The Dangers of Trusting Technology to Keep Privileged Documents From Opposing Counsel

It's every litigator's fear - inadvertent disclosure of privileged documents leading to a court finding of waiver of privilege.  A recent Illinois case shows just how easy it is to waive the privilege if you do not stay on top of the technological aspects of your production, even after conducting a complete review and indentifying privileged documents.

In Thorncreek Apartments III, LLC v. Village of Park Forest, 2011 WL 3489828 (N.D. Ill. Aug. 9, 2011), the court was faced with a defense counsel who "thought" that merely marking documents as privileged in an electronic database would keep them safe from production. Unfortunately for counsel, every document that had been identified as privileged was produced to opposing counsel. To make matters worse, defense counsel did not learn of the accidental disclosure for nearly nine months of discovery. He then waited an additional four months to produce a privilege log to opposing counsel. Not surprisingly, the court held that while some of documents were privileged when originally created, defense counsel had waived privilege by his actions, or more precisely his inaction.

Here are some key points from the case all litigators should take to heart when engaging in document production:
 

1.  Attorneys must take precautions to protect electronic disclosure of privileged documents. They should never presume that merely marking documents as privileged in an electronic database will prevent their production.

The court determined that the defendants' procedures for privilege review were "completely ineffective." Although counsel "thought" marking a document as privileged in the electronic database would automatically lead to it being withheld from opposing counsel, counsel never actually checked the production to assure that this was the case. The court also noted that counsel hardly could have taken adequate safeguards against production where every single privileged document, not merely one or two, had been produced.

2.  Attorneys should produce privilege logs close to the time when a production is made. It will act as a check on whether documents have inadvertently been produced and alert opposing counsel to a document's privileged status.

The Thorncreek court weighed heavily the defendants' nearly nine-months' ignorance regarding the disclosure of privileged documents. Defense counsel failed to check in at all, on the electronic database of documents to see what documents were present and what documents opposing counsel was viewing from the production.

Defense counsel was also faulted for failing to timely produce a privilege log. Such a log would have alerted both sets of counsel to a privileged document being accidentally disclosed. Instead, defense counsel waited more than a year after production began, and a whole four months after learning of the accidental disclosure during a deposition, to provide such a log.

3.  Where inadvertent production of privileged documents has occurred, counsel must immediately take steps to rectify the error in order to protect and maintain privilege.

The court came down on defense counsel for not knowing of the inadvertent production of privileged documents for months, and then failing to act with diligence after finding out.

It may be basic, but the lesson is that there must be additional checks and balances other than simply checking off documents as privileged in an electronic database, ten steps before they are actually produced. While this hardly means that an attorney must re-check every single document marked for production or privilege a second time, there could be, for example, a search of a sample of privileged documents to ensure they are privileged; and a sample of non-privileged documents to make sure nothing privileged has snuck into the pile. Another method is to run a search for a few attorney names, and verify that the resulting hits are marked privileged.

The bottom line is that counsel should always check a production for privileged documents, monitor documents in an electronic database, and act immediately to assert privilege when an accidental production is found. 

Ascending to the Cloud Creates Negligible E-discovery Risk

Cloud computing platforms (a set of pooled computing resources that are powered by software and delivered over the Web) have been generating quite a bit of press in the last year. Indeed, just recently computing giant Microsoft launched its Microsoft 365 cloud computing platform, designed to rival Google’s "mega-cloud" platform, which launched in May 2010. Since the release of the first commercial cloud computing platform by Amazon in 2006, cost-conscious companies have been racing to evaluate the pros and cons of moving their computing operations to “the cloud.” According to the Booz, Allen, Hamilton technology consulting firm, “Cloud computing may yield:

Life cycle costs that are 65 percent lower than current architectures

  • Benefit-cost ratios ranging from 5.7 to nearly 25
  • Payback on investments in three to four years."

Notably absent from that cost-benefit analysis, however, is the effect cloud computing may have on the costs and risks associated with conducting electronic discovery. Those engaged in such activities may well ask the question, “Will the savings companies expect from moving their data to the cloud be absorbed by the additional costs/risks created by conducting e-discovery in the cloud?”

The short answer is no. Although there are risks associated with conducting e-discovery from the cloud, they are remote, manageable and eclipsed by the savings companies should expect from cloud computing. Some of the riskiest aspects of conducting e-discovery in the cloud are:

  • The loss/alteration of data and associated metadata
  • The potential violation of international data privacy laws by illegally disclosing data in the jurisdiction in which the cloud is located
  • The unintentional waiver of the attorney-client privilege by co-mingling data or disclosing attorney client communications to third parties
  • The failure to properly and timely implement and monitor litigation holds

Fortunately, companies can easily manage the risk of altering metadata and the risk of violating international data privacy laws by insisting the service agreement with their cloud provider:

  • State that none of the company’s data may be stored outside the United States
  • Provide a detailed mechanism for how the cloud will implement litigation holds
  • Address how metadata will be created and stored in the cloud environment

Similarly, companies can minimize the risk of waiving the attorney-client privilege by including “no waiver” language in their cloud computing service agreements and establishing security protocols to prevent the inadvertent disclosure of communications to the administrators of the cloud or any other third party.

When the technology has improved and cloud computing administrators have developed expertise at responding to e-discovery requests, companies might even enjoy e-discovery cost savings by moving their data to the cloud. “If the cloud fulfills its promise and supplants the hodgepodge of local hard drives, LAN servers, and removable storage that now house our data, the cloud will emerge as the simpler, ‘one-stop shop’ for preservation and search in electronic discovery,” Craig Ball, an expert on trends in e-discovery, predicts.

