Monday, February 27, 2017

Judge finds party waived privilege by placing information on unprotected file sharing website

Earlier this month a federal magistrate judge in Virginia held that placing privileged materials on an unprotected file-sharing site waived a plaintiff's attorney-client privilege and work product protection for those materials.  The case is called Harleysville Ins. Co. v. Holding Funeral Home, Inc.  (also here).  For more details, go to 33 Law. Man. Prof. Conduct 76.  The ABA Journal has more information here.

Although some jurisdictions are divided on the issue of whether accidental disclosure automatically waives the privilege, in this case the judge held that the party's actions "were the cyber world equivalent of leaving its claims file on a bench in the public square and telling its counsel where they could find it. It is hard to imagine an act that would be more contrary to protecting the confidentiality of information than to post that information to the world wide web."

1 comment:

  1. The judge's analysis contains a significant, basic flaw although I believe he reached a sound decision. That flaw gives the inaccurate impression that "anyone with access to the internet" can download files shared from services like Box.com, Dropbox and Google Drive even without having the actual links.

    The opinion stated: "[T]he information uploaded to this site was available for viewing by anyone, anywhere who was connected to the internet and happened upon the site by use of the hyperlink or otherwise."

    Not true. There is no "otherwise." Only someone with the link could access the files. It was not, as the judge stated, like "leaving its claims file on a bench in the public square."

    Anyone who did not have the link would have to correctly guess the 32-character share link name consisting of letters and numbers. According to grc.com/haystack.htm, it would take an average of 10 trillion trillion trillion centuries to find the link at one thousand guesses per second (higher speeds aren't practical for an online brute force attack).

    So a better analogy might be leaving on a public bench an indestructible briefcase with a combination lock consisting of 32 wheels with 36 numbers/letters on each wheel.

    It does not appear that the judge or attorneys understood how impossible it would be for "anyone with access to the internet" to access the files. Search engines cannot find files that do not have published hyperlinks. Crawlers, even ones with brute-force capabilities, couldn't find randomly-named links 32 characters long.

    I believe the judge correctly decided the case, citing this opinion: "The court in Walton plainly stated, 'waiver may occur if the disclosing party failed to take reasonable measures to ensure and maintain the document's confidentiality, or to take prompt and reasonable steps to rectify the error.' 694 S.E.2d at 552."

    The investigator's error was not the use of a service offering sharing links or even failing the require a password to use the link. The real error was failing to protect the Box.com link and related files after emailing the link. It is a simple step to set an expiration date, revoke a link, or delete the files from the site.

    The link is like an ultra-strong combination to a locked briefcase. Leave that lying around in someone else's inbox and you have a potential problem. That is what happened here. The recipient of the email containing the link turned it over to the opposing party in response to a document request.

    If the investigator had password-protected the link and sent the link together with the password via email, the events would have unfolded exactly the way they actually did with the "public" link. No one without the email could have accessed the files in either scenario.

    Not raised in the opinion was the issue of using email to send confidential information or links. It is 2017 and high time that attorneys and others use secure email or other secure services for confidential communications and file transfers.

    ReplyDelete