If you’re a frequent reader of the blog, or just a follower of eDiscovery case law, you’ve probably heard about Harleysville Insurance Company v. Holding Funeral Home. (We’ve written about it here and here and included it in webinars here and here, for example.) The case involved the unsecured sharing of confidential documents during litigation, documents which—of course—ended up in the wrong hands, leading the magistrate judge to rule that privilege had been waived.
Now that ruling has been reversed. Michael Simon explains the reversal, and its implications, below.
In the last couple of webinars that I have done with Logikcull, we made much of the rather shocking case of Harleysville Insurance Company v. Holding Funeral Home, Inc., No. 1:2015cv00057 (W.D. Va. 2017), where Magistrate Judge Pamela Meade Sargent, on February 9, 2017, held that an insurer could not force the return of an inadvertently produced, privileged documents. Those documents, an entire casefile created by the insurer’s investigators, had been uploaded to an unsecured Box folder and shared with an unsecured link. That link, without any password protection, was then inadvertently shared with a third party and later produced to the defense. The defense in turn produced it back to the plaintiff later in the litigation, cluing them in to their mistake.
In perhaps one of the best judicially-generated metaphors of the year – at least within the eDiscovery world – Magistrate Judge Sargent likened the plaintiff insurer’s action of leaving the document in an unsecured online Box folder as:
[Plaintiff] has conceded that its actions were the cyber world equivalent of leaving its claims file on a bench in the public square and telling its counsel where they could find it. It is hard to image an act that would be more contrary to protecting the confidentiality of information than to post that information to the world wide web.
By making the case file publicly accessible through Box, the magistrate judge ruled, the plaintiff had waived privilege and work-product protections to any documents in the file.
As we also noted, the insurer did still win something of a victory—a pyrrhic one perhaps—in that the Magistrate Judge entered monetary sanctions against the defense counsel for failing to follow the rules requiring proper inquiry and consultation with the court before making use of what was an obviously privileged document.
On October 2, 2017, District Court Judge James Jones overruled the Magistrate Judge’s ruling and held that any privilege waiver was inadvertent, and barred the defendant from making any use of the file. (Hat tip to Ride the Lightning for recently covering the new development.)
However, as we will also see, Judge Jones may have made a pyrrhic victory for plaintiff even more so, in that while the insurer was able to block any use of its confidential file, which thanks to further details from the District Court we know had no “smoking gun” content, the monetary sanctions were vacated—making this an expensive victory.
The Magistrate Judge’s Decision
To recap the case – and our coverage – as briefly as possible for this complicated situation: it started with a declaratory judgment action by an insurance company that refused to pay on a fire that destroyed a funeral home, citing signs of arson. The insurer worked with the independent National Insurance Crime Bureau (NICB) during its investigation. One of the insurer’s investigators uploaded a video of the fire scene to an unsecured Box file sharing site and then sent an email to their NICB contact to “share” the link to the Box file. That email had a confidentiality notice on it, the kind of standard one that we all see in law firm emails.
Seven months later, the same employee used the same unsecured Box site to share the insurer’s confidential claim file with their outside counsel. The insurer uploaded the claim file to the very same Box folder. The insurer’s outside counsel reviewed the claim file, and left it there. It is worth noting that NICB was not notified that the Box folder now had the confidential claim file on it, and they never accessed.
The next month, counsel for the funeral home sent a subpoena to NICB for documents relevant to the case. NICB’s response included the original email from the insurer to the NICB that shared the link to the video, thinking that only the video was there. Since the claim file had been uploaded in the meantime, this gave defense counsel access to it, and that very same day they downloaded and read it. Plus, they shared it with all of the other defense counsel, their clients and even law enforcement officials in a related criminal case as well.
The insurer might never have found out about this, except that—astonishingly—defendant produced the claims file back to the insurer in the defendant’s discovery production a few months later. Within a few days, the insurer’s counsel requested the destruction or return of the file, which defendant refused to do. Plaintiff then filed a motion seeking the return of the file and sanctions against defendants.
Magistrate Judge Sargent found that disclosure was “was inadvertent under Virginia state law, in that Harleysville unknowingly provided access to information by failing to implement sufficient precautions to maintain its confidentiality.” The Magistrate Judge found that all of the factors for whether privilege had been waived went against plaintiff, especially the critical factor as to whether reasonable precautions were taken:
With regard to the reasonableness of the precautions taken to prevent the disclosure, the court has no evidence before it that any precautions were taken to prevent this disclosure. (emphasis in the original)
Magistrate Judge Sargent was also particularly taken, and not in a good way, with the fact that the file was exposed to the entire Internet, because anyone could have accessed the file had they known the correct URL. However, as we personally noted earlier how anyone could have simply guessed the correct URL, when specific Box files have complex hyperlinks comprised of 32 random alpha-numeric characters, fails to understand the Infinitesimally-small possibility of such an event happening (spoiler alert: this will be important!).
