In the News: Data Breach Brings Key eDiscovery Lessons to Light

A recent New York Times article spotlights how Wells Fargo inadvertently turned over a “vast trove of confidential information about tens of thousands of the bank’s wealthiest clients” to a former bank employee and his lawyer¹. 

The employee and his lawyer had subpoenaed the bank as part of a defamation lawsuit. They expected to receive a selection of documents and emails related to the case. Instead, they received 1.4 gigabytes of files with personally identifiable information including social security numbers, financial details and other information connected with at least 50,000 customers. These include a well-known hedge fund billionaire who had a least $23 million invested through Wells Fargo Advisors.  

I disagree with the opposing party running to the New York Times with this story, which in my opinion could have been an attempt to leverage their negotiating position or discredit the opposition. On the other hand, I'm glad the story is out because many can learn from the mistakes made here. Keep in mind, however, that this is one incident coming to light. There are scores of others we hear nothing about due to protective orders, confidentiality agreements or clawback agreements. I suspect some breaches are also not disclosed out of pure "professional courtesy" from one lawyer to another.

This brings me to my main point: clearly there are vital lessons to be gleaned from this particular disclosure. First is that communication is the most important factor when dealing with eDiscovery matters. The communication breakdown between the Wells Fargo lawyer and the vendor, as reported in the New York Times article, was substantial. Too often lawyers don't want to be "bothered" with the details of eDiscovery. I suggest taking the time to talk with vendors in order to more clearly understand the processes, protocols and risks associated with a situation like this one.  

Second, the workflow and process for completing the document production related to the Wells Fargo case did not exist, or was not followed. A simple workflow process with quality control steps for review, redaction and production would have solved this issue. Needless to say, the attorney is the one ultimately responsible and a judge will ultimately have a challenge in unraveling a tangled web to determine what exactly happened.

Third, legal professionals should ensure that they are working with vendors backed by many years of solid, credible industry experience. There are hundreds of "startups" in our field; many of them lack the skills honed by doing this type of work over decades. Additionally, the relatively high number of mergers and acquisitions among vendors occurring in our industry has also created an unstable environment within those organizations going through the M&A process. Cultures differ, jobs are shifted or changed and employees are usually unhappy or nervous. This translates into risk when working with vendors that have gone through this process in the last year or two.

Too often in eDiscovery I see lawyers being "penny wise and pound foolish."  Trying to save costs, they cut corners, which can include disregarding important advice and protocols. There are other ways to contain costs without jeopardizing your eDiscovery practice.  Canon Business Process Services can offer solutions that help save money without the risk of skipping critical steps or protocols.

Feel free to visit the Legal Services page of our website for insights on industry trends and best practices including case histories, research reports, whitepapers and more.

1. Kovaleski, S and Cowley, S. (2017) “Wells Fargo Accidentally Releases Trove of Data on Wealthy Clients.” New York Times, July 21, 2017