top of page

Wells Fargo's Big Mistake

As reported in the New York Times last month, on July 8 Wells Fargo made an inadvertent production of epic proportions. 1.4 GB of electronic files containing confidential personal information of wealthy clients of the bank were produced to a former employee of the bank who had filed a defamation suit against another Wells Fargo employee. While this would be a bad error in any case, in this particular one it was catastrophic because the lawyers representing Wells Fargo had failed to file a protective order or confidentiality agreement. This calls to mind Judge Peck's admonition that failing to have a FRE 502(d) order in place was akin to malpractice. See the Tip of the Night for February 1, 2017.

In affirmation filed with the New York Supreme Court in support of an application for an injunction to prevent the plaintiff and his firm from making use of the CPI, and requiring them to return it, the attorney who made the inadvertent production states that she used software provided by an e-discovery vendor to review its search results and tag privileged information. She states that, "Unbeknownst to me, the view I was using to conduct the review had a set limit of documents that it showed at one time." She also notes that the vendor failed to redacted confidential information as she expected it would. When she transmitted a CD with the data it was encrypted, marked, 'Confidential', and was accompanied by a letter indicating that CPI had been excluded from the production. Her trouble with the document review software's view suggest to me that she may have been using Relativity. Relativity does not default to a view showing all records in a workspace when a user first logs in.

The attorney states that the plaintiff disclosed some of the CPI to the reporter for the New York Times, and also accuses him of attempting to force a settlement in exchange for the return of the data.

The affirmation filed by the plaintiff in opposition to the defendant's application, notes that the confidential data was shared with the the plaintiff's employer via Dropbox so they could confirm its confidentiality. This is pretty interesting because Dropbox is not regarded as the most secure file transfer site. They also state that the confidential data was only shown to the reporter in redacted form. It also states that electronic media containing the data was delivered to a New Jersey court for safekeeping. The plaintiff also engaged a vendor that, "permanently deleted beyond possible recovery" the confidential data , and prepared a report confirming that he no longer had access to the data. The Cyber Forensics Findings Report filed with the court, notes that a deep search was performed with Bash Shell and Powershell using regular expressions, and a registry scan was also done for ransomware that may have collected the data.

I'll post an update when a decision is reached on this application in this case, Mill Lane Management, LLC v. Wells Fargo Advisors, LLC, Index No. 652025/2017 (N.Y. Sup. Ct.).

bottom of page