If you upload files without password protection to a file sharing site (such as Box.com or Dropbox), is it the same as leaving documents on a bench in a public square? One magistrate judge thought so but another judge weighed in and thought otherwise. Regardless of who is right (we tend to agree with the latter judge), there are precautions lawyers should take to keep information saved on file sharing sites private.
In Harleysville Ins. Co v. Holding Funeral Home, Inc., Case No. 1:15cv00057 (W. D. Va. February 9, 2017), an insurance coverage dispute ended up in court when an insurer denied a funeral home’s fire damage claim, concluding the fire was arson.
During his investigation of the fire, an insurance company investigator uploaded surveillance video to Box.com and sent a link to the National Insurance Crime Bureau (NICB). The investigator did not password protect the file and did not set sharing restrictions. As a result, anyone with the link could access the video. A few months later, the insurance investigator uploaded the entire claim file to the same Box folder and sent the link to the insurance company’s lawyers.
In response to a document subpoena from the funeral home attorneys, among other documents, the NICB provided a copy of the email with the Box link. Attorneys for the funeral home used the link and examined the material uploaded to Box, including the claim file, but did not alert the insurance company’s attorneys they had access to the files.
When the insurance company learned the funeral home’s lawyers accessed the claim file on Box, they sought a sanctions order from a magistrate judge disqualifying the funeral home’s attorneys. The insurance company argued the attorneys should be disqualified from the case for impermissibly viewing information protected by the attorney client privilege and attorney work product doctrine. In response, attorneys for the funeral home argued that the insurance company waived any privilege in the claim file because the Box link was not password protected or otherwise restricted.
The magistrate agreed that by sharing the information with an unsecured Box link, the insurance company waived any privilege in the material. The judge concluded that even though sharing the material with opposing counsel was unintended, to maintain the privileged nature of information, reasonable precautions must be taken to prevent disclosure.
The magistrate found no evidence that any precautions were taken to prevent unintended disclosure of the information, and believed that the insurance company’s “actions were the cyber world equivalent of leaving its claims file on a bench in a public square and telling its counsel where they could find it.”
However, the judge’s opinion did not lay all blame at the feet of the insurance company. While it did not disqualify the funeral home’s attorneys, it did sanction them in the form of costs.
The opinion noted that both civil procedure rules and rules of professional conduct obligate attorneys to notify opposing counsel when they receive information that appears to be privileged. The magistrate believed that it should have been apparent to the funeral home attorneys that information in the Box account was privileged and they should have either let opposing counsel know they had access, or filed a motion with the court to establish that the information was not privileged.
Thankfully for the insurance company, the magistrate did not have the last word. Both parties asked a district court judge to review the magistrate’s decision, and he concluded that saving the claim file on Box without limiting access did not waive its privileged nature. The district court judge did, however, agree that while the funeral home’s attorneys should not be disqualified, their conduct was sanctionable.
The court noted that when privileged documents are inadvertently disclosed, courts must decide whether disclosure waives privilege in the documents. The judge noted that “[a]n inadvertent disclosure may occur where a document is produced ‘knowingly, but mistakenly’” or by failing to implement sufficient precautions to maintain confidentiality. He concluded that permitting the funeral home’s attorneys access to the claims file via the Box account was unknowing and inadvertent.
The judge also concluded that there was no waiver of privilege because he believed the insurance company’s efforts to maintain the confidentiality of the information in the Box account were reasonable. The judge noted that the Box link by which the funeral home’s attorneys accessed the claims file was not searchable via an internet search engine and that access to the files was limited to users with the specific link.
The judge noted that “[a]lthough any person who knew the URL could access the Box Folder without a password, as a practical matter, the URL itself function[ed] as a password” because it contained a string of 32 randomly generated characters.
As a result, the court disagreed with the magistrate’s park bench analogy:
In this context, the magistrate judge’s analogy of Harleysville leaving the Claims File in a briefcase on a public park bench and telling its counsel where it could be found, is inapposite. Practically speaking, it would be impossible for anyone, let alone a particular person connected with the case, to accidentally stumble across the Box Folder. As far as real-world equivalents go, it is more appropriate to characterize the briefcase as having been buried somewhere in a large park, technically publicly-accessible, but for all practical purposes, secured.
Despite the magistrate’s original decision in this case, lawyers should not be reluctant to utilize technology in their practices. In fact, lawyers are obligated to keep up with technology but must ensure any technology they use has safeguards to protect confidential client information.
So, if you want to use file sharing services, how can you restrict access to the information? There are a few ways.
First, files themselves can be password protected (for instance, by creating a password protected zip file), and for many file sharing services, the links themselves may be password protected. Additionally, settings on some file sharing services permit users to set expiration dates for links.
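The settings described above can also be checked in bulk. The following is an added example, not part of the original article: a short Python audit that flags shared links left open without a password or without an expiration date. The field names (access, is_password_enabled, unshared_at) are modeled on the shared-link record in Box's API; the 30-day limit is an assumed policy and the sample records are constructed.

```python
from datetime import datetime, timedelta, timezone

# Assumed firm policy (not from the article): links must expire within 30 days.
MAX_LIFETIME = timedelta(days=30)

def audit_shared_link(item, now):
    """Return the policy findings for one file or folder record."""
    link = item.get("shared_link")
    if not link:  # never shared by link: nothing to check
        return []
    findings = []
    # "open" means anyone holding the URL gets in, as in the Harleysville case.
    if link.get("access") == "open" and not link.get("is_password_enabled"):
        findings.append("open link without password")
    expires = link.get("unshared_at")
    if expires is None:
        findings.append("no expiration date")
    elif datetime.fromisoformat(expires) - now > MAX_LIFETIME:
        findings.append("expiration beyond policy")
    return findings

def audit_all(items, now):
    """Map item name -> findings, listing only items that violate policy."""
    report = {}
    for item in items:
        findings = audit_shared_link(item, now)
        if findings:
            report[item["name"]] = findings
    return report

# Constructed sample records, not real data.
NOW = datetime(2017, 2, 9, tzinfo=timezone.utc)
SAMPLE_ITEMS = [
    {"name": "Claim File", "shared_link": {
        "access": "open", "is_password_enabled": False, "unshared_at": None}},
    {"name": "Surveillance Video", "shared_link": {
        "access": "open", "is_password_enabled": True,
        "unshared_at": "2018-02-09T00:00:00+00:00"}},
    {"name": "Draft Brief", "shared_link": {
        "access": "collaborators", "is_password_enabled": False,
        "unshared_at": "2017-02-16T00:00:00+00:00"}},
    {"name": "Internal Notes", "shared_link": None},
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_ITEMS, NOW).items():
        print(f"{name}: {', '.join(findings)}")
```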
But there are also other non-tech ways for lawyers to protect client information. For instance, using clawback agreements may help prevent waiver of attorney client information. The magistrate in this case found a waiver of privilege because the insurance company took no reasonable precautions to restrict access. Under Federal Rule of Evidence 502, even if privileged information is disclosed inadvertently, the privilege is waived unless the party wanting to protect the privilege establishes they took reasonable precautions to prevent the disclosure. With a clawback agreement, parties can agree that there is no waiver of attorney client privilege or attorney work product protection for any disclosure regardless of any precautions taken to protect against it.
To learn more, check out this article for a detailed discussion of clawback agreements.