|
E-MAIL ETHICS FOR
ATTORNEY-CLIENT COMMUNICATIONS
COMMENTS ON ABA OPINION REQUEST 98-001 REGARDING
UNENCRYPTED INTERNET E-MAIL[1]
In responding to a request for an opinion on the issue of whether the use of
unencrypted e-mail sent over the Internet violates Model Rule 1.6(a) because it
fails to protect client confidences adequately, the ABA Standing Committee on
Ethics and Professional Responsibility (the “Committee”) confronted a dilemma:
should it fully inform lawyers and clients of the legal and technical realities
of sending unencrypted e-mail across the Internet, thereby potentially placing
thousands of competent lawyers at risk of being accused of ethical violations,
or should it assert that unencrypted e-mail communication across the Internet
has a reasonable expectation of privacy? As a responsible and influential trade
association for the legal profession, the Committee, in a carefully worded
opinion, concluded, “(t)he same privacy accorded U. S. and commercial mail,
land-line telephonic transmissions and facsimiles” should apply to unencrypted
e-mail transmissions across the Internet. The Committee had little choice as to
the conclusion it reached. That conclusion, however, does not change the
relevant legal and technical realities, nor does it relieve lawyers, client and
courts of responsibility for examining the potential risks of using unencrypted
e-mail for confidential attorney-client communications across the Internet.
THE PROBLEM
Newspapers, articles and Internet browser software warn us that the
confidentiality of electronic communications traveling across the Internet
cannot be assured.[2]
The fact that a “reasonable expectation of privacy” is required in order to
assert that use of a particular mode of communication does not waive the
attorney-client or related work product privileges, combined with the
recognition that the confidentiality of unencrypted e-mail cannot be assured,
has given rise to discussions of the possibility that using e-mail may, in some
circumstances, effectively waive the attorney-client privilege.[3]
As a result, several states have adopted legislation providing that the use of
e-mail, in and of itself, does not destroy the attorney-client privilege.[4]
Because successful assertion of the attorney-client and work product privileges
requires a showing that the evidence in question was handled as confidential
information, and such handling requires use of a mode of communication
regarding which there is a reasonable expectation of privacy, discussions of
the need for encrypting e-mail traveling across the Internet often blur the
distinction between confidential handling for purposes of preserving the
attorney-client privilege and for purposes of maintaining ethical standards
regarding handling confidential client information. The distinction, however,
is important. Questions of attorney-client privilege, and related questions of
work product privilege, involve the rules of evidence and are answered by
applying those rules, however interpreted, to discovery in a particular case. A
finding that the use of e-mail by a lawyer or client in a particular case did
not adequately protect client confidences and thereby waived the
attorney-client or related work product privilege would permit discovery of
that evidence but would be limited to the particular case.
In contrast, a determination by the American Bar Association or other
highly-respected legal organization that there is no reasonable expectation of
privacy for unencrypted communications sent across the Internet, and that
therefore the use of that mode of communication for confidential
attorney-client communication constitutes a breach of a lawyer’s ethical duties
regarding confidentiality, has draconian implications for the entire legal
profession. Failure to treat client information as confidential is malpractice.
Such failure places practicing attorneys at risk financially, and in egregious
cases, may result in suspension or loss of the license to practice law. Even if
it is determined that the lawyer did not breach ethical duties, if the e-mail
communications turn out in fact not to be private, that is, the expectation of
privacy is in fact not met, whether or not the expectation of privacy was
reasonable, the attorney-client relationship is likely to be degraded, and
possibly, depending on the adverse consequences of actual disclosure,
destroyed.
Thus, responsible bar associations, ethics committees and others are reluctant
to set out in detail the risks and legal arguments available to challenge the
position that sending unencrypted e-mail across the Internet is ethical. The
reluctance is well-founded, but it risks leaving lawyers inadequately educated
for determining whether and when it is advisable to take steps to encrypt
Internet e-mail, and thus, unable to make and to assist clients to make
informed choices regarding the use of e-mail.
Two state ethics committees have taken the position that, because of the
possibility of interception, e-mail should not be used for attorney-client
communication unless the messages are encrypted or the client has been made
aware of the risk and consented to use of the “insecure” communication.[5]
Many more have taken the position that e-mail transmission is no more subject
to interception than is a telephone conversation, and therefore, there is a
reasonable expectation that e-mail will remain private and use of unencrypted
e-mail across the Internet is ethically acceptable.[6]
Both extremes focus on the difficulty and likelihood of “interception.”
Interception, however, is not the only issue, or even the primary issue, in
determining whether there is a foreseeable risk of unintended disclosure to
third parties. A significant issue is whether there is a foreseeable likelihood
of authorized
review, that is, review that is not interception and is both legal and
foreseeable. Interception, except in limited circumstances, is illegal. Use of
the word “interception” implies unauthorized access. Assuming that the risk of
unauthorized access is not so great as to vitiate a reasonable expectation of
privacy, the question remains as to whether the risk of authorized review is
sufficient to undermine the reasonable expectation of privacy. At least
arguably, if there is a risk of foreseeable, legal review, that risk may
vitiate, or at a minimum, significantly weaken, the argument that there is a
reasonable expectation of privacy for communications moving unencrypted across
the Internet.
The House of Delegates, acting as the voice of the American Bar Association,
has taken the position that “state, local and territorial courts (should)
accord electronic mail communication, whether by Internet or any other means,
the same expectation of privacy and confidentiality as lawyer-client
communications by telephone calls, United States mail and other means of
communication traditionally deemed private and confidential.”[7]
Both the August 1998 resolution and the recent opinion of the Committee[8]
are carefully phrased. Neither says that e-mail has, in fact
, the same reasonable expectation of privacy as telephone calls or other means
of communication; only that courts “should accord” it, i.e., treat it, as if it
has. The phrasing indicates that the Committee may be aware of a possible
discrepancy between the realities of using unencrypted e-mail across the
Internet and the recommendation as to how it should be treated by the courts.
E-mail has been likened to cellular telephones,[9]
land-line telephones,[10]
and postcards sent through the U.S. Postal Service.[11]
In referring to the U.S. Mail, the ABA’s resolution clearly intended that
e-mail be analogized to letters in sealed envelopes, not postcards, but at
least one court has stated that it is not appropriate to consider e-mail to be
a “sealed” mode of transmission. That court however did not analogize e-mail
across the Internet to sending a postcard through the mail. Rather, the court
analogized to facsimile transmissions, suggesting that cautionary language
similar to language commonly used on confidential facsimile transmissions might
be sufficient to assure a reasonable expectation of privacy.[12]
The discussion in opinions of various ethics committees indicates some
uncertainty regarding the factual workings of Internet communications, and
discomfort and continuing insecurity regarding use of unencrypted e-mail across
the Internet.
HOW E-MAIL WORKS
“E-mail” has become a generic term for a variety of electronic communication
arrangements. It includes internal systems in law firms that permit lawyers to
communicate with one another within a single office, among regional offices of
the firm, and even with one or more offices from outside the system. It
includes internal systems in corporations that permit lawyers to communicate
with one another and with their corporate clients, again, some within the
corporate headquarters, some from outlying locations and some from outside the
internal system.
Law firms are connecting electronically with their clients. Sometimes these are
direct, dedicated connections. Sometimes they permit clients to have limited
access to a firm’s internal system. Sometimes these arrangements give outside
counsel access to the corporate client’s system. Access, when given, may be
provided in various ways. For example, access may be through an outside
provider, such as AT&T or America Online, as a means of exchanging e-mail.
These arrangements, in turn, may vary. For example, such e-mail may be
exchanged either through the provider’s general system or within a special,
dedicated area of the system with limited access. Where attorney and client use
different e-mail providers, the e-mail may move directly between providers, or,
in order to move from one provider to another, may move across the Internet.
