A recent decision from the U.S. District Court for the Western District of Virginia highlights a potential problem with file sharing. A link to a set of documents that is not password protected can leave those documents vulnerable to disclosure to unintended parties — and may constitute waiver of attorney-client privilege.

The recent decision, Harleysville Insurance Company v. Holding Funeral Home, Inc., et al., is an insurance coverage dispute arising out of a fire loss. Case No. 1:15cv00057 (W.D. Va. Feb. 9, 2017)

The issue before the court was whether, by using a non-password-protected link to send claim file materials, the insurance company waived attorney-client privilege and work product protections.

During the course of its investigation, the insurance company placed its entire claims file in a folder on a cloud-based file sharing and storage site and provided a hyperlink to its counsel so that he could access the information. In addition to the claims file, the folder included information from an insurance company investigator. Anyone possessing the link could gain access to the claims file by clicking on the link, which was not password protected.

During the course of discovery in the lawsuit, the policyholder's lawyer saw a reference to the link in a document, clicked the link, and thereby had access to the entire claims file as well as all of the materials uploaded by the insurance company investigator. In responding to discovery, the policyholder's lawyer produced documents that were downloaded from the file sharing site. The insurance company filed a motion to disqualify the lawyer for what it characterized as "unauthorized access" to privileged information, citing attorney-client privilege and work product protections.

The District Court disagreed with the insurance company's position and ruled that the attorney-client privilege and work product protections were waived. Key to the court's ruling was the fact that the link to the filing sharing site was not password protected. And, as such, "the information uploaded to this site was available for viewing by anyone, anywhere who was connected to the internet and happened upon the site by use of the hyperlink or otherwise." In short, the insurance company knew or reasonably should have known that by using an unprotected link, third parties could access the material.

Per the court:

In essence, [the insurance company] has conceded that its actions were the cyber world equivalent of leaving its claims file on a bench in the public square and telling its counsel where they could find it. It is hard to imagine an act that would be more contrary to protecting the confidentiality of information than to post that information to the world wide web.

Although the insurance company's disclosure of its claims file provided the policyholder with the full file, the result is a cautionary tale for policyholders. Policyholders using cloud-based services to provide access to information should consult their technology professionals to ensure that files are adequately protected both on the cloud and when they are being transferred. To that end, policyholders should also consider using password protection when transmitting links as well as assigning an expiration date when access to the folder will expire. The degree of care taken to protect against third-party access to information will likely be a factor when a court is evaluating whether a waiver has occurred. In the words of the court:

The technology involved in information sharing is rapidly evolving. Whether a company chooses to use a new technology is a decision within that company's control. If it chooses to use a new technology, however, it should be responsible for ensuring that its employees and agents understand how the technology works, and, more importantly, whether the technology allows unwanted access by others to its confidential information.

File sharers, take note.

Originally published by Policyholder Advisor & Alert, March 31, 2017.

Stephen D. Palley is a trial lawyer based in the Washington D.C. office of Anderson Kill. Mr. Palley represents policyholders seeking insurance coverage, with a particular focus on emerging technology, software development and the construc¬tion industry. He has worked closely with clients in the design and development of a variety of software platforms, and draws on this hands-on experience to advise clients about product development, design and risk transfer and mitigation.

Peter A. Halprin is an attorney in Anderson Kill's New York office. His practice concentrates in commercial litigation and insurance recovery, exclusively on behalf of policyholders. Mr. Halprin also acts as counsel for U.S. and foreign companies in domestic and international arbi-trations. He is also co-Deputy Chair of the firm's Cyber Insurance Recovery Group.

About Anderson Kill

Anderson Kill practices law in the areas of Insurance Recovery, Commercial Litigation, Environmental Law, Estates, Trusts and Tax Services, Corporate and Securities, Antitrust, Banking and Lending, Bankruptcy and Restructuring, Real Estate and Construction, Foreign Investment Recovery, Public Law, Government Affairs, Employment and Labor Law, Captive Insurance, Intellectual Property, Corporate Tax, Hospitality, and Health Reform. Recognized nationwide by Chambers USA for Client Service and Commercial Awareness, and best-known for its work in insurance recovery, the firm represents policyholders only in insurance coverage disputes - with no ties to insurance companies and has no conflicts of interest. Clients include Fortune 1000 companies, small and medium-sized businesses, governmental entities, and nonprofits as well as personal estates. Based in New York City, the firm also has offices in Philadelphia, PA, Stamford, CT, Washington, DC, Newark, NJ and Los Angeles, CA.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.