In fact, that technology already has been developed and is in use for other applications. In late 2010, Facebook (currently the largest functioning equivalent to a cloud computing environment) added to its regular user interface a one-button preservation tool for capturing user content. Now, by simply clicking the “Download Your Information” button (and providing the appropriate password), Facebook users can request a neatly packaged zip file containing all of their videos, messages, wall posts, friend lists and other profile content — it doesn’t require a professional background in information systems to comprehend how similar technology can be applied to collect corporate data stored in the cloud.

Furthermore, cloud administrators saddled with the responsibility of responding to many subpoenas or production requests on behalf of myriad clients will, in time, develop an expertise in culling, processing and producing data. In turn, cloud users will undoubtedly benefit from advances in technology as well as the experience that cloud administrators have gained in responding to e-discovery requests.

The hope is that these efficiencies will translate directly to the end-user. At the end of the day, in-house counsel should be confident that (if managed properly) the benefit of moving a company’s data to the cloud outweighs the risks and costs associated with producing data from the cloud as part of a lawsuit.

                                       *                                                   *                                                *

This article was originally published by Steven Hunter, a Quarles & Brady partner, in Inside Counsel.

Logging Email Chains to Preserve Privilege

 

Lawyers regularly receive emails from clients that contain earlier email threads that are forwarded in the course of seeking legal advice. Sometimes these earlier threads appear as attachments. Other times, they are embedded beneath the content of the most recent thread. Regardless of the form of the threads, parties involved in litigation will often seek to withhold the entire chain from the opposing party. The problem lies in determining how to properly log an email chain to preserve the privilege that attaches to the earlier email threads when they are forwarded along with a privileged email.

In a recently published opinion from the Eastern District of Pennsylvania, the court found that each individual thread must be logged. Rhoads Industries, Inc. v. Building Materials Corp. of America, 254 F.R.D. 238, 241 (E.D. Penn. 2008). If an underlying email is not logged, any privilege that otherwise might have attached to it is waived.  

If it doesn’t make immediate sense to you why someone might not want to log each individual thread, consider that the underlying emails probably have to be produced in their original, non-forwarded format. By comparing the log with the emails that have been produced, the opposing party can determine what emails the client forwarded to the lawyer.  Because the opposing party has access to these emails in their original format, the opposing party might be able to determine what the lawyer and client knew and when they knew it, including key facts in any dispute. 

 

Rhoads made many bloggers “Year in Review” lists in December and January because the court, in an earlier opinion, engaged in a lengthy analysis of the factors to be considered under Federal Rule of Evidence 502 in determining whether Rhoads took reasonable steps to prevent inadvertent disclosure and to rectify the mistake upon discovering it. In that earlier opinion, the court decided that Rhoads had waived the privilege that might otherwise apply to several documents that its attorneys had failed to log.

The court was subsequently called upon to clarify whether or not Rhoads had waived the privilege with respect to email chains, some threads of which were logged, others of which were not.  Although the court noted that the attorney-client privilege may attach to an otherwise non-privileged email when the email is forwarded along with a privileged email, the court found that Rhoads had waived the privilege for any unlogged threads. The court ordered Rhoads to produce the email chains, but authorized Rhoads to redact any threads its lawyers had previously logged.

The moral?  If one email in a chain is privileged, counsel needs to take care in considering whether all of the emails in the chain are privileged and treat them accordingly.  If they are not all treated as privileged and logged as such, counsel risks waiving the privilege as to the entire email string. 

Client Confidentiality and WiFi

The next time you log into your work email from the corner coffee shop on a sunny Sunday morning, or from your hotel room or a seat at the airport in the midst of business travels, this article from The Legal Intelligencer may give you pause. 

"Free" WiFi "hotspots" are springing up everywhere.  But they may cost more than we think:  when we take advantage of unsecured wireless access, the information we input does not go directly from our laptops to the nearest connection.  Instead, it floats out there in the air (I believe that is the technical term...) for a radius of up to 500 feet.  Highly tech-savvy miscreants (ok, hackers) can misroute these transmissions to their own "Evil Twin" wireless access sites, and capture the confidential information of unsuspecting users, with devastating consequences.  Of course this raises concerns about data security generally, but it also could implicate - or compromise - the attorney-client privilege and work product protections, and land attorneys in ethical trouble. 

Fortunately, the article provides some helpful tips on how to secure your computer and avoid misappropriation of your clients' - or your own - confidential data.

On a more whimsical note....I like to think that when I stopped for my morning latte in Los Angeles, dialogue from 2010's Best Picture could have been floating in the air right past my head.

Employer Policy Regarding Email for Personal Use Trumps Attorney-Client Privilege

 A recent New York appellate court decision offers some guidance on the interplay among an employer's right to monitor email traffic, an employee's expectation of privacy in their email and the attorney-client privilege.  In a decision by the Supreme Court for New York County, the Plaintiff, Dr. Scott, was fired by Beth Israel Medical Center and sued for $14 million in severance payments.  Dr. Scott got a bit ahead of himself, though, and sent several emails about the impending suit to his lawyers while still employed by the hospital, using his work email account and a hospital computer.  When the hospital informed his attorneys that it had the emails, Dr. Scott moved for a protective order preventing their use in litigation.

The question, then, was what took precedence, the attorney-client and work product privileges, or the hospital's email policy, which provided that the hospital's email system was not for personal use and that the hospital reserved the right to access emails at any time.

The court found that "A 'no personal use' policy combined with a policy allowing for employer monitoring and the employee's knowledge of these two policies diminishes any expectation of privacy," and the combined effect "is to have the employer looking over your shoulder every time you send an e-mail."  Thus, the court held that the emails were not protected, and were properly discoverable in litigation.  The full decision appears here: Scott v. Beth Israel Medical Center.