Recently, services that provide document exchange and storage on a web site
using a web browser have appeared,[13]
and organizations are setting up secure socket web sites, accessible via an
Internet browser, permitting them to store, exchange and collaborate on
documents among their own employees, and with outside counsel, clients and
customers.[14]
E-mail communication on a private intranet is likely to go straight to the
organization’s e-mail server and remain there until retrieved. Communication
within a given service provider is likely to go to the service provider’s
server and remain there until retrieved. Communication from one service
provider to another is likely to travel across the Internet, a process which
may involve passing the message from server to server, across a varying number
of servers and via routes that cannot be predetermined. E-mail on an internal
“intranet” system may be encrypted or not, and may be read by the system
administrator (or not, if it is encrypted), depending upon the system and how
it is configured and used. The variations among systems are even more diverse.
Stated simply, all e-mail is not created equal.
Where e-mail moves via a direct connection from the sender’s to the receiver’s
system, for example, via modem to modem, the connection is, like a telephone
call, simultaneous. Where, however, e-mail communication is across the
Internet, the communication is made via a series of relays and there is
unlikely to be a simultaneous connection between writer and addressee. Thus,
the communication, although it uses telephone lines, is technically different
from a telephone call or a facsimile connection.
The Internet can be envisioned as a huge number of computer systems linked
together, some of which are set up to send and receive e-mail. (A system for
this conceptual purpose may be of any size, from a small desktop computer to a
large mainframe.) Each system set up to send and receive e-mail is able to send
and receive messages directed to anyone, to sort the messages and keep those
addressed to it, and to pass on those messages addressed to other systems. The
Internet was designed by the U.S. Department of Defense, with the original
objective of assuring that messages reached their destinations somehow, even if
parts of the Internet were cut off. Thus, the specific route, or even most
likely route, of a particular message, is never known with certainty in
advance. (It may be determined in retrospect however. At the beginning of many
e-mail messages that have traveled across the Internet is a list of addresses,
generally unfamiliar to the final addressee. These are the addresses of the
systems through which the message has passed en route to the addressee.) Long
messages may be broken into “packets,” which are reassembled at each relay
point as well as at their final destination.[15]
It is worth noting that the Department of Defense did not envision sending
confidential information across the Internet unencrypted. It had, and continues
to have, different levels of encryption (and alternative communication
channels), and, depending upon its own set of classifications, sends messages
at whatever level of encryption is determined to be appropriate for the
information involved. The more secret the information, the more complex the
encryption code, and the longer the time required to encrypt and decrypt the
message.
Each system that participates in the Internet has at least one system
administrator. That person, in order to keep the system operating efficiently,
may review messages on the system to assure the system’s orderly functioning.[16]
This review process by system administrators is not “interception” or
“hacking.” There is nothing illegal or improper in the owner of a computer
system reviewing messages on the system. Moreover, because widespread use of
the Internet is relatively new, and because review of messages occurs while on
a server and is not limited by time to the duration of a simultaneous
connection, as is the case in a telephone or facsimile connection, the
likelihood of review of e-mail messages is probably far greater than the
likelihood that a telephone operator will have occasion to monitor a telephone
conversation in the ordinary course of managing the telephone system.
Where messages travel across the Internet, there may or may not be any
contractual relationship (e.g. such as might be established between an e-mail
user and a commercial service) between sender or receiver and the system owners
requiring that confidentiality be maintained. There are statutory obligations
of confidentiality imposed on commercial system administrators. It is not clear
that these will apply to unrelated non-commercial system administrators. Note
too, that obligations of confidentiality do not mean that system administrators
cannot see e-mail on their systems, but only that they have an obligation not
to disclose the information to third parties, or to use the information for
their personal benefit (see discussion below).[17]
In fact, it is clear that such system administrators will, under appropriate
circumstances, have legal access to confidential messages passing through the
service provider’s system, and therefore, that actual disclosure of
confidential information is a risk, even when the party to whom it is disclosed
has obligations of maintaining its confidentiality.
SUMMARY OF ETHICS COMMITTEE OPINIONS REGARDING E-MAIL COMMUNICATIONS
Under Model Rule 1.6, a lawyer has an ethical obligation to “hold inviolate”
confidential information of the client.[18]
State ethics opinions, regardless of whether they have concluded that it is or
is not ethical to use unencrypted e-mail traveling across the Internet for
confidential attorney-client communications, have focused on the possibility
(or likelihood) of interception. Focusing on this issue, Iowa, and less
emphatically, Arizona, concluded because it is possible for e-mail messages to
be intercepted, lawyers should not use e-mail for sensitive communications
unless the messages are encrypted or the client has consented to the
“non-secure” communication.[19]
Illinois, and those states following its reasoning, came to the opposite
conclusion.[20]
Illinois concluded that one has a reasonable expectation of privacy when
sending unencrypted e-mail over the Internet, and its reasoning has
subsequently been followed by several other states, including South Carolina,
Vermont, North Dakota and Kentucky. In its analysis, Illinois focused on the
fact that a particular e-mail message was unlikely to be “intercepted” when
traveling across the Internet and noted that the Electronic Communications
Privacy Act made it a crime to intercept an e-mail message. Based on this
analysis, Illinois concluded that such interception was no more likely than
interception of a telephone conversation and therefore, that there was a
reasonable expectation of privacy in using e-mail across the Internet and
encryption was not necessary either to meet ethical obligations of
confidentiality or to protect the confidentiality of sensitive information.[21]
As indicated above,[22]
many of the state ethics opinions concluding that e-mail has a sufficiently
reasonable expectation of privacy to make it an appropriate mode of
attorney-client communication rely on analogizing e-mail to a land-line
telephone call. Illinois, for example, relies on a theory that that
“interception or monitoring of e-mail for purposes other than assuring quality
of service of maintenance is illegal under the Electronic Communications
Privacy Act, 18 USC 2511 (2)(a)(i).”[23]
The Electronic Communications Privacy Act (“ECPA”),[24]
however, clearly distinguishes between interception of a telephone conversation
and access to stored communications,[25]
and the law applicable to each. “Interception” as defined by the Electronic
Communications Privacy Act (“ECPA”)[26]
relates only to messages moving across the Internet. Once messages are
“delivered” (and “delivery” may be to servers en route as well as to the final
addressee), they are “stored” on a server, and reading them while they are on a
server does not constitute “interception.”[27]
The language of the statute is clear, and was applied in the recent case of United
States v. Smith, which decided that reading stored messages is not
“interception.”[28]
If other courts read the law as the Ninth Circuit did, they, too, may conclude
that the telephone analogy is technically faulty, that the result of the
Illinois analysis is, accordingly, unpersuasive, and therefore, that the
conclusion that use of unencrypted e-mail across the Internet will not
compromise confidentiality so as to breach the attorney’s obligation to
maintain client confidences is unwarranted because there may, in fact, be no
reasonable expectation of privacy.
It is also worth noting that the ECPA regulates only “provider [s] of wire or
electronic communication service [s], whose facilities are used in the
transmission of a wire or electronic communication,”[29]
and there is a risk that the reference will be construed to refer only to
commercial providers. If the reference is so construed and limited, messages
passed through the systems of organizations that are at best only incidentally
“providers” of electronic communications services (for example, universities
and large corporations) may not be protected by any of the obligations imposed
by the ECPA, including any obligations of confidentiality. (Since the ECPA also
provides certain protections to those it covers, imposing confidentiality
obligations on system administrators of non-commercial third party systems
might entail extending the protections of the ECPA to these entities, which a
court might be reluctant to do in the absence of clear legislative direction on
the issue.) Even if confidentiality obligations are imposed upon private
parties, if a court were to view unencrypted e-mail moving across the Internet
as more like a postcard than a letter in a sealed envelope, a confidentiality
obligation similar to that imposed upon U. S. Postal employees might not be
sufficient to satisfy a client that the attorney’s ethical obligations to
protect client confidences had been met.
