Attorney-client privilege waived when non-password protected files stored online

Nicole Black, BridgeTower Media Newswires

Lawyers have been using cloud computing for nearly a decade now. Nearly 30 different jurisdictions, including New York, have issued ethics opinions permitting lawyers to store confidential client data in the cloud as long as reasonable steps are taken to ensure that the data is secure. But what steps must be taken to ensure that the data is securely stored? And if the data is not adequately protected, then how might that affect a pending case?

Some of these questions were answered in Harleysville Insurance Company v. Holding Funeral Home Inc., a decision handed down by the United States District Court, Western District of Virginia, last month (http://tinyurl.com/mcl5qxp). Issues considered in the case were whether the attorney-client and work product privilege were waived when defense counsel accessed data (via a link found in discovery documents) stored by the plaintiffs online in an unprotected Box.net account.

At the outset, the court acknowledged the ever-changing state of technology in the 21st century and the necessary obligations of those who choose to take advantage of it. Interestingly, the language used by the court echoed the language typically used by ethics committees who have opined in recent years on the obligations of lawyers to stay abreast of changes in technology.

“The technology involved in information sharing is rapidly evolving. Whether a company chooses to use a new technology is a decision within that company’s control,” the court said. “If it chooses to use a new technology, however, it should be responsible for ensuring that its employees and agents understand how the technology works, and, more importantly, whether the technology allows unwanted access by others to its confidential information.”

In reaching its decision, the court noted that the fact that the data stored online in this case was not protected by a password was pivotal.

“(T)he information uploaded to this site was available for viewing by anyone, anywhere who was connected to the internet and happened upon the site by use of the hyperlink or otherwise,” the court said. “In essence, Harleysville has conceded that its actions were the cyber world equivalent of leaving its claims file on a bench in the public square and telling its counsel where they could find it. It is hard to image (sic) an act that would be more contrary to protecting the confidentiality of information than to post that information to the world wide web.”

Next, the court concluded that because the data was not stored in a password-protected account, the attorney work product privilege likewise did not apply: “Harleysville’s disclosure should not be considered ‘inadvertent’ under federal law. Harleysville has not claimed that its agent’s posting of its Claims File to the Box Site was not an intentional act. Also, based on my reasoning above, I cannot find that Harleysville, or its counsel, took reasonable steps to prevent its disclosure or to rectify the situation. Therefore, I find that Rule 502 does not apply in this situation to prevent a waiver of the work-product doctrine.”

Finally, the court considered whether defense counsel’s conduct in viewing the unprotected Box file was unethical. The court concluded that the defense counsel’s actions warranted sanctions because “defense counsel should have realized that the Box Site might contain privileged or protected information … and should have contacted Harleysville’s counsel and revealed that it had access to this information.”

So the lesson to be learned from this case is that it is critical to ensure that any information you store online is adequately protected. By using platforms designed for lawyers that are encrypted and password protected, you’re able to meet your ethical obligations and avoid waiving any privileges related to that data. The key is to ensure that you understand the technology that you’re using and that you take sufficient steps to vet any third-party providers who will be housing your client’s information.

—————

Nicole Black is a director at MyCase.com, a cloud-based law practice management platform. She is also of counsel to Fiandach & Fiandach in Rochester and is a GigaOM Pro analyst. She is the author of the ABA book “Cloud Computing for Lawyers,” coauthors the ABA book “Social Media for Lawyers: the Next Frontier,” and co-authors “Criminal Law in New York,” a West-Thomson treatise. She speaks regularly at conferences regarding the intersection of law and technology. She publishes three legal blogs and can be reached at niki@ mycase.com.