Protecting eDiscovery Privilege, the Case Against File Sharing Sites
File sharing services, such as DropBox, have become increasingly used as eDiscovery repositories for incoming data and outgoing productions. With easy sharing, via a simple URL link, it’s understandable why these tools appear to offer an optimal solution for sending and receiving massive amounts of data as one does with eDiscovery litigation. Unfortunately, this “solution” can become a massive liability and we caution clients against using these services because it is simply too easy to accidentally share privileged documents. In fact, there are several cases in which information has been inadvertently shared and the results were disastrous for the offending party.
What’s the problem?
It is not that it can’t be done correctly, it is more that one is asking for problems with an open platform like this. With default settings in place, the “owner” of a file relinquishes control of the data within the file when shared with other users. Once shared, the data within the file can be copied, changed and shared without the owner’s permission. New users can be added to the file to view the data and, with seemingly unlimited “cooks in the kitchen,” it is too difficult to maintain chain of custody and ensure responsible sharing. A few specific issues with file sharing services include:
- Shared files and folders are not static. This is not the equivalent of sending a document attachment via email. The shared file or folder remains “live”, thus any future additions or changes can still be seen by people with the link into perpetuity.
- On many platforms, user groups are created and can be duplicated to other folders with a simple click. For example, if several users have access to “Case X Final Production” folder, another attorney could grant access to all users in that file to “Case X Notes”- not realizing that opposing counsel was part of the original group.
- The link is not automatically password protected so anyone with the link can view the file unless proper authentication measures are manually enabled. This literally means that without setting up a password, anyone on the internet could potentially access your file.
What have the courts said?
In Harleysville Ins. Co v. Holding Funeral Home, Inc., Case No. 1:15cv00057 (W. D. Va. February 9, 2017), an insurance company refused a funeral home’s fire damage claim after determining the fire was caused by arson. An investigator for the insurance company uploaded video taken at the scene to a platform sharing site, box.com. The investigator sent the link to the insurance company attorney who then shared it with the funeral home attorney in order to substantiate their arson claim. Later, however, the insurance investigator uploaded additional files to that same folder, which the funeral home attorneys still had access to. The court found that because the link and files within were not properly password protected the insurance company had, in essence, “left the files on the park bench” in a virtual sense and thus waived privilege.
From the court:
Whether a company chooses to use a new technology is a decision within that company’s control. If it chooses to use a new technology, however, it should be responsible for ensuring that its employees and agents understand how the technology works, and, more importantly, whether the technology allows unwanted access by others to its confidential information.
What does Lexbe Recommend?
We have developed the Lexbe eDiscovery Platform to include a number of checks against inadvertent disclosure of privileged docs. We create a secure encrypted link specific to each production that can then be safely shared. By insulating exports with secure production links, we help prevent user error that could result in sharing documents not meant for opposing counsel or outside parties.