In any event, it is generally agreed that the risk of actual disclosure
remains. As indicated above, computer systems of all sizes, from single desktop
computers to large mainframes, have at least one system administrator whose job
it is to assure that the system operates smoothly. A system administrator for
an organization’s e-mail system does not, in the normal course, have a “need to
know” the content of e-mail messages, but may, in connection with managing the
organization’s computer system, have, and have a need to have, access to all
the information on the system, including (unencrypted) e-mail. Review by an
organization’s system administrator appears to be similar to review by a
secretary of documents typed for a lawyer, and should not give rise to a
claimed breach of ethical obligations. Where, however, it is foreseeable that
the review may in fact be made by an unaffiliated third party’s system
administrator, and particularly where it is in fact so made, there is a risk
that a client would conclude that the information had not been treated with
sufficient care to provide a reasonable expectation of privacy,[30]
and that an ethics committee might, in egregious factual circumstances, agree.
While Illinois recognized the existence of the possibility that a (third party)
system administrator could lawfully read part or all of a confidential message,
it rested its conclusion that e-mail traveling across the Internet has a
reasonable expectation of privacy on the absence of likelihood of illegal
interception, concluding that the opportunity for “illegal interception”
by such system administrators did not make it unreasonable to expect privacy of
the message (emphasis added).[31]
Both the ECPA and case law recognize that accessing stored messages is not
“interception,” and the recent case of United States v. Smith also
determined that accessing stored messages is not interception.[32]
Thus, the reference of the Illinois opinion to “illegal interception” is
inconsistent with its implicit recognition that a system administrator has a
legitimate right to monitor messages. Possibly, the drafters of the Illinois
opinion, and those in the states that adopted its view, as well as the ABA
Opinion, were aware of the flaw in their reasoning, but chose, in the interest
of reaching the desired result, to ignore it.
Focus on the question of the likelihood of interception sidesteps the
fundamental issue, which is whether there is a reasonable likelihood of
privacy. The relevant technology makes it possible for system administrators to
view e-mail legitimately, and the key question is how to evaluate the
likelihood that such viewing will occur. As indicated above, unlike telephone
conversations, which are ephemeral and therefore will be monitored, if at all,
while they occur, e-mail messages create a document. Thus, the risk of
disclosure is not limited to “tapping” into a particular conversation in
progress.[33]
Although e-mail messages travel over telephone lines, the technology causes
them to move through a series of computer system mail servers, some of which
may belong to entities that are not regulated interstate communications service
providers. Accessing messages delivered to intermediate systems en route is not
“interception” and is not “illegal.” Moreover, the ability of a third party
system administrator to access messages on a mail server is routine and
therefore foreseeable, and the frequency of problems with Internet
communications and system “glitches” make exercise of that ability far more
likely than the monitoring of a telephone conversation to assure system
quality.
By concluding that the reasonable expectation of privacy rests on the
unlikelihood of interception, which is illegal, the Illinois reasoning ignores
the parallel with telephone companies’ right to monitor telephone conversations
for quality control, thereby weakening its own rationale for adopting the
telephone analogy. The legal basis for imposing confidentiality obligations on
service providers’ monitors is also uncertain. Not all mail servers are
commercial Internet service providers, and whether entities other than
commercial Internet service providers have confidentiality obligations is
unclear. Finally, even if system administrators of entities other than
commercial Internet service providers have confidentiality obligations, if they
are regarded as obligations analogous to those of U.S. postal employees, they
may be insufficient to support assertions that unencrypted e-mail traveling
across the Internet is an appropriate way to handle information, as information
on a postcard placed in the U.S. Mail generally is not regarded as having been
treated as confidential information.
THE COMMITTEE OPINION
The Committee relies on U. S. v. Maxwell[34]
to support its conclusion that unencrypted e-mail communication sent across the
Internet has a reasonable expectation of privacy. Maxwell states that
there was a reasonable expectation of privacy regarding the e-mail in that
case. The case, however, does little to assist analysis of whether use of
unencrypted e-mail traveling across the Internet has a reasonable expectation
of privacy for purposes of Model Rule 1.6. Maxwell
was a Fourth Amendment search and seizure case involving requests for and
receipt of pornographic materials by an enlisted soldier on active duty - a
criminal offense. The defendant asserted that he had, for purposes of the
Fourth Amendment, a reasonable expectation of privacy regarding materials
placed in his e-mail “mailbox.” In the context of the case, the court agreed
that the defendant had a reasonable expectation of privacy for purposes of the
Fourth Amendment. The e-mail transmission in that case, however, did not
involve any transmission over the Internet. Both the defendant and the provider
of the materials used the same private on-line commercial computer service. The
use of passwords was also required, and provided additional evidence of a
reasonable expectation of privacy.
The language of Maxwell sounds persuasive. The facts and circumstances
of the case, however, make it an uncertain foundation for asserting that
unencrypted e-mail sent over the Internet has a reasonable expectation of
privacy. It did not involve an Internet transmission. The Maxwell
court, which was a military court, determined that for Fourth Amendment
purposes evaluated in a criminal context, there is a reasonable expectation of
privacy in the mailbox of the addressee when the e-mail is sent between persons
subscribing to the same commercial provider.
The Committee’s Opinion relates to unencrypted Internet communications.
Challenges to the adequacy of protecting client confidences are likely to arise
in a civil, not a criminal context, and professional standards imposed on
lawyers generally require higher levels of knowledge and judgment than those
required of the ordinary person. Given the facts of the Maxwell
case, it seems a slender reed on which to rely.
ABSENCE OF CASE LAW REGARDING USE OF E-MAIL ACROSS THE INTERNET
The absence of case law dealing with whether sending unencrypted e-mail across
the Internet fails to meet counsel’s ethical obligations to maintain client
confidences, and the technical inaccuracy of many of state ethics committee
opinions stating that use of unencrypted e-mail is not unethical, have led some
commentators to warn that “current statutes and case law are inadequate to
provide the expectation of privacy necessary to invoke the protection of the
attorney-client privilege” when unencrypted e-mail is sent across the Internet,[35]
while others assert that unencrypted e-mail communications should be considered
privileged,[36]
thereby implying that there is a reasonable expectation of privacy.
The mere fact that there is currently a body of commentary warning of the
absence of existing law to provide a foundation for a reasonable expectation of
privacy regarding these communications has, justifiably, created a sense of
unease regarding use of e-mail for confidential communications. Some
commentators have mentioned the possibility of exposure to a malpractice suit
if the risk of inadvertent or unintended disclosure of attorney-client
confidences becomes reality.[37]
As indicated above, even ethics committees and commentators who do believe that
there is a reasonable expectation of privacy regarding unencrypted e-mail
messages across the Internet emphasize the potential risks of unwanted
disclosure of sensitive information and recommend various protective measures,
from encryption to warning language similar to that typically included on the
cover pages of messages sent by facsimile, to reduce those risks.
THE ISSUE: TO ENCRYPT OR NOT TO ENCRYPT - A PRACTICAL QUESTION
Ethics committees can deal with abstract legal issues. Courts can deal with
practical issues in a particular case. Practicing attorneys must routinely
decide practical issues, including how to manage their practices so as to
maximize efficient and effective service to clients. Mistakes and errors in
judgment will be made. Perfection is unattainable. But attorneys can, and do,
seek to minimize the risk of making mistakes, and most routinely seek to “do
the right thing,” that is, behave ethically.
E-mail is a new and unique form of communication. E-mail feels like a telephone
conversation and in some cases uses telephone lines, and ethics committee
opinions talk about “interception” of e-mail communications as being the
primary risk to loss of confidentiality. E-mail, however, involves a different
technology from telephone calls, and creates a document that may, in the
absence of encryption, be legally viewed by persons other than the writer and
the addressee. Such viewing is not “interception” and does not require a “wire
tap” or even “listening in” while the “conversation” is in progress. (See above
discussion on “How E-Mail Works.”)
Because e-mail feels like a telephone call, e-mail communications are likely to
be hastily composed and casually-worded. Moreover, evidence indicates that
people tend to make statements in e-mail messages that they would never make in
a formal letter or memorandum. “Steamy” messages have given rise to personnel
problems and law suits by employees who expected privacy but found their
expectations unmet.[38]
Such messages have also been a basis for sexual harassment claims.[39]
Strongly-worded e-mail has been used effectively to attack credibility and
undercut defendant’s arguments in major cases.
