My Guest Blogger Eddie Block (CISSP, CIPM, CIPP/G, CISA, CEH) is a senior attorney in Gardere’s Litigation Group and member of the Cybersecurity and Privacy Legal Services Team who focuses on all aspects of information cyber security, including credentialing functions, firewall and IDS deployment and monitoring, and penetration testing, and related complex litigation. Eddie blogs at JurisHacker.
Attorney Client Privilege in the cloud
Over the past few months I’ve been asked several times about the status of attorney-client privilege when attorneys use cloud technology. It is an interesting question and there are a couple concepts that need to be explained about attorney client privilege. So buckle up, this is a long one.
First (and very broadly speaking), attorney client privilege is lost when disclosed to a third party intentionally or inadvertently. So an attorney and client discussing a case in a busy coffee shop could potentially lose attorney client privilege since a third party could overhear the communications. I know the attorneys reading this post will likely come out of their chairs with exceptions, but I’m trying to paint a high level picture.
This loss of attorney client privilege does not mean that attorneys have to hide everything in locked safes buried in concrete. The comments on the model rules of professional conduct state:
“…unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure. ” (emphasis added).
So, this brings us to Harleysville Insurance Company v. Holding Funeral Home, No. 1:15cv00057, memorandum op. (WD Va. Feb. 9, 2017). In Harleysville, an investigator for the parent company of Harleysville uploaded surveillance video of the underlying event to a file sharing site. He then emailed a link to the video to another party. The same investigator later placed the case file in the share.
The share was not password protected or otherwise protected. In fact anyone with the link or anyone who found the share could see the information. Remember the language of the model rule above? The Virginia court echoed this language in their opinion stating that inadvertent disclosure can be caused “by failing to implement sufficient precautions to maintain its confidentiality.” (emphasis added) The court continued “With regard to the reasonableness of the precautions taken to prevent the disclosure, the court has no evidence before it that any precautions were taken to prevent this disclosure.” (emphasis added).
The court concluded that attorney client privilege had been waived by posting the information to a publically available website.
As I’ve counseled clients in the past, whether attorney client privilege will survive in the world of cloud usage depends on the steps taken to prevent disclosure. Encryption, access control, and logging are your friends.