A massive Wells Fargo customer data breach was not the work of a hacker, but of the bank’s own lawyer who failed to review the bank’s entire set of discovery documents, including information about the bank’s wealthy customers, before it was shipped to a litigation adversary.
The event highlights the increasing risks of relying on unfamiliar e-discovery technology — and the potential liability exposure to lawyers.
“Unbeknownst to me, the view I was using to conduct the review has a set limit of documents that it showed at one time,” said Wells Fargo’s attorney, Angela Turiano, a New York-based principal at Bressler, Amery & Ross, in an affidavit. “I thought I was reviewing a complete set, when in fact, I only reviewed the first thousand documents.”
Turiano’s affirmation explains in detail how she inadvertently provided Wells Fargo customer information, including personally identifiable information about wealthy customers and their assets, in discovery.
The information was turned over without confidentiality protection or redaction, appearing to violate various privacy protection laws, Financial Industry Regulatory Authority guidance and Securities and Exchange Commission regulations, according to opposing counsel in court documents.
Turiano blames her court adversary for revealing the information to The New York Times, which published a report on the error. The newspaper said it was shown large portions of data that included what appeared to be client names and assets under management.
The escalating incident underlines the high-stakes of e-discovery, now common to commercial litigation.
“E-discovery is a minefield,” said Howard Elman, a lawyer who frequently defends large firms in malpractice cases, adding the chance of wrongly producing documents increases with each gigabyte. “It also increases the lawyer’s potential exposure to liability, if they [lawyers] don’t make sure there are sufficient safeguards in place.”
Potential damages from malpractice claims arising from e-discovery errors could include the amount of legal fees needed to remedy any data releases, regulatory actions and, if the data was released to the public, potential claims by the public.
“Errors through e-discovery are becoming more pronounced because the volume of document production is multiplying every year,” said Elman, a partner at Matalon Shweky Elman.
‘Slew of Documents’
The discovery error arose in litigation involving two brothers, Gary and Steven Sinderbrand, who have served as Wells Fargo financial advisors. Gary Sinderbrand brought a defamation suit in New Jersey state court against his brother.
Gary and his company, Mill Lane Management, also sued his brother and Wells Fargo in New York state court over a breach of consulting and settlement agreements.
In the New Jersey action, he sought third-party discovery from Wells Fargo, including emails between Steven and the bank.
Wells Fargo retained the Bressler Amery firm to help with the subpoena request, Turiano said in court documents. “I am the lawyer in charge of this matter,” she wrote.