Wells Fargo earlier this year. It was discovered that a customer data breach at Wells Fargo occurred when the Bank’s lawyer failed to review the Bank’s entire set of discovery documents, including confidential and personal information regarding the Bank’s customers, before producing the documents to opposing counsel in litigation.
The discovery error occurred in litigation filed in New Jersey state court between two brothers who had previously worked as Wells Fargo financial advisers. During the course of the litigation, the plaintiff served a subpoena upon Wells Fargo seeking documents relating to the defendant, his brother. In responding to the subpoena, the Bank’s attorney used an outside e-discovery vendor to assist in the process and to search the email accounts of the applicable Bank personnel.
Following the search of the applicable accounts, the Bank’s attorney coordinated with the vendor to review documents identified in the search and to identify for withholding from production any documents she marked as privileged and confidential. Using the vendor’s e-discovery software to review the documents, the attorney reviewed documents and tagged those that should be marked privileged and confidential. The remaining documents were then produced without any confidentiality or protective order relating to the documents.
Unfortunately, after the document production, it was learned that a substantial number of documents containing confidential and personal information of Bank customers were included in the production. The Bank’s attorney mistakenly failed to review the complete set of documents, because the view she was using in the vendor’s software showed only a set number of documents at one time, rather than all of the documents contained in the file. Also, the documents the Bank’s attorney flagged for redaction were never actually redacted prior to production due to a misunderstanding by the Bank’s attorney. After learning of the disclosure, the Bank’s attorney immediately sought return of the documents, but not before some of the documents were leaked to the New York Times, which ran an article on the breach. The case is currently pending in the Superior Court of New Jersey, Law Division, Atlantic County at Docket No. ATL-L-2182-16.
While this type of scenario is certainly embarrassing, and may have a detrimental impact on the client’s litigation matter, such an error can have direct consequences for the lawyer/law firm responsible for the inadvertent disclosure. Continuing the Wells Fargo story, the unauthorized disclosure of the sensitive information was likely a violation of various state and federal data protection laws, each with its own set of consequences and potential fines.
Even absent the leak of documents to a public newspaper, unnecessarily disclosing such sensitive information to the opposing litigant in discovery could be a violation of various data protection laws. For instance, inadvertent disclosure of unredacted health records of a client’s employees in discovery may constitute a violation of a state data breach notification statute, as well as HIPAA/HITECH. For example, Pennsylvania’s Data Breach Notification Statute applies to any entity that maintains personal information (including law firms), and defines “personal information” as:
(1) An individual’s first name or first initial and last name in combination with and linked to any one or more of the following data elements when the data elements are not encrypted or redacted:
(i) Social Security number.
(ii) Driver’s license number or a State identification card number issued in lieu of a driver’s license.
(iii) Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.
73 P.S. § 2302. A “breach” is any unauthorized acquisition or reasonable belief of unauthorized acquisition of personal information that compromises the security of that information and is likely to result in harm to any resident. Similarly, HIPAA’s Security Rule applies downstream to vendors and business associates of covered entities (including law firms) by virtue of the HITECH Act, and treats any unauthorized disclosure of health records/information as a violation. Neither law contains any exception for documents disclosed during litigation.
Other than simply paying very close attention to discovery production, inclusive of the vetting of outside discovery vendors, there are specific actions law firms can take to minimize the risk of inadvertent disclosure of sensitive and personal information and thereby minimize potential ethics issues and violations of data protection laws:
- First, only collect documents and information from the client that are necessary for the response or the litigation; do not over-collect documents.
- Second, identify sensitive information (like Social Security Numbers, Credit Card Numbers, Account Numbers, Health insurance information) either by flagging the document or brightly highlighting the information itself. Even if you are dealing with a commercial case or a transactional matter, remember to review the documents for personal information that does not need to be and should not be disclosed.
- Third, properly redact personal information from the documents you will be producing. Whether your firm uses software for redaction, or whites out the sensitive information and recopies the page, ensure the redaction is complete and thorough.
- Fourth, employ quality control measures before the production goes out the door to ensure that all personal information not relevant to the litigation has been redacted properly.
- Finally, as it may be almost impossible to identify and catch every protected document in advance, even with a diligent review, secure a claw-back agreement (see, FRE Rule 502) prior to a production of documents. If possible, such as in the case of litigation, incorporate that agreement into a court order. Such an agreement will provide a basis to argue that privileges have not been inadvertently waived, and if incorporated into an order, allow for an argument that third parties are bound as well.
Employing these steps will help minimize inadvertent disclosures of personal information and thereby reduce the likelihood of the law firm getting caught up in an accidental data breach scenario.
This article was prepared by Holly M. Whalen, Esq. and Jason McLean, Esq. of Cipriani & Werner, P.C. We trust that the above article was useful and thought provoking; however, please note that it is intended as a general guide only, not a complete analysis of the issues addressed, and readers should always seek specific legal guidance on particular matters.