Sharing Is Caring (Until It's Not): Proper Use Of File-Sharing Sites
March 25, 2019
Today, people share information constantly. E-mail is the most popular means of sharing information in a professional setting, but many businesses and law firms also use “share sites” to send and receive files, particularly large files. Law firms often need share sites to collaborate with others on document-intensive projects like transactions or document productions. Law firms spend significant time evaluating these platforms, not only to determine which is most suitable to meet the needs of their clients but to evaluate the platform’s ability to secure a client’s confidential, sensitive and/or and privileged information. The case examined below is a cautionary tale that illustrates the importance of understanding and properly using file-sharing technologies.
The United States District Court for the Western District of Virginia, in Harleysville Ins. Co. v. Holding Funeral Home, Inc., No. 1:15-cv-00057 (W.D. Va. Feb. 9, 2017), emphasized the need for lawyers to understand the technologies used by their clients and the risks associated with those technologies,[1] especially where confidential information is involved. Without exercising care, lawyers might be faced with a situation where “loose” use of technology inadvertently results in waiver of the attorney-client privilege or work-product doctrine.[2]
In Harleysville, an insurance company (“plaintiff”) sued representatives of the insureds (“defendants”) for making material misrepresentations to the plaintiff during the investigation of a fire loss claim.[3] During the investigation, plaintiff and the National Insurance Crime Bureau (“NICB”) communicated using an online file share site operated by Box, Inc. (the “Box Site”) to exchange confidential information and sent an email containing an unencrypted hyperlink to provide access to that information without imposing a password requirement.[4] As a result, anyone with access to the hyperlink could access the information, which the court later described as the “cyber world equivalent of leaving its claims file on a bench in the public square and telling its counsel where they could find it.”[5]
Unfortunately for the plaintiff, defendants’ counsel was able to obtain the plaintiff’s confidential legal files on the share site after receiving a subpoena response. [6] Included in the subpoena response was an email from the plaintiff to NICB containing the hyperlink to the share site, which at the time the email was sent contained only a non-confidential video.[7] By the time the defendant accessed the hyperlink, however, the claims file relevant to the case had been uploaded to the share site.[8] Defendants’ counsel reviewed and downloaded the plaintiff’s confidential legal files without notifying plaintiff’s counsel of the possible unintentional disclosure of the claims file and its potentially privileged nature.[9]
Plaintiff’s counsel also provided a thumb drive in response to a request for production of documents but later discovered that the thumb drive mistakenly contained potentially privileged information.[10] Plaintiff’s counsel alerted defendants’ counsel and requested that the disclosed privileged documents be destroyed.[11] Upon further review, plaintiff’s counsel realized that the thumb drive also contained a file entitled “NICB Video,” which was the claims file.[12] When plaintiff’s counsel contacted defendants’ counsel to request that the file be destroyed, defendants’ counsel admitted that it had already reviewed the materials available on the Box Site.[13]
As a result, the plaintiff immediately disabled the Box Site and filed a Motion Requesting the Disqualification of Defendants’ Counsel.[14] In its motion, the plaintiff argued that defendants’ counsel’s access to the claims file was an “improper, unauthorized access to privileged information requiring disqualification of all defense counsel of record.”[15] The court, however, found that plaintiff’s counsel’s failure to limit access to the files by means of a password requirement or other additional protections constituted a failure to take reasonable steps to protect the information, which resulted in a waiver of the attorney-client privilege and work-product doctrine.[16] The court also sanctioned defendants’ counsel for accessing the unsecured information without notifying plaintiff’s counsel of the possible production of privileged information.[17] The court found that because it had held that the plaintiff waived the attorney-client privilege and work-product doctrine by disclosing the claims file, a disqualification of counsel would be an extreme sanction where substitute counsel would end up having access to the same information.[18] Therefore, the court gave a more lenient sanction, requiring defendants’ counsel to bear the cost of obtaining a ruling on the matter presented.[19]
File-sharing sites can be an effective tool for transmitting information between parties, but improper use of a share site can also expose a client to the risk of unintentional disclosure of confident, sensitive or privileged information. Counsel must take the time to understand the technology utilized for a client to protect against such risks, such as by using password protection and encryption and imposing time limits to access files. To best serve their clients, lawyers should implement specific protections and controls on their own technologies used for sharing files and encourage their clients to do the same. The more time spent understanding these technologies and assessing their associated risks, the less likely you or your client will engage in the “cyber world equivalent of leaving [your case files] on a bench in the public square.”
Author: Nicole C. Johns, Associate, Commercial Law Group
© March 2019 Jackson Kelly PLLC
[1] Mem. Op. at 10, Harleysville Ins. Co. v. Holding Funeral Home, Inc., No. 1:15-cv-00057 (W.D. Va. Feb. 9, 2017).
[2] Id.
[3] Id. at 1.
[4] Id. at 2.
[5] Id. at 9.
[6] Id. at 16.
[7] Id. at 2.
[8] Id. at 3.
[9] Id.
[10] Id.
[11] Id.
[12] Id.
[13] Id.
[14] Id.
[15] Id. at 4.
[16] Id. at 7–9.
[17] Id. at 13–16.
[18] Id. at 17.
[19] Id.