The increased ease and availability of online storage and file transfer systems has made it much easier for lawyers to quickly share documents with their clients. Rather than shipping a bankers box of documents, a client can simply upload the documents to Dropbox, Google Drive, or any number of file sharing sites that can be quickly and easily accessed. But, as two recent court decisions show, online file sharing also creates risks that the attorney-client privilege could be inadvertently waived. It is important for corporate counsel to be aware of these risks and take steps to protect the attorney-client privilege whenever privileged information is shared via online services.
The Attorney-Client Privilege
With few exceptions, the attorney-client privilege protects communications between a lawyer and her client as long as the communications are confidential and made for the purpose of obtaining legal advice. Because the privilege only applies where the communications are confidential, one way that the privilege can be waived is if the information is disclosed to a third party. In some circumstances, even an inadvertent disclosure can waive the privilege. One of the key factors that courts look at to determine if an inadvertent disclosure waives the attorney-client privilege is whether adequate steps were taken to protect the privileged communications.
Waiver of the Attorney-Client Privilege Through Online File Sharing
In a pair of recent decisions, a federal court in Virginia grappled with the question of whether a company took adequate steps to protect privileged communications sent through an online file-sharing service. In Harleysville Insurance Co. v. Holding Funeral Home, the plaintiff’s employee used an online file sharing service called “Box” to send a video of a fire scene to a third party. Several months later, that employee sent plaintiff’s entire investigative file—including memoranda reflecting its attorneys’ investigation and legal analysis of the claims at issue—to its outside counsel using the same link he used to send the video to the trade organization. Through the course of discovery, the opposing party obtained an email showing the link sent to the trade organization and discovered that the investigative file was available to download. When plaintiff discovered that defendant had obtained a copy of the investigative file, it asserted the attorney-client privilege and demanded that the defendant destroy the file. The defendant argued that the privilege was waived because the documents were available for download on the file sharing website and no password or other limitations on access were present.
A magistrate judge agreed with the defendant and ruled that plaintiff had waived its attorney-client privilege with respect to the documents in the investigative file. The court stressed that plaintiff’s privileged materials were available for months on a website that was not password protected and could be accessed by anyone who discovered the link or simply stumbled across the website. The court compared plaintiff’s actions to “leaving its claims file on a bench in the public square.”
That decision was appealed to a district judge, who reversed the magistrate’s ruling and held that plaintiff did not waive the privilege. The district judge found that the employee took reasonable precautions to prevent disclosure of the investigative file even if those precautions were not ultimately successful. In particular, the judge found that the link plaintiff’s employee sent to download the file was analogous to a password because it contained 32 randomly-selected characters, making it nearly impossible for anyone to stumble across the download page. He also noted that the employee (mistakenly) believed he was implementing other security features to limit who could access the files being sent and that the file would automatically be deleted within five to ten days.
Steps to Take to Protect Privilege when Using Online File-Sharing Services
The analysis applied by the court in these decisions highlights the types of protections that should be used to protect against waiver of the attorney-client privilege when sending files online. Corporate counsel and other company employees should take as many of these precautions as possible when sending privileged materials.
- Only use reputable websites to share documents.
- Use a unique web link each time documents are sent.
- Use randomly-generated web links to protect against anyone guessing the link. The longer the better!
- Set a timer that will delete the files automatically after a few days.
- Always require a password to access the web address or encrypt and password-protect the files themselves before they are uploaded to the website.
Originally published in the Oregon Association for Corporate Counsel September 2018 newsletter.