Make Sure Attorneys Protect Your Company's DataPosted 2017-05-03 Email Print
Modernizing Authentication — What It Takes to Transform Secure Access
Companies need to pay attention to the technology their attorneys use to house their confidential information and make sure they use that tech in the right way.
In a recent lawsuit, Harleysville Insurance Company v. Holding Funeral Home, the insurance company's investigators wanted to share information electronically and posted the case file in a publicly accessible account on Box.com. That did not sit well with the court.
This case has repercussions that may affect many companies, as Michael Simon, the principal of Seventh Samurai, a legal technology consulting firm, explained to Baseline. A former trial attorney, and an adjunct professor at Michigan State University College of Law, Simon has written dozens of articles on e-discovery and legal technology topics.
Baseline: Why should companies care about the Harleysville Insurance Company v. Holding Funeral Home lawsuit?
Michael Simon: Because it shows how their attorneys can make serious mistakes using simple, cheap and easy-to-use technology in what should be routine ways. Attorneys for one of the parties in the case, an insurance company disputing whether it had to pay a claim for the destruction of the insured business (there were allegations of arson), posted critical confidential information to a cloud file-sharing service without properly protecting that information. As a result of this mistake, the other side in the litigation obtained that confidential info and was able to read it—and presumably use it against the insurer in the case.
When the attorneys for the insurer requested that the court force the other side to give that information back, the judge denied the request with the following scathing quote: “In essence, Harleysville has conceded that its actions were the cyber world equivalent of leaving its claims file on a bench in the public square and telling its counsel where they could find it. It is hard to imagine an act that would be more contrary to protecting the confidentiality of information than to post that information to the world wide web.”
Baseline: Do you expect other companies to be held liable for confidential information they store in the cloud?
Simon: I hate to be the stereotypical attorney, but we need to be very clear about that term “liable” here: There is nothing in this ruling holding anyone liable for anything as we use that term in the law (meaning that someone has been judged guilty of some wrongful act that requires them to provide compensation to the wronged party). In this case, the issue was whether the insurer could get the confidential information back from the other side after accidentally allowing them to get a copy of it. The judge denied the insurer’s request to get the report back, which means that the other side would get to use it against them.
While that may not sound as dramatic as someone being held liable for something and having to turn over money to the other side, in the legal world, this is considered a disaster for the attorneys involved. Attorneys have a duty to maintain client confidentiality, and inadvertently turning over to the other side something that is, in legal lingo, considered “privileged” is a huge error. It’s a way to lose clients, and there are plenty of instances where clients have indeed fired their attorneys over such a mistake.
Baseline: Why isn’t the cloud provider responsible?
Simon: Simple, because the cloud provider did nothing wrong. The attorneys misused the cloud provider’s technology. The attorneys should have encrypted the confidential files, but failed to do so. The attorneys should have prevented anyone other than those involved in the litigation on their own side from seeing the information, by using a secured form of communication. Instead, they sent an ordinary email and then turned over that email to the other side during discovery. These mistakes by the attorneys allowed the other side to obtain the confidential information. The cloud provider did nothing wrong.
Attorneys have an ethical duty to understand the technology they are using, and to use it correctly. If the attorneys in this case were not prepared to take the proper steps to use this simple file-sharing site in the right way, then they should have used better technology that would have protected their confidential information for them.