E-Mail and Client Confidentiality
by Ernest Sasso, Esquire
The explosion of technology within the last two decades has spawned the evolution of a new area of law. With the daily expansion of the Internet and the availability of inexpensive computers, many difficult and new questions of the law are emerging. One particularly troubling area for attorneys is the widespread use of electronic mail (“e-mail”). Many questions as to its use arise from ethical and evidentiary standpoints. As e-mail becomes the medium of choice for business communications, the legal community has become increasingly concerned with protecting confidentiality through the attorney-client privilege. This concern will only grow: within the next two years, it is expected that over 40 million people in business and industry will have access to e-mail. Already, clients are demanding that their lawyers be able to communicate electronically, and even among lawyers, e-mail correspondence is becoming the norm. Indeed, an e-mail address on an attorney’s business card is now as common as a fax number.
E-mail is extremely easy to use, exceptionally fast and easily accessible to almost all individuals throughout the world. With these characteristics, along with an attractive price—e-mail is virtually free—it appears like this would be the perfect medium for attorneys and others to use to communicate to each other. However, the e-mail messages that are sent on the Internet have the ability to be intercepted with more ease then a wiretap on a conventional telephone line. If vital information is communicated between an attorney and client, which is then intercepted, can this be used against that party in court? Will using a medium that is interceptable automatically waive privilege between an attorney and a client? Can the attorney be disciplined for sending the material over a “unsafe” medium?
An e-mail may also contain a whole series of electronic messages between or among two or more parties, such as when the parties have been “replying” to the other’s messages rather than creating a “new message.” Disclosure of an e-mail risks disclosure of an entire dialogue between senders.
In addition to the security risk of interception over the Internet or of virus-driven malicious dissemination, one false keystroke could send an e-mail intended for one recipient to an improper recipient or even an entire class of improper recipients. Such a risk could spring from inadvertently hitting “send” after selecting the wrong address or e-mail group from a stored address book of possible recipients.
Given the foregoing risks, a writer of e-mail should be cognizant that his or her communication might be read by unintended persons. Some advocate the use of encrypted e-mail whenever privileged or trade secret information is to be communicated. Yet, there are practical issues associated with encryption and in actual practice most attorney-client and business e-mail is sent unencrypted.
There are two different bodies of law which are implicated when discussing privilege and confidentiality through e-mail. The first body of law concerns discovery and evidence procedure.
Does privilege apply to an e-mail message in discovery or an e-mail message that is sought to beadmitted as evidence in court? The second body of law deals with ethical considerations and therules of professional responsibility. Although an attorney may win in court and keep the privileged information out of the proceeding, that attorney may still be able to be disciplined by the bar. Can an attorney be disciplined for sending e-mail messages because it may violate the confidential relationship between the attorney and the client? Both of these need to be considered in order to have an accurate perspective on e-mail and the attorney’s privilege.
The attorney-client privilege protects communications that are intended to remain confidential and which are made under such circumstances where a reasonable expectation exists that the communication is confidential. To this end, the privilege applies to all imaginable means of communication, from telephone conversations to written correspondence, or postal mail from the U.S. Postal Service (“snail mail”) to e-mail. The privilege, after all, is intended to promote the free flow of information between an attorney and client; restricting its application to particular types of communication would certainly hinder this goal.
The popularity of e-mail is tied to its convenience. Computer-generated documents can be sent to several parties simultaneously in a matter of seconds, and files and messages can be forwarded. This includes client memoranda, drafts of written discovery and legal briefs, and scanned executed agreements. The price is also right: for businesses and law firms that already have computer networks and Internet access: e-mail is either free or close to it (one expense may be the specialized programs needed to compose and organize messages). E-mail systems are particularly useful to the legal community, as they allow firms to communicate directly with clients and corporate in-house counsel.
But as messages travel along the Internet, third parties can intercept them. E-mail can also be stored on a system’s backup files indefinitely and misdirected with the push of a single button. Such security risks have prevented federal and state courts from universally applying the attorney-client privilege to e-mail.
Concern over the possible unavailability or waiver of the attorney-client privilege by sending unencrypted e-mail containing confidential information has been heightened by such cases as Castano v. American Tobacco Co., 896 F.Supp. 590, (E.D. La. 1995), where documents that a company claimed were privileged but that were available on the Internet through a state library were held to be in the public domain. To be privileged, information conveyed to a lawyer must be communicated in confidence, and not in the presence of third parties. No court has directly addressed whether unencrypted e-mail meets this requirement, but a military court in 1995 recognized a reasonable expectation of privacy in e-mail messages for Fourth Amendment search and seizure purposes. U.S. v. Maxwell, 42 M.J. 568 (US Air Force Ct.Crim.App 1995). The court applied a two-prong test in making this determination. First, the person must exhibit an actual expectation of privacy. Second, the person must show that the expectation of privacy is one that society is prepared to consider reasonable. The court found that both of these prongs were met when e-mail was sent to a particular individual.
