Yottabytes: Storage and Disaster Recovery

Jul 31 2017   9:03PM GMT

E-Discovery Data Breach is a Lesson for All of Us

Sharon Fisher


Be careful with e-discovery: You might discover something you didn’t intend.

That’s what one attorney recently learned when collecting data for a legal case. “The 1.4 gigabytes of files that Wells Fargo’s lawyer sent included copious spreadsheets with customers’ names and Social Security numbers, paired with financial details like the size of their investment portfolios and the fees the bank charged them,” write Serge Kovaleski and Stacy Cowley in the New York Times – data from some 50,000 customers altogether.

Typically, such personally identifiable information is redacted, or removed, from e-discovery data sent to the opposing counsel, Kovaleski and Cowley explain.

Initially, the attorney blamed the software vendor (of course), which wasn’t named but appeared to include both software and service. But as it turns out, the attorney hadn’t realized how much data the e-discovery request had obtained, writes Christine Simmons in Law.com. Using the software, the attorney reviewed “what I thought was the complete search results” and marked some documents as privileged and confidential, and then coordinated with the vendor to withhold from production anything she tagged as privileged and confidential, Simmons writes.

“What I did not realize was that there were documents that I had not reviewed,” the attorney tells Simmons, adding that her view showed only a set limit of documents at one time. There also appeared to be some confusion about who actually performed the redacting of the documents, and whether any of the data was redacted, according to court documents (which are a thing of beauty, and you really should read them to get the full effect).

Moreover, the files were handed over to opposing counsel with no protective orders and no written confidentiality agreement in place. Consequently, it would be perfectly legal for counsel “to release most of the material or include it in their legal filings, which would then become part of the public record,” Kovaleski and Cowley write.

And it didn’t end there. Because Wells Fargo had released the personally identifiable information, it then became a data breach and was subject to all the laws governing data breaches. Sending the data without redactions or confidentiality agreements violates “various privacy protection laws, Financial Industry Regulatory Authority Inc. guidance and U.S. Securities and Exchange Commission regulations, according to opposing counsel in court documents,” Simmons writes. The attorney who had sent the files to the other attorney asked that the data be returned, but at that point it became evidence in the data breach case.

Wells Fargo and its attorney have been using various legal maneuvers to get the opposing counsel to return the data, as well as destroy any copies it had made of it, Simmons writes. The attorney also noted, however, that the CD was encrypted, and that she’d written “Confidential” on the envelope. Thank goodness.

Regardless, Wells now needs to follow standard data breach protocols, such as notifying the customers that their data has been improperly released, Kovaleski and Cowley write. “And some of the accounts are listed as having a foreign owner, which would potentially trigger a separate set of overseas regulations, such as Europe’s stricter privacy statutes,” they add.

Such data breaches could happen more often as e-discovery becomes more common and more voluminous, Simmons warns.
