The sanctity of attorney-client communications and attorney work-product is a bedrock principle of our legal system.  It exists to encourage clients to be candid and truthful with their attorneys, so that the attorneys are empowered to provide the best advice and most effective representation.  However, in our era of communication overload and big eDiscovery—which shows no signs of slowing—preserving the attorney-client privilege and work-product protection during discovery is often a huge burden.  Reviewing responsive information for privilege is tedious and expensive work, and vulnerable to human error. A simple mis-click that results in coding error (not caught in quality checks), can have significant negative consequences.  A party’s production of a privileged document can result in an expensive fight over waiver. Unless the attorney-client privilege is declared a casualty of the end of privacy (or of sheer expense), attorneys should routinely consider whether a tailored order regarding waiver is appropriate for a given case.

Prior to 2006, there was a real risk that the disclosure of privileged information would result the waiver of that privilege, regardless of how extensive the efforts a party had made to keep it confidential or how big the error that resulted in the disclosure. In 2006, Federal Rule of Evidence 502(b) was amended to include a three-pronged safe-harbor that protects a party’s privilege where the party (1) inadvertently discloses privileged information, (2) takes reasonable steps to prevent the disclosure, and (3) takes reasonable steps to rectify the error.  While this rule change reduce the likelihood that an expansive waiver will result if a single document is miscoded, the rule has also created new opportunities for litigation over “inadvertence,” and “reasonable steps.”  Invoking the safe-harbor can be expensive on account of all of the fact-finding required to meet the criteria.    Accordingly, attorneys and their clients should consider whether different parameters are appropriate for a given case.

Orders that override the safe-harbor requirements in Fed. R. Evid. 502(b) are increasingly common.  Attorneys and their clients may consider seeking an agreed order that provides that no disclosure of privileged information will result in waiver. Alternatively, parties may seek an agreed order provides that that any disclosure is ipso facto inadvertent, and/or that the steps being taken to attempt prevent the disclosure of privileged information are ipso facto reasonable.  These types of orders are often referred to as “FRE 502(d) Orders” since they are expressly authorized by Federal Rule of Evidence 502(d).

These 502(d) Orders provide enhanced predictability, reduce the risk of a privilege waiver, and reduce the risk of an expensive fight about waiver.  The Federal Rules of Evidence Advisory Committee contemplated that parties may enter into such orders, explaining in the Notes to Fed. R. Evid. 502 that, “a court order may provide for return of documents without waiver irrespective of the care taken by the disclosing party; the rule contemplates enforcement of “clawback” and “quick peek” arrangements.”

Nonetheless, attorneys and clients should exercise caution because protecting truly sensitive privileged communications remains important.  While a broad FRE 502(d) Order may protect your client from waiver (and you from malpractice), information once learned by your adversary cannot be unlearned.  In addition, if parties expect that the scope of the privilege will be contested, such an order may not be appropriate.  For example, if a fact witness is also an attorney and not all communications fall within the privilege, parties may want to attach consequences to disclosure so that the party asserting the privilege is incentivized to define the scope it is asserting at the earliest point possible.

I have been on both sides of an inadvertent disclosure of privileged information.  On the receiving end, I was given a report prepared by a consulting expert hired by my adversary that thoroughly analyzed the strengths and weaknesses of my adversary’s primary defense.  It was not labeled confidential or privileged.  I read it, in its entirety.  After the fact, I deduced what I had read. Although I advised opposing counsel and destroyed the memo, the knowledge I gained could not be similarly returned.  I suspect that the disclosure of this memo caused a great chasm between the client and its lawyers.  I believe that the disclosure of this memo changed the course of the litigation and led to a favorable settlement for my client.  The accidental disclosure of this memo did not result in a privilege waiver, but its harm was significant.  Further, while the scope of the harm in this case was limited to that single dispute, the potential harm is significantly increased for parties that face repeated lawsuits with the same parties or opposing counsel, where the knowledge gained as a result of one error in one case can be a road map for the next case.

