Law firms are slowly but steadily moving to the cloud. According to an American Bar Association report, 37.5% of lawyers reported the use of web-based software services or solutions in 2016, up from 31% in 2015, and 30% in 2014. A recent decision from a federal court in Virginia, however, highlights the substantial risks associated with the use of cloud technology. In that case, the court held that an insurance company had waived any claim of privilege with respect to its claims and investigation files, which had been posted to a publicly-accessible, non-password protected cloud account. Moreover, the court held that the privilege had been waived despite the fact that it was the insurer’s investigator, not the insurer, who had decided to use the unsecured account. The case serves as a warning that use of cloud technology demands that attorneys understand this new technology, and how their clients and agents are using it, in order to protect confidential information maintained there.
Remote cloud platforms offer a number of clear advantages – namely, the ability to manage and access documents from anywhere, and the ease of sharing files with colleagues and clients. Still, lawyers have approached this new technology with caution. In the ABA survey, 72% of lawyers named security and confidentiality as their primary concerns. And 63% of lawyers who had not yet adopted cloud technology said that they had not done so based on these specific concerns.
These apprehensions may be well-founded. The recent federal court decision in the case Harleysville Insurance Company v. Holding Funeral Home, Inc. aptly illustrates the potential perils of cloud technology for lawyers. There, cloud technology caused several unique twists and turns in what might have otherwise been an unremarkable insurance case.
The plaintiff insurance-company sued for a declaratory judgment that it did not have to provide insurance for losses from a fire at a mortuary because the policyholder had intentionally burned down the property. The insurer’s investigator used a cloud account maintained by Box, Inc., a cloud content management company, to share footage of the fire loss scene with an individual at the National Insurance Crime Bureau (NICB). The Box, Inc. cloud account was publicly-accessible via a hyperlink and was not password-protected. Later on, the insurer’s investigator added the claims and investigation files to this same cloud account. During discovery, the policyholder subpoenaed NICB, which produced a document containing a hyperlink to the Box, Inc. cloud account. The hyperlink led the policyholder to all of the insurer’s claims and investigation files. Counsel for the policyholder then produced back to the insurer a set of material which inadvertently contained the insurer’s claims file, alerting the carrier to its error.
The insurance company moved to disqualify the policyholder’s counsel and to bar use of the claims and investigation files on the grounds that the documents were protected from disclosure under the attorney-client privilege. The court determined that the insurer had waived any claim of privilege or work-product protection with respect to the information posted to the cloud account. The court reasoned that the insurer’s counsel knew or should have known that the information was publicly available because counsel had themselves used the unsecured hyperlink to access and download the claims file. Therefore, counsel “failed to take reasonable measures to ensure and maintain the document[s’] confidentiality, or to take prompt and reasonable steps to rectify the error.”
The court further analogized the insurer’s actions to “leaving its claims file on a bench in the public square” and warned that if a company chooses to use a new technology, “it should be responsible for ensuring that its employees and agents understand how the technology works, and, more importantly, whether the technology allows unwanted access by others to its confidential information.”
The Harleysville decision underscores two important points. First, attorneys and their clients may ultimately be responsible for their own technological choices as well as those of the client’s agents. Although it was the insurer’s investigator who decided to use an unsecured, publicly accessible cloud account, the court nonetheless held the insurer and its counsel responsible for this decision. Second, an attorney’s technological ignorance is not a defense, and it is clear that attorneys’ ability to secure their clients’ information and data will increasingly come under scrutiny.
Ultimately, as technology evolves, attorneys’ obligations to their clients remain the same. Attorneys must protect client confidences, and doing so in today’s digital world demands a greater technological sophistication than ever before.