As to the work product doctrine, Magistrate Judge Sargent found that FRE 502(b) did not protect the plaintiff either. The actions taken by the insurer’s employee to share the file on the Box folder were deliberate, and thus could not be termed “inadvertent.” Moreover, the Magistrate Judge found that the insurer and its counsel did not take appropriate actions to protect the file or to rectify the problem after they became aware of it.
In the end, the Magistrate Judge found that plaintiff waived both its attorney-client privilege and work product doctrine protection.
As we noted, the Magistrate Judge did enter monetary sanctions against defense counsel for failure to properly follow the requirements of FRCP 26(b)(5) and 45 in handling the clearly designated privileged documents.
The District Court Overrules the Finding of Waiver and Vacates the Monetary Sanctions
District Court Judge James Jones conducted a lengthy review of the lower court’s decision, holding a second evidentiary hearing and even allowing the parties to present expert testimony as to the monetary sanctions issue. In terms of the privilege issue, Judge Jones also provided further factual details that were left out of the lower court order, which had great impact upon the court’s analysis:
- While the confidential claims file contained important information, it contained no “smoking guns” that could tilt the case for one party or another (please keep this in mind when we start adding up the costs of all of this battle later on)
- NICB never knew that the insurer had re-used the Box folder to post the claims file, as they never accessed the folder after obtaining the video, and thus when they produced the email to the defense counsel, they thought that they were only sharing access to the non-privileged video; while this could have been ascertained from the Magistrate Judge’s decision (if one walked very carefully through the factual timeline), the District Court made this important point very clear
- The Box folder used by the insurer’s employee was not, as the Magistrate Judge’s opinion seemed at times to imply, a seemingly irresponsible act of an employee using “Shadow IT” (unknown and unsanctioned by the company) to BYOC (“Bring Your Own Cloud”) but was instead part of the insurer’s licensed private Box set up
- As well, the Box system for the insurer had the capability to set up password protection, so that the insurer’s employee who used the system to share the files here had reason to believe that that the file was actually protected (even though it wasn’t)
- The insurer’s employee had reason to believe as well that each “sharing” email URL was unique, in that the URL sent to NCIB would not be the same as the one sent to the outside counsel
- Further, the employee expected that the sharing email sent to NICB from Box would have been encrypted and expired within five to ten days, like other emails sent from the insurer’s system
- And, as to that employee, while ultimately the District Court’s decision lets him off the hook for the disaster, the court still faults him for making some fundamental mistakes – while for the first time in these opinions mentioning his full name (I would repeat it here, but I am trying—if not always successfully—to become a nicer person . . . really)
Moreover, as to the issue of whether someone could have possibly accessed the Box folder simply by guessing the URL, Judge Jones showed that he is vastly better than many judges, even the US Supreme Court Justices, at understanding math. Judge Jones first noted that the URL was not searchable on Google, and thus one could not just “Google it” to find the folder. What one can Google (and maybe Judge Jones did) is the odds for guessing a random 32 character alphanumeric string:
These parameters mean that there are 6.3340287 x 1049 (63,340,287,000,000,000,000,000,000,000,000,000,000,000,000,000,000) possible “sharing” links.
Based upon this impressive number (and impressive math skills for a judge, too), Judge Jones found that “[t]he security of the Box Folder, then, is inherent in the nature of the URL,” which brings us back to our original, oh-so-colorful folder on a park bench metaphor (which I admit that I just had to use over and over in webinars). Judge Jones had his own, similar metaphor that was just a little more . . .”grounded”:
In this context, the magistrate judge’s analogy of Harleysville leaving the Claims File in a briefcase on a public park bench and telling its counsel where it could be found, is inapposite. Practically speaking, it would be impossible for anyone, let alone a particular person connected with the case, to accidentally stumble across the Box Folder. As far as real-world equivalents go, it is more appropriate to characterize the briefcase as having been buried somewhere in a large park, technically publicly-accessible, but for all practical purposes, secured.
Based upon the newly-ascertained evidence from the second hearing, along with the previously obtained facts, Judge Jones found that the attorney-client privilege was not waived. In addition, based upon FRE 502(b), whether using the well-known “five factors” test of Mt. Hawley Ins. Co. v. Felman Prod., Inc., 271 F.R.D. 125, 133-36 (S.D. W. Va. 2010), or a more basic reasonableness assessment, the court found that any disclosure was inadvertent, proper precautions were taken and plaintiff’s counsel acted promptly and properly to rectify the situation.