[40]
Thus, because e-mail feels like a telephone call but creates a document (which,
because of automatic organizational back-up systems is likely to be
long-lived), encouraging use of unencrypted e-mail for confidential
attorney-client communications has risks that unrecorded telephone conversation
and more traditional, formal modes of written communication do not have.
For purposes of analyzing whether attorney-client privilege is at risk, the key
issue is whether, in communicating by e-mail, an attorney and client have a
reasonable expectation of privacy. Because the factual situations and contexts
in which e-mail is used vary widely, whether particular arrangements provide a
“reasonable expectation of privacy” and thus conform to the evidentiary
standard required in connection with asserting attorney-client privilege, is
likely to be a question of fact.
As noted above, the question of whether, when an attorney communicates with a
client via unencrypted e-mail, there is a sufficient “reasonable expectation of
privacy” to support an assertion of the attorney-client and work-product
privileges, which are rules of evidence, is separate from the issues relating
to whether use of unencrypted e-mail raises ethical issues regarding potential
failure to treat client confidences as confidential. The following discussion
deals with the ethical issue.
CONSIDER THE RISKS
Under present case law, and most state ethics committee opinions, using e-mail
to communicate confidential information across the Internet is not deemed a
breach of an attorney’s ethical obligation to maintain client confidences.
Clearly, however, the considerable body of literature combined with routine
on-screen warnings of the absence of confidentiality when sending messages
across the Internet indicates that there is a potential risk that using
unencrypted e-mail across the Internet to communicate confidential information
will be deemed a breach of Model Rule 1.6 (Confidentiality of Information).
A court might reach this conclusion by several different routes. One
possibility is by reference to the existence of a body of literature warning
that confidentiality of Internet communications cannot be assured, followed by
refusal to recognize unencrypted or otherwise unprotected e-mail communications
across the Internet as attorney-client privileged. To forestall such a
conclusion, several states, including New York, have adopted legislation to the
effect that merely transmitting e-mail across the Internet will not, in and of
itself, waive the attorney-client privilege for purposes of the rules of
evidence.[41]
Where it exists, such legislation provides a measure of comfort and security
regarding waiver for purposes of the rules of evidence, and may have some
probative value regarding the issue of whether use of unencrypted e-mail across
the Internet meets the requirements of Model Rule 1.6. The legislation however,
may be a two-edged sword. One might argue that if in fact there was a
reasonable expectation of privacy, no legislation would be required to explain
or modify otherwise applicable standards under the rules of evidence. Thus, the
fact that such legislation exists in some states provides comfort for purposes
of the rules of evidence, but also provides a warning.
A second route by which a court might conclude there is no reasonable
expectation of privacy in using unencrypted e-mail across the Internet is to
begin its analysis by analogizing e-mail to a telephone conversation. A recent
resolution by the ABA House of Delegates states that e-mail offers the same
reasonable expectation of privacy as a telephone call,[42]
but for the reasons outlined above, the analogy is technically flawed. If a
court analyzes the analogy and determines that it is technically flawed, it
might then conclude that there is no reasonable expectation of privacy when
sending unencrypted e-mail across the Internet.
A third route by which a court might conclude that using unencrypted e-mail
across the Internet to communicate confidential information will be deemed to
constitute a breach of Model Rule 1.6 obligations to maintain confidentiality
is to look to the 1986 report of the ABA Standing Committee on Lawyers’
Responsibility for Client Protection, which suggested that lawyers should not
discuss confidential matters via e-mail unless they’re assured “either through
bar approval or through the lawyer’s own informed evaluation” that a system
operator will maintain confidentiality.[43]
Because there is no way for a lawyer to evaluate whether the system
administrators of third party systems through which a message may pass will
maintain confidentiality, the Standing Committee’s 1986 suggestion may provide
support for an argument that in particular circumstances, there was no
reasonable expectation of privacy in connection with an e-mail message.
The Committee Opinion does not discuss the 1986 suggestion by the Standing
Committee on Lawyers’ Responsibility for Client Protection, and its silence is
understandable. In 1986, use of e-mail was relatively uncommon, and the
suggestion to limit its use was a reasonable advisory. Today, if a similar
suggestion were made, and a court used it to support its finding of a lapse in
attention to the ethical obligation of confidentiality, such a finding might
have implications for many more lawyers and their clients than was the case in
1986. For many lawyers and their clients, the opportunity to take preventive,
preemptive action has passed. Thus, in setting policy today, the organized bar
must be concerned with the risk that a suggestion that lawyers have an ethical
obligation to take special precautions when using e-mail may provide ammunition
for accusing thousands of competent, ethical lawyers of unethical behavior in
connection with using unencrypted e-mail across the Internet. Quite properly,
those in a position to influence courts and judges are taking steps to protect
otherwise capable, competent, ethical lawyers, who are just beginning to become
reconciled to using e-mail, from untoward results if they fail to take
additional measures to assure confidentiality regarding these communications.
A fourth route by which a court might determine that the use of unencrypted
e-mail across the Internet does not meet a lawyer’s ethical obligations under
Model Rule 1.6 is to deem sending e-mail across the Internet as analogous to
sending a postcard through the U.S. Mail, i.e.
, not (despite any obligations of U.S. Postal employees) handled as
confidential information and deem encryption as analogous to putting the
message in a sealed envelope.
As indicated above, there is a considerable body of literature, both technical
and in the “popular press,” describing e-mail as “like a postcard.” There is,
therefore, a risk that a court will accept the postcard analogy, and conclude
that sending unencrypted e-mail across the Internet indicates that the
information so sent is not being treated as confidential for purposes of
discovery. If that is a court’s position, it is a short step to the conclusion
that sending unencrypted e-mail across the Internet not only waives the
attorney-client and work product privileges, but that the attorney failed to
meet confidentiality obligations under Model Rule 1.6.[44]
A fifth route by which a court might reach the conclusion that unencrypted
e-mail traveling across the Internet is not being handled as confidential
information is to analogize e-mail to communication by cellular or cordless
telephone. This mode of communication has been deemed to be similar to e-mail
because of the transmission of communications into an “environment” in which
messages can be intercepted relatively easily, and may even be inadvertently
overheard.[45]
Cellular telephones use a broadcast technology, which is different from the
technology of the Internet. In general, the older cases involving cellular
telephones held that there was no reasonable expectation of privacy in such
communications because of the likelihood of interception. More recently
however, cellular telephone technology has improved. Encryption is automatic in
certain equipment, and there is at least one case indicating that with improved
technology (by implication, scrambling, a kind of encryption), there may be a
reasonable expectation of privacy.[46]
The propriety of using cellular telephones to communicate confidential
information with clients has been the subject of several state ethics committee
opinions. New Hampshire sees technology as key in analyzing whether there is a
reasonable expectation of privacy with regard to the use of cellular telephones
and other forms of mobile communications. The annotation to its Ethics
Committee Advisory Opinion on the subject states, “In using cellular telephones
or other forms of mobile communications, a lawyer may not discuss client
confidences or other information relating to the lawyer’s representation of the
client unless the client has consented after full disclosure and consultation.
An exception to the above exists where a scrambler-descrambler or similar
technological development is used.”[47]
Arizona took an approach to cellular telephone communication that is consistent
with its approach to e-mail confidentiality, concluding, “the time has not yet
come when a lawyer’s mere use of a cellular phone to communicate with the
client - without resort to a scrambling device or exculpatory language at the
call’s beginning - constitutes an ethical breach . . . . Nevertheless, there is
a genuine risk that a third party may intercept harmful information.
Consequently, the lawyer should exercise caution when discussing client matters
with opposing counsel on any portable telephone.”[48]
Somewhat surprisingly in light of its opinion on e-mail communications, with
regard to cellular telephones, Illinois’ state bar association opined: “Mobile
communications are not secure to maintaining confidentiality of conversations
and participants in those conversations have no right to expect to maintain
privacy of their conversation.”[49]
A sixth route by which a court might reach a conclusion that people in a
corporate setting have no reasonable expectation of privacy when using e-mail
is to review the corporation’s written policies, practices and procedures
regarding use of e-mail. E-mail moving within an organization generally moves
from the sender to a central server to the addressee. Messages on the central
server will be accessible to the organization’s system administrator, but this
accessibility, like giving such information to a secretary or paralegal, should
not affect confidentiality for purposes of complying with Model Rule 1.6.
