Angela A. Turiano is a lawyer with Bressler, Amery & Ross. As the New York Times reported on July 21st, when a lawyer for Gary Sinderbrand, a former Wells Fargo employee, subpoenaed the bank as part of a defamation lawsuit against a bank employee, he and Mr. Sinderbrand expected to receive a selection of emails and documents related to the case.
What he got – by accident – was a vast trove of confidential information about tens of thousands of the bank's wealthiest clients. The 1.4 gigabytes of files that Wells Fargo's lawyer sent included many spreadsheets with customers' names and Social Security numbers, paired with financial details like the size of their investment portfolios and the fees the bank charged them. Most are customers of Wells Fargo Advisors, the arm of the bank that caters to high-net-worth investors.
By Mr. Sinderbrand's estimate, he had financial information for at least 50,000 individual customers. In all, Mr. Sinderbrand said, these clients have tens of billions of dollars invested through Wells Fargo, all delivered to him as part of the discovery process in his lawsuit.
The files were handed over to Mr. Sinderbrand with no protective orders and no written confidentiality agreement in place between his lawyers and Wells Fargo's. While the documents were not filed in court, it would be legal for Mr. Sinderbrand and his lawyer to release most of the material or include it in their legal filings, which would then become part of the public record.
Bressler, Amery & Ross, an outside law firm in Florham Park, N.J., was hired by Wells Fargo, which is not a party to the suit. Mr. Sinderbrand and one of his lawyers, Aaron Zeisler, notified Ms. Turiano about the sensitive documents now in their hands.
In an email response, Ms. Turiano described the disclosure as "inadvertent," and wrote, "Obviously this was done in error and we would request that you return the CD asap so that it can be properly redacted."
Mr. Zeisler said his client intended to keep the CD secure and confidential. "We are continuing to evaluate his legal rights and responsibilities," Mr. Zeisler said. "Wells Fargo has not identified what specific documents it asserts were inadvertently exposed."
The disclosure is a data breach that potentially violates a number of state and federal consumer data privacy laws that limit the release of personally identifiable customer information to outside parties.
Based on the fairly narrow subpoena that his lawyer submitted, which sought communications about Mr. Sinderbrand's employment and compensation, there was no reason for the bank to turn over such information, especially without any redactions, Mr. Sinderbrand said.
In terms of information security, litigation poses a special risk because confidential material often must change hands. The legal industry's best practices for handling digital documents in e-discovery include careful reviews to exclude or redact personally identifiable information, encryption and other safeguards as data is transferred.
Confidential information is also often covered by a protective order, which must be granted by a judge, to prevent the data's recipients from sharing it more widely. None of that seemed to have happened here, reflecting a breakdown in vetting at multiple levels.
In Ms. Turiano's email to Mr. Sinderbrand's lawyer, she wrote: "We went through a long process of a very large email review with an outside vendor with instructions on exclusion which was spot checked. Clearly there was some type of vendor error — which I am confirming now."
Following up on the story, Naked Security reported on July 27th that Wells Fargo & Co offered apologies to approximately 50,000 Wells Fargo Advisors clients whose information was inappropriately shared by Wells Fargo outside counsel.
As the article pointed out, to create a disk with 1.4GB of data (which equates to approximately 14,000 documents) is not an insignificant electronic litigation support task. As noted, Ms. Turiano blamed vendor error, effectively throwing the unidentified vendor under the bus.
In this instance, accepting Turiano's explanation, the information was identified, isolated, and compiled. Indeed, she notes the process included a laborious email review and guidance provided to their vendor on exclusions. Then the information was "spot-checked." In an affidavit to the court to explain what happened, she explained, "Unbeknownst to me, the view I was using to conduct the review has a set limit of documents that it showed at one time. I thought I was reviewing a complete set, when in fact, I only reviewed the first thousand documents."
The non-excluded information was then copied to the disk and provided to opposing counsel. Wells Fargo, once notified, went into crisis control mode. Given that Miller had shared the information with the New York Times and had not returned it to Turiano, Wells Fargo filed suit to compel Miller to return the information that had been mistakenly shared by their outside counsel. On July 26th, Sinderbrand and his attorneys were ordered to return the data to the court for safekeeping.
Wells Fargo then acknowledged the e-discovery error, saying: "We take the security and privacy of our customers' information very seriously. Our goals are to ensure the data is not disseminated, that it is rapidly returned, and that we ensure the discovery process going forward in the cases is working as it should."
This appears to be a case implicating the duty of competence. The lawyer didn't understand what she was viewing.
As Naked Security said, "Companies would be well served to have in place an audit capability for both inside and outside counsel (and vendors) to ensure there is visibility into the ERDM and e-discovery process from beginning to end, with emphasis on accomplishing the process in the most secure manner possible."
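As an added illustration (not code from Wells Fargo, its counsel, the vendor, or Naked Security), here is a pre-production gate for the failure described above: it compares the full production set against the review log, so a view capped at the first thousand documents cannot pass as a complete review, and it flags SSN-shaped strings that survived redaction. The document IDs, function names, sample data and SSN pattern are all assumptions constructed for this example.

```python
import re

# SSN-shaped strings, hyphenated or as nine bare digits (assumed pattern; tune per matter).
SSN_RE = re.compile(r"(?<!\d)\d{3}-?\d{2}-?\d{4}(?!\d)")

def unreviewed(production, reviewed_ids):
    """IDs slated for production that never appear in the review log."""
    return sorted(set(production) - set(reviewed_ids))

def pii_hits(production):
    """Map doc ID -> count of SSN-shaped strings still present in the text."""
    hits = {}
    for doc_id, text in production.items():
        n = len(SSN_RE.findall(text))
        if n:
            hits[doc_id] = n
    return hits

def release_gate(production, reviewed_ids):
    """Block the export unless every document was reviewed and none carries SSN-shaped data."""
    missing = unreviewed(production, reviewed_ids)
    hits = pii_hits(production)
    return {
        "total": len(production),
        "reviewed": len(production) - len(missing),
        "unreviewed": missing,
        "pii_hits": hits,
        "release": not missing and not hits,
    }

def sample_production():
    # Constructed data: 1,200 documents, two carrying made-up SSN-format values.
    docs = {f"DOC-{i:05d}": f"Email {i} re: compensation schedule" for i in range(1, 1201)}
    docs["DOC-01100"] += " | client SSN 000-12-3456, portfolio fee 1.1%"
    docs["DOC-01150"] += " | acct holder 000123457"
    return docs

def sample_review_log():
    # Constructed: the review view showed only the first 1,000 documents.
    return [f"DOC-{i:05d}" for i in range(1, 1001)]

if __name__ == "__main__":
    report = release_gate(sample_production(), sample_review_log())
    print(f"{report['reviewed']}/{report['total']} reviewed, "
          f"{len(report['unreviewed'])} never seen, release={report['release']}")
    for doc_id, n in report["pii_hits"].items():
        print(f"  {doc_id}: {n} SSN-shaped value(s)")
```

The gate is deliberately independent of the review tool's own display, so its count of reviewed documents comes from the log rather than from what the reviewer believes was on screen.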