Maybe you heard about an insurance case in which both sides got sanctioned over the inadvertent exposure of confidential information, facilitated by a nonlawyer associate. This story skims the surface of a deep reservoir of unhappy tales about the many ways electronically stored information (ESI) can get away from you.
For legal practitioners, putting privileged information into the hands of employees is a fact of life. So is sharing it with outside investigators, expert witnesses, and other third-party service providers.
Habeas Hard Drive will share some thoughts on tightening control of ESI when it travels through many hands, but first, here's the story.
The relevant cast of characters:
- Attorneys for the Plaintiff (Harleysville), an insurance company seeking a ruling to support its denial of a claim on a fire that was deliberately set;
- An investigator for the parent company, Nationwide Insurance (Thomas Cesario);
- The National Insurance Crime Bureau (NICB), an entity that supports the insurance industry by collecting and providing crime data;
- NICB's employee (Wes Rowe);
- Defense attorneys for the claimant (Defense).
In a passive role, we have the file-sharing site Box, Inc. (Box), used as a convenient method for storing and sharing information electronically.
Investigator Cesario was working for Nationwide, parent company of Plaintiff insurance company Harleysville. Cesario uploaded a video of the fire scene to the file-sharing site Box. He then emailed a hyperlink to the Box folder to Rowe at the NICB.
There was no password on the Box folder, only the link; anyone who obtained the URL, whether from a forwarded email, a subpoena response, or a browser history, could open it. The email from Cesario to Rowe contained a routine confidentiality notice, including a prohibition on copying or distributing the material. Rowe accessed the Box folder twice and downloaded the video once.
Months later, Cesario uploaded additional material intended for review by Harleysville's attorneys, consisting of the insurance claim file and the fire investigation file. He provided the same hyperlink he'd sent to NICB. No password. Just click and view.
Several weeks later, Defense issued a subpoena ordering NICB to produce its entire file on the fire. In response, Defense received the files it had requested, but it also received a copy of the email from Cesario to Rowe containing the link to the Box folder. Despite the confidentiality notice, Defense reviewed the contents without notifying opposing counsel that it had obtained potentially privileged information.
The exposure came to light several months later, when Harleysville received a thumb drive from Defense containing documents that included Harleysville's own privileged material.
Harleysville then moved, unsuccessfully, to have Defense disqualified.
But Magistrate Judge Pamela Meade Sargent came down on both sides. Harleysville had waived privilege by failing to take reasonable steps to protect the privileged data, she said, characterizing the unsecured Box folder as the cyber-world equivalent of leaving the claims file on a bench in the public square.
Defense counsel was also at fault, she said, and was ordered to bear the cost of obtaining the court's ruling.
The pertinent portions of the decision are reproduced below (see notes 1 and 2).
HOW A BUSINESS ASSOCIATE AGREEMENT CAN BE USEFUL
Information has a way of slipping its leash, and data security folklore is full of stories about costly, devastating third-party screw-ups and fatal mistakes by employees, whether well-intentioned or otherwise.
For employees, the answer is training, supervision, and leading by example with best practices for handling ESI. But for outsiders, over whom you have no daily influence, Habeas Hard Drive recommends that litigators adopt a practice used by healthcare providers, who also deal with a wide variety of outsiders and who bear ultimate responsibility for HIPAA violations.
In healthcare, a "Business Associate Agreement" is used to put third parties on notice of their obligation to protect confidential healthcare information. Similarly, law firms should obtain agreements from vendors and other third parties that make explicit the obligation to protect privileged and confidential information. The agreement establishes that confidential information is to be used only in the course of performing the specific tasks for which the contractor was engaged by the law firm. It should also spell out technical requirements for safeguarding the information from misuse (for example, that shared links require authentication and expire, that files are encrypted in transit and at rest, and that the associate promptly notifies the firm of any exposure) and the consequences for failing to meet them. This puts both the law firm and the business associate on track to comply with their legal and ethical duties.
