Winpro, Inc. - Software development and consulting



In responding to a request for an opinion on the issue of whether the use of unencrypted e-mail sent over the Internet violates Model Rule 1.6(a) because it fails to protect client confidences adequately, the ABA Standing Committee on Ethics and Professional Responsibility (the “Committee”) confronted a dilemma: should it fully inform lawyers and clients of the legal and technical realities of sending unencrypted e-mail across the Internet, thereby potentially placing thousands of competent lawyers at risk of being accused of ethical violations, or should it assert that unencrypted e-mail communication across the Internet has a reasonable expectation of privacy? As a responsible and influential trade association for the legal profession, the Committee, in a carefully worded opinion, concluded, “(t)he same privacy accorded U. S. and commercial mail, land-line telephonic transmissions and facsimiles” should apply to unencrypted e-mail transmissions across the Internet. The Committee had little choice as to the conclusion it reached. That conclusion, however, does not change the relevant legal and technical realities, nor does it relieve lawyers, client and courts of responsibility for examining the potential risks of using unencrypted e-mail for confidential attorney-client communications across the Internet.


Newspapers, articles and Internet browser software warn us that the confidentiality of electronic communications traveling across the Internet cannot be assured.[2] The fact that a “reasonable expectation of privacy” is required in order to assert that use of a particular mode of communication does not waive the attorney-client or related work product privileges, combined with the recognition that the confidentiality of unencrypted e-mail cannot be assured, has given rise to discussions of the possibility that using e-mail may, in some circumstances, effectively waive the attorney-client privilege.[3] As a result, several states have adopted legislation providing that the use of e-mail, in and of itself, does not destroy the attorney-client privilege.[4]

Because successful assertion of the attorney-client and work product privileges requires a showing that the evidence in question was handled as confidential information, and such handling requires use of a mode of communication regarding which there is a reasonable expectation of privacy, discussions of the need for encrypting e-mail traveling across the Internet often blur the distinction between confidential handling for purposes of preserving the attorney-client privilege and for purposes of maintaining ethical standards regarding handling confidential client information. The distinction, however, is important. Questions of attorney-client privilege, and related questions of work product privilege, involve the rules of evidence and are answered by applying those rules, however interpreted, to discovery in a particular case. A finding that the use of e-mail by a lawyer or client in a particular case did not adequately protect client confidences and thereby waived the attorney-client or related work product privilege would permit discovery of that evidence but would be limited to the particular case.

In contrast, a determination by the American Bar Association or other highly-respected legal organization that there is no reasonable expectation of privacy for unencrypted communications sent across the Internet, and that therefore the use of that mode of communication for confidential attorney-client communication constitutes a breach of a lawyer’s ethical duties regarding confidentiality, has draconian implications for the entire legal profession. Failure to treat client information as confidential is malpractice. Such failure places practicing attorneys at risk financially, and in egregious cases, may result in suspension or loss of the license to practice law. Even if it is determined that the lawyer did not breach ethical duties, if the e-mail communications turn out in fact not to be private, that is, the expectation of privacy is in fact not met, whether or not the expectation of privacy was reasonable, the attorney-client relationship is likely to be degraded, and possibly, depending on the adverse consequences of actual disclosure, destroyed.

Thus, responsible bar associations, ethics committees and others are reluctant to set out in detail the risks and legal arguments available to challenge the position that sending unencrypted e-mail across the Internet is ethical. The reluctance is well-founded, but it risks leaving lawyers inadequately educated for determining whether and when it is advisable to take steps to encrypt Internet e-mail, and thus, unable to make and to assist clients to make informed choices regarding the use of e-mail.

Two state ethics committees have taken the position that, because of the possibility of interception, e-mail should not be used for attorney-client communication unless the messages are encrypted or the client has been made aware of the risk and consented to use of the “insecure” communication.[5] Many more have taken the position that e-mail transmission is no more subject to interception than is a telephone conversation, and therefore, there is a reasonable expectation that e-mail will remain private and use of unencrypted e-mail across the Internet is ethically acceptable.[6] Both extremes focus on the difficulty and likelihood of “interception.” Interception, however, is not the only issue, or even the primary issue, in determining whether there is a foreseeable risk of unintended disclosure to third parties. A significant issue is whether there is a foreseeable likelihood of authorized review, that is, review that is not interception and is both legal and foreseeable. Interception, except in limited circumstances, is illegal. Use of the word “interception” implies unauthorized access. Assuming that the risk of unauthorized access is not so great as to vitiate a reasonable expectation of privacy, the question remains as to whether the risk of authorized review is sufficient to undermine the reasonable expectation of privacy. At least arguably, if there is a risk of foreseeable, legal review, that risk may vitiate, or at a minimum, significantly weaken, the argument that there is a reasonable expectation of privacy for communications moving unencrypted across the Internet.

