EMAIL SECURITY: Protecting the Attorney-Client Privilege

1 Comment

Are E-Mails Confidential?

“Warning: This e-mail, including all attachments is not
encrypted. Accordingly, it is possible for others to read and
use this confidential information. We take no
responsibility for using unencrypted e-mail and this e-mail
and related attachments may be deemed by the court to be a
waiver of attorney-client privilege and the work-product
doctrine.”

This satirical warning comes from an article [1] published by Rebecca Bolin of Yale Law School and is meant to be facetious in its imaginary iteration of how a tech-savvy IT guy might view the “confidentiality disclaimers” that are uniformly included in the digital signatures of modern attorneys’ emails. It is, however, not that far removed from the reality of where we are headed, if we are not already there. Ms. Bolin goes on to say, “Attorneys have been lulled into a false security, risking clients’ most precious secrets.” She may be on to something.

Every attorney has an express duty “[t]o maintain inviolate the confidence, and at every peril to himself or herself to preserve the secrets, of his or her client.” [2] This duty arises from the relationship of trust that must be formed between an attorney and a client and which is intended to be nearly absolute, with very few exceptions.The idea that protected communications between a lawyer and his client are sacrosanct, and that the attorney has the highest duty at all times to protect that confidentiality from being breached by a third party, is one of the fundamental tenets of the practice of law. There is nothing quite as essential to open communication as the concept that what one discusses with one’s attorney is to be held in confidence, remaining as ‘inviolate’ to the world as the words spoken in a confessional. So what does it mean, then, when the use of technology, particularly the use of email communication, may erode, or altogether waive, the veil of privacy that is the very foundation of the relationship between counsel and client?

Most lawyers routinely advise clients of their duty of confidentiality, cautioning them about the best methods to ensure that the attorney-client privilege is protected during the course of the relationship. Clients are instructed not to discuss their case with anyone not directly involved, and instructed not to communicate to their attorneys on third-party email services, such as those afforded them by their employers. Lawyers take various precautions to ensure that in-person conversations with clients are not overheard by others. Yet as technology evolves, so must the methods by which lawyers address the issue of protecting confidential communications with their clients.

The Death of the Letter

Since society’s embrace of email, the everyday use of formal letters has gone the way of the dinosaur, becoming all but extinct in this modern era of easy and rapid digital communication. The measured communication of a formal letter sent via post, has evolved into a series of shattered email “threads.” These missives alternate jarringly between vaguely formal and extremely informal speech, and take place across a multitude of platforms. Originating on one account, any given message can pass through a variety of ISPs as data is transmitted, before reaching the account of the recipient. This “simple” process can often involve multiple vendor platforms, ISPs, or in-house servers. All of these providers, as part of their usage, include differing Terms of Service (“TOS”) outlining the degree to which each respects or intrudes upon the privacy expectations of their consumers. TOS agreements also outline what portions of their users’ data a provider may store and for how long, as well as whether or not they will view a clients’ emails at any point along the way.

Third Party Exposure

Terms of Service agreements can change rapidly. Often the consumer is unaware of these changes, opting to “click-through” the unfailingly onerous language to get on with the business of sending an email. Whether or not emails are subject to viewing goes unnoticed. Currently this “viewing” is done by machines set to cull keywords for marketing data. Email  providers continue to assure the public that they are not reading the contents of their users’ private communications and that third-party viewing is a non-issue. But is that sufficient for purposes of protecting the attorney-client privilege, which is waived upon breach by a third party?

The Google Case

When the attorneys for Google filed a brief in their Motion to Dismiss the class action In Re: Google Inc., Gmail Litigation, (USDC ND 5:13-md-02430-LHK) it made the news. The statement contained in that document asserted that Gmail users have “no legitimate expectation of privacy” as a basis for dismissing the action, which was filed on behalf of users by privacy activists. When one of the most prevalent vendors of email is informing the public that they have no reasonable expectation of privacy while utilizing their email account, how can we not begin to ask some hard questions about its usage in the legal field, where an expectation of privacy is critical?

