Failure to Use Basic Security Protections when Transferring Electronic Files Results in Waiver of Privilege

The Attorney/Client Privilege and Work Product Protection for a video file transferred via Box.com was lost when a client failed to use basic security precautions.  A February 2017 ruling by a Western District of Virginia magistrate judge in Harleysville Insurance Company v. Holding Funeral Home, Inc. (Case No. 1:15-cv-00057) should reinforce a requirement that lawyers use basic security protections (at a minimum) for all potentially privileged or protected communications.

  1. All Too Common Facts

There are no winners in this case. Both sides of the Harleysville Insurance matter were scolded by the magistrate judge.  An insurance investigator transferred a video file to the company’s counsel using Box.com, a popular file transfer and sharing service. To notify counsel of the transfer, the investigator sent an email that included the hyperlink to the video file.  Months later, the transmission email was produced in discovery.  Defendants’ counsel spotted and then tested the hyperlink, and immediately found the video file.

It appears from the recitation of the facts that the investigator knew how to use the basic transfer capabilities of Box.com but was never trained or instructed to use even the basic security tools. For example, Box.com allows for the creation of secure folders and the controlled access to any folder.

To make matters worse, the video file resided on the Box.com site accessible by the hyperlink for at least six months.

  2. Attorney/Client Privilege and Work Product Protection Waiver

After the access to the Box.com site and the video file was exposed, Harleysville argued that defense counsel’s access to the file was an improper, unauthorized access to privileged information that should require the disqualification of defense counsel. The argument in response was that Harleysville had waived any claim of privilege or confidentiality by placing the information on Box.com without using any of the available security tools.

Attorney/Client Privilege.  The court analyzed the Attorney/Client Privilege waiver separately from the Work Product Protection issue.  Its first finding was that Harleysville waived any claim of Attorney/Client Privilege with regard to the information posted on Box.com.  The court concluded that “the information uploaded to this site was available for viewing by anyone, anywhere who was connected to the Internet and happened upon the site by use of the hyperlink or otherwise.”  The decision continues, “In essence, Harleysville has conceded that its actions were the cyber world equivalent of leaving its claim file on a bench in the public square and telling its counsel where they could find it.”

Attorney/Client Privilege issues in the case were governed by state law. Virginia law provides protection for privileged communications. See Walton v. Mid-Atlantic Spine Specialists, 694 S.E.2d 545, 549 (Va. 2010).  But this privilege is an exception to the general duty to disclose and should be strictly construed.  In addition, the proponent of the privilege has the burden to establish that the Attorney/Client Privilege applies and that the privilege has not been waived.

The Walton case adopts a multifactor analysis for determining whether the holder of a privilege took reasonable steps to prevent disclosure and also took reasonable steps to rectify the error. The first listed factor is “the reasonableness of precautions to prevent inadvertent disclosures.”  Harleysville’s failure to take any reasonable security precautions doomed its argument from the start.

Work Product Protection.  Work Product Protection in this matter was governed by federal law.  The Harleysville Court built its analysis on the Fourth Circuit’s recognition “that the inadvertent disclosure of attorney work product, even opinion work product, can result in a waiver of its protected status.”  This guidance is tempered by additional appellate authority that holds that a waiver should occur only when an attorney’s or client’s actions are “consistent with a conscious disregard of the advantage that is otherwise protected by the work product rule.”

FRE 502(b) would protect an “inadvertent” disclosure.  But the magistrate judge reasoned the disclosure here could not be inadvertent because the investigator clearly intended to transfer the video file to Box.com.  The Court also looked to Rule 502(b)(2), which provides that the disclosure is not a waiver if the holder of the protection “took reasonable steps to prevent disclosure.”  Again, Harleysville was in a bad place because it failed to take any steps.

The magistrate judge was obviously troubled not only by the transfer of the video file to Box.com without any security precautions, but also by the client leaving the unprotected file on the Internet site for at least six months.  The conclusion followed that this carelessness waived the Work Product Protection.

  3. Sanctions Imposed against Defense Counsel

In the introduction to this Blog post, we noted that both sides were scolded by the Court.  The investigator’s email that included the hyperlink also included a Confidentiality Notice.  This Notice coupled with the obvious significance of the video file was sufficient for the Court to conclude that the defense counsel should not have downloaded and studied the file. The Court wrote, “by using the hyperlink contained in the email also containing the Confidentiality Notice to access the Box Site, defense counsel should have realized that the Box Site might contain privileged or protected information.”

Harleysville argued that the appropriate sanction should be the disqualification of defense counsel. The magistrate judge agreed that there was an ethical stumble, but concluded that the disqualification was an unnecessarily severe sanction. She did, however, order that defense counsel should bear the parties’ costs in obtaining the Court’s ruling on the matter.

  4. Summary and Conclusions

The immediate instruction from the Harleysville magistrate judge’s ruling is that if a party chooses to use a new technology, it will be held responsible for ensuring that its employees and agents understand how the technology works, and, more importantly, whether the technology allows unwanted access by others to its confidential information.  The Box.com facts are straightforward: the basic security features of Box.com would, if utilized, have blocked access to the video file.

The case sets the stage for a broader set of responsibilities associated with newer and more sophisticated security technologies.  For example, now that encryption technologies are readily available, should a disclosure that would have been blocked by the use of even simple encryption be deemed a waiver of privileges?   In Harleysville, the Box.com tools were present but not utilized.  In the encryption example, the tools can be acquired and then used, but as of today are probably not widely installed.  But this could change overnight when courts understand that Microsoft has added encryption options to Outlook.   The Harleysville reasoning likely will make it a requirement, not just a recommendation, that lawyers employ encryption for potentially privileged or protected communications.

H/T to Sharon Nelson and the VSB 2017 TechShow for flagging the significance of the Harleysville Ins. Co. v. Holding Funeral Home, Inc. ruling.