The House of Delegates, acting as the voice of the American Bar Association, has taken the position that “state, local and territorial courts (should) accord electronic mail communication, whether by Internet or any other means, the same expectation of privacy and confidentiality as lawyer-client communications by telephone calls, United States mail and other means of communication traditionally deemed private and confidential.”[7] Both the August 1998 resolution and the recent opinion of the Committee[8] are carefully phrased. Neither says that e-mail has, in fact , the same reasonable expectation of privacy as telephone calls or other means of communication; only that courts “should accord” it, i.e., treat it, as if it has. The phrasing indicates that the Committee may be aware of a possible discrepancy between the realities of using unencrypted e-mail across the Internet and the recommendation as to how it should be treated by the courts.

E-mail has been likened to cellular telephones,[9] land-line telephones,[10] and postcards sent through the U.S. Postal Service.[11] In referring to the U.S. Mail, the ABA’s resolution clearly intended that e-mail be analogized to letters in sealed envelopes, not postcards, but at least one court has stated that it is not appropriate to consider e-mail to be a “sealed” mode of transmission. That court however did not analogize e-mail across the Internet to sending a postcard through the mail. Rather, the court analogized to facsimile transmissions, suggesting that cautionary language similar to language commonly used on confidential facsimile transmissions might be sufficient to assure a reasonable expectation of privacy.[12]

The discussion in opinions of various ethics committees indicates some uncertainty regarding the factual workings of Internet communications, and discomfort and continuing insecurity regarding use of unencrypted e-mail across the Internet.


“E-mail” has become a generic term for a variety of electronic communication arrangements. It includes internal systems in law firms that permit lawyers to communicate with one another within a single office, among regional offices of the firm, and even with one or more offices from outside the system. It includes internal systems in corporations that permit lawyers to communicate with one another and with their corporate clients, again, some within the corporate headquarters, some from outlying locations and some from outside the internal system.

Law firms are connecting electronically with their clients. Sometimes these are direct, dedicated connections. Sometimes they permit clients to have limited access to a firm’s internal system. Sometimes these arrangements give outside counsel access to the corporate client’s system. Access, when given, may be provided in various ways. For example, access may be through an outside provider, such as AT&T or America Online, as a means of exchanging e-mail. These arrangements, in turn, may vary. For example, such e-mail may be exchanged either through the provider’s general system or within a special, dedicated area of the system with limited access. Where attorney and client use different e-mail providers, the e-mail may move directly between providers, or, in order to move from one provider to another, may move across the Internet. Recently, services that provide document exchange and storage on a web site using a web browser have appeared,[13] and organizations are setting up secure socket web sites, accessible via an Internet browser, permitting them to store, exchange and collaborate on documents among their own employees, and with outside counsel, clients and customers.[14]

E-mail communication on a private intranet is likely to go straight to the organization’s e-mail server and remain there until retrieved. Communication within a given service provider is likely to go to the service provider’s server and remain there until retrieved. Communication from one service provider to another is likely to travel across the Internet, a process which may involve passing the message from server to server, across a varying number of servers and via routes that cannot be predetermined. E-mail on an internal “intranet” system may be encrypted or not, and may be read by the system administrator (or not, if it is encrypted), depending upon the system and how it is configured and used. The variations among systems are even more diverse.

Stated simply, all e-mail is not created equal.

Where e-mail moves via a direct connection from the sender’s to the receiver’s system, for example, via modem to modem, the connection is, like a telephone call, simultaneous. Where, however, e-mail communication is across the Internet, the communication is made via a series of relays and there is unlikely to be a simultaneous connection between writer and addressee. Thus, the communication, although it uses telephone lines, is technically different from a telephone call or a facsimile connection.

