The discovery process is particularly susceptible to data breaches, as we’ve written once or twice or three times before. Discovery, after all, involves collecting, reviewing, and exchanging extremely high-value information, often in a fast-paced, chaotic environment. Should that information get into the wrong hands, the results could be disastrous. The more archaic the methods, the greater the risk. A party who sends a production out via CD or DVD, for example, runs the risk that their information could simply be lost in transit. A party who fails to keep their discovery documents encrypted while in motion and at rest risks having them pilfered by hackers.
But sometimes, you don’t need a hacker or an unreliable courier for your most valuable information to end up where it doesn’t belong. Simple human error is more than enough.
Wells Fargo Robs Itself
The inadvertent production of sensitive client information by Wells Fargo offers the perfect illustration of this. The bank, the New York Times reported on Friday, accidentally released private information on thousands of its clients and representatives as part of a lawsuit brought by the brother of an advisor. As the Times explains:
When a lawyer for Gary Sinderbrand, a former Wells Fargo employee, subpoenaed the bank as part of a defamation lawsuit against a bank employee, he and Mr. Sinderbrand expected to receive a selection of emails and documents related to the case.
But what landed in Mr. Sinderbrand’s hands on July 8 went far beyond what his lawyer had asked for: Wells Fargo had turned over — by accident, according to the bank’s lawyer — a vast trove of confidential information about tens of thousands of the bank’s wealthiest clients.
All in all, the bank sent over 1.4 gigabytes of files, including “copious spreadsheets with customers’ names and Social Security numbers, paired with financial details like the size of their investment portfolios and the fees the bank charged them.”
Those affected were largely customers of “Wells Fargo Advisors,” the Times reports, making them some of the bank’s highest net-worth investors. Sinderbrand estimates that those customers have tens of billions of dollars invested through the bank, “all laid out in vivid detail for him as part of the discovery process in his lawsuit.”
That information included a look at client assets, mortgage information, the performance of their portfolios, and more. One file viewed by the Times showed “details on the holdings of a well-known hedge fund billionaire” who had at least $23 million invested through the bank. The files also included information on the bank’s own financial advisors, including details of the advisors’ clients, their compensation, and their performance. Sinderbrand had not requested such information.
Who Needs Bank Robbers When You Have Lawyers Like These?
There was no need for a modern-day Bonnie and Clyde to separate Wells Fargo from some of its most valuable information. The bank simply handed it over on its own.
The documents were presented without any protective orders or confidentiality agreements in place. “While the documents were not filed in court, it would be perfectly legal for Mr. Sinderbrand and his lawyer to release most of the material or include it in their legal filings,” the Times writes.
When informed of the disclosure, Wells Fargo’s attorney, Angela A. Turiano, of Bressler, Amery & Ross, said that the disclosure was inadvertent. “Obviously this was done in error and we would request that you return the CD asap so that it can be properly redacted,” she wrote to Sinderbrand’s lawyer.
Yes, that’s CD as in “compact disc,” meaning that this sensitive information was either sent via mail or private courier, in a format that could be easily lost, intercepted, or copied. And though the disc made it to its destination fine, it doesn’t look like the new owner is ready to send it back. “We are continuing to evaluate [Sinderbrand’s] legal rights and responsibilities,” his lawyer told the Times. “Wells Fargo has not identified what specific documents it asserts were inadvertently exposed.”
“We went through a long process of a very large email review with an outside vendor with instructions on exclusion which was spot checked,” Turiano explained. “Clearly there was some type of vendor error—which I am confirming now.”
In addition to the embarrassment of accidentally revealing your richest clients’ confidential information, the Times notes that the discovery SNAFU could trigger state and federal data privacy laws as well as possible international laws and regulations. The bank is currently asking a New York state judge to prevent further dissemination of the information, while facing increased scrutiny from FINRA and other agencies as a result of the breach.
How to Prevent Discovery Catastrophe
Of course, such discovery disasters can be avoided, or at least mitigated. A protective order can ensure that information produced isn’t shared more widely. When sensitive information is exchanged, parties can object to the production of documents if the other party does not follow sufficient data security protocols to ensure that the information remains protected once it’s in their hands. Offering a pre-approved list of vendors or technologies can often make such demands more acceptable to the other side.
Or skip the vendor altogether. After all, the more data changes hands, the greater the potential for a breach. Modern discovery technologies can make reviewing and redacting information quick and simple, automatically identifying potentially privileged and confidential information. Powerful search technology can help ensure that you don’t accidentally hand over unresponsive-but-unbelievably-valuable client information.
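A pre-production gate of the kind described above, as an added example (not Logikcull's code and not part of the original post): it scans every file in a production set, rather than a spot-checked sample, for SSN-shaped values and blocks release if any are found. It assumes documents have already been extracted to text or CSV; the function names, file names and sample values are hypothetical and constructed.

```python
import re
import tempfile
from pathlib import Path

# SSN-shaped tokens: 3-2-4 digits split by dashes or spaces, not part of a longer number.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})[- ](\d{2})[- ](\d{4})(?![\d-])")

def is_plausible_ssn(area, group, serial):
    """Drop values the SSA never issues (area 000, 666, 900-999; group 00; serial 0000)."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def scan_production(root):
    """Return {relative path: [line numbers]} for every file holding SSN-like values."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = [n for n, line in enumerate(text.splitlines(), 1)
                if any(is_plausible_ssn(*m.groups()) for m in SSN_RE.finditer(line))]
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings

def release_allowed(root):
    """Gate: the production may go out only when the full scan finds nothing."""
    return not scan_production(root)

def build_sample(root):
    """Constructed sample production set (every value here is made up)."""
    root = Path(root)
    (root / "emails").mkdir()
    (root / "emails" / "msg001.txt").write_text("Re: lunch\nCall me at 555-0100.\n")
    (root / "clients.csv").write_text(
        "name,ssn,portfolio\nJ. Doe,123-45-6789,2300000\nA. Roe,000-12-3456,10\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        root = build_sample(d)
        for name, lines in scan_production(root).items():
            print(f"BLOCKED {name}: SSN-like value on line(s) {lines}")
        print("release allowed:", release_allowed(root))
```

A pattern scan like this catches only formatted identifiers; it complements, and does not replace, responsiveness and privilege review.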
And when it comes to handing over the files, it’s time to ditch the CDs. Permission-based access, granted on the cloud, can make sure documents are retrievable instantly, avoiding needless reproductions while also ensuring easy access—but only to those who should have it. Logikcull’s ShareSafe feature, for example, allows productions to be made via a secured download link, where permissions-based access is granted temporarily before automatically expiring. If the wrong information is accidentally produced, the invitation can be canceled, revoking access.
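The access model described above (a temporary, revocable grant instead of a physical copy), as an added sketch that is not Logikcull's ShareSafe implementation and not from the original post. The class, method names, production ID and e-mail addresses are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

class ShareLinks:
    """Hypothetical server-side store of time-limited, revocable production grants."""

    def __init__(self, signing_key):
        self._key = signing_key
        self._grants = {}  # grant id -> (production id, recipient, expiry in epoch seconds)

    def _sign(self, grant_id):
        return hmac.new(self._key, grant_id.encode(), hashlib.sha256).hexdigest()

    def issue(self, production_id, recipient, ttl_seconds, now=None):
        """Create a grant and return the opaque token that goes in the download link."""
        now = time.time() if now is None else now
        grant_id = secrets.token_urlsafe(16)
        self._grants[grant_id] = (production_id, recipient, now + ttl_seconds)
        return f"{grant_id}.{self._sign(grant_id)}"

    def revoke(self, token):
        """Cancel the invitation: later requests fail even before the expiry time."""
        self._grants.pop(token.partition(".")[0], None)

    def authorize(self, token, recipient, now=None):
        """Return the production id only if the token is genuine, unexpired,
        unrevoked and presented by the intended recipient; otherwise None."""
        now = time.time() if now is None else now
        grant_id, _, sig = token.partition(".")
        # Constant-time comparison rejects forged or altered tokens.
        if not hmac.compare_digest(sig.encode(), self._sign(grant_id).encode()):
            return None
        grant = self._grants.get(grant_id)
        if grant is None or now >= grant[2] or grant[1] != recipient:
            return None
        return grant[0]

if __name__ == "__main__":
    links = ShareLinks(secrets.token_bytes(32))
    t = links.issue("PROD-001", "opposing.counsel@example.com", 3600, now=0)
    print(links.authorize(t, "opposing.counsel@example.com", now=10))  # granted
    links.revoke(t)
    print(links.authorize(t, "opposing.counsel@example.com", now=20))  # revoked
```

Revocation and expiry stop further downloads; they do not recall copies already retrieved, so logging each authorized download is what shows whether a mistaken production was opened before it was canceled.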
That certainly beats trying to claw back a CD-ROM full of highly valuable client information—or having your discovery mistakes featured in the New York Times.
This post was authored by Casey C. Sullivan, who leads education and awareness efforts at Logikcull. You can reach him at casey.sullivan@logikcull.com or on Twitter at @caseycsull.