With a funeral home in ashes and an insurance company refusing to pay benefits, the last thing you’d expect to hear about is online security and the cloud.
But that’s exactly what happened in 2014 when the Holding Funeral Home lost a building in Castlewood, Virginia, to a fire and Harleysville Insurance Co. refused to pay out the claim, alleging misrepresentation and other issues.
During the investigation, security video footage of the incident was shared between the insurer and the National Insurance Crime Bureau through the cloud storage service Box. The investigator who created the account didn’t password-protect it. Pretty soon that account contained the entirety of the plaintiff’s case file, including privileged information. Anyone who had a link could access it.
Sure enough, the opposing counsels mistakenly received access. After downloading the entire file, the funeral home’s attorneys saw everything, including privileged documents, but they did not notify the insurer’s attorneys, thinking that privilege had been waived.
At first, the insurer and its lawyers seemed out of luck. In 2017, U.S. Magistrate Judge Pamela Meade Sargent sided with the funeral home’s attorneys in Harleysville Insurance Co. v. Holding Funeral Home and determined the failure to limit permissions and create a password did waive privilege. She wrote that it was “the cyber world equivalent of leaving its claims file on a bench in the public square and telling its counsel where they could find it.”
Luckily for the insurer, U.S. District Judge James P. Jones, on appeal, rejected the magistrate’s reasoning. Jones concluded that the disclosure was inadvertent and the unique URL of 32 randomly assigned characters created by Box, which was needed to access the account, made it “impossible for anyone, let alone a particular person connected with the case, to accidentally stumble across the Box folder.”
While failing at cyber security basics, the judge determined that the insurer had acted reasonably and privilege hadn’t been waived.