Sunday, March 5, 2017

Password protect your production, please!


Document production has always been an arduous task for lawyers. Collection and review for privileged information, followed by redaction and creation of privilege logs accounts for large chunks of time, and commensurate expense, in civil litigation. We are careful because it is important to protect our client's privileged communications and our own work-product. It would never occur to any civil litigation lawyer to simply invite access to a client's files without some prior review.

But mistakes happen. Years ago, when faxed transmissions were the latest in technology, a court was asked to determine if privilege had been waived when one law firm inadvertently faxed information to all opposing law firms. Care in use of the new technology was widely counseled as a result of the case.
And here we are, again.
It is increasingly common in our practice to share voluminous document productions via cloud based applications, such as Box and Dropbox. The risk of not implementing the most basic password protection, let alone proper vetting before an upload, is fully on display in the February 9, 2017 decision Harleysville Ins. Co. V. Holding Funeral Home, a federal district court case out of Virginia.
In connection with pretrial discovery the insurance company plaintiff uploaded privileged video files to Box.com for sharing among its own employees and a related entity. The link was not password protected and was later shared with the insurance company's lawyers who included the unprotected file in a larger production made to a lawyer for the other side, who further shared the link with other defense lawyers. The privileged nature of the cloud based files was recognized by the defense lawyers, who elected to review the files without making any disclosure to the producing party. The sharing and subsequent disclosure was inadvertent- the downloading, reading and further sharing by the opposing defense lawyers was not.
The insurance company's lawyers discovered the inadvertent disclosure when the protected folder was produced in a reciprocal production by the defense. A back-and-forth ensued among counsel involving demands for return and destruction of the electronic files. The dispute triggered the insurance company's motion to disqualify the defense lawyers.
A federal judge ruled that the lawyers did not have to be disqualified as their replacements would continue to have access to the inadvertently obtained files. But the court went a step further to sanction the defense lawyers for having downloaded, read and shared the clearly privileged items. Citing well known ethical obligations the court chided counsel for not having notified the insurance company's lawyers of the inadvertent disclosures. Ethically speaking, the matter should have stopped there- the material should have then been removed from circulation. But for the failure to act ethically, the court ordered payment of the insurance company's legal fees associated with the motion.
Of course, the further distribution of the inadvertently produced files would have been prevented by application of password protection to the particular folder.
Accidents happen, and careful lawyers make inadvertent disclosures. But even the most contentious cases are guided by ethical constraints on the unfair use of mistakenly disclosed information covered by privilege. In our own practice we recently received a large electronic production via Box.com. Notice was given by one of the other lawyers that the upload inadvertently contained privileged information. This was followed by a quick acknowledgement among all other lawyers in the case that no access would be made until the production was properly adjusted--no harm, no foul.
After thirty years of practice I take comfort in the high ethical standards of my peers, even where we disagree on the facts, law and likely outcome of a case. But there is no need to unnecessarily test the boundaries of your opponent's ethics, so set a password, please!