Confusion over internet basics leads to ruling all attorneys dread

And a dressing down from a judge who reasons that not even a clawback order can protect you from incompetence

Editor’s note: This post was authored by Logikcull’s Alex Su, a former attorney. He can be reached at alexander.su@logikcull.com.

Privilege waivers usually involve voluminous discovery, where a needle in a haystack is accidentally shared with a party who should not have access to it. The classic example — if such an unmitigated disaster can be called “classic” — is the J-M Manufacturing case, where that company’s well-known law firm repeatedly and seemingly haplessly produced several thousand of the same smoking gun documents through a series of vendor-related errors and breakdowns.  

A recent decision in the case Harleysville Insurance Company v. Holding Funeral Home is far more worrisome — because it deals with a fundamental misunderstanding of how a widely-used technology works, and once again, fairly or unfairly, casts the legal profession as the Johnny-come-lately to the modern world of… the internet.

Harleysville began like any other insurance dispute – with the defendant burning down its mortuary for the money. But a surefire win for the plaintiff insurance company took a turn for the worse when its investigators posted the entire case file to a publicly accessible account on Box.com — making the link to all the case’s materials in theory available to some 3.2 billion connected to the web.

The file, plaintiff’s counsel would later admit, was not password protected, such that “any person who had access to the internet could have accessed the Box Site by simply typing in the url address in a web browser.”

Defense counsel came into possession of an email containing the Box.com link when it was inadvertently produced by a third-party, the National Insurance Crime Bureau, whom the defense subpoenaed. It was then that they discovered that, indeed, they and many others had access to the entire case file.

In yet another twist, defense counsel accidentally produced key elements of the case file they received through the subpoena back to the plaintiffs in a subsequent discovery production. (Repeat: defense counsel, having just secretly discovered an email accidentally produced to them by the other side, proceeded to accidentally produce that very same material back to the plaintiffs — tipping them off to their mistake.)  

It was then that the plaintiffs learned of their error and — in a bold move — asked the court to disqualify opposing counsel to save their asses.

Fat chance.

Instead, the Virginia federal court ruled that, by making the case file publicly accessible through Box.com, the plaintiff had waived privilege to any documents in the file that would have otherwise been protected.

In so ruling, the court opined:

[The] decision on this issue fosters the better public policy. The technology involved in information sharing is rapidly evolving. Whether a company chooses to use a new technology is a decision within that company’s control. If it chooses to use a new technology, however, it should be responsible for ensuring that its employees and agents understand how the technology works, and, more importantly, whether the technology allows unwanted access by others to its confidential information.


Cloud-based file-sharing tools can be a double-edged sword for litigators. On the one hand, their speed, convenience and accessibility are hallmarks of cloud. On the other, their ease of use can lead to careless mistakes — such as selecting the wrong permissions — that can be the difference between sharing documents privately, and making them readable to all.

The Harleysville case drives home two important points:

1) It is incumbent upon attorneys, regardless of the tools they choose to use, to protect client confidences. As the ABA Model Rules now state, “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology…”

2) Attorneys are also responsible for, and bound by, the technology choices that their clients make. In this instance, counsel for Harleysville paid a big price for allowing investigators for their client to share evidence through an insecure Box.com link. The court stated, in pertinent part, that, “If [the client] chooses to use a new technology,… it should be responsible for ensuring that its employees and agents understand how the technology works, and, more importantly, whether the technology allows unwanted access by others to its confidential information.”

As the internet has increasingly become central to evidence sharing, communication, and business in general, some law firms and practitioners have struggled to ensure that confidential information remain completely separate from the public-facing elements of their practice (such as marketing websites and client portals), and, more generally, from parties who should not have access to it. Some of this confusion arises from a fundamental misunderstanding of how internet-based systems work and may be connected to each other.

This case is a good example, but there are many others. Recently, hacks on WordPress exposed the internal IT systems of several law firms who were self-hosting the popular CMS. In Chicago, several larger law firms have been sued for failing to update IT systems that, due to their configuration, can be accessed by anyone through the internet. Those cases represent the first known examples of legal malpractice allegations arising from firms’ lax data security practices.

In Harleysville, the court pulled no punches in highlighting the plaintiff’s failure to grasp modern technology, calling its mistake “the cyber world equivalent of leaving its claims file on a bench in the public square and telling its counsel where they could find it.”

“It is hard to imagine an act that would be more contrary to protecting the confidentiality of information than to post that information to the world wide web,” the court said.

Key takeaways

Here are some practical conclusions attorneys and other legal personnel should draw from the Harleysville case.

1. File-sharing tools that give the option to make document publicly accessible should, by and large, not be used for litigation or investigations, especially if the people using them are unfamiliar with how they work. Consider using a litigation tool like ShareSafe.

2. Make sure you understand the nature of how internet tools work and how and to whom they make information available before you use them. Read the terms of service, which can include caveats about whether the cloud-based company can be compelled to produce data in response to subpoena, and become familiar with how access controls and settings work. It’s also incumbent on the producing party to make sure the recipients of documents understand how the file-sharing software works.

3. Boilerplate confidentiality notices, such as those often found in email footers, are completely worthless. In Harleysville, the email containing the link to the Box.com folder included such language, and the court summarily discarded it, reasoning only that defense counsel should have been alerted to the sensitive nature of the material the email included. But it had no impact on the court’s waiver decision.

4. In some courtrooms, a FRE 502(d) order may not be the bulletproof safety net many have said it is. FRE 502 applies to “inadvertent” disclosures — a phenomenon this court suggested may not describe this error. Actions by Harleysville instead, the court reasoned, were intentional — careless and mistaken, yes, but intentional — and are thus potentially not viewed under the lense of FRE 502 and its factors for determining waiver. The court, citing McCafferty’s Inc. v. Bank of Glen Burnie, said: “when a client makes a decision—albeit an unwise or even mistaken, decision—not to maintain confidentiality in a document, the privilege is lost due to an overall failure to maintain a confidence.” In other words, bad decisions don’t equal inadvertence. They are instead intentional misguided acts for which courts have no tolerance.

Nevertheless, it is always in a party’s best interest to ask the court to enter an FRE 502(d) order, stating that disclosure of privileged documents “will not constitute a waiver irrespective of the precautions that were taken to prevent their disclosure.”

5. And finally, courts are no longer willing to cut attorneys and their technologically challenged clients slack for their inabilities to grasp this brave “new” world of digital evidence. Attorneys are under an obligation to protect client confidences, and that duty is directly tied to the ability to understand the mechanics of the internet and electronic communication platforms. Ignorance is not an excuse, as this court and others have said.

To learn more about steps you can take to protect client data, check out our whitepaper below.
New Call-to-action