The Courts Weigh in on the Debate

Recent ethics rulings by the California and New York State Bars hold that email may still be utilized by clients and their attorneys. New York’s Bar specifically noted that, as the “viewing” is done by a “non-human” entity, the practice does not breach the third party test. Given the myriad services out there providing email to clients, and the varying degree to which personal security is waived by unknowing clients as they click through an ever-changing group of TOS requirements, how long will unencrypted email continue to withstand these challenges to its security as a tool for legal communication? Massachusetts, Nevada and Washington have already passed legislation requiring that businesses transmitting customer data via the internet through email must take steps to encrypt it. Can we expect California to follow suit by requiring encryption of email for attorneys who routinely transmit information that they have a duty to protect absolutely?

There are further challenges to the private status of email, particularly in cases where employees have utilized their employer-provided email accounts or equipment to transmit data or information to counsel. In Holmes v. Petrovich Development Co., 191 Cal. App. 4th 1047 (3d Dist 2011), an employee was found to have waived the attorney-client privilege in an email sent to her attorney because she used a computer belonging to her employer to do so. The facts established that the employer had provided sufficient warning that company computers were to be used for company business and that all usage would be monitored. The court compared the employee’s use of the computer under these circumstances to “consulting her attorney in one of the defendant’s conference rooms, in a loud voice, with the door open.”

In Kaufman v. SunGard Inv. System, 2006 WL 1307882 (D.N.J. 2006), the employer sought a determination that certain e-mails between the plaintiff and her counsel were discoverable. The employer’s policy expressly provided that “[e]mployees should not expect that any items created with, stored on, or stored within Company property will remain private.” Based on those facts, the court ruled that the plaintiff had no expectation of privacy with respect to her e-mail message and, therefore, waived her attorney-client privilege.

The court upheld the claim of privilege in Stengart v. Loving Care Agency, Inc., 201 N.J. 300 (2010), finding that an employee had not waived her attorney-client privilege by communicating with her attorney on her private e-mail account, despite the fact that she accessed that account on her employer-provided computer. The employer’s privacy policy contained language stating that “occasional personal use” was permissible on the company device. Thus, the court held “it would be unreasonable to expect an employee to assume that personal use of her work computer was allowed, but that all personal e-mails would become the property of the employer.”

THE TAKEAWAY

Given the potential risks as outlined above, it has become a widespread practice for attorneys to instruct clients who are employees not to engage in any transmission of emails on employer equipment or host services, and to confine all communication with counsel to a secure, personal device with no connection to an employer whatsoever.

As the various technologies used for our day-to-day communications continue to evolve, so will the technology available to protect that communication. For the time being, it seems that any attorney using unencrypted email communications might wish to, at the very least, re-examine the Terms of Service for his or her provider and explore available means to further protect client data, (including hardware or software encryption of information stored on an attorney’s in-house systems). Attorneys may also wish to devise a method of communicating the most sensitive data via an email encryption service. While encryption may not yet be required by law or ethics, an attorney practicing law in the age of technology should take all steps reasonably possible to ensure that attorney-client protections remain in effect.

Lazear Mack, LLP
Employment Law Attorneys
436 14th Street, Suite 1117
Oakland, CA

510-735-6316

[1] “Risky Mail: Concerns in Confidential Attorney-Client Email”  By Rebecca Bolin, Lecturer and Other Affiliate Scholarship Series. (2012)

[2] Bus. & Prof. Code, § 6068, subd. (e)(1)

You May Also Like

One comment

  1. July 7, 2014 at 3:39 pm

    So I’m the guy who did the ABI 2006 article that Rebecca quoted.

    That said and given how easy and inexpensive to convert we need to read about that? Think how it will look someday when all the excuses lined up to avoid doing what is right, and I might add, it will convince clients that “We are different and glad to have you for a client…”

    Jack
    Jack Seward
    917.450.9328

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.