Some courts have refused to recognize a reasonable expectation of privacy in electronic communications that can be intercepted with more ease than regular landline telephone calls. Tyler v. Berodt, 877 F.2d 705 (8th Cir. 1989) (cordless telephone). It is unclear whether such holdings could support an argument that unencrypted e-mail is not sufficiently private to be within the scope of the attorney-client privilege. The precedential value of these cases may be questioned to some extent depending on when they were decided, since federal law did not make it a crime to eavesdrop on cellular calls until 1986, and did not make cordless phone eavesdropping a crime until 1994. See Askin v. U.S., 47 F.3d 100 (4th Cir. 1995) (holding that warrantless interception of cordless phone conversation did not violate federal wiretap statute or Fourth Amendment, but noting that the wiretap statute had been amended subsequently to safeguard privacy of such conversations). However, in the Eastern District of Pennsylvania, the federal court has ruled that an employee did not have a reasonable expectation of privacy in using the company e-mail system, upholding the tenet that an employer may legally monitor its employees’ e-mail. Smyth v. Pillsbury Co., 914 F. Supp. 97 (E.D. Pa. 1996) (sustaining the discharge of an employee for making threatening comments about his supervisor in an e-mail transmission to a fellow employee).
Encryption (encoding of e-mail messages) would solve many of these security issues. If an encrypted e-mail is intercepted, or accessed while on the server, the message appears to be gobbledygook, with “garbage” text.
The most popular encryption program now in use, PGP, or Pretty Good Privacy, can be freely downloaded from the Internet at http://www.pgp.com/. However, PGP requires the creation of two sets of “keys”, a public key, and a private key. The keys, which are actually arcane mathematical formulas, serve to identify the signer and to signify that the message has not been altered since it was sent.
Even if encryption is handled by support staff, key creation still requires extensive time and training. While there are instructions on the PGP Web site, the technology can be extremely intimidating to all but the most technical savvy users. Not surprisingly, the use of encryption is not common in the legal community.
If otherwise privileged information is communicated via unencrypted e-mail and is missent or intercepted, will the privilege be deemed waived? The answer may depend, at least in part, on whether the disclosure is viewed as “intentional”' or “inadvertent”. In a different context, it was held that transmission of communications over cellular telephones was not an intentional divulgence of the communications’ content, and thus the privilege was not waived, although the transmission could be readily intercepted. Shubert v. Metrophone Inc., 898 F.2d 401 (3rd Cir. 1990).
Although analogies can be drawn between e-mail and other methods of communication, those analogies are at best imperfect, and provide clues of uncertain value for lawyers using e-mail.
In connection with ethics, Model Rule of Professional Conduct 1.6 precludes a lawyer from disclosing “information relating to representation of a client unless the client consents after consultation”. D.R. 4-101 of the Model Code of Professional Responsibility prohibits the lawyer from “knowingly” revealing information protected by the attorney-client privilege and other information gained in the professional relationship that might embarrass or be detrimental to the client or that the client wants to remain secret.
There are clear factual distinctions exist between cellular telephones and e-mail that favor the free exchange of unencrypted e-mail. For example, an Internet communication is not broadcast in all directions as is a cellular telephone conversation, and the “sniffer” software required to intercept e-mail is not a common consumer product like a scanning receiver.
Question No. 1: Is it necessary—for either ethics, privilege, or liability purposes—to encrypt communications on the Internet, except for matters so important that any threat of interception must be avoided? Question No. 2: Must lawyers communicate with or about clients on the Internet using only encryption software? The answer to both questions is a resounding NO! An Internet transmission may pass through as many as a dozen computers operated by different entities, each of which may handle thousands or even millions of messages per day among thousands of persons and entities. To identify one of the relevant computers and then locate, isolate, and capture a particular message requires an enormous investment in time and money, as well as personnel who are both technically proficient and willing to violate the law.
