Ignorance of the Technology is No Excuse; Businesses Have a Duty to Ensure Confidential Information Cannot be Accessed
Harleysville Ins. Co. v. Holding Funeral Home, Inc., 2017 U.S. Dist. LEXIS 18714 (W.D. Va. Feb. 9, 2017) In this arson insurance fraud claim, the plaintiff moved the court to disqualify the defendant’s counsel for violating the attorney-client privilege and work-product doctrine. For the purpose of sharing information electronically, a senior investigator for the plaintiff’s parent company uploaded surveillance video footage to a shared file site, and sent an email to the National Insurance Crime Bureau (“NICB”). The email contained a URL link to the video, along with a standard confidentiality disclosure. Several months later, the plaintiff uploaded all claim and investigation files to the same site, and sent the same URL link to plaintiff’s counsel. The uploaded files were not password protected, and the plaintiff later conceded that “any person who had access to the internet could have accessed the [site] simply by typing in the URL address in a web browser.” In response to a subpoena, the NICB sent the defendant a copy of the email containing the link, which defense counsel accessed and downloaded. The defendant argued that the plaintiff waived its privilege by placing the information on a site with open access. Applying state law to the privilege doctrine, the court considered the “reasonableness of the precautions to prevent inadvertent disclosures,” the “time taken to rectify the error” and the “extent of the disclosure,” and found that the attorney-client privilege was waived. The court called the plaintiff’s disclosure “vast”, likening it to “the cyber world equivalent of leaving its claims file on a bench in the public square and telling its counsel where they could find it.” Likewise, the court held that the plaintiff also waived work-product doctrine protection under Federal Rule of Evidence 502. The court reasoned that the plaintiff’s disclosures were not inadvertent, as the action of posting the information online was not unintentional. Additionally, the plaintiff knew the information was not protected, and “did not take reasonable steps to prevent its disclosure or to rectify the situation.” The court also advised that under public policy, it is the responsibility of businesses who choose to use evolving technology to know how to use it and to ensure confidential information cannot be accessed by anyone not entitled to view it.