Risks may, however, arise in connection with retention and destruction of
copies of electronic communications. In most organizations, back ups are made
automatically, at least weekly, and often daily. If the back-up copies are
available to all without regard to, or any effort to protect, their
confidentiality, it may be difficult to argue persuasively that the information
is treated as confidential.
In addition, technology has made possible new types of review that can create
bases for challenging confidential handling of internal e-mail. For example,
many companies routinely scan their e-mail files for inappropriate or improper
messages. These scans can range from a brokerage firm’s scanning to assure that
its brokers are not promoting stocks improperly, e.g.
, by searching for key phrases such as “guaranteed return,” to corporations
concerned about employee relations scanning for “steamy” messages. The scanning
process itself is automatic. A simple scan “kicks out” messages that include
the triggering key words or phrases, and those messages are reviewed by human
beings. To the extent that communications between attorney and client are
reviewed by non-lawyers, or lawyers acting in a non-legal capacity, an argument
that the confidential nature of the communications is not being maintained
might be successful.
These risks may be considerably reduced by instituting internal procedures
designed to protect attorney-client privilege and confidentiality, for example,
by making the reviewer an agent of the organization’s lawyer. In the absence of
attention to possible pitfalls, the combination of scanning e-mail and review
by a person who is neither an attorney nor an agent of an attorney, may result
in inadvertent waiver of the attorney-client privilege,
[50]
and subsequent accusations that the failure to protect client confidences so as
to constitute a waiver of the attorney-client privilege constituted a breach of
ethical obligations under Model Rule 1.6.
Arrangements that permit people to work from home or while they travel by
giving them the ability to access an organization’s intranet computer system
from outside that system create additional challenges to maintaining
confidentiality. System security is only as good as its weakest link. Security
of internal systems can be enhanced in a variety of ways. For example, many
internal systems “automatically” encrypt e-mail messages and include password
protection mechanisms for each user. Such systems may provide high barriers to
casual access and to monitoring of messages without users being aware of these
barriers.
An organization’s own statements about its treatment of e-mail communications
may influence a court’s determination of whether such communications are
confidential, as well as how confidential they in fact are. For example, many
corporations advise their employees that e-mail is not confidential, that it is
to be used only for corporate business, and that it will be monitored. If such
corporate policies are included in a manual or other written notices
instructing employees that e-mail should not be used to communicate
confidential information, in the absence of encryption, password, or other
types of protection, or special internal rules regarding monitoring
attorney-client communications, it may be difficult for the corporation’s
lawyers to argue that use of such systems carries a reasonable expectation of
privacy.
Any one of these routes may result in a court or ethics committee finding that
sending unencrypted e-mail across the Internet fails to meet the ethical
standards required of a lawyer to protect client confidences. Having reached
that conclusion, in an egregious fact situation, it is conceivable that a
finding of malpractice might follow. Presently, such a finding seems unlikely
and unwarranted. Still, given the availability of encryption software and the
relative ease with which it can be used to protect e-mail communication, it is
not inconceivable that a court would find, under egregious factual
circumstances, that the failure to use encryption was deserving of ethical
sanctions. As the risks become more widely known and the use of encryption
becomes easier and more common, the likelihood of such a determination becomes
greater.
Whatever a court or ethics committee may conclude, a client’s determination of
what is appropriate is likely to have the most immediate effect. If a client
determines that the lawyer’s failure to consider the risks of using e-mail,
explain them to the client, and obtain the client’s consent to using that means
of communication is a basis for terminating the attorney-client relationship,
loss of a client may result. Outside of states that require, under their
ethical rules, that a lawyer obtain a client’s consent to use of e-mail,[51]
there is no ethical obligation to discuss the issue, much less obtain a
client’s consent to use of e-mail. (Moreover, the efficacy of client consent
may also be risky, as in general, a client’s agreement to a lawyer’s unethical
conduct does not make such conduct acceptable.)
Discomfort regarding the use of e-mail for confidential communications is
evident in most ethics committee opinions. The Illinois discussion recognized
that “the same potential exists for the illegal interception of regular mail,
the interception of a facsimile, and the unauthorized wiretapping of a
land-based telephone” and concluded: “Because the expectation is no less
reasonable than the expectation of privacy associated with regular mail,
facsimile transmissions, or land-based telephone calls . . . use of e-mail is
proper under Rule 1.6.” Illinois did not discuss the efficacy of
confidentiality language on a facsimile cover sheet or the distinction between
mailing information on a postcard and placing the message in an envelope, but
did warn that “[a] finding of confidentiality and privilege should not end the
analysis. For information that a prudent attorney would hesitate to discuss by
facsimile, telephone, or regular mail (presumably in a sealed envelope), a
lawyer should discuss with the client such options as encryption in order to
safeguard against even inadvertent disclosure when using e-mail.”[52]
South Carolina followed a similar line of reasoning in concluding that a lawyer
may communicate with a client via e-mail, warning that there is some
information that a prudent lawyer would hesitate to discuss via e-mail, and
recommending that regarding such information, alternatives, including
encryption, should be discussed with the client to safeguard information.[53]
The Committee also encourages discussion regarding communication of
particularly sensitive information, while (for the reasons stated above)
reiterating that such advice “does not erode the reasonable expectation of
privacy.”[54]
If inadvertent disclosure of the content of an electronic communication creates
serious problems for the client, and the lawyer has not discussed the risks of
using unencrypted e-mail for confidential communications, the client may blame
the lawyer, thus impairing or ending an attorney-client relationship. Thus,
even in the absence of both a legal and an ethical duty to encrypt confidential
information before sending it across the Internet, if the result of sending
unencrypted e-mail is premature disclosure of such confidential information, or
inadvertent disclosure to a hostile party, the client may be lost.
RECOMMENDATIONS: REDUCING THE RISKS
Enumerating the risks points the way to reducing them.
Know the Rules. The legal and ethical risks of any particular
course of action regarding use of e-mail for confidential attorney-client
communication may be governed by applicable local laws and ethical and
disciplinary rules. Thus, before determining appropriate uses of e-mail,
attorneys will need to check local statues, rules of court relating to evidence
and ethics, and local ethics committee opinions regarding use of e-mail to
communicate confidential information, and establish and institute practices and
procedures in light of those rules and opinions. Lawyers practicing in states
in which local laws, decisions or ethics opinions impose requirements, such as
a requirement to discuss use of electronic communication with clients and
obtain client consent,[55]
need to be aware of and comply with such requirements. Lawyers practicing in
states in which local law, decisions and ethics opinions do not speak to the
issues of whether and when use of electronic exchanges of information are
appropriate will want to examine the issues and risks, and make an educated
evaluation as to whether or not the use of e-mail in particular circumstances
is ethical and, even if it is, whether, in the particular circumstances, it is
wise. Lawyers practicing in states in which local law, decisions or ethics
opinions have taken the position that use of unencrypted e-mail sent across the
Internet is ethical[56]
will want to be aware that both the law and relevant technology are in the
process of development and evaluate whether, in the particular circumstances,
use of unencrypted e-mail across the Internet is wise.
Know How the System Works.
When dealing with an organizational entity, take time to understand and
evaluate the subject organization’s e-mail system. Advise system administrators
of their confidentiality obligations, and establish and implement appropriate
internal procedures to protect and evidence proper handling of confidential
information and material.
Establish Procedures That Enhance and Evidence Confidential Handling of
Attorney-Client Communications. Because “e-mail” encompasses a
variety of communications systems, in a variety of settings, each with
opportunities for a variety of configurations, what constitutes a reasonable
expectation of privacy in any given situation depends upon the characteristics
of the particular system involved, where it is, and how it is configured and
used. All systems have system administrators, and those system administrators
who are part of an organization’s internal system can and should be advised of
their obligations of confidentiality.[57]
To the extent that they are required or requested to report certain types of
information that come into their possession through the e-mail systems they
administer, if the information is from or directed to a lawyer, protection of
attorney-client confidentiality can be supported by having the information
reported to an attorney. Such an internal procedure evidences that the
reporting person is acting as the attorney’s agent, and not the agent of a
non-attorney whose review might jeopardize attorney-client confidentiality.