One approach in evaluating the reasonableness of sending an unencrypted message is to apply the “Hand Formula,”' a balancing test attributed to Judge Learned Hand that weighs the likelihood and gravity of the harm against the burden of taking steps to prevent it. In the case of confidential e-mail, the harm to be guarded against depends largely on the subject matter of the message, while the burden of guarding against interception “seems to be very light,”' given the low cost in time and money of using encryption software and the availability of more secure means of communication. The formula is difficult to apply, however, because the likelihood that any particular e-mail will be intercepted, while miniscule, is difficult to predict.
Practically speaking, attorneys should employ the “sniffer” (pun intended) test in determining whether or not encryption is advisable. Some matters—such as negotiations for a multi–million dollar transaction—are so important that any threat of interception must be avoided. Similarly, attorneys defending individuals accused of white-collar crimes should generally encode communications to and from their clients. In a similar vein, individuals contemplating the transmission of messages whose content may be violative of one or more civil statutes, such as Title VII, or the federal securities and antitrust laws, should definitely use encryption.
Given the low risk of interception for any particular message among the millions that are exchanged over the Internet every day, a common-sense weighing and sniffer test is clearly appropriate in determining whether to encrypt e-mail communications.
Statutory Treatment of E-Mail Transmissions in the Context of the Attorney-Client Privilege
At work, lawyers who first used E-Mail only within their firms now find it virtually indispensable as a rapid, effective means of communicating with clients and other lawyers. Many worry, however, that sending an E-Mail without “encryption” (encoding) to prevent interception may violate the confidentiality requirement of the ethics rules, waive the attorney-client privilege for the transmitted information, or even result in malpractice liability. What is “privilege”, and why is its potential loss so troublesome to the legal community?
The general goal of the attorney-client privilege is to encourage candor and full disclosure by the client. The United States Supreme Court addressed the importance of this evidentiary rule in UpJohn v. United States, 449 U.S. 387, 388 (1981):
[The privilege’s] purpose is to encourage full and frank communication between attorneys and their clients and thereby promote broader public interests in the observance of the law and [the] administration of justice. The privilege recognizes that sound legal advice or advocacy serves public ends and that such advice or advocacy depends upon the lawyer’s being fully informed by the client.
In order to benefit from the absolute protection provided to privileged communications, four elements are required: (i) the client is seeking legal advice; (ii) from a professional in his capacity as an attorney; (iii) the communication relates to the legal advice; and (iv) the confidential communication is between the client and the attorney.
If the communication meets these requirements, it is instantly and permanently protected from Disclosure—unless there is a waiver by the action or inaction of the attorney or the client. The attorney-client privilege is an extremely powerful shield, as once the privilege has been held applicable, protected information may not be the subject of compelled disclosure regardless of the need or good cause shown for such disclosure. A lawyer who fails to safeguard the confidentiality of the communication after it is made will face an uncertain professional future: waiver of the privilege, by the failure to take reasonable precautions to preserve confidentiality, could result in the lawyer being sued for malpractice.
Given the above recitation of privilege, must an attorney encrypt his or her E-Mail to clients in order to maintain the privileged status of the documents conveyed? In a word, NO! Legal authorities in most of the United States—including Pennsylvania—have concluded that communications otherwise privileged do not lose their privileged character because they were communicated via E-Mail.
To be privileged, information conveyed to a lawyer must be communicated in confidence, and not in the presence of third parties. With respect to trade secrets, the information must be handled in a fashion that reasonably assures its confidentiality.
E-mail must pass through several computers (or servers) en route to its intended recipient. Multiple places exist where the e-mail message could be intercepted and scrutinized by anyone with sufficient technical skills. Additionally, service providers may legally view a message which passes through their servers. How, then, could anyone expect privacy when sending and receiving unencrypted e-mail?
The law’s focus, thus far, has been on the reasonableness of the expectation of privacy. The law has treated unencrypted telephone communications as partaking of a reasonable expectation of privacy even though phones and phone lines can be tapped and microwave and satellite relays intercepted. Although no high level court has addressed the issue in a major opinion, the published authorities treat e-mail as another aspect of telecommunications.
The Federal Communications Act of 1934 (“FCA”) prohibits unauthorized publication or interception of radio or telephone communications. While the FCA does not explicitly address modern forms of non-voice electronic communications, support for the confidentiality of e-mail has been found in law which was designed to protect cellular telephone communications, the Electronic Communications Privacy Act of 1986. Using language broad enough to include e-mail communications, the ECPA prohibits “intentionally intercept[ing], endeavor[ing] to intercept, or procur[ing] any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication.” Additionally, the ECPA expressly states that “no otherwise privileged wire, oral, or electronic communication intercepted . . . shall lose its privileged character.”
