Harleysville Insurance Company v. Holding Funeral Home, No. 15-57 (D. Va. Feb. 9, 2017) is as cautionary of a claims handling tale for insurers as you’ll ever see. Lists of claims handling don’ts have been around for a long time and are many. But this one is new to the scene and has the potential to rise in frequency. The tale goes like this. In the court’s own words…
The teaser: “In essence, Harleysville has conceded that its actions were the cyber world equivalent of leaving its claims file on a bench in the public square and telling its counsel where they could find it. It is hard to image an act that would be more contrary to protecting the confidentiality of information than to post that information to the world wide web.”
Background: Harleysville and Holding Funeral Home were involved in coverage litigation concerning a fire. Thomas Cesario, a Senior Investigator for Nationwide (parent of Harleysville) “uploaded video surveillance footage of the fire loss scene, onto an internet-based electronic file sharing service operated by Box, Inc. Cesario then sent an email containing a hyperlink to the Box, Inc., internet site, by which Wes Rowe of the National Insurance Crime Bureau (“NICB”), could access the file containing the Video using the internet and download the Video. The Video was placed on the Box Site, and the hyperlink to the Box Site sent by email to Rowe on September 22, 2015.”
The problem starts: “Cesario placed files containing Harleysville’s entire claims file and Nationwide’s entire investigation file for the defendants’ fire loss, on the Box Site to be accessed by Harleysville’s counsel. Cesario then sent an email to Harleysville’s counsel with the same hyperlink he sent to Rowe to be used by counsel to access the Box Site and retrieve a copy of the Claims File.”
The train goes off the tracks: The insured’s “counsel issued a Subpoena Duces Tecum, dated May 24, 2016, to NICB requesting NICB’s entire file related to the fire. On or about June 23, 2016, NICB sent [the insured’s] counsel electronic copies of all documents and information it had received from Harleysville, including a copy of the September 22, 2015, email from Cesario to Rowe containing the hyperlink to the Box Site. That same day, [the insured’s] counsel, without the knowledge or permission of Harleysville or its counsel, used the hyperlink to gain access to the Box Site, which now contained the Claims File. [The insured’s] counsel downloaded the Claims File and reviewed it without ever notifying Harleysville’s counsel that they had accessed and reviewed potentially privileged information.” (emphasis added).
The Conflict: “Harleysville’s counsel argues that [the insured’s] counsel’s access to Harleysville’s Claims File was an improper, unauthorized access to privileged information requiring the disqualification of all [insured] counsel of record. [The insured’s] counsel argue[d] that the Motion should be denied because Harleysville waived any claim of privilege or confidentiality by placing the information on the Box, Inc., site where it could be accessed by anyone.”
T-H-E E-N-D: Putting aside the court’s discussion of the ins and outs of what it takes to waive attorney-client privilege under Virginia state law, the court held that Harleysville did. Such waiver was found on the basis of an inadvertent disclosure. In making this decision, the court looked to the reasonableness of the precautions taken to prevent the disclosure. And here the court was not sympathetic to Harleysville.
“With regard to the reasonableness of the precautions taken to prevent the disclosure, the court has no evidence before it that any precautions were taken to prevent this disclosure. The employee who uploaded Harleysville’s Claims File to the Box Site had used the site previously to share information with a third-party, the NICB. It does not matter whether this employee believed that this site would function for only a short period of time or that the information uploaded to the site would be accessible for only a short period of time. Because of his previous use of the Box Site, this employee either knew — or should have known — that the information uploaded to the site was not protected in any way and could be accessed by anyone who simply clicked on the hyperlink.” (emphasis in original”).
The moral: “The technology involved in information sharing is rapidly evolving. Whether a company chooses to use a new technology is a decision within that company’s control. If it chooses to use a new technology, however, it should be responsible for ensuring that its employees and agents understand how the technology works, and, more importantly, whether the technology allows unwanted access by others to its confidential information.”
[There is more to the story – waiver under federal law and the manner in which the insured’s counsel acted upon receipt of the claims file -- but that’s not relevant to share the cautionary tale.]