A massive Wells Fargo customer data breach was not the work of a hacker, but of the bank's own lawyer who failed to review the bank's entire set of discovery documents, including information about the bank's wealthy customers, before it was shipped to a litigation adversary.
The event highlights the increasing risks of relying on unfamiliar e-discovery technology — and the potential liability exposure to lawyers.
"Unbeknownst to me, the view I was using to conduct the review has a set limit of documents that it showed at one time," said Wells Fargo's attorney, Angela Turiano, a New York-based principal at Bressler, Amery & Ross, in an affidavit. "I thought I was reviewing a complete set, when in fact, I only reviewed the first thousand documents."
Turiano's affirmation explains in detail how she inadvertently provided Wells Fargo customer information, including personally identifiable information about wealthy customers and their assets, in discovery.
The information was turned over without confidentiality protection or redaction, appearing to violate various privacy protection laws, Financial Industry Regulatory Authority guidance and Securities and Exchange Commission regulations, according to opposing counsel in court documents.
Turiano blames her court adversary for revealing the information to The New York Times, which published a report on the error. The newspaper said it was shown large portions of data that included what appeared to be client names and assets under management.
The escalating incident underlines the high-stakes of e-discovery, now common to commercial litigation.
"E-discovery is a minefield," said Howard Elman, a lawyer who frequently defends large firms in malpractice cases, adding the chance of wrongly producing documents increases with each gigabyte. "It also increases the lawyer's potential exposure to liability, if they [lawyers] don't make sure there are sufficient safeguards in place."
Potential damages from malpractice claims arising from e-discovery errors could include the amount of legal fees needed to remedy any data releases, regulatory actions and, if the data was released to the public, potential claims by the public.
"Errors through e-discovery are becoming more pronounced because the volume of document production is multiplying every year," said Elman, a partner at Matalon Shweky Elman.
'Slew of Documents'
The discovery error arose in litigation involving two brothers, Gary and Steven Sinderbrand, who have served as Wells Fargo financial advisors. Gary Sinderbrand brought a defamation suit in New Jersey state court against his brother.
Gary and his company, Mill Lane Management, also sued his brother and Wells Fargo in New York state court over a breach of consulting and settlement agreements.
In the New Jersey action, he sought third-party discovery from Wells Fargo, including emails between Steven and the bank.
Wells Fargo retained the Bressler Amery firm to help with the subpoena request, Turiano said in court documents. "I am the lawyer in charge of this matter," she wrote.
The bank agreed to conduct a search of four custodians' email accounts using designated search terms, using an outside e-discovery service to conduct the searches.
Turiano said using the vendor's e-discovery software, she reviewed "what I thought was the complete search results" and marked some documents as privileged and confidential. She then coordinated with the vendor to withhold from production anything she tagged as privileged and confidential.
"What I did not realize was that there were documents that I had not reviewed," she said, adding she was using "a view" that showed a set limit of documents at one time. "I thus inadvertently provided documents that had not been reviewed by me for confidentiality and privilege."
Turiano also said the documents she flagged as needing redactions "were not redacted" before production. "I realize now that I misunderstood the role of the vendor," she said. "Finally, I now understand that I may have miscoded some documents during my review."
Gary Sinderbrand's attorney in New York, Aaron Zeisler of Zeisler PLLC, informed Turiano about the disclosure last week.
"Your firm produced a slew of documents revealing billions of dollars of client account information, from residents of numerous states and possibly Europe," he said in a letter to Turiano that is now a court exhibit.
Turiano's firm has scrambled since then to have the documents returned.
Manhattan Supreme Court Justice Charles Ramos on Tuesday signed an order restraining the plaintiffs from any further review or use of the confidential documents, pending a Aug. 10 hearing.
And on Wednesday, a New Jersey court required Gary Sinderbrand and his lawyers to delete any digital file copies they made from the information disclosed in the subpoena, and to give the court the encrypted CD and any copies, Reuters reported. The court will "safeguard the CD" until a court hearing.
Zeisler said in a July 22 letter to Ramos that Sinderbrand and his lawyers in the New York case had not refused to return the documents. "Neither I nor anyone at this firm ever stated that we would not return documents containing sensitive financial and personally identifying information at the appropriate time," Zeisler wrote.
Zeisler declined to comment. Turiano did not return messages seeking comment.
In a statement, a Wells Fargo spokeswoman said, "The security of our clients' accounts and information is a priority at Wells Fargo and we are dedicated to protecting our client data."
The spokeswoman said the court rulings "are a positive result of our ongoing efforts to make things right" and "we'll continue to thoroughly investigate this matter."
--- Check out Wells Fargo Data Fiasco Raises Red Flags, Demands Serious Change: Lawyer on ThinkAdvisor.