The District Court then turned to an additional, almost equally lengthy review of the monetary sanctions imposed by the Magistrate Judge. Without going into great detail on this issue here (perhaps in a futile attempt by me not to make this article too long), the District Court judge agreed with the Magistrate Judge that defendant’s counsel had violated not just the applicable Federal Rules concerning the use of clearly privileged information, but also the specific ethical rules as well as rules barring any seemingly improper conduct. While, like the Magistrate Judge, the District Court declined to disqualify defense counsel, the court vacated the monetary sanctions and instead entered an order barring use of any of the confidential information or what could be derived therefrom—and blocking the use of any other party in any other action.
Even If This Is a Victory for the Insurer, It Is a Very Costly One, on Many Levels
It is always tempting, and we often see some declaring that this sort of ruling represents a great victory for the prevailing side. Perhaps this is victory, as the insurer did, in the end, get what they wanted most: an order preventing the other side—and indeed anyone—from using the confidential information. But before we start to wonder when the party will be held, let’s consider the cost of all of this for plaintiff to be put back into exactly the position that they were before they accidentally let this confidential information slip out of their hands.
First, as noted above—and by the court—this battle did not concern information that would have turned the case for either side. There were no “smoking guns” here, and the case file did have some useful stuff, but the court noted more than once that this wasn’t ultimately a battle over the fate of the lawsuit itself.
Yes, it is of course true that as a lawyer, you never want the other side to know what you are thinking and your case strategies. But here, the insurer could have still lost again on this motion could still have won the case. That alone should set the stage for any considerations as to what the insurer had to spend to block the use of the file.
Further, the District Court vacated the monetary sanctions award, where defense counsel had to pay the costs for obtaining the court’s ruling in the matter. Thus, the insurer now has to bear these costs themselves, again, for just being put back in the same position as they were before their errors.
Finally, the plaintiff insurer only got what it wanted after two sets of evidentiary hearings, before the Magistrate Judge and before the District Court. That’s two expensive sets of briefings and arguments. As well, the insurer had to retain and pay for its own expert testimony. The court described plaintiff’s expert as having:
served for 15 years as Assistant Bar Counsel for the Virginia State Bar, prosecuting ethics complaints, and now specializes in lawyer’s professional responsibility issues, including the defense of lawyer discipline prosecutions. . .
. . . but I think perhaps I can describe this more pithily and on-point: “not cheap.” And, of course, we cannot forget that defendant had their own expert, which plaintiff’s counsel had to prepare for and cross-examine.
So, let us be clear: this was an expensive victory, likely well into the six-figures, and all for plaintiff to be able to block the use of information that in all likelihood wasn’t going to change the results of the case.
All of that of course leaves aside the human costs of all of this. Relationships get strained. Careers get broken. The sleepless nights of those dragged into this grow longer. I admit that we often seem cavalier about this stuff, as we blithely recount the nightmares of others, but perhaps this is the time to take a few moments just to emphasize. Because yeah, it’s really got to suck to be that guy.
Thus, the lessons to be learned here remain the same: you need to use better technology to secure your confidential information.
We have presented Harleysville as the prime example of why lawyers and their staff need to use technology that is simpler and better, to handle case management and eDiscovery issues. The decision of the District Court vacating the Magistrate Judge’s dramatic decision certainly robs some of that drama from this example, but it doesn’t change the fundamental point: Complicated and difficult technology can cause tremendous problems. The employee who made the mistake that led to this disaster – and make no mistake that it was and still is a disaster – thought that he was doing everything right:
A review of Box, Inc.’s website reveals that such security precautions are available, and the evidence adduced at the second hearing showed that [employee], who was inexperienced with the Box, Inc. service and who lacks a technical background, believed he was implementing them.
People make mistakes. Systems fail. Processes get skipped. But those mistakes, failures and omissions don’t necessarily have to lead only to disaster. Only poorly designed systems do that. For both case management and eDiscovery you need a system that lets you build security into the process, and fail by default in ways that don’t lead to month after month of expensive motions just to get your data back.
This post was authored by Michael Simon, an attorney and consultant with over 15 years of experience in the eDiscovery industry. Principal at Seventh Samurai and Adjunct Professor at Michigan State University College of Law, he regularly writes and presents on pressing eDiscovery issues. He can be reached at firstname.lastname@example.org.