Citing the ECPA, state bar opinions on the subject of attorney-client privilege and e-mail reflect a consensus that lawyers and clients can use regular e-mail for privileged communications without the need for any specialized encryption. Additionally, the American Bar Association has also issued an extensive opinion approving of e-mail for confidential and privileged communications:
The Committee believes that e-mail communications, including those sent unencrypted over the Internet, pose no greater risk of interception or disclosure than other modes of communication commonly relied upon as having a reasonable expectation of privacy. The level of legal protection accorded e‑mail transmissions, like that accorded other modes of electronic communication, also supports the reasonableness of an expectation of privacy for unencrypted e‑mail transmissions. The risk of unauthorized interception and disclosure exists in every medium of communication, including e‑mail. It is not, however, reasonable to require that a mode of communicating information must be avoided simply because interception is technologically possible, especially when unauthorized interception or dissemination of the information is a violation of law.
The Committee concludes, based upon current technology and law as we are informed of it, that a lawyer sending confidential client information by unencrypted e‑mail does not violate Model Rule 1.6(a)[ the ethical obligation to protect information relating to representation of a client] in choosing that mode to communicate. This is principally because there is a reasonable expectation of privacy in its use.
The Pennsylvania Bar Association’s Committee on Legal Ethics and Professional Responsibility issued Informal Opinion Number 97-130 on September 26, 1997. Opinion Number 97-130 addresses a lawyer’s ethical obligations concerning the use of e-mail, and holds that interception of E-Mail is not a significant danger, and that encryption for most E-Mail messages should not be required. The Opinion, available online at <www.legalethics.com/ethics.law?state=Pennsylvania>, concludes that E-Mail is an acceptable method of communication in most circumstances. In summary form, the Opinion sets forth the following rules:
- A lawyer may use E-Mail to communicate with or about a client without encryption.
- A lawyer should advise a client concerning the risks associated with the use of E-Mail and obtain the client’s consent either orally or in writing.
- A lawyer should not use unencrypted E-Mail to communicate information concerning the representation, the interception of which would be damaging to the client, absent the client’s consent after consultation.
- A lawyer may, but is not required to, place a notice on client E-Mail warning that it is a privileged and confidential communication.
- If the E-Mail is about the lawyer or lawyer’s services and is intended to solicit new clients, it is lawyer advertising similar to targeted, direct mail and is subject to the same restrictions under the Pennsylvania Rules of Professional Conduct.
Just as the Federal Rules of Evidence do not modify the existing law with regard to privileges, the Pennsylvania Rules of Evidence, effective October 1, 1998, take a similar approach. Specifically, Rule 501 holds that “[p]rivileges as they now exist or may be modified by law shall be unaffected by the adoption of these rules.” This follows the much wordier New York provision, in effect since July 7, 1998, which provides that:
Privileged communications; electronic communication thereof. No communication privileged under this article shall lose its privileged character for the sole reason that it is communicated by electronic means or because persons necessary for the delivery or facilitation of such electronic communication may have access to the content of the communication. [New York Civil Practice Law and Rules § 4547].
In sum, while the Opinion of the Pennsylvania Bar Association, and Pennsylvania’s evidentiary rule maintain the privileged status of electronic communications, attorneys must still keep in mind their ethical obligations. When communicating with a client via E-Mail, he or she must ensure that confidences are safeguarded. The lawyer’s duty is clear—no matter what the mode of communication. Attorneys who regularly use E-Mail for client communications may want to include the following confidentiality notice, akin to that used with fax transmissions:
This Internet E-Mail contains confidential, privileged information intended only for the addressee. Do not read, copy, or disseminate it unless you are the addressee. If you have received this E-Mail in error, please call us immediately at (___) ___-____, and ask to speak to the message sender. Also, please E-Mail the message back to the sender at ____________@______________________.com by replying to it and then deleting it. We appreciate your assistance in correcting this error.
For non-client communications, the following E-Mail disclaimer should be used in order to avoid the appearance and construction of an attorney-client relationship:
This E-Mail communication is offered for discussion purposes only and is not intended as and should not be interpreted as legal advice or a legal opinion. The transmission of this E-Mail communication does not create an attorney-client relationship between the sender and you. Do not act or rely upon the information in this communication without seeking the advice of an attorney.
Finally, if the communication is extremely sensitive, encrypt it. Once E-Mail has been compromised, the courts will go back and look at the steps that were taken to preserve its confidentiality. If those steps were “reasonable”, the privilege will be maintained. If the privilege is not maintained, it will assuredly be because of the attorney’s negligence—something that the attorney may expect the client to highlight in an adversarial proceeding.