Lia Marie Brooks and Peter A. Nelson have an article on Harleysville Insurance Co. v. Holding Funeral Home, Inc. that I nearly skipped. I’m glad I didn’t, because it may have some applicability to cases where entities leave confidential or protected health information on public FTP servers without any password protection and then try to claim they were “hacked” when someone copies the data.
From their article:
The court found that the disclosure was “inadvertent” under state law because the insurer “unknowingly provided access to information by failing to implement sufficient precautions to maintain its confidentiality.” Further, the court held that the insurer waived any claim of privilege because the site was not password protected and the information “was available for viewing by anyone, anywhere who was connected to the internet and happened upon the site by use of the hyperlink or otherwise.”
“In essence,” the court held, the insurer had conceded that its actions were “the cyber world equivalent of leaving its claims file on a bench in the public square and telling its counsel where they could find it. It is hard to imag[in]e [sic] an act that would be more contrary to protecting the confidentiality of information than to post that information to the world wide web.”
The court found that disqualifying defense counsel would serve no practical purpose, as any replacement counsel would be entitled to receive the same claims file in discovery. The court also chastised defense counsel for downloading the claims file because a confidentiality notice was displayed on the email message that was produced with the hyperlink. “[B]y using the hyperlink contained in the email containing a Confidentiality Notice … defense counsel should have realized that the Box Site might contain privileged or protected information.”
You can read their full article on Patterson Belknap Data Security Law Blog.