If you share files online, whether to clients, colleagues, or opposing counsel, you’re not alone. Cloud solutions are increasingly reshaping the practice of law and one of the most common tools attorneys are gravitating towards is online file sharing. This is an especially notable trend among solos and smaller firms, where over half use either Dropbox or Google Docs for work tasks. That makes sense. Cloud-based tools often act as a “force multiplier,” allowing attorneys to do more worth less and, ultimately, to provide superior value.
But issues can arise when such tools aren’t properly used. This is especially true when the unprotected sharing of sensitive files is involved. As one federal case from Virginia recently pointed out, poor file sharing practices can lead to the same types of issues Wells Fargo recently experienced when it inadvertently sent a CD full of confidential client information to opposing counsel during discovery—without review or redaction.
The Consequences of Disclosing Privileged Files
To be maintained, attorney client privilege must be fiercely guarded. Parties that voluntarily disclose materials during discovery that would otherwise be considered attorney work product or privileged work material may waive their rights to those protections.
These parties, however, have a possible out from this if the disclosure, put broadly, occurred by accident. Under Federal Rule of Evidence 502, the disclosure of information otherwise covered by attorney work-product protections or other privileges will not waive those privileges if the disclosure was inadvertent, the party took reasonable steps to prevent disclosure, and the party promptly took reasonable steps to rectify the error—including notifying parties about the disclosure of potentially privileged materials under Federal Rule of Civil Procedure 26(b)(5)(A).
In addition, opposing parties that are notified about the potential receipt of privileged work product and other evidence do not get to “take the money and run.” They have duties under Rule 26(b)(5)(B) that restrict them from using or sharing materials that are deemed privileged. In state cases and in some federal cases, courts will also consider state attorney-client privilege laws to determine whether disclosed work product or trial preparation materials are considered fair game.
Make Sure Your Online Files Are Protected
Rule 502’s impact on file sharing came into focus during a recent federal court case from Virginia involving data stored on Box, a cloud sharing platform. The case, Harleysville Ins. Co. v. Holding Funeral Home, revolved around a Box file link that a claims associate working for the plaintiff’s parent company shared with an officer from the National Insurance Crime Bureau. Over the course of a few months, the claims associate uploaded to Box a video showing the building fire that was subject of the dispute, and then a copy of the entire claims file for the NICB to review. The file was not password-protected and could be accessed by anyone who possessed the link or who typed the link address into their web browsers. The associate’s email to the officer contained a standard confidentiality notice in the footer, but nothing more.
While the email and file link were intended for the NICB officer’s eyes only, the plaintiff produced a paper copy of the email including the link to defense counsel during discovery. Naturally, defense counsel leapt at the opportunity to “click” on the link—technically, to type the URL into their from the paper copy of the email into their browser—and review the video and claim file—all without notifying plaintiff’s counsel.
Under ordinary circumstances, the contents of the link could be treated as evidence entitled to attorney-client privilege. The court, however, found this not to be the case here. In deciding whether the defendants’ counsel should be disqualified for having accessed privileged evidence & attorney work product, the court held that the plaintiff’s failure to provide adequate safeguards for protecting the file contents undermined any claim that the disclosure was inadvertent. As the judge unsparingly characterized it, the way Harleysville treated its file permissions for the Box file contents was “the cyber equivalent of leaving its claims file on a bench in the public square and telling its counsel where they could find it.”
Ethical Issues That Arise From Unsafe Sharing
Those who benefit from careless disclosures, however, aren’t necessarily in the clear themselves. In addition to procedural issues, attorneys need to consider the ethical duties that arise when they receive files that may be have been sent inadvertently. Parties, for example, can be sanctioned for accessing information they knew or should have known was either confidential work product or material subject to an evidentiary privilege.
This was the case in Harleysville as well; although the court did not disqualify the defendant’s counsel, it nonetheless ordered the defendant to reimburse the plaintiff for its costs in filing and determining the motion on the grounds that its failure to notify the plaintiff of its knowledge of the Box link’s contents violated state ethics laws and Rule 26(b)(5)(B).
Under the federal rules, parties who are notified that they may have received information that could be protected a privileged or attorney work-product face a number of restrictions on what they can do with such documents—such as sequestering it & destroying copies, or taking efforts to retrieve copies it distributed. Parties that fail to follow the rule’s usage and reporting restrictions can subject themselves to court-issued sanctions.
In the end, Harleysville serves as yet another stark reminder of how poor technology habits and file protection hygiene can sabotage your client’s case. Had the claims associate set appropriate file sharing permissions, this issue would likely have never reached the federal bench. On the other hand, had the defendant’s counsel been honest about accessing the plaintiff’s potentially privileged information, the defendant would have avoided unnecessary legal fees. It only illustrates how parties on both sides of the “v.” need to educate themselves on the technology they use in practice, and underscores how pervasive a role these issues will play on cases to come.
This post was authored by Eric Pesale, the founder of Write For Law, who writes regularly about eDiscovery, cybersecurity and other legal topics for law firms, publications, and companies. He is a graduate of New York Law School and the University of North Carolina at Chapel Hill, and recently passed the New York bar exam. Eric can be reached at [email protected] or on Twitter at @writeforlaw.