The Equifax data security breach was the hallmark of data breaches in 2017 (at least for now). But for most lawyers (especially litigating lawyers), the minuscule Wells Fargo data breach was of particular interest. This interest stems from the fact that it involved one of their own in the course of her professional duties.
1. The Incident
The Wells Fargo incident arose from a legal fight between two brothers Gary and Steven Sinderbrand. Gary (the plaintiff) who was an ex-Wells Fargo employee commenced a defamation lawsuit against Steven (who still works for Wells Fargo) in a New Jersey court. The plaintiff brought a third party subpoena for discovery of electronic communications between the defendant and Wells Fargo. Wells Fargo retained the services a law firm (Bressler) to assist in the eDiscovery of the related documents, and response to the subpoena. An outside eDiscovery firm was also retained to conduct a search of Wells Fargo’s custodian databases.
Upon completion of the search, the lawyer conducted (so she thought) a privilege review of documents for confidential and privileged information. Upon completion of her review, the lawyer instructed the eDiscovery vendor to produce the documents in the database and withhold documents that has been tagged privileged and confidential. Unknown to the lawyer, she did not review the entire database of documents. She only reviewed the first one thousand documents in the database. The lawyer also did not realize that even the documents she reviewed were reviewed in a format that presented only a limited view of the contents. She also thought that the vendor was going to redact the documents she had flagged for redaction. But that was not the case. There was a total failure of communication between the lawyer and the eDiscovery service provider.
Wells Fargo thereafter turned over to the plaintiffs 1.4 gigabytes of documents containing personal information of about 50,000 super wealthy customers of Wells Fargo in United States and Europe. The information included their names, social security numbers, financial details, investments and fees charged. The documents were turned over with no protective orders or confidentiality agreement. More so, as a result of the poor document review conducted by the lawyer, large portion of the documents turned over to the plaintiff were non-relevant, privileged documents. This was a clear case of terrible eDiscovery resulting in overbroad disclosure.
The plaintiff’s lawyer notified the Wells Fargo lawyer about the data breach, and then turned over the trove of personal information in the disk to his acrimonious client who sought to use the privileged information to extract a privileged settlement of his claim. The plaintiff thereafter shared the information with the New York Times resulting in an embarrassing news headline for Wells Fargo.
The lawyer for Wells Fargo sought to have the plaintiff lawyer return the disc, asserting that the disclosure was “inadvertent”. Plaintiff lawyer refused to return the disc asserting that the disclosure was a data breach which violates federal and state privacy laws and regulations. Wells Fargo’s lawyer thereon applied and got an order from a Manhattan court restraining the plaintiff and his lawyer from further use or dissemination of the privileged information. The New Jersey court hearing the defamation suit also ordered the plaintiff to hand over the disc to the court pending a scheduled hearing to determine whether the disc should be returned to the bank.
2. The Lessons
The Wells Fargo incident underlines the high stake in eDiscovery document review especially privilege review. Privilege review is the most important aspect of document review. Bad relevancy review may result in cost of additional review or cost awards in court, which is bad but not as bad as the negative publicity that may result from inefficient privilege review resulting in disclosure of privileged and confidential information or data breach as was the case in Wells Fargo. Poor communication between the lawyer and the eDiscovery service provider was partly responsible for the Wells Fargo incident. Thus, it is important for lawyers to not only maintain good communication with their eDiscovery service providers, but it is also important for lawyers to ensure proper and adequate supervision of the work of the eDiscovery service provider.
In conducting eDiscovery (even third party discovery), it is important to have a claw back agreement that will enable a party to claw back any “inadvertently” disclosed privileged information. That notwithstanding, a clawback agreement does not and should not excuse inefficient privilege review. Clawback agreement will be useful in the event of an inadvertent disclosure of privileged documents only if the lawyer acted reasonably to prevent the disclosure. Thus failure to act reasonably to prevent disclosure of privileged information in eDiscovery could be deemed as a waiver of the privilege.
Clawback agreement are usually drafted in such a way as to permit the recall of disclosed privileged information. However, where the disclosed information is a non-privileged but confidential information not protected by any common law privilege or statutory exception, it may not be protected under a clawback agreement.
There was no framework in the Wells Fargo discovery process to determine what exactly was disclosed. The data breach resulting from the eDiscovery process only came to light because the plaintiff’s lawyer notified the Wells Fargo lawyer about it. Otherwise, it was not clear if the breach could have been noticed.
Although Wells Fargo was able to obtain a temporary restraining order with respect to the disc, it remains to be seem when the case is eventually heard what the court would decide with regards to the privileged status of the disc. We look forward to answers to such questions as: Did the counsel act reasonably to prevent the disclosure of the privileged information? Did the disclosure of the information amount to a waiver of privilege? If so, can Wells Fargo’s request to have the non-privileged/confidential information returned?