It seems innocent enough. Your attorney shares a few files by sending a link from their unprotected cloud storage account. They expect that you’ll only see the files that they intended to send. But there are huge risks to this approach. This behavior can result in the waiver of attorney client privilege.
In a recent case in Virginia, a judge ruled that Harleysville Insurance Company had waived its right to attorney client privilege when it made the mistake of storing privileged investigation files about a case on an unsecured file sharing service.
Harleysville and its attorneys stored their investigation files on an unprotected cloud drive for over 6 months. During the discovery process, defense counsel received a link to this cloud drive, in order to access a limited number of files. They downloaded and reviewed the entire file. Later, defense counsel discovered that the insurance company’s entire investigation file was accessible from the cloud drive.
This is a real problem with cloud storage platforms – when senders send a file-link to a recipient, giving them access to retrieve the file from one of their cloud storage folders. What will the recipient see? Will the recipient see all the names of people who have access? Will they see folder names in the folder structure? Might they have access to other folders? When will their access be terminated? What if other documents are added to the folder in the future, and no one is monitoring who had access in the past? If you are not thinking about these issues and are sharing files from your main cloud storage platform, you might start to worry – and look to separate one-time file delivery from long-term file storage.
In this case, when it came to light that Harleyville had effectively invited (via the openly accessible shared link) the defendant into its office records, Harleysville was on the defense. They argued that defense counsel should not be able to use these files, because they were protected by attorney client privilege. The judge ruled that Harleysville had waived its right to attorney client privilege by leaving the data unprotected – effectively making it publicly accessible.
The court wrote, “In essence, Harleysville has conceded that its actions were the cyber world equivalent of leaving its claims file on a bench in the public square and telling its counsel where they could find it. It is hard to image an act that would be more contrary to protecting the confidentiality of information than to post that information to the world wide web.”
We anticipate that there will be a future case where a party will claim correspondence or documents are attorney-client privileged, but since they were not transmitted encrypted, this is like sending postcards by mail.
Further, leaving confidential files unprotected in the cloud can also create a temptation for hackers who can easily leverage personal data to commit identity theft, gain access to a corporate server or threaten to publish private data widely unless they are paid a ransom.
Attorneys, insurance companies and clients should be encrypting communications when discussing sensitive information by email or sharing confidential files. When you send a large file that must be stored in the cloud, ensure that the file is not stored indefinitely. There should be an auto-purge feature that ensures the file is deleted after 30 or 60 days, and there should be a one-time-send file sharing system so that the recipient does not have even the slightest potential to be let into the senders’ cloud storage file structure.
RMail’s LargeMail™ sending option lets you send large files (up to 10 GB) with auto-purge and one-time file delivery, as easily as you send any file attachment, providing your recipient with a direct download link via email. LargeMail can be used with RMail’s encryption feature for privacy. All RMail® Registered EMail™ services prove successful delivery, time of delivery, and exact message and file content.