Ethics & Risk Management in the Digital Age for Lawyers and Law Firms

March 8, 2017

By: Cecil E. Morris, Jr. and John M. Tanner

 

Ethics and risk management in the digital age have been topics of discussion in our last two annual seminars on Developments in Ethics for In-House Counsel.  See Colo. RPC 1.1, cmt. [8] (expands the duty of competence to include a duty to stay abreast of changes in law and practice and changes communications and other relevant technologies); 1.6(c) & cmts. [18] & [19] (expands the lawyer’s duty of confidentiality to include a duty to avoid inadvertent disclosure); and 4.4(b) & cmt. [2] (extends the definition of “document” for purposes of inadvertent disclosure to include electronically stored information).  See also Calif. State Bar Comm’n on Professional Responsibility and Conduct, Formal Op. 2015-093 (ethics and digital discovery).

A recent decision from the United States District Court for the Western District of Virginia illustrates some of the dangers.  Harleysville Ins. Co. v. Holding Funeral Home, Inc., 2017 U.S. Dist.  LEXIS 18714 (W.D. Va.  Feb. 9, 2017).  Harleysville underscores two important points:  the handling of digital information without sufficient care can result in the waiver of attorney-client privilege and work product protection, and the lawyer who gains access to such information without authorization has ethical duties after reviewing it.

Harleysville Insurance Co. filed an action for declaratory judgment that it was not obligated to pay for the fire losses to its insured Holding Funeral Home, because the fire was intentionally set.  Harleysville moved to disqualify defense counsel for its insured on the ground that defense counsel had improperly accessed Harleysville's entire claims file, including information that was privileged and/or protected work product, which was kept on a third party file-sharing website.  In the end, the motion to disqualify was denied, but both the lawyers for Harleysville and defense counsel lost.  On the one hand, the court held that Harleysville had waived the attorney-client privilege and the attorney work product protection by keeping the claims file on the file-sharing site without password protection.  On the other hand, the court concluded that defense counsel acted improperly by failing to notify Harleysville that they had seen the documents on the file-sharing site.

First is the issue of waiver.  After the fire, Harleysville's investigator uploaded surveillance videos and later the entire claims file to a third-party file-sharing site, Box, Inc.  Later, the investigator emailed a link to that site to an investigator with the Crime Bureau of Harleysville’s parent company, National Insurance (“NICB”).  Later, Harleysville’s investigator emailed the hyperlink to Harleysville's counsel, who accessed the site more than once without having to use a password.

During discovery, defense counsel issued a subpoena to NICB for its entire file relating to the fire.  In response, NICB produced all the documents it had obtained from Harleysville, including the email from the investigator to NICB with the link to the file-sharing site.  Soon after receiving the documents including that email, defense counsel accessed the file-sharing site.  Defense counsel downloaded the claims file and reviewed it, but did not notify Harleysville's counsel that they had done so or that they had reviewed potentially privileged and protected information.

Later, in response to a discovery request from Harleysville, defense counsel produced a thumb drive containing a host of documents, including the claims file.  When Harleysville's counsel reviewed the documents on the thumb drive and discovered this, they contacted defense counsel and requested that defense counsel destroy all copies of the claims file.  By that point, however, all of defense counsel had reviewed the claims file, and they had shared it with defendant.  Subsequently, Nationwide disabled the file-sharing site, so that it was no longer accessible to anyone, and then Harleysville moved to disqualify defense counsel.

In ruling on the motion, the magistrate judge concluded that Harleysville had waived the attorney-client privilege and work product protection by uploading the claims file to the file-sharing site without establishing password protection or other security measures.  Applying the multi-factor test for waiver by inadvertent disclosure, the court concluded that Harleysville had failed to take reasonable measures to protect the information.  Indeed, the court concluded that no precautions were taken.  In this regard, the court reasoned that Harleysville's actions were in essence "the cyber world equivalent of leaving its claims file on a bench in the public square and telling its counsel where they could find it."  2017 U.S. Dist. Lexis 18714,*13.  Further, the court concluded that Harleysville failed to take prompt remedial action to correct the disclosure, because even Harleysville's counsel knew for months that the site was accessible to anyone, without the need for a password, but did not act.

The second issue in Harleysville involves the ethical duties of defense counsel when they accessed the file-sharing site and reviewed the documents in the claims file without authorization.  Although the court denied Harleysville's motion to disqualify, it concluded that defense counsel acted improperly and, as a sanction, ordered them to pay Harleysville’s fees and costs in bringing the motion.  More specifically, the court concluded that defense counsel should have notified Harleysville's counsel when they accessed and reviewed documents of Harleysville that appeared to be privileged or protected.  Additionally, the court concluded that defense counsel violated Rule of Professional Conduct 3.4, which prohibits a lawyer from knowingly disobeying a rule of a tribunal, namely, Federal Rule of Civil Procedure 26 (b)(5)(B).  This Rule allows a party who has inadvertently produced privileged or protected documents to notify the receiving party, and it requires the receiving party, after being so notified, to promptly return, sequester, or destroy the specified information and any copies it has; it prohibits the receiving party from using or disclosing the information until the claim is resolved; and it requires the receiving party to take reasonable steps to retrieve information if the party disclosed the information  before being notified.  The disclosing party can then present the information to the court under seal for a determination of the claim.

For more information, contact Cecil Morris at (303) 894-4424 or cmorris@fwlaw.com, or Jack Tanner at (303) 894-4495 or jtanner@fwlaw.com.