Take Extra Precautions for Group Distributions.
Group distribution arrangements should be instituted with care and reviewed
regularly to assure that confidential communications are sent to an
appropriately limited group. The risk of including inappropriate copy
recipients of e-mail communications is, theoretically, no different from that
for paper-based communications, but because of the ease of sending electronic
communications and the often automatic setting for dissemination, special care
must be taken to assure that attorney-client communications are disseminated in
accordance with the desired treatment. Thus, extra steps may be required in
connection with electronic communications to assure limited access and to
generate good evidence that confidentiality obligations are being met. Extra
steps that provide clear and convincing evidence of an intention to protect
confidentiality can provide effective support for the assertion of the
attorney-client and work-product privileges, as well as meeting in-house
attorneys’ ethical obligations of confidentiality.
Take Extra Steps for Establishing Access From Outside the System.
Because a system’s security is only as good as its weakest link, additional
precautions are appropriate in connection with communications from outside the
system. Establishing and implementing appropriate security measures to assure
that access to the system is limited to authorized persons provides additional
insurance against unwanted disclosures, as well as evidence of concern with
confidentiality and taking reasonable steps to maintain it.
Recognize the Reality of Possible Disclosure to System Administrators.
Recognition of the risks of actual disclosure to third party system
administrators is the first step to reducing that risk. Because of the manner
in which e-mail is sent and received, the risk itself is unavoidable, and
exists regardless of whether or not these system administrators have
confidentiality obligations. Thus, where information is sufficiently sensitive
to make actual disclosure unacceptable even if the persons to whom it may be
disclosed have legal or moral obligations to maintain its confidentiality,
additional steps are advisable to assure confidentiality. Such steps may
include encryption, or modified e-mail arrangements, such as a modem to modem
or secure socket connection.[58]
Note that encryption has limitations. For example, encrypting a message
generally does not include encrypting the name of the sender or addressee. This
information, together with the length of the encrypted message, remains
disclosed to each system administrator, including intermediate system
administrators, who may review e-mail messages on the system while the
encrypted message is on that system administrator’s system. Direct
modem-to-modem and secure socket arrangements do not involve a similar risk of
disclosure of that limited information to intermediate system administrators.
Talk with Clients; Joint Informed Decisions Have Fewer Risks.
The risks of having an unhappy client as a result of using e-mail can be
reduced by conferring with each client regarding the specific risks of e-mail
communication in light of the specific technology being used, and with due
attention to related facts such as the client’s internal system and
characterization of its system (if any). Such discussion of the advantages and
disadvantages of a particular mode of communication may also decrease the risk
of being sued by that client for malpractice if the mode of mutually-approved
communication turns out to be less confidential than anticipated. Note,
however, that although the risks of facing a malpractice suit and having an
unhappy client can be reduced by discussing the relative risks and rewards of
using e-mail communication, unless local rules provide otherwise, the ultimate
responsibility for evaluating, for purposes of the rules of ethics, what modes
of communication are ethical, remains with the lawyer.
THE CASE FOR ENCRYPTION
If the use of e-mail, in and of itself, risks forfeiting the attorney-client
privilege in connection with a demand for discovery, on the ground that
communication across the Internet via e-mail has been likened to sending a
postcard through the mail and using a postcard to communicate information may
be seen as indicating that the information is not regarded by the sender as
confidential, it makes sense to encrypt.
If legislation or applicable rules of court place the attorney-client privilege
beyond risk, but an attorney using unencrypted e-mail is vulnerable to
accusations of unethical practice for failure to take reasonable,
readily-available steps protect a client’s confidences, it makes sense to
encrypt.
If the use of unencrypted e-mail is neither unethical nor a risk to the
attorney-client privilege, but merely unwise because there is a high risk of
unintended disclosure with resulting damage to the attorney-client
relationship, it makes sense to encrypt.
If the risk of actual disclosure of an e-mail message, however remote or
encumbered with legal or ethical obligations of confidentiality, is
unacceptable, it makes sense to encrypt.
If the risk of disclosure of the fact that communications between certain
parties is occurring, or the fact that communications of a certain length
between certain parties is occurring, is unacceptable, then encrypting e-mail
messages may not be adequate protection. In such cases, if e-mail is to be used
for communication, other methods for protecting communications, such as
modem-to-modem and secure socket arrangements, are appropriate.
CONCLUSION
E-mail is a wonderful mode of communication. It’s fast, easy to use, cost
efficient, and feels as comfortable as a telephone call, but more convenient.
But e-mail is not a telephone call. E-mail creates a document. Because e-mail
is so widely used by lawyers and clients to communicate confidential
information, bar associations and others in a position to influence courts are
reluctant to generate ethics opinions that might be used to challenge the
ethics of good, capable and ethical lawyers. Accordingly, ethics opinions
generally confirm that the use of unencrypted e-mail across the Internet to
communicate confidential client information is ethical. Nevertheless, the fact
remains that sending e-mail across the Internet is readily analogized to
putting a postcard in the U.S. Mail: difficult to find a particular message,
but easy to read if one happens to run across it. Most attorneys would not
communicate confidential information on a postcard, although they routinely do
so in written communications placed in sealed envelopes. As the workings of the
Internet become more widely known and encryption becomes easier, lawyers are
likely to be under increasing pressure to recognize the realities of
unencrypted communication across the Internet, and to take effective action to
minimize the risks of unintended disclosure and maximize protection of
confidential information.
To date, we are not aware of a case in which the use of unencrypted e-mail
across the Internet, in and of itself, was deemed sufficient to constitute a
waiver of the attorney-client or work product privileges or to subject an
attorney to liability for ethical violations or claims of unethical behavior
based on a failure to adequately protect client confidences under Model Rule
1.6. E-mail communications between lawyers and clients have a short history,
and the mechanics of those communications are only beginning to be understood.
At the same time, encryption is only beginning to be easy to use. As the
realities of how the Internet works become more widely understood and
encryption becomes increasingly available and easy to use, the way in which use
of unencrypted e-mail across the Internet is regarded by ethics committees,
courts and clients is likely to change. The acceptability of using unencrypted
e-mail for confidential communications is likely to decrease, and those who
fail to anticipate the change may suffer adverse consequences that are, even
today, easily avoided.
FOOTNOTES
1 Copyright
1999, Micalyn S. Harris. All Rights Reserved. Originally printed in The
Professional Lawyer, Spring, 1999. Printed by Permission The author
wishes to thank Louis J. Cutrona, Jr., Ph.D., President, Winpro, Inc., who
patiently reviewed this article for technical accuracy. All statements and
conclusions are the author’s.
2 For
example, before sending an unencrypted message across the Internet, Internet
Explorer and Netscape browsers put up a message stating, in effect, “You are
about to send a message across the Internet. Confidentiality cannot be
guaranteed. Do you wish to continue?” with buttons for “Yes” and “No.”
3 See,
e.g., Law and Policy of Cyberspace: Lawyers Need Not Encrypt E-Mail, Ethics
Panels Say, The Virtual Lawyer (June, 1997) at 5. The article also notes
opposing views.
4 See,
e.g., Sec. 4547, New York Civil Practice Law, signed July 7, 1998.
California considered, but did not adopt, similar legislation. See also 1990
California Penal Code re cordless phones.
5 See
Iowa S. Ct. Board of Professional Conduct and Ethics Op. 96-0 dated 8/29/96 and
Op. 97-1 dated 9/18/97, referencing DR101(A); see also State Bar of
Arizona’s Committee on Rules of Professional Conduct Op. No. 97-04 dated
4/7/97.
6 See,
e.g., May 16, 1997 Advisory Opinion of the Illinois Bar’s Professional
Conduct Committee.
