Wells Fargo’s inadvertent production of personal identifying information ("PII") in a case involving a former employee became national news when the New York Times broke the story late last week. Discovery practices are hardly the stuff of salacious tweets and White House leaks, so when routine document production lands on the pages of the Times, you know something must be amiss.
By way of background, the Times reported that an attorney for Wells Fargo inadvertently produced confidential PII from approximately 50,000 customers to a former employee in response to a third-party subpoena received in association with the former employee’s defamation case against his brother (also a Wells Fargo employee). The 1.4 gigabytes of materials produced reportedly contained voluminous spreadsheets detailing customer identities, social security numbers, Taxpayer Identification Numbers, and information relating to specific accounts and investment portfolios. The document production came to light only after the former employee’s attorney in a different action centering on a contract dispute (also involving the former employee’s brother) informed Wells Fargo’s attorney that the documents had been produced in the defamation action.
The makings of a soap opera?
Here’s the full story: Former Wells Fargo employee Gary Sinderbrand sued his brother, and former business partner, Steven Sinderbrand, who remains a Wells Fargo employee, for defamation in New Jersey state court in 2016. Wells Fargo was not a party to that case. Brother Gary also sued brother Steven and Wells Fargo in April 2017 alleging breach of both a consulting and a separation agreement. On February 13, 2017, Gary’s attorney in the New Jersey action served Wells Fargo with a third-party subpoena seeking electronic communications between Gary and other Wells Fargo employees. Wells Fargo agreed to conduct a search of four custodians’ e-mailboxes using various search terms. An e-discovery vendor conducted the searches and, upon completion, Wells Fargo’s attorney reviewed the search results, consisting of around 2,500 emails, marking them confidential or privileged.
Simple enough, right?
Unfortunately, an apparent combination of user error and production miscommunications led to the production of unreviewed confidential and privileged documents, to which the PII was attached. Those documents were produced by Wells Fargo’s attorney to Gary’s attorney in the New Jersey action on July 6, 2017. Surprisingly, it was not until July 20, 2017 that Gary’s attorney in the New York action notified Wells Fargo’s attorney that emails containing privileged communications and PII had been produced. Subsequently, the production of these emails was made known to the Times, which broke the story on July 21, 2017.
Most problematically, the documents were produced by Wells Fargo’s attorney without reference to any governing protective order or confidentiality agreement detailing steps to be taken by the parties to protect and minimize disclosure of PII. Moreover, without the benefit of such agreements, and the inadvertent-disclosure clawback provisions that often accompany them, Wells Fargo and its attorney had no ability to seek the immediate return of the inadvertently produced PII without court intervention.
Wells Fargo’s attorney has since moved for an emergency restraining order barring Gary or his attorney from retaining the documents in the New York action, and the court in the New Jersey action has ordered Gary and his attorney to turn the CD containing the documents over to the Court pending a hearing. However, the cat, as they say, is out of the bag. And, while two judges will decide the fate of the documents for use in these respective cases, the reputational damage has already been done to Wells Fargo.
Avoid this fate!
While accidents happen in even the most carefully coordinated document production, keep these questions and suggestions in mind whenever your organization’s data is going to be shared for purposes of litigation, whether with an outside attorney, a vendor, or, most certainly, an adversary.
- Know your data
Where does PII manifest itself in your organization’s records? PII is not just a concern for financial institutions and is more than social security numbers and account numbers in the traditional sense. Does your organization keep records that contain customer names with internal account identifiers, phone numbers, addresses (even zip codes), or other unique identifiers? What about HR files with employee contact information, information related to an employee’s benefits, or direct deposit information? How about a customer service/contact logging database or application?
Know your files and engage actively with your attorney when discussing what documents may need to be collected, reviewed, or produced in association with the litigation. If there is a chance they contain employee or customer PII, make sure these documents are closely examined as they are collected.
- Narrow what is shared
Specificity is key. What are the documents being sought in the litigation and what sources need to be considered? Can non-responsive documents or sources that contain PII be easily segregated from the collection of otherwise responsive documents? If documents that contain PII, or that attach it, come into play, how can the PII be redacted or anonymized, to the extent it is not relevant to the claims at issue, before any documents are queued for review?
- Follow a strict collection and review protocol
How will documents be shared with your outside attorney or vendor? What safeguards will be put into place to guarantee that any documents containing PII will be redacted to the extent not relevant? What do the relevant state privacy statutes dictate with respect to the disclosure of PII?
- Check, check, and re-check
Machines and technology are only as good as their operators. Even if you or your attorney have reviewed for PII and redacted or removed whatever PII can be omitted, make sure you have a sufficient quality control process in place to confirm that all instructions are followed and only documents that have been clearly reviewed and determined to be appropriately coded are batched for production.
- Safeguard the production
When producing documents containing PII, make sure there is a mechanism in place to address inadvertently produced documents, inadvertently non-redacted documents, or documents lacking appropriate confidentiality coding. If you are a third party responding to a subpoena, ask the subpoenaing party if a protective order is in place that will apply to the document production. If not, discuss execution of a confidentiality agreement as a precursor to the production of documents. And always remember to consider restraints on the disclosure of produced documents beyond the immediate parties and case at hand, especially if you are a non-party responding to a subpoena.