IMPROVE INFORMATION GOVERNANCE
The Harleysville story, and similar incidents that end up in the headlines, have their roots in poor information governance.
“Information governance” is the set of policies and controls organizations use (or should be using) to manage and protect their information assets. That protection includes information-handling procedures that limit risk of data exposure, reduce legal liability, and comply with regulations.
Information governance is a challenge for every company, large and small. ESI has made the task even harder for litigators, who bear the ultimate responsibility for a breach of confidential data yet have less control than ever over its custody.
Qualified information security experts can help craft internal information governance procedures. Such experts can also help with training, and with specific language for Business Associate Agreements that sets out best practices for third parties.
While there is no licensing requirement for information security experts, industry experts often point out that "the IT people" are not information security experts. IT staff are focused on delivering information services on time and on budget. Information security is a different discipline. Qualifications in information security may include any of the following certifications:
- Certified Information Systems Security Professional (CISSP)
- Global Information Assurance Certification (GIAC)
- Certifications from ISACA (Information Systems Audit and Control Association), such as CISA and CISM
Excerpts from: MEMORANDUM OPINION, PAMELA MEADE SARGENT, Magistrate Judge
Case No. 1:15cv00057, United States District Court, W.D. Virginia, Abingdon Division
February 9, 2017
Note 1: excerpts from holding on waived privilege:
With regard to the reasonableness of the precautions taken to prevent the disclosure, the court has no evidence before it that any precautions were taken to prevent this disclosure. The employee who uploaded Harleysville’s Claims File to the Box Site had used the site previously to share information with a third-party, the NICB. It does not matter whether this employee believed that this site would function for only a short period of time or that the information uploaded to the site would be accessible for only a short period of time. Because of his previous use of the Box Site, this employee either knew — or should have known — that the information uploaded to the site was not protected in any way and could be accessed by anyone who simply clicked on the hyperlink. Despite this, this employee purposefully uploaded the Claims File to the Box Site, making it accessible to anyone with access to the internet, thus making the extent of the disclosure vast….
Harleysville concedes that no action was taken any earlier than this date to block access to the Claims File despite the fact that Harleysville’s counsel, themselves, used the unprotected hyperlink to access the Box Site to download the Claims File sometime after it was uploaded on April 26. Therefore, they, too, knew — or should have known — that the information was accessible on the internet. The court in Walton plainly stated, “waiver may occur if the disclosing party failed to take reasonable measures to ensure and maintain the document’s confidentiality, or to take prompt and reasonable steps to rectify the error.” 694 S.E.2d at 552.
Based on these facts, I find that Harleysville has waived any claim of attorney-client privilege with regard to the information posted to the Box Site. It has conceded that the Box Site was not password protected and that the information uploaded to this site was available for viewing by anyone, anywhere who was connected to the internet and happened upon the site by use of the hyperlink or otherwise. In essence, Harleysville has conceded that its actions were the cyber world equivalent of leaving its claims file on a bench in the public square and telling its counsel where they could find it. It is hard to imagine an act that would be more contrary to protecting the confidentiality of information than to post that information to the world wide web.
Note 2: excerpts from holding on disqualification of defense counsel:
….The court holds that, by using the hyperlink contained in the email also containing the Confidentiality Notice to access the Box Site, defense counsel should have realized that the Box Site might contain privileged or protected information. This belief should have been further confirmed when defense counsel realized that the Box Site contained not only the Video, but Harleysville’s Claims File. That being the case, defense counsel should have contacted Harleysville’s counsel and revealed that it had access to this information.
Based on the decision that the posting of the Claims File to the internet waived any attorney-client privilege or any work-product protection over the information contained in the file, I find that the disqualification of defense counsel is not warranted in this situation. The disqualification of counsel is an extreme sanction…. I find that the more reasonable sanction is that defense counsel should bear the cost of the parties in obtaining the court's ruling on the matter.