The increased ease and availability of systems for online storage and file transfer has made it much simpler for lawyers to exchange documents with their customers quickly. A consumer can simply upload documents to Dropbox, Google Drive, or any number of file sharing sites that can be accessed quickly and easily, instead of sending a banker’s box of documents. But, as two recent court rulings demonstrate, sharing of online files often poses threats that the right of the attorney-client may be unintentionally waived. When protected information is shared through online services, it is important for corporate counsel to be aware of these risks and take measures to protect the attorney-client privilege.
With a few exceptions, as long as the communications are confidential and made for the purpose of receiving legal advice, the attorney-client privilege covers communications between a lawyer and her client. Because the protection only applies when communications are confidential, if the information is revealed to a third party, one way that the privilege may be waived is. Even an inadvertent disclosure will waive the right in some circumstances. One of the key considerations considered by courts to decide if an inadvertent disclosure waives the right of attorney-client is whether appropriate measures have been taken to secure confidential communications.
A federal court in Virginia addressed the issue of whether a corporation took appropriate measures to secure privileged communications sent through an online file-sharing site in a pair of recent decisions. “The employee of the plaintiff used an online file sharing service named “Box” in Harleysville Insurance Co. v. Holding Funeral Home, to send a video of a fire scene to a third party. Several months later, the employee submitted the entire investigative file of the complainant to his outside attorney using the same connection he used to send the video to the trade group, including memoranda representing the investigation of his lawyers and legal review of the allegations at issue. The opposing party received an email showing the connection sent to the trade association in the process of investigation and discovered that the investigative file was available for download. When the complainant found that the defendant had accessed a copy of the investigation file, the attorney-client privilege was asserted and the defendant was ordered to delete the file. The defendant claimed that the right was waived because the records were available for download on the website for file sharing and there were no passwords or other access restrictions.
A magistrate judge agreed with the defendant and found that, in view of the records in the investigation file, the complainant had waived his attorney-client privilege. The court emphasized that on a website that was not password protected and could be accessed by anyone who found the connection or actually stumbled across the website, the privileged materials of the plaintiff were available for months. “The court compared the actions of the complainant to “leaving its arguments on a public square bench.
The decision was appealed to a district judge, who overturned the judgment of the magistrate and ruled that the plaintiff did not waive the privilege. The district judge found that even though those precautions were not ultimately successful, the employee took appropriate precautions to avoid disclosure of the investigative file. In particular, the judge found that the employee of the link plaintiff sent to download the file was equivalent to a password because it included 32 characters randomly picked, making it almost impossible for someone to come across the download page. He also noted that the employee (erroneously) assumed that he was introducing other security features to restrict who could access the files being submitted and that within five to ten days the file would be automatically deleted.
The research used in these rulings by the court highlights the types of protections that should be used when submitting files electronically to defend against the waiver of attorney-client privilege. When sending privileged materials, general counsel and other company staff should take as many of these precautions as possible.
To make sure, use following tips:
– Using reputable websites for exchanging documents only.
– Every time documents are submitted, use a unique web connection.
– To protect against someone guessing the link, use randomly-generated web links. The better the longer!
– Set a timer that, after a few days, would automatically delete files.
– To access the web address or to encrypt and password-protect the files themselves before they are posted to the website, you always need a password.