7 Resolution
of the American Bar Association adopted August, 1998. See 14 ABA/BNA Lawyer’s
Manual on Professional Conduct, No. 15, August 19, 1998, at 394.
8 ABA
Standing Committee on Ethics and Professional Responsibility, ABA Opinion
Request 98-001 (made available in Draft at time of writing).
9 See
Illinois Ethics Opinion 96-10, 1997, WL 317367, Illinois State Bar Association
and New York State Bar Association Committee on Professional Ethics, Opinion
709 (September, 1998).
10 Todd
H. Flaming, Internet E-Mail and the Attorney-Client Privilege, 85
Illinois Bar Journal 183 (1997).
11 See,
e.g., William Freivogel, Communicating with or About Clients on the
Internet: Legal, Ethical, and Liability Concerns, 17 ALAS Loss Prevention
J. (1996), noting that technical articles frequently liken Internet messages to
postcards, leading legal writers to conclude that there is no reasonable
expectation of privacy, but himself concluding, “It is important to remember
that the hacker’s activity is as criminal as the wiretapper’s.” Id, at 18,
citing 18 U.S.C. 2510 et seq. See also, Richard E.V.Harris, Electronic
Communications and the Law of Privilege, 11 California Litigation 14
(1997), and ALAS Loss Prevention Bulletin No. 98-27, October 19, 1998.
12 See
American Civil Liberties Union v. Reno, 929 F. Supp. 824 (E. D. Pa 1996).
13 See,
e.g., http://office.findlaw.com, which advertises offering “secure
document storage and collaboration over the Internet using a web browser.”
14 For
example, Winpro, Inc., with which the author is associated, designs and
installs such facilities for clients, and also provides a secure socket
facility for communications with its clients.
15 Where
messages are broken into such packets, “interception” of the message in transit
may disclose less than the entire message, but as the message is reassembled at
each relay point, each system administrator will receive and have access to the
entire message as long as it is on that system’s server.
16 Note
that this review does not require “opening” messages. Unlike letters placed in
envelopes, which must be opened to be read, to a system administrator, e-mail
messages appear immediately following their address blocks, and are followed by
the address block of the next message. Unlike the addressee, who generally sees
a list of messages identified by sender and subject, the system administrator
sees a continuous text that does not separate addresses from text.
17 The
imposition of confidentiality obligations on non-commercial system
administrators may raise a variety of issues relating to whether they will know
the information is confidential, and whether, in some circumstances, they may
have a duty to disclose or investigate, as for example if they come across
e-mail indicating that a crime threatening death or serious bodily harm is
about to be committed. See, e.g., Clifford Stoll, The Cuckoo’s Egg:
Tracking a Spy Through the Maze of Computer Espionage, (Mass Market Paperback,
July, 1995), where a student system administrator concluded he did have an
obligation, as an administrator and citizen, to report a billing discrepancy in
a university system. Exploration of the discrepancy uncovered unauthorized,
Germany-based entry into a U.S. military computer system through the
university’s computer system.
18 Model
Rule 1.6, Note [2], Model Rules of Professional Conduct, American Bar
Association, 1999 Edition.
19 See
Iowa Op. 96-01 and Iowa Op. 97-01, and Opinion of the Arizona Ethics Committee
dated April 7, 1997. Using a question and answer format for its opinion, in
response to the question, “Should lawyers communicate with existing clients,
via e-mail, about confidential matters?”, Arizona answers, “Maybe” and
suggests, “Lawyers may want to have the e-mail encrypted with a password....
Alternatively, there is encryption software available...” The Arizona Committee
concluded that although it is not unethical for a lawyer to use e-mail to
communicate with clients, it supported encryption, stating, “(t)his committee
simply suggests that it is preferable to protect attorney/client communication
to the extent it is practical.”
20 See
Law and Policy of Cyberspace: Lawyers Need Not Encrypt E-Mail Ethics Panels
Say, supra, note 3.
21 See
Illinois Ethics Opinion 96-10, WL 317367, Illinois State Bar Association; South
Carolina Bar Ethics Advisory Committee Opinion 97-08, 6/97, Vermont Bar
Association Committee on Professional Responsibility, Opinion 95-5, North
Dakota Bar Association Ethics Committee, Opinion 97-09 (9/4/97), New York State
Bar Association Committee on Professional Ethics, Opinion 709 (September,
1998).
22 See
also, Micalyn S. Harris, Of Gold Mines and Land Mines - Protecting
On-Line Communications, Securities in the Electronic Age, Glasser
LegalWorks, 1999 (in print).
23 Illinois
Ethics Opinion 96-10, supra, note 21; South Carolina Bar Ethics Advisory
Committee, Opinion 97-08, 6/97. Vermont and North Dakota have also concluded
that use of unencrypted e-mail does not violate obligations to treat
communications with clients as confidential. See Vermont Bar Association
Committee on Professional Responsibility, Opinion 95-5, and North Dakota Bar
Association Ethics Committee, Opinion 97-09 (9/4/97).
24 18
USC Section 2510 et seq.
25 18
USC Section 2511; see also, discussion by Raymond T. Nimmer, The Law of
Computer Technology, Third Edition, (West Group 1997) at 16.11[1].
26 18
USC Sections 2510 and 2511(1)(a)
27 See,
Steve Jackson Games, Inc. v. United States Secret Service, 36 F.3rd 457, 461-62
(5th Cir. 1994). The decision has its critics. See, e.g., David Hricik,
E-mail and Client Confidentiality: Lawyers Worry Too Much about Transmitting
Client Confidences by Internet E-mail, The Georgetown Journal of Legal
Ethics, Vol. XI, No. 3, manuscript at 34 (in print).
28 United
States v. Smith, 155 F. 3rd 1051 (9th Cir. 1998), finding that stored e-mail is
governed by the Wiretap Act, which requires that interception of a
communication be contemporaneous with its transmission, and rejecting the
government’s argument that access and recording of a stored voice mail message
is governed by the Stored Communications Act. Had the Stored Communications Act
applied, accessing stored e-mail may have constituted interception. The finding
that the Wiretap Act applied meant that accessing stored e-mail was found not
to constitute interception.
29 See,
e.g., 18 USC Section 2511(2)(a)(i), prohibiting “interception and
disclosure” of electronic communications
30 Note
that when individuals receive e-mail, the sender’s name appears on a list and
the addressee then clicks on the name to “open” the message. The separation of
sender’s name and message occurs at the addressee’s terminal. The system
administrator sees addressee and message in a continuous scroll.
31 IL
Eth. Op. 96-10, supra, note 21, at 4
32 United
States v. Smith, 155 F. 3rd 1051 (9th Cir. 1998). The Smith court found that
stored e-mail is governed by the Wiretap Act, which requires that interception
of a communication be contemporaneous with its transmission, and rejected the
government’s argument that access and recording of a stored voice mail message
is governed by the Stored Communications Act. Had the Stored Communications Act
applied, accessing stored e-mail may have constituted interception. The finding
that the Wiretap Act applied meant that accessing stored e-mail was found not
to constitute interception.
33 In
this sense, e-mail seems like voice mail, which can be accessed and “read” at a
later time. As indicated above, courts may treat e-mail and voice mail
differently. To the extent voice mail tapes are retained, not erased
immediately after being retrieved, they may also create a “document” which is
preserved and retrievable at a later time. Thus, establishment and maintenance
of corporate policies regarding the retention and destruction of voice mail
tapes is also advisable.
34 U.
S. v. Maxwell, 42 MJ 568 (USAF Crim. App. 1995).
35 William
P. Matthews, Encoded Confidences: Electronic Mail, The Internet, and the
Attorney-Client Privilege, University of Kansas Law Review, November,
1996; see also, Charles R. Merrill, What Lawyers Need to Know About the
Internet: Basics for the Busy Professional, 443 PLI/Pat 187, 1996, and
Peter R. Jarvis, and Bradley F. Tellam, The Internet: New Dangers of Ethics
Traps, 56 Dec. Or. St. B. Bull 17, 1995.
36 See,
e.g., Chu, Morgan and Goldberg, Perry, E-Mail and the Attorney-Client
Privilege in California, California Litigation (Fall, 1997), vol. 11, no.