The Internet can be envisioned as a huge number of computer systems linked together, some of which are set up to send and receive e-mail. (A system for this conceptual purpose may be of any size, from a small desktop computer to a large mainframe.) Each system set up to send and receive e-mail is able to send and receive messages directed to anyone, to sort the messages and keep those addressed to it, and to pass on those messages addressed to other systems. The Internet was designed by the U.S. Department of Defense, with the original objective of assuring that messages reached their destinations somehow, even if parts of the Internet were cut off. Thus, the specific route, or even most likely route, of a particular message, is never known with certainty in advance. (It may be determined in retrospect however. At the beginning of many e-mail messages that have traveled across the Internet is a list of addresses, generally unfamiliar to the final addressee. These are the addresses of the systems through which the message has passed en route to the addressee.) Long messages may be broken into “packets,” which are reassembled at each relay point as well as at their final destination.[15] It is worth noting that the Department of Defense did not envision sending confidential information across the Internet unencrypted. It had, and continues to have, different levels of encryption (and alternative communication channels), and, depending upon its own set of classifications, sends messages at whatever level of encryption is determined to be appropriate for the information involved. The more secret the information, the more complex the encryption code, and the longer the time required to encrypt and decrypt the message.

Each system that participates in the Internet has at least one system administrator. That person, in order to keep the system operating efficiently, may review messages on the system to assure the system’s orderly functioning.[16] This review process by system administrators is not “interception” or “hacking.” There is nothing illegal or improper in the owner of a computer system reviewing messages on the system. Moreover, because widespread use of the Internet is relatively new, and because review of messages occurs while on a server and is not limited by time to the duration of a simultaneous connection, as is the case in a telephone or facsimile connection, the likelihood of review of e-mail messages is probably far greater than the likelihood that a telephone operator will have occasion to monitor a telephone conversation in the ordinary course of managing the telephone system.

Where messages travel across the Internet, there may or may not be any contractual relationship (e.g. such as might be established between an e-mail user and a commercial service) between sender or receiver and the system owners requiring that confidentiality be maintained. There are statutory obligations of confidentiality imposed on commercial system administrators. It is not clear that these will apply to unrelated non-commercial system administrators. Note too, that obligations of confidentiality do not mean that system administrators cannot see e-mail on their systems, but only that they have an obligation not to disclose the information to third parties, or to use the information for their personal benefit (see discussion below).[17] In fact, it is clear that such system administrators will, under appropriate circumstances, have legal access to confidential messages passing through the service provider’s system, and therefore, that actual disclosure of confidential information is a risk, even when the party to whom it is disclosed has obligations of maintaining its confidentiality.


Under Model Rule 1.6, a lawyer has an ethical obligation to “hold inviolate” confidential information of the client.[18] State ethics opinions, regardless of whether they have concluded that it is or is not ethical to use unencrypted e-mail traveling across the Internet for confidential attorney-client communications, have focused on the possibility (or likelihood) of interception. Focusing on this issue, Iowa, and less emphatically, Arizona, concluded because it is possible for e-mail messages to be intercepted, lawyers should not use e-mail for sensitive communications unless the messages are encrypted or the client has consented to the “non-secure” communication.[19]

Illinois, and those states following its reasoning, came to the opposite conclusion.[20] Illinois concluded that one has a reasonable expectation of privacy when sending unencrypted e-mail over the Internet, and its reasoning has subsequently been followed by several other states, including South Carolina, Vermont, North Dakota and Kentucky. In its analysis, Illinois focused on the fact that a particular e-mail message was unlikely to be “intercepted” when traveling across the Internet and noted that the Electronic Communications Privacy Act made it a crime to intercept an e-mail message. Based on this analysis, Illinois concluded that such interception was no more likely than interception of a telephone conversation and therefore, that there was a reasonable expectation of privacy in using e-mail across the Internet and encryption was not necessary either to meet ethical obligations of confidentiality or to protect the confidentiality of sensitive information.[21]

As indicated above,[22] many of the state ethics opinions concluding that e-mail has a sufficiently reasonable expectation of privacy to make it an appropriate mode of attorney-client communication rely on analogizing e-mail to a land-line telephone call. Illinois, for example, relies on a theory that that “interception or monitoring of e-mail for purposes other than assuring quality of service of maintenance is illegal under the Electronic Communications Privacy Act, 18 USC 2511 (2)(a)(i).”[23] The Electronic Communications Privacy Act (“ECPA”),[24] however, clearly distinguishes between interception of a telephone conversation and access to stored communications,[25] and the law applicable to each. “Interception” as defined by the Electronic Communications Privacy Act (“ECPA”)[26] relates only to messages moving across the Internet. Once messages are “delivered” (and “delivery” may be to servers en route as well as to the final addressee), they are “stored” on a server, and reading them while they are on a server does not constitute “interception.”[27] The language of the statute is clear, and was applied in the recent case of United States v. Smith, which decided that reading stored messages is not “interception.”[28] If other courts read the law as the Ninth Circuit did, they, too, may conclude that the telephone analogy is technically faulty, that the result of the Illinois analysis is, accordingly, unpersuasive, and therefore, that the conclusion that use of unencrypted e-mail across the Internet will not compromise confidentiality so as to breach the attorney’s obligation to maintain client confidences is unwarranted because there may, in fact, be no reasonable expectation of privacy.

