Suppose Lawyer A is in litigation and, in response to a request for documents, opposing counsel (Lawyer B) sends a link to a file stored in a service like Dropbox.* When Lawyer A opens the file using the link, he or she discovers the link provides access to B's client's documents which were not expected to be disclosed and are likely to be considered confidential.
This is what happened in a recent case in New York called Pursuit Credit Special Opportunity Fund, L.P. v. Krunchcash, LLC (May 30, 2024), in which the lower court determined that Lawyer A was required to notify Lawyer B that the link contained folders that "counsel knew or should have known were confidential or privileged." The court imposed a sanction on defendants and their counsel for accessing and downloading the folders from Dropbox.
The order was affirmed in an opinion (available here) that is about seven sentences long. It cites, among other things, NY's rule 4.4(b) which is based on the equivalent Model Rule which states that "[a] lawyer who receives a document or electronically stored information relating to the representation of the lawyer's client and knows or reasonably should know that the document or electronically stored information was inadvertently sent shall promptly notify the sender."
So, going back to our initial question: in those circumstances, Lawyer A had a duty to inform Lawyer B that Lawyer B had inadvertently disclosed documents. That much is clear. But nothing else is, and the incident raises a number of interesting question not addressed by the court.
First of all, why does the court refer to the documents as privileged? The court refers to the documents in question as "corporate files." What were these documents? If they were corporate records that the client gave the lawyer to store, there is no reason to believe that they are protected by the attorney-client privilege, so calling them so would be a mistake. But I am willing to proceed on the assumption that even if not privileged, they could be considered confidential.
Next, in addition to the duty to inform the other side of their mistake, did Lawyer A have a duty to delete the link immediately or could Lawyer A have looked at the documents to confirm they were privileged before doing anything else? The rule does not address that, and the comment to the Model Rule explicitly states that the rule does attempt to decide whether the lawyer who receives the information has a duty to return (or in this case delete) the document (or link to it).
The court's opinion suggests that the lawyer had a duty "to sequester the inadvertently disclosed files" (which I guess means the lawyer could keep them but not look at them) but the court does not cite anything in support of this suggestion.
And then there are the questions related to the conduct of the lawyer who sent the link to begin with, which the court does not discuss. It can be argued that this lawyer violated their duty of confidentiality and their duty of competence by disclosing protected information by mistake. Could the lawyer be subject to discipline for this? In theory, Yes; absolutely. But. as you know, the reality is that an isolated act of negligence will not likely lead to discipline.
Could the lawyer be liable in tort for negligence? Again, in theory yes since the conduct is clearly a breach of duty, but whether there is an actionable cause of action depends on whether the conduct caused an injury and it does not sound that that was the case in this instance. Lucky for the lawyer!
I am willing to bet that the ABA has issued an ethics opinion exploring some of the issues that arise out of a situation like this and the application of a rule like Model Rule 4.4(b) but I have not searched for it.
________________
* If you don't know what Dropbox is, this post is for you because you may be in violation of the rule regarding competence since competence requires you to at least "keep abreast of . . . the benefits and risks associated with relevant technology" and Dropbox is pretty old technology.