When you’re a lawyer and you find out that you’ve inadvertently produced client confidential information in litigation, it’s a bad day. When you find out that confidential information is personal information on thousands of the most wealthy investors in your client’s portfolio, it’s an even worse day. And, when you find out that disclosure is being covered by The New York Times, it’s a lawyer’s worst nightmare.
Such is the story of Angela A. Turiano, a lawyer with Bressler, Amery & Ross, an outside law firm of Wells Fargo based in New Jersey. In response to a New Jersey court case involving a dispute between ex-Wells Fargo employee Gary Sinderbrand and his brother who also worked there, Turiano inadvertently produced tens of thousands of client names, Social Security numbers, account balances and more. This was on behalf of Wells Fargo as a third party to the New Jersey court case.
The documents and spreadsheets containing client information were originally provided to Aaron Miller, Sinderbrand’s lawyer in the New Jersey case on July 8 (according to the New York Times article linked below). Miller later shared knowledge of what the documents contained to Aaron Zeisler, who is representing Sinderbrand in a New York case against Wells Fargo Advisors. Miller notified Turiano of the disclosure of confidential information on July 20 (according to her affirmation filed with the New York Supreme Court on July 24). The following day, the Times article was published with quotes from both Zeisler and Gary Sinderbrand, detailing the disclosure. After Wells Fargo asked the NY and NJ courts to intervene, lawyers for Gary Sinderbrand were ordered to hand back over the data on July 26.
In Turiano’s affirmation, she described how the inadvertent disclosure evidently happened. It’s based on this description of events that I offer up some suggestions about ways to avoid the scenario. Here is the description provided by Turiano in paragraph 3 from the affirmation as to how the disclosure happened (I have put in bold a few key points that I reference below):
“Based upon my discussion with Mr. Miller, Wells Fargo agreed to conduct a search of four custodians’ email boxes using designated search terms. Wells Fargo, like many large corporations, uses an outside e-discovery service to conduct e-mail searches. The vendor conducted the search and, upon completion, I personally conducted a review of the voluminous search results to exclude from production any e-mails containing confidential or privileged information. Specifically, using the vendor’s e-discovery software, I reviewed what I thought was the complete search results and for documents that contained confidential or privileged information, I thought I marked them as confidential or privileged. I then coordinated with the vendor with both written instructions and by telephone and instructed the vendor to produce the emails in the database that I had marked, but that the vendor should withhold from the production anything that I tagged privileged-withhold and confidential and client-information withhold. What I did not realize, was that there were documents that I had not reviewed. Unbeknownst to me, the view I was using to conduct the review had a set limit of documents that it showed at one time. Thus, I thought I was reviewing a complete set, when in fact, I only reviewed the first thousand documents. I thus inadvertently provided documents that had not been reviewed by me for confidentiality and privilege. In addition, it was my understanding that the vendor was going to apply redactions for documents I flagged as needing redactions. Thus, I thought that responsive documents that contained confidential information would be redacted prior to production. The documents, however, were not redacted prior to production. I realize now that I misunderstood the role of the vendor. Finally, I now understand that I may have miscoded some documents during my review.”
As a vendor, here are some of the things I would be doing to avoid the situation:
Communicate Search Results Completely and Clearly: I’m frequently asked to perform searches on behalf of clients and I always document the search results clearly in a spreadsheet with total documents retrieved for each term and a grand total of documents retrieved from all of the terms. I also communicate that to the client clearly in an email, reiterating (in the email) the total count of documents retrieved via the searches (and usually follow up via phone as well). I can’t say that the vendor didn’t do that here (maybe they did and the attorney glossed over – or forgot – the info), but a clear communication of search results may have helped ensure that Turiano had the correct count of documents and led her to realize that there were more documents than displayed on the first page of the eDiscovery software program. It’s also important to realize that most (if not all) eDiscovery software applications deliver result sets in manageable batches of documents for efficiency sake – nobody wants to wait for all the data to load for 100,000 documents retrieved in a large search result – so the applications deliver the results in pages or batches.
Track Documents Reviewed and Report Anomalies: In a project where you know that the attorney is reviewing all retrieved documents for confidentiality and privilege, it’s good to track the documents actually reviewed and be able to report if there is an anomaly. This could be done either by setting a specific field to mark a document as “Reviewed”. Or it could be done via audit log tracking within the software. Regardless, if either was done here, the vendor could have then informed the attorney that there were documents not reviewed and the mistake could have been discovered.
Confirm Documents Tagged for Redaction Were Actually Redacted: The workflow when dealing with native ESI is typically to flag documents that need redaction (which the attorney apparently did, at least for the documents she reviewed), then for the vendor to convert those native files to image format, then for the attorney to apply the redactions. It doesn’t appear that the last two steps actually happened. I’m not sure how the attorney expected the vendor to apply redactions simply based on a tag of “needs redactions” unless there was also a description field with a detailed description of where – even then, most vendors would still expect the attorney to ultimately apply them. One check that should always be made before ESI is produced is to confirm that redactions were properly applied and if documents were tagged for redaction, there should be a step to make sure that they were actually redacted. That’s a production QC step that should always be done before signing off on the production (by both vendor and attorney).
Perform a Pattern Search for Personally Identifiable Information (PII): With data privacy becoming more important than ever and GDPR looming, it’s becoming necessary to do more than just manual review to identify potential personal data – after all, people make mistakes. Pattern searches are specialized searches, looking for specific types of information, such as 3 digits, then 2 digits, then 4 digits (i.e., the pattern for a social security number). Searches for other patterns, like client account numbers or credit card numbers, could also be performed to determine whether personal data exists in the production set, which may need to be redacted or removed altogether.
Recognize When Your Client Needs More Hand Holding: Some attorneys are experienced and tech-savvy with regards to eDiscovery and want to drive the process, others are not. Based on the description of events, I would suggest that this attorney was not very experienced in eDiscovery matters or in using eDiscovery software. When that’s the case, it’s important for the vendor to be prepared to take more of a lead in driving the production QC and raising issues like those I discussed above. As Turiano stated, “I realize now that I misunderstood the role of the vendor.” Evidently, there was certainly a lack of communication on who was “driving the bus” on this production – when that’s the case, “the bus” tends to end up in a ditch.
So, what do you think? What steps do you take to avoid inadvertent disclosures? Please share any comments you might have or if you’d like to know more about a particular topic.
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.