It is also worth noting that the ECPA regulates only “provider [s] of wire or electronic communication service [s], whose facilities are used in the transmission of a wire or electronic communication,”[29] and there is a risk that the reference will be construed to refer only to commercial providers. If the reference is so construed and limited, messages passed through the systems of organizations that are at best only incidentally “providers” of electronic communications services (for example, universities and large corporations) may not be protected by any of the obligations imposed by the ECPA, including any obligations of confidentiality. (Since the ECPA also provides certain protections to those it covers, imposing confidentiality obligations on system administrators of non-commercial third party systems might entail extending the protections of the ECPA to these entities, which a court might be reluctant to do in the absence of clear legislative direction on the issue.) Even if confidentiality obligations are imposed upon private parties, if a court were to view unencrypted e-mail moving across the Internet as more like a postcard than a letter in a sealed envelope, a confidentiality obligation similar to that imposed upon U. S. Postal employees might not be sufficient to satisfy a client that the attorney’s ethical obligations to protect client confidences had been met.

In any event, it is generally agreed that the risk of actual disclosure remains. As indicated above, computer systems of all sizes, from single desktop computers to large mainframes, have at least one system administrator whose job it is to assure that the system operates smoothly. A system administrator for an organization’s e-mail system does not, in the normal course, have a “need to know” the content of e-mail messages, but may, in connection with managing the organization’s computer system, have, and have a need to have, access to all the information on the system, including (unencrypted) e-mail. Review by an organization’s system administrator appears to be similar to review by a secretary of documents typed for a lawyer, and should not give rise to a claimed breach of ethical obligations. Where, however, it is foreseeable that the review may in fact be made by an unaffiliated third party’s system administrator, and particularly where it is in fact so made, there is a risk that a client would conclude that the information had not been treated with sufficient care to provide a reasonable expectation of privacy,[30] and that an ethics committee might, in egregious factual circumstances, agree.

While Illinois recognized the existence of the possibility that a (third party) system administrator could lawfully read part or all of a confidential message, it rested its conclusion that e-mail traveling across the Internet has a reasonable expectation of privacy on the absence of likelihood of illegal interception, concluding that the opportunity for “illegal interception” by such system administrators did not make it unreasonable to expect privacy of the message (emphasis added).[31] Both the ECPA and case law recognize that accessing stored messages is not “interception,” and the recent case of United States v. Smith also determined that accessing stored messages is not interception.[32] Thus, the reference of the Illinois opinion to “illegal interception” is inconsistent with its implicit recognition that a system administrator has a legitimate right to monitor messages. Possibly, the drafters of the Illinois opinion, and those in the states that adopted its view, as well as the ABA Opinion, were aware of the flaw in their reasoning, but chose, in the interest of reaching the desired result, to ignore it.

Focus on the question of the likelihood of interception sidesteps the fundamental issue, which is whether there is a reasonable likelihood of privacy. The relevant technology makes it possible for system administrators to view e-mail legitimately, and the key question is how to evaluate the likelihood that such viewing will occur. As indicated above, unlike telephone conversations, which are ephemeral and therefore will be monitored, if at all, while they occur, e-mail messages create a document. Thus, the risk of disclosure is not limited to “tapping” into a particular conversation in progress.[33] Although e-mail messages travel over telephone lines, the technology causes them to move through a series of computer system mail servers, some of which may belong to entities that are not regulated interstate communications service providers. Accessing messages delivered to intermediate systems en route is not “interception” and is not “illegal.” Moreover, the ability of a third party system administrator to access messages on a mail server is routine and therefore foreseeable, and the frequency of problems with Internet communications and system “glitches” make exercise of that ability far more likely than the monitoring of a telephone conversation to assure system quality.