On the producing end, I was privy to a situation where a team produced a series of emails an attorney had sent to his client from his personal email account on his mobile device. Upon discovery, the producing party was able to clawback these documents and the privilege remained intact. It was clear to all parties that both the attorney’s use of the personal email account and the production were inadvertent. Fortunately, also, there was little substantive discussion in these emails, so no important strategy was revealed to the other party.  However, it was an anxiety-producing experience and a reminder of all the risks.

In our era of communication overload and big data, there risk of disclosing privileged information in litigation is high.   A tailored FRE 502(d) Order can attempt to mitigate some of the risk and reduce costs.  Nonetheless, even the most finely tuned order cannot protect a party from the harm caused by disclosing legal strategy.  Even when a 502(d) order is in place, it is no substitute for using humans and technology to keep confidential legal strategy and advice a secret.

The media headlines are full of stories about the theft and disclosure of incriminating photos of celebrities, credit card numbers, and state secrets. However, such hacking is sometimes much more localized and personal. Unauthorized access to another person’s electronically stored information (i.e. “hacking”) could lead to civil and criminal liability under both state and federal law.

Do you know the password for the personal email account of your competitor, former employee, or ex-husband?  Using that password to access another’s online account may feel innocuous since you can do it from your mobile device or your home computer. While the temptation to review the email of a previous ally turned adversary may be strong, you must resist. Don’t be a hacker.

If you do not have express permission to access another person’s email account, doing so could land you in hot water.  Accessing another person’s account exposes you to civil liability and criminal liability. If you were given permission to access another person’s email account at some point, changed circumstances might mean that this authorization is no longer adequate.

In Massachusetts, a woman trying to help her husband in a business dispute ended-up on the receiving end of a lawsuit and faced significant liability.  Two doctors who were shareholders in a medical clinic exchanged personal email account passwords to enable them to share specific information related to the clinic’s technology. Cheng v. Romo, Civil Action 11-10007-DJC (D. Mass. Dec. 20, 2013, March 6, 2014).  Several years later, one of the doctors had a business dispute with the other doctor’s husband that resulted in litigation.

In order to help her husband, the doctor tried the access the Yahoo! email account of her former business partner using his years-old password and voila, it worked!  She accessed the email account and printed a series of emails that her husband used in his business litigation. Eventually, the wife’s involvement in obtaining the emails came to light.

After the dispute between the husband and the other doctor resolved, the wife’s former partner sued her under the federal Stored Communications Act and for invasion of privacy.  The case proceeded to trial, and the jury found her guilty, awarding damages to the doctor in excess of $300,000.00.   Subsequently, the Court awarded the Plaintiff an attorney fee award of $241,073.

In personal disputes, the risk that someone accesses another’s email account is great since individuals tend to pay less attention to computer security issues than businesses do.  In Michigan, an information technology professional was involved in a custody dispute with his ex-wife. He correctly guessed the password to her Gmail email account, accessed the emails, and used them during the custody proceedings. The IT professional worked for county government, and his acts were reported to the county prosecutor who initiated a prosecution.

At the trial court level, the IT Professional’s attorney challenged the applicability of the statute in an effort to avoid liability.  However, the Michigan Court of Appeals agreed with the trial court judge and found enough to prosecute him with violating Michigan’s Fraudulent Access to Computers, Computer Systems, and Computer Networks statute. People v. Walker, Case No. 304702 (Mich. Ct. App. Dec. 27, 2011) aff’d, 491 Mich. 931 (Mich. 2012).  This penalty for violating this statue varies depending on the damage caused by the violation and other factors, and ranges from a misdemeanor to a felony and 10 years imprisonment. However, the trial did not go forward.  According to media reports, it was discovered that the IT professionals ex-wife had been illegally accessing his text messages.  Therefore, the prosecutor decided to drop the charges and the IT professional (& his ex-wife) avoided criminal liability.

