It’s every attorney’s nightmare: a notice you’ve accidentally handed over unprotected confidential information. To claw the information back, you’re forced to file an affidavit explaining how you failed to review thousands of documents and stating “I misunderstood the role of the vendor.”
For some attorneys, though, this nightmare is reality. On July 20th, a lawyer for Bressler, Amery & Ross representing Wells Fargo was informed that she had mistakenly produced confidential information on some of the bank’s wealthiest clients—on a CD-ROM, without redaction, and without a confidentiality agreement in place. What’s worse, the receiving party then took that information and showed it to the New York Times, garnering front-page headlines. What followed was finger-pointing between the attorney and her client’s eDiscovery vendor, a desperate scramble to claw back the information and prevent further dissemination, and what must be a whole lot of anger and humiliation on the part of all parties involved.
While this is, to be sure, a total failure of due diligence—the attorney admitted, among other things, to mismarking confidential materials and performing only minimal “spot-checking”—it also highlights the need for powerfully simple discovery software that mitigates the potential for these mistakes to occur in the first place, with intuitive user interfaces and inherent safeguards. Indeed, Wells Fargo’s discovery nightmare is a symptom of a badly kept secret in legal technology: attorneys are by and large not equipped to perform the crucial duties of eDiscovery because the eDiscovery tools themselves are archaic, complex, and risk-laden.
Thankfully, more and more legal professionals are abandoning risky, outdated technology—as our experience with Logikcull’s ShareSafe shows. Soon, the days of lawyers producing highly sensitive information through a vendor, using technology from 1982, will finally be over.
Wells Fargo’s discovery data breach offers a prime example of what’s wrong with the eDiscovery process. The company’s data breach arose during litigation between two brothers, over allegedly unpaid commissions. Gary Sinderbrand, a former adviser at the bank’s brokerage firm, sued his brother Steven, a current Wells Fargo adviser, in both New York and New Jersey, accusing him of defamation and breach of contract, stemming from their (formerly) shared book of business.
As part of the lawsuit, Gary Sinderbrand subpoenaed emails from the bank. When Wells Fargo sent over its production, it turned over far more than just emails. The production included “copious spreadsheets with customers’ names and Social Security numbers, paired with financial details like the size of their investment portfolios and the fees the bank charged them,” according to the New York Times, whose reporters were shown the documents. Personal and confidential information was left unredacted and there was no protective order in place limiting how the receiving party could use the data.
In an affidavit filed shortly after the breach, Wells Fargo’s outside counsel in charge of the production stated that she had misunderstood the role of the third-party vendor hired to aid in discovery, as well as the technology the vendor used. Documents went unreviewed, files flagged for redaction were never redacted.
When informed of the erroneous production by Sinderbrand’s team, Turiano responded that “Obviously this was done in error and we would request that you return the CD asap so that it can be properly redacted.” Sinderbrand’s attorney was not receptive to the request, however, leaving the bank scrambling to obtain court orders to force the data’s return (in New Jersey) and limiting its use (in New York).
As Turiano’s affidavit notes, release of that information and its publication to the Times “created a significant risk of harm to Wells Fargo customers.” The breach is also, Turiano alleges, being seized on as a bargaining chip by Sinderbrand, who has reached out to Wells Fargo leaders “in an apparent attempt to profit from the discovery mistake.”
This is just the beginning of the potential fallout. In addition to the fight over the inadvertently revealed customer information, the bank’s release of private information may trigger data breach laws and has reportedly caught the attention of federal regulators, including the Financial Industry Regulatory Authority. It also, of course, raises the spectre of legal malpractice.
While it’s the few headline-garnering cases that attract national attention, mistakes like this happen all the time. And virtually any attorney who’s ever practiced complex litigation has a horror story or two—a production poorly done, a confidentiality review botched, a CD full of client information lost.
eDiscovery increasingly exposes attorneys to malpractice allegations, and, as has happened with the Bressler Amery attorney involved in this particular matter, career-threatening reputational damage. But beyond the personal consequences, eDiscovery is also a serious security issue—parties, from banks to the federal government, gather their most sensitive documents together in repositories that become low-hanging fruit for cybercriminals, inside traders, nefarious legal adversaries, and unscrupulous insiders.
Part of the problem stems from outdated technology provided by a third-party vendor system that relies on complexity to stay in business (after all, if any random attorney could do eDiscovery herself, you wouldn’t need a vendor in the first place). Poorly made eDiscovery software can take months to learn and years to master, leading to situations like Wells Fargo’s—users who simply do not understand the tool they are using and place their faith in a vendor’s ability to manage discovery for them. The more prevalent risk of human error only exacerbates the issue, and when something goes wrong, it is the attorneys (who are bound by professional duties) not vendors (who are not) who will face potential malpractice claims.
The solution is two-pronged. Better education is a must, and the pleas for better training both from the bar and from private providers will only get louder as more of these incidents become public. But lawyers will never be technologists. The average attorney is no more likely to be skilled at software as a software engineer is to be learned in the law, and that is likely to remain the case for the foreseeable future. Instead, it is incumbent upon technology providers to build software that is simple yet powerful, and intuitive, with safeguards to protect attorneys from themselves.
That software exists today, but is only now emerging from the backwater of legaltech as more attorneys and their clients are burned by the tools offered by the old guard. Modern discovery technology—Discovery Automation, as it is known—can automatically identify documents as potentially privileged and quickly locate and redact sensitive information like Social Security numbers. Powerful search technology virtually eliminates the need for attorneys to review documents one-by-one. And because this software is cloud-based, lawyers can produce documents to third parties through a secured download link, rather than a CD-ROM sent in the mail. But above all, this emergent technology is just much easier to use, eliminating much of the operator error intrinsic to eDiscovery.
Thankfully, there are many legal professionals out there who are getting rid of their CDs, dated discovery technology, and third-party vendors. Logikcull’s recently introduced ShareSafe feature is a great example of this. ShareSafe allows productions to be made instantly via a secured download link, where permissions-based access is granted temporarily before automatically expiring. There’s no waiting for documents to upload to an FTP site or burn to a DVD and if the wrong information is accidentally produced, the invitation can be canceled, revoking access in seconds.
Introduced in January, ShareSafe usage has grown rapidly. In ShareSafe’s first few months, Logikcull users have produced nearly 8 million documents and over 47 million pages through the service.
Forward-thinking lawyers are leading the charge to safer, simpler productions. Contrary to the image of the technophobic attorney, many law firms have been quick to adopt ShareSafe, with hundreds of legal professionals sending out productions through the feature and ShareSafe productions growing by 280 percent in its first few months.
Those attorneys can enjoy the peace of mind that comes with being able to share a production simply, securely and through the cloud, to see when the shared documents are downloaded, and to control permission-based access.
With tools that take advantage of the hallmarks of modern, cloud-based technology—secure file transfer, encryption, intuitive interfaces, auto-detection, and more—the kinds of disastrous mistakes that landed Wells Fargo and its attorneys in the New York Times can be avoided, and the legal professionals who deal in the high-risk, high-stakes arena of complex litigation can sleep a little easier at night.
Thankfully, many attorneys are starting to adopt these tools. For those who haven’t, the responsibility now lies with them and their clients to find and start using them.