Wells Fargo Data Disclosure Totally Human Error
And, I suspect, an attorney may be looking for a new job.
About a week ago the New York Times disclosed that a former employee who was suing Wells Fargo Advisors (WFA) received data that he had not asked for – 1.4 gigabytes of data, actually. Data on, he said, over 50,000 high net worth customers representing tens of billions of dollars invested through Wells’ high net worth investment arm, Wells Fargo Advisors. Wells Fargo Advisors is separate from the bank but a subsidiary of it. It came from Wachovia when Wells swallowed Wachovia during the banking meltdown. It is the second largest brokerage firm in the U.S. with $1.5 trillion in retail client assets under management (AUM), so this likely represents a couple of percent of its AUM. Still, exceptionally embarrassing, especially when you consider that what was disclosed included the size of individual investor’s portfolios, names, socials and the fees the bank charged them, likely plus other embarrassing information.
The files were handed over to the former employee with no protective order and no confidentiality agreement.
Given this former employee is not on friendly terms with WFA or, apparently, even his brother (who is also being sued by him), rather than tell Wells that they goofed, he turned the data over to the New York Times, who, of course, published it. Nothing illegal about it since there was no restriction on what he could do with it.
Bloomberg is reporting that FINRA, the regulator of brokerage firms, is now investigating how Wells’ (outside) attorney could screw up so badly without WFA detecting it.
Based on documents filed with the court, we now understand what happened and it is, very simply, human error by an attorney who did not understand the tools she was using nor the process she was supervising. While WFA will take all the heat for this, the outside law firm is really to blame, pretty much, 100 percent.
The attorney, Angela Turiano, a Principal at Bressler, Amery and Ross, in court filings attempting to stem the bleeding (which at this point is basically impossible), admitted that she didn’t understand the discovery tool that she was using so she only reviewed a small portion of the documents discovered, didn’t understand the responsibility of the vendor who sifted through the emails to find the responsive ones, so thought the vendor was going to do the redacting, which it was not and, for some unknown reason, didn’t request a protective order from the court to make sure that the data remained under control. She admits all this in the request to the court to protect this barnful of information after the doors were not only left open but removed and then pulverized.
The judge did order the plaintiffs to stop distributing the information any further, to return all copies of the data in their possession (but likely not in any third party’s possession), to destroy any copies that they had made and to not use the data any further until a court hearing.
Of course, the damage is mostly done. Assuming they did share this data with others or worse yet, post it online, putting the genie back in the bottle is impossible. Also, the plaintiff’s attorneys won’t just forget what they had read and while they might not be able, depending on the outcome of the hearings and appeals, be able to use those specific documents, it is likely that their knowledge will color their approach to their case. If there were any smoking guns in the 1 plus gigabyte of data they were given, then are likely going to push the court to let them use it.
As The New York Law Journal said, e-discovery is a minefield. It used to be that you printed out or made copies of paper documents and if you, as an attorney, had ten bankers boxes of documents to review, they were all in front of you. In addition, you didn’t have to worry about metadata (according to the current rules of civil procedure you are required to produce the documents in their original form – you cannot convert, for example, a Word document to a PDF to get rid of hidden artifacts – unless you can show a justification supporting that).
Many attorneys are not computer whizzes and the software interfaces are, in many cases, arcane. Add to that the fact that they don’t use e-discovery software every day and that there are many vendors of e-discovery software, each of which works differently and you can see why it is a minefield.
All that not withstanding, as more and more client data is digitized and more of it lives in the cloud, attorneys are going to need to make sure that they have in house or contract experts who can help them with these issues. As we add the cloud to the problem, it only becomes more complex and harder to corral in.
While I have no direct knowledge, I would assume that Wells is not happy, may be considering suing the law firm for any number of reasons and may also be considering not using the firm ever again. One also assumes that the law firm has contacted their professional liability insurance provider , just in case the worst happens.
This also means that companies hiring outside firms – such as, but not limited to – law firms – need to up their third party vendor risk management program. THAT failure falls directly in Wells Fargo Advisors’ lap AS WELL AS THE LAW FIRM’S LAP. Wells should have done a better job of managing the law firm and the law firm should have done a better job of managing their discovery vendor. And, they are far from alone in not managing the risk their vendors bring with them to a sufficiently high level.
There is a lesson to be learned here and companies that don’t learn from other people’s mistakes – well, they get to repeat them.
Vendor risk management – more important than ever.
Information for this post came from The New York Times , Bloomberg and The New York Law Journal.