Your situation might not be so fortuitous. If you need to know information that is contained in another person’s email account, you should use legal channels to get the information. The consequences for snooping in another person’s email account can be significant. Even if it is easy and feels safe, these actions might make you the next hacker to grace the pages of your local paper.

This article was co-written with David Lerner.

Creditors have faced a morass trying to figure out how to effectively collect debt while complying with the Bankruptcy Code and the Fair Debt Collection Practices Act. Likewise, debtors’ frustratingly confront inconsistent perspectives across bankruptcy and district courts. The Second Circuit Court of Appeals recently issued a decision that brings some clarity and, most notably—makes sense— under both the Bankruptcy Code and the FDCPA. The court held that where a pre-petition creditor tries to collect discharged debt after the debtor has been discharged from bankruptcy proceedings, it must comply with the FDCPA. In short, the FDCPA is a boomerang; once bankruptcy is over, it returns in full force.

In Garfield v Ocwen Loan Servicing, LLC, Dkt. # 15-527 (2nd Cir. Jan. 4, 2016) the Second Circuit ruled that where a creditor engages in debt collection of discharged debt after discharge, the FDCPA applies, and, where violations are alleged, the debtor can bring claims in federal district court, in lieu of returning to bankruptcy court. The key to this ruling is that it relates to post-discharge activities of creditors; there remains a divergence of opinions regarding how the FDCPA applies during bankruptcy proceedings, pre-discharge.

In the Garfield case, the debtor filed for Chapter 13 bankruptcy, and made monthly payments during the bankruptcy proceeding to pay the then-existing arrears on her mortgage loan. Notably, she paid all of the arrears. The Chapter 13 Trustee gave notice that all of the arrears had been paid. The creditor did not object and did not assert that the debtor still owed arrears or was not current on her plan payments. In August 2103, she obtained a discharge. In Garfield, the Second Circuit misstated that she received a discharge of her entire personal obligation for the mortgage loan. Rather, under 11 USC §1328(a), one is not discharged from the personal liability on long term debt secured by the personal residence provided for in the Chapter 13 Plan. The Garfield debtor was permitted to keep the property on the condition that she made payments of $938 per month.

Unfortunately, things did not turn out as the Garfield debtor hoped, and she quickly defaulted by failing to make the monthly payments. In February 2014, the servicer of the debtor’s mortgage loan contacted her and demanded payment of $21,825 or face foreclosure, sent a delinquency notice for more than $22,000, and reported these delinquencies to the credit bureaus. However the arrears for her mortgage obligation at the time was not $22,000 but under $7,000; the creditor was trying to collect $15,000 more than it was owed. In fact, the Debtor had paid the over $15,000 in her bankruptcy case as part of the arrears. Notably, in Garfield action, the parties agreed that the creditor had made an error and was trying to collect sums that had been discharged in the bankruptcy, given the debtor had paid the arrears as part of the Chapter 13 plan.

The debtor filed suit against the creditor in the United States District Court, and brought more than 10 claims under the FDCPA (15 USC §1692e) on the basis of the error, the failure to use the mini-Miranda, and the failure to provide a validation notice. The Garfield creditor sought dismissal of all claims on the basis that there was there a full or partial implied repeal of the FDCPA, that the Bankruptcy Code offered the exclusive remedy, and that the bankruptcy court was the proper forum. The Garfield district court agreed with the creditor, finding that the Bankruptcy Code had the exclusive remedy for debtor’s claim on the basis that it related to collection of a discharged debt.

The debtor appealed and the Second Circuit reversed the district court, finding that at the point of discharge, the debtor no longer had protection of the bankruptcy court. Likewise, neither did the creditor. So, while no automatic stay protected the debtor and prevented the creditor from collecting (or foreclosing the mortgage), the FDCPA did apply to the creditor’s activities. This result makes sense for both the creditor and debtor: it clarifies the applicability of the FDCPA by fixing a finite point in time that it definitely applies, while also fixing a finite point in time that the Bankruptcy Code no longer provides cover for the debtor. Indeed, to the extent that pre-petition creditor remains a creditor post-discharge, under Garfield it is treated exactly as a new post-discharge creditor would be.

