Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Lawyer’s E-discovery Error Leads to Wells Fargo Breach

July 31, 2017

Angela A. Turiano is a lawyer with Bressler, Amery & Ross. As the New York Times reported on July 21^st, when a lawyer for Gary Sinderbrand, a former Wells Fargo employee, subpoenaed the bank as part of a defamation lawsuit against a bank employee, he and Mr. Sinderbrand expected to receive a selection of emails and documents related to the case.

What he got – by accident – was a vast trove of confidential information about tens of thousands of the bank's wealthiest clients. The 1.4 gigabytes of files that Wells Fargo's lawyer sent included many spreadsheets with customers' names and Social Security numbers, paired with financial details like the size of their investment portfolios and the fees the bank charged them. Most are customers of Wells Fargo Advisors, the arm of the bank that caters to high-net-worth investors.

By Mr. Sinderbrand's estimate, he had financial information for at least 50,000 individual customers. In all, Mr. Sinderbrand said, these clients have tens of billions of dollars invested through Wells Fargo, all delivered to him as part of the discovery process in his lawsuit.

The files were handed over to Mr. Sinderbrand with no protective orders and no written confidentiality agreement in place between his lawyers and Wells Fargo's. While the documents were not filed in court, it would be legal for Mr. Sinderbrand and his lawyer to release most of the material or include it in their legal filings, which would then become part of the public record.

Bressler, Amery & Ross, an outside law firm in Florham Park, N.J., was hired by Wells Fargo, which is not a party to the suit. Mr. Sinderbrand and one of his lawyers, Aaron Zeisler, notified Ms. Turiano about the sensitive documents now in their hands.

In an email response, Ms. Turiano described the disclosure as "inadvertent," and wrote, "Obviously this was done in error and we would request that you return the CD asap so that it can be properly redacted."

Mr. Zeisler said his client intended to keep the CD secure and confidential. "We are continuing to evaluate his legal rights and responsibilities," Mr. Zeisler said. "Wells Fargo has not identified what specific documents it asserts were inadvertently exposed."

The disclosure is a data breach that potentially violates a number of state and federal consumer data privacy laws that limit the release of personally identifiable customer information to outside parties.

Based on the fairly narrow subpoena that his lawyer submitted, which sought communications about Mr. Sinderbrand's employment and compensation, there was no reason for the bank to turn over such information, especially without any redactions, Mr. Sinderbrand said.

In terms of information security, litigation poses a special risk because confidential material often must change hands. The legal industry's best practices for handling digital documents in e-discovery include careful reviews to exclude or redact personally identifiable information, encryption and other safeguards as data is transferred.

Confidential information is also often covered by a protective order, which must be granted by a judge, to prevent the data's recipients from sharing it more widely. None of that seemed to have happened here, reflecting a breakdown in vetting at multiple levels.

In Ms. Turiano's email to Mr. Sinderbrand's lawyer, she wrote: "We went through a long process of a very large email review with an outside vendor with instructions on exclusion which was spot checked. Clearly there was some type of vendor error — which I am confirming now."

Following up on the story, Naked Security reported on July 27^th that Wells Fargo & Co offered apologies to approximately 50,000 Wells Fargo Advisors clients whose information was inappropriately shared by Wells Fargo outside counsel.

As the article pointed out, to create a disk with 1.4GB of data (which equates to approximately 14,000 documents) is not an insignificant electronic litigation support task. As noted, Ms. Turiano blamed vendor error, effectively throwing the unidentified vendor under the bus.

In this instance, accepting Turiano's explanation, the information was identified and isolated, and compiled. Indeed, she notes the process included a laborious email review and guidance provided to their vendor on exclusions. Then the information was "spot-checked." In an affidavit to the court to explain what happen, she explained, "Unbeknownst to me, the view I was using to conduct the review has a set limit of documents that it showed at one time. I thought I was reviewing a complete set, when in fact, I only reviewed the first thousand documents."

The non-excluded information was then copied to the disk and provided to opposing counsel. Wells Fargo, once notified, went into crisis control mode, given that Miller had shared the information with the New York Times and had not returned it to Turiano, Wells Fargo filed suit to compel Miller to return the information that had been mistakenly shared by their outside counsel. On July 26th, Sinderbrand and his attorneys were ordered to return the data to the court for safekeeping.

Wells Fargo then acknowledged the e-discovery error, saying: "We take the security and privacy of our customers' information very seriously. Our goals are to ensure the data is not disseminated, that it is rapidly returned, and that we ensure the discovery process going forward in the cases is working as it should."

This appears to be a case implicating the duty of competence. The lawyer didn't understand what she was viewing.

As Naked Security said, "Companies would be well served to have in place an audit capability for both inside and outside counsel (and vendors) to ensure there is visibility into the ERDM and e-discovery process from beginning to end, with emphasis on accomplishing the process in the most secure manner possible."

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson

Sharon D. Nelson, Esq.
President

Subscribe in a Reader

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Ride the Lightning

Lawyer’s E-discovery Error Leads to Wells Fargo Breach

Subscribe for More!

Recent Posts

Listen to the Podcast

Disclaimer