A growing number of professionals routinely share large files via cloud-based, file-sharing technology that puts them at serious risk of waiving claims of privilege, trade secrets, or proprietary information if litigation should arise in the future.
In the recent case of Harleysville Insurance Company v. Holding Funeral Home, Inc., a federal judge ruled that this common practice of sharing documents can be the “cyber world equivalent of leaving [privileged documents] on a bench in a public square and telling its counsel where they could find it.”
The judge went on to state, “It would be hard to imagine an act that would be more contrary to protecting the confidentiality of information than to post the information to the worldwide web.”
The facts of the underlying claim were not uncommon. There, a funeral home and insurance company were involved in litigation over the denial of a fire claim. The insurance company claimed the fire was intentionally set and denied coverage.
The insurance companies’ senior fire investigator sought to share his investigative file with his colleagues at the National Insurance Crime Bureau, and uploaded it to a common file-sharing program on the internet. He then sent an email to the NICB containing a hyperlink to the folder.
The cloud-based, internet folder was not password encrypted. Anyone with the hyperlink could access the entire contents of the folder. The investigator, however, included the following commonly-used statement in his email, presumably believing it was sufficient to maintain the confidentiality of his investigative file:
CONFIDENTIALITY NOTICE: This email contains information that is privileged and confidential, and subject to legal restrictions and penalties regarding it unauthorized disclosure and other use. You are prohibited from copying, distributing or otherwise using this information if you are not the intended recipient. If you received this email in error, please notify me immediately by return email, and delete this e-mail and all of its attachments from your system.
The investigator, thereafter, chose to upload the insurance companies’ entire claim and investigative file to the same Box, Inc. folder so that it could be accessed by the insurance companies’ litigation attorneys. The insurance companies’ attorney downloaded the entire file, including the senior investigator’s original email to NICB that contained the original hyperlink.
In response to written discovery requests from the defendant, the insurance companies’ attorneys produced the senior investigator’s email to the NICB as part of written disclosures. The email, of course, contained the hyperlink to what now included the insurance companies’ entire claim and investigative file. Defense counsel used the hyperlink to access the folder and downloaded the insurance company entire claim and investigative file, which included arguably privileged information.
After discovering the inadvertent disclosure, the insurance company sought to disqualify defense counsel and obtain a court ruling that its claim and investigative file as protected by the attorney-client privilege and the work product doctrine. The defendant argued that the insurance company had waived any privilege by disclosing the hyperlink to the folder in the senior investigator’s email.
The court first addressed whether the privilege was waived under state law, ruling the insurance companies’ disclosure was “inadvertent,” but nonetheless, any privilege was waived because the insurance carrier “knowingly provided access to the information by failing to implement sufficient precautions to maintain the confidentiality.”
The court concluded:
“It does not matter whether this employee believed that this site would function for only a short period of time or that the information uploaded to the site would be accessible for only a short period of time. Because of his previous use of the Box Site, this employee either knew – or should have known – that the information uploaded to the site was not protected in any way and could be accessed by anyone who simply clicked on the hyperlink.”
The court further concluded that the insurance company’s counsel also knew – or should have known, the information was readily available on the internet to anyone with access to the hyperlink.
Applying state law, the court held any privilege was waived because “waiver may occur if the disclosing party failed to take reasonable measures to ensure and maintain the documents confidentiality, or to take prompt and reasonable steps to rectify the error.” Virginia law mirrors many other state jurisdictions.
The court finally concluded the insurance company waived its right under Fed.R.Civ.Evid. 502, that to assert a work product privilege because neither it nor its defense counsel took reasonable steps to prevent its disclosure or rectify the situation.
The court concluded, “the agent’s actions in posting the Claims File where it could be accessed by anyone on the internet is certainly a release of protected information in way that did not limit its future use.”
The court went further, however, to justify its opinion as fostering the better public policy, concluding:
“The technology involved in information sharing is rapidly evolving. Whether a company chooses to use new technology is a decision within that company’s control. If it chooses to use a new technology, however, it should be responsible for ensuring that its employees and agents understand how the technology works, and more importantly, whether the technology allows unwanted access by others to its confidential information.”
As admitted by the court, the outer boundaries of what constitutes a waiver of privilege arising from the use of file-sharing technology is evolving. Few, if any, state or federal courts have specifically addressed the question of waiver or unauthorized access by opposing counsel.
For now, the use of encryption and other password protected, secured portals would seem to be the best practice for professionals who choose to share files that may contain documents that may be protected by privilege, proprietary information, or trade secrets. At minimum, any documents shared through unencrypted, cloud-based, file-sharing technology should be immediately removed from the internet after shared to prevent unintended disclosure and waiver of any rights to privilege.
Best risk management practice, for now, calls for every professional or firm that chooses to use a cloud-based, file-sharing program to consult with outside legal counsel to develop and implement stringent, internal protocols to protect privileges and other rights, and every professional should insist that all internal risk management teams, insurance carriers, and outside litigation attorneys do the same.
Timothy B. Soefje is Managing Member and head of the professional liability section at the boutique firm of Seltzer │Chadwick │Soefje, PLLC based in Dallas, Texas. For regular information about professional liability matters, follow him on Twitter at @TimSoefje and search #ProfessionalLiability. For more information, visit us at www.realclearcounsel.com or contact him at firstname.lastname@example.org.