It is, however, important to note that the Second Circuit may have reached the right result for the wrong reason based on a mistake of law that seems to have been made in the district court level and perpetuated throughout the process. In the Garfield case, the debtor was in Chapter 13 – not Chapter 7. In Chapter 13, there is no discharge of the personal liability on long term debt secured by a mortgage on the residence , unlike in Chapter 7. 11 USC §1328(a). Indeed, this may explain how the creditor, a sophisticated loan servicer, made the error in the first place. However, this mistake of law is not relevant to the outcome. If the creditor had simply sought to collect $70,000 and not $7,000 by virtue of a typo that resulted in an additional zero after the bankruptcy concluded, the Court would have reached the same conclusion for the same reasons. It is unfortunate though that a quick read of the case may lead one to incorrectly conclude that personal liability on long term debt secured by a residential mortgage is discharged in a Chapter 13 case. Nothing could be further from the truth.

The takeaway is to closely scrutinize Chapter 13 cases, know what debts are being discharged, and carefully update records to ensure that discharged debts are not pursued post-bankruptcy. Otherwise, one may be facing an expensive lawsuit under the FDCPA for post-discharge violations. The interrelationship of bankruptcy law and the FDCPA is evolving and requires vigilance and careful legal advice.

Five tips for managing risk when you are asked for information that is missing or
destroyed.

The media is full of stories of email, text messages and other data gone missing.  Most infamously, it was reported that significant email of Hillary Clinton’s during her tenure as U.S. Secretary of State went missing.  But this story was not isolated, and it may even sound familiar. Like the U.S. State Department, your business is unlikely to preserve every email sent or received or every document created. At some point, someone may come looking for email or other documents that your business once had but no longer possesses. While the U.S. Select Committee on Benghazi is probably not interested in your business, you may be served with a civil or criminal subpoena, receive an investigative request from a government agency or be given a document request during litigation.

Whether it’s your car keys, a receipt for a broken watch or important corporate emails, it is always unsettling when you can’t find something you know you once possessed. The consequences for not having maintained email or documents are wide-ranging—from absolutely none to criminal. On one end of the spectrum, if your business was never obligated to preserve email, its absence may save you resources and minimize your risks since you can’t produce what you don’t have and were not required to preserve. On the other end of the spectrum, if your business had an obligation to preserve email but didn’t, its absence could possibly even have criminal implications.

In the case of the U.S. State Department email controversy, while there may be no basis for criminal charges, the reputational harm caused by the deletion of the missing  emails may have only just begun. Here are five tips for managing your risk when your business is asked for lost or destroyed email or documents:

1. Determine your legal, business and practical obligations. Evaluate your business’ legal and contractual obligations to preserve documents and email. For example, if you are a healthcare provider, patient medical records are usually required to be maintained for a period of years. Likewise, if you are an auto dealer, NHTSA requires you maintain certain records and your contract with the OEM likely includes specific requirements. Irrespective of your industry, if you are involved in a lawsuit, you are required to preserve all documents that may be relevant to the pending litigation. Even if your business doesn’t have an obligation to preserve the requested documents or email, consider if it would have made good sense to have kept the information anyway.
2. Confirm the email or document is really gone. Once you’re confident that the requested email or documents are not where they once were, or where they were supposed to be, or have been destroyed or deleted, check again. Ensure that the emails or documents are not on a back-up tape, an inactive server in the data center, an employee’s smart phone, an errant USB drive on your CFO’s desk, in cloud-storage or on the laptop hard-drive of a recently departed employee— to name just a few possible places to check. Apart from any electronic destinations, you also should confirm that the email or documents were not printed and stored. In sum, it is prudent to conduct a thorough search to locate additional copies of the lost email or documents.
3. Mitigate the consequences of the missing email or documents. If it’s clear that your business was not required to preserve the lost email or documents, promptly advise the requesting party that you will not be providing responsive information. If you have nothing to hide by the non-existence of the requested documents or email, being  forthcoming may help you avoid being accused of wrongdoing. If it’s possible that your business was required to preserve the requested email or documents, revisit your  obligations, evaluate the consequences and carefully devise a strategy to minimize your exposure. For example, if you are an accountant, the Sarbanes-Oxley Act imposes the risk of criminal sanctions for the willful destruction of workpapers earlier than seven years. Likewise, for financial institutions, the Bank Secrecy Act imposes stiff monetary fines for willful violation of record keeping requirements that can be imposed on both the institution and individual responsible employees. For all businesses, if missing documents were requested in the course of litigation, a litigant may suffer spoliation sanctions if the documents destroyed were required to be preserved, relevant to the lawsuit and destroyed with a “culpable” state of mind. Courts determine the appropriate sanctions on a case-by-case basis, and they include the imposition of monetary fines, the dismissal of a case or a jury instruction that the jury may infer a fact based on lost or destroyed evidence. Even in a lawsuit mistakes can be made – acting in good faith, being forthcoming and working cooperatively with the opposing side can go a long way to mitigate adverse consequences.
4. Understand the circumstances in which the email or documents became missing. In the best of circumstances, the email or documents will have been destroyed as part of your business’ routine document purge and in accordance with a robust information management compliance program. If that isn’t the case, figure out exactly how the email or documents went missing.
5. Consider hiring a computer forensics professional. If the missing documents or email consist of electronically-stored information, consider hiring a forensic computer  professional at the earliest possible instance. A sophisticated and skilled forensic specialist may be able to find lost, missing or deleted electronic data on your own computers.

Include language in standard contracts to maximize the likelihood your company is paid in the event of a customer’s financial distress or bankruptcy.

You might be able to get paid when your customer declares bankruptcy if you have the right language in your service contracts.

If your business relies on insurance claim proceeds to pay for services, getting paid can be complicated. If you are not directly paid by the insurance company — this is especially dicey. You may have suffered the disappointment of witnessing the insurance proceeds received as a result of your services paid to other creditors during a customer’s bankruptcy.

In a recent decision issued by the United States Bankruptcy Court for the Eastern District of Michigan, a provider of medical air-lift services facing such a situation was able to obtain all of the insurance proceeds because its service contract contained particular language assigning it the right to the proceeds. Michael Stevenson, Trustee v PHI Air Medical, LLC (In re Justin), 2014 WL 3373863 (July 9, 2014, Bank. E.D. Mich.)

The medical air-lift company flew an ill woman from Michigan to the Cleveland Clinic for a lung-transplant, and her husband signed a contract specifying that she assigned to the medical air-lift company all rights to the insurance benefits. However, the insurance company did not directly pay the medical air-lift company, and instead sent a $33,000 check to the customer/policyholder. While holding on to the check, the
customer/policyholder filed for bankruptcy protection.

A dispute ensued between the medical air-lift provider and the bankruptcy trustee over whether the insurance proceeds belonged in the bankruptcy estate to distribute among all the creditors or whether they should be paid only to the medical air-lift provider. Ultimately, the bankruptcy court  ordered that all of the insurance proceeds be paid to the medical air-lift company, and not distributed as part of the bankruptcy estate.

When your customer fails to turn-over an insurance check or files a bankruptcy petition, your business is at risk of not getting paid. Bankruptcy is intended to give people a fresh start and if there is not enough money to pay all of the debts, creditors are only paid a portion of what they are owed — a sum that is always reduced by the costs and fees related to the bankruptcy proceeding itself.

While the medical air-lift case applied particular Michigan law, the lesson is the same – in order to maximize the likelihood that your businesses’  services are paid for, you should regularly review and evaluate your standard service contracts with an eye toward ensuring you are paid even when your customer faces financial distress or is neglectful.