“Beware How You Share Client Data” – U.S. Court Rules in File-Sharing Website Case

By John Murrill

In the recent case of Harleysville Insurance Co. v. Holding Funeral Home, Inc., 2017 WL 1041600 (W.D. Va. 2/9/2017), a federal district court in Virginia issued a ruling that should make you think twice about how you share confidential and privileged information across the Internet. After the Defendants’ funeral home burned, the property insurer, Harleysville, filed suit against the Defendants for a declaratory judgment that Harleysville was not liable on its policy because the fire was caused by arson. Nationwide Insurance Company owns Harleysville, and in September 2015, a Nationwide investigator uploaded a video of the fire scene to a cloud-based, file-sharing site operated by Box, Inc. (Box is similar to Dropbox, Google Drive, and Microsoft OneDrive.) At the same time, the investigator sent an e-mail to the National Insurance Crime Bureau (“NICB”) with a hyperlink and instructions on how to access the video on the Box website. Access to the video was not password-protected.

Several months later, in April 2016, the same Nationwide investigator uploaded his entire investigation file, as well as Harleysville’s entire claims file, to the same Box site, and a hyperlink was e-mailed to Harleysville’s attorney with instructions for accessing the files. The two files included sensitive documents that would ordinarily be protected by the attorney-client and work-product privileges. Once again, access to the files was not password-protected.

During discovery, the Defendants sent a subpoena for documents to NICB, and when NICB responded, it included with its production the September 2015 e-mail containing the hyperlink to the Box site. The Defendants’ attorney then used the hyperlink to access the website and was able to download the entire claim and investigation files that had been uploaded to the site in April 2016, including the potentially privileged materials. The Defendants’ attorney shared the files with his clients and with co-counsel without saying anything to Harleysville’s attorney.

Harleysville eventually learned what had happened and filed a motion to disqualify the Defendants’ attorney based on the argument that he improperly accessed the file materials on the Box site without authorization. The Defendants’ attorney argued in response that Harleysville waived any claim of privilege by placing the documents on the Box site without password protection, where it could be accessed by anyone.

After a lengthy analysis of both Virginia and federal laws regarding privilege, the district court concluded that Harleysville had waived the attorney-client privilege by placing the otherwise privileged materials on the unprotected Box website: “I find that Harleysville has waived any claim of attorney-client privilege with regard to the information posted to the Box Site. It has conceded that the Box Site was not password protected and that the information uploaded to this site was available for viewing by anyone who was connected to the internet and happened upon the site by use of the hyperlink or otherwise. In essence, Harleysville has conceded that its actions were the cyberworld equivalent of leaving its claims file on a bench in the public square and telling its counsel where they could find it. It is hard to imagine an act that would be more contrary to protecting the confidentiality of information than to post that information to the world wide web.” (Emphasis added.) For the same reason, the Court found that Harleysville had waived the work-product privilege.

In a final twist, the Court denied Harleysville’s motion but nevertheless sanctioned the Defendants’ attorney: “defense counsel should have contacted Harleysville’s counsel and revealed that it had access to this information. If defense counsel believed that the circumstances which allowed its access to the information waived any claim of privilege or protection, they should have asked the court to decide the issue before making any use of or disseminating the information.” In summary, the Court ruled that Harleysville had waived the privileges and that the Defendants were entitled to make use of the privileged materials going forward in the litigation, but that their attorney must reimburse Harleysville’s costs incurred bringing the motion.

This ruling should make everyone think twice about how they use the Internet to share privileged materials. At a minimum, any sharing of files should include the use of a password to limit access only to the specific intended recipients; indeed, had Harleysville password-protected access to the files, it seems very likely the ruling would have gone the other way. Many file-sharing sites also allow the user to specify how long the files will remain available for access (e.g., 24 hours, one week, 10 days, etc.), which further helps to limit the accessibility of the files and demonstrates that you are taking additional steps to protect the confidentiality of your documents. Finally, when practical, users should avoid co-mingling privileged and non-privileged materials to help minimize the risk of inadvertently producing privileged information. One thing that should be very clear after this ruling is that you share documents on unsecure websites at the risk of waiving any privileges that might otherwise protect those documents.

Questions about this article, or inquiries into the steps that need to be taken to properly protect and secure client files can be sent to Taylor Porter Partner John Murrill at