1 pp. 18-23, and David Hricik, E-Mail and Client Confidentiality: Lawyers
Worry Too Much about Transmitting Client Confidences by Internet E-Mail,
The Georgetown Journal of Legal Ethics, Vol. XI, No. 3 (Spring, 1999).
37 See
Jarvis, supra, note 35. Discussions are often characterized by
uncertainty and ambivalence. Particularly striking was one reported e-mail
interview in which the commentator stated that he did not believe use of
unencrypted e-mail exposed a lawyer to charges of acting unethically, but that
using it was “unconscionably poor judgment.” It appears that such a position is
untenable. At least arguably, exercise of “unconscionably poor judgment” is, or
should be, a breach of ethics. At a minimum, “unconscionably poor judgment” is
likely to provide a basis for a client’s termination of an attorney-client
relationship, even if not a successful malpractice suit. See also, Lawson, “An
Encryption Primer for Attorneys”, included in Lawyers on Line: A Guide to Using
the Internet, a 1995 Virginia CLE publication.
38 See,
e.g., Bourke v. Nissan Motor Co., No. YC 003979, L.A.Super.Ct., 1994.
39 See,
e.g., Blakey v. Continental Airlines, Inc., No. ESX-L-15323-95 (N. J. Law
Div. Apr. 22, 1998).
40 See,
e.g., press reports regarding testimony in United States v. Microsoft,
Civ. Ac. 94-1564, Microsoft Rests Its Case, Ending on a Misstep, New
York Times, February 27, 1999, page C1, col. 6.
41 Section
4547, New York Civil Practice Law, signed July 7, 1998. California considered,
but did not adopt, similar legislation. In the absence of legislative history
on the issue, one might conclude from a refusal to pass such legislation,
either that the legislature believed that a reasonable expectation of privacy
exists and therefore the proposed legislation was unnecessary, or that a
reasonable expectation of privacy does not exist, and therefore the proposed
legislation was inappropriate.
42 See
report in 14 ABA/BNA Lawyer’s Manual on Professional Conduct, No. 15, August
19, 1998, at 394.
43 See
ABA Standing Committee on Lawyers’ Responsibility for Client Protection, Lawyers
on Line: Ethical Perspectives in the Use of Telecomputer Communication (1986)
at 67, cited in ABA Lawyers’ Manual on Professional Conduct, at 55:409 and Rule
1.6, ABA Model Rules of Professional Conduct; see also, ABA Standing
Committee on Ethics and Professional Responsibility, Formal Op. 95-398(1995),
which noted that under Rule 5.3, an attorney who gives a third party computer
maintenance company access to client files “must make reasonable efforts to
ensure that the service company has in place, or will establish, reasonable
procedures to protect the confidentiality of client information.” Reasonable
efforts were seen to include attorney oversight to make sure the provider
understands the obligations of maintaining confidentiality. The Committee
recommended that the attorney obtain written assurance of confidentiality from
the service provider. See also, Rule 1.4(b), which discusses when an
attorney is obligated to advise a client that a significant breach of
confidentiality has occurred. If such a breach occurs within the service
provider’s company, and the breach could be seen as a “significant factor” with
regard to the representation, disclosure of the breach to the client might be
required under Rule 1.4(b). The opinion’s reasoning can be extended to other
third party service providers, e.g. data processing and printing providers.
44 Such
a position might have implications beyond waiver of the attorney-client and
work product privileges. For example, a conclusion that sending unencrypted
e-mail across the Internet fails to treat it as confidential might have
implications for handling information an organization wishes to protect as a
trade secret.
45 To
the extent statutes have made interception of cellular telephone communication
illegal, it may be argued that these cases are less useful as precedents than
when such statutes do not exist, on the theory that such statutes are
comparable to the Electronic Communications Privacy Act.
46 See
Tyler v. Berodt, 877 F2d 705, 706 (8th Cir 1989), cert. denied 493 US
1022 (1990); State v. Smith, 438 NW2d 571 (Wis. 1989); State v. Delaurier, 488
A3d 688 (RI 1985); People v. Fata, 559 NYS2d 348 (App Div 1990), but cf.
U. S. v. Smith, 978 F2d 171, 180 (5th Cir 1992), cert. denied 113 S Ct.
1620 (1993); State v. McVeigh, 620 A2d 133 (Conn. 1993), suppressing cordless
telephone conversation. None of these discussions deals with the possible
impact of the location of the speakers, e.g. taxi, commuter train, street or
baseball game, when using their cellular telephones.
47 New
Hampshire Ethics Committee Advisory Opinion #1991-92/6 of April 16, 1992;
accord: North Carolina State Bar Opinion, Modern Communications Technology and
the Duty of Confidentiality, Approved July 21, 1995.
48 Committee
on the Rules of Professional Conduct of the State Bar of Arizona, Opinion No.
95-11, December 6, 1995).
49 Illinois
State Bar Association Advisory Opinion on Professional Conduct, Opinion No.
90-07, November 26, 1990, citing Illinois Rule of Professional Conduct 1.6(a),
Edwards v. Bardwell, 632 F.Supp. 584 (M.D. Law. 1983), 808 F.2d 57 (aff’d),
110 S.Ct. 723 (cert. denied) and Tyler v. Berodt, supra, note 46.
50 In
a corporate organization, the ethical issues of disclosure of confidential
materials may be less urgent, but practical business issues, such as improper
disclosure of inside information relating to or having an impact on the price
of the company’s securities, or inadvertent disclosure of trade secrets, may
create business-related problems beyond those relating to attorney-client
privilege or lawyer ethics.
51 See,
e.g., Iowa Op. 96-01 and Iowa Op. 97-01, supra, note 19, and
Missouri Informal Advisory Opinion 970230, collected under Informal Advisory
Opinions Relating to Internet and E-Mail dated 6/5/98, also taking the position
that lawyers have an obligation to obtain clients’ permission before using
e-mail for confidential communications, “after the attorney is satisfied that
the client is aware of the risks of interception of the message as it travels
through the Internet as well as through any net work to which the computer may
be connected.”
52 ABA/BNA
Lawyers’ Manual on Professional Conduct, supra, note 42, at 210
53 Opinion
97-08 (6/97) of the Ethics Advisory Committee of the South Carolina Bar; 18
U.S.C. Sections 2701(a) and 2702(a); Rule 1.6; Accord, Vermont, Op. 97-5, supra,
note 23, and North Dakota, Op. 97-09, supra, note 23 and Alaska Bar
Association Ethics Opinion 98-2 (1998). See discussion, Opinion Request
98-001, Draft dated 2/4/99, at Footnote 37.
54 Opinion
Request 98-001, Draft dated 2/4/99, at p. 15
55 E.g.,
Iowa and Missouri, supra.
56 E.g.,
Iowa and Arizona, supra, note 19; D. C. Opinion No. 281, dated February
12, 1998; Kentucky Opinion No. E-403, dated July, 1998; and Illinois and South
Carolina opinions, supra, note 21.
57 Neither
Arizona, Iowa, Illinois nor South Carolina discussed whether actual or
potential access to confidential information by system administrators would
forfeit confidentiality or the attorney-client privilege because confidential
information could be or had been disclosed to system administrators who
constituted persons other than those with a “need to know”. It seems clear that
internal system administrators are like secretaries, i.e., agents with a need
to know. It is more difficult to apply that rationale to third party system
administrators, particularly if they are not administrators of commercial
systems. They may have a need to look, but they do not, for the most part, need
to know the contents of messages they review, and they may or may not have
knowledge of the confidential nature of the contents of e-mail messages they
review. As indicated above, encryption includes only text, not address, and
indicates the length, but not the content, of a message.
58 This
problem cannot be solved by having a dedicated password protected area within a
single commercial system, as the system administrator of that system will still
have the ability, and possibly the need, to review messages. As noted above, Maxwell
determined that for Fourth Amendment (search and seizure) purposes, persons
sending messages within a single system have a reasonable expectation of
privacy. See Maxwell, supra, note 32.
|