By concluding that the reasonable expectation of privacy rests on the unlikelihood of interception, which is illegal, the Illinois reasoning ignores the parallel with telephone companies’ right to monitor telephone conversations for quality control, thereby weakening its own rationale for adopting the telephone analogy. The legal basis for imposing confidentiality obligations on service providers’ monitors is also uncertain. Not all mail servers are commercial Internet service providers, and whether entities other than commercial Internet service providers have confidentiality obligations is unclear. Finally, even if system administrators of entities other than commercial Internet service providers have confidentiality obligations, if they are regarded as obligations analogous to those of U.S. postal employees, they may be insufficient to support assertions that unencrypted e-mail traveling across the Internet is an appropriate way to handle information, as information on a postcard placed in the U.S. Mail generally is not regarded as having been treated as confidential information.


The Committee relies on U. S. v. Maxwell[34] to support its conclusion that unencrypted e-mail communication sent across the Internet has a reasonable expectation of privacy. Maxwell states that there was a reasonable expectation of privacy regarding the e-mail in that case. The case, however, does little to assist analysis of whether use of unencrypted e-mail traveling across the Internet has a reasonable expectation of privacy for purposes of Model Rule 1.6. Maxwell was a Fourth Amendment search and seizure case involving requests for and receipt of pornographic materials by an enlisted soldier on active duty - a criminal offense. The defendant asserted that he had, for purposes of the Fourth Amendment, a reasonable expectation of privacy regarding materials placed in his e-mail “mailbox.” In the context of the case, the court agreed that the defendant had a reasonable expectation of privacy for purposes of the Fourth Amendment. The e-mail transmission in that case, however, did not involve any transmission over the Internet. Both the defendant and the provider of the materials used the same private on-line commercial computer service. The use of passwords was also required, and provided additional evidence of a reasonable expectation of privacy.

The language of Maxwell sounds persuasive. The facts and circumstances of the case, however, make it an uncertain foundation for asserting that unencrypted e-mail sent over the Internet has a reasonable expectation of privacy. It did not involve an Internet transmission. The Maxwell court, which was a military court, determined that for Fourth Amendment purposes evaluated in a criminal context, there is a reasonable expectation of privacy in the mailbox of the addressee when the e-mail is sent between persons subscribing to the same commercial provider.

The Committee’s Opinion relates to unencrypted Internet communications. Challenges to the adequacy of protecting client confidences are likely to arise in a civil, not a criminal context, and professional standards imposed on lawyers generally require higher levels of knowledge and judgment than those required of the ordinary person. Given the facts of the Maxwell case, it seems a slender reed on which to rely.


The absence of case law dealing with whether sending unencrypted e-mail across the Internet fails to meet counsel’s ethical obligations to maintain client confidences, and the technical inaccuracy of many of state ethics committee opinions stating that use of unencrypted e-mail is not unethical, have led some commentators to warn that “current statutes and case law are inadequate to provide the expectation of privacy necessary to invoke the protection of the attorney-client privilege” when unencrypted e-mail is sent across the Internet,[35] while others assert that unencrypted e-mail communications should be considered privileged,[36] thereby implying that there is a reasonable expectation of privacy.

The mere fact that there is currently a body of commentary warning of the absence of existing law to provide a foundation for a reasonable expectation of privacy regarding these communications has, justifiably, created a sense of unease regarding use of e-mail for confidential communications. Some commentators have mentioned the possibility of exposure to a malpractice suit if the risk of inadvertent or unintended disclosure of attorney-client confidences becomes reality.[37] As indicated above, even ethics committees and commentators who do believe that there is a reasonable expectation of privacy regarding unencrypted e-mail messages across the Internet emphasize the potential risks of unwanted disclosure of sensitive information and recommend various protective measures, from encryption to warning language similar to that typically included on the cover pages of messages sent by facsimile, to reduce those risks.


Ethics committees can deal with abstract legal issues. Courts can deal with practical issues in a particular case. Practicing attorneys must routinely decide practical issues, including how to manage their practices so as to maximize efficient and effective service to clients. Mistakes and errors in judgment will be made. Perfection is unattainable. But attorneys can, and do, seek to minimize the risk of making mistakes, and most routinely seek to “do the right thing,” that is, behave ethically.

E-mail is a new and unique form of communication. E-mail feels like a telephone conversation and in some cases uses telephone lines, and ethics committee opinions talk about “interception” of e-mail communications as being the primary risk to loss of confidentiality. E-mail, however, involves a different technology from telephone calls, and creates a document that may, in the absence of encryption, be legally viewed by persons other than the writer and the addressee. Such viewing is not “interception” and does not require a “wire tap” or even “listening in” while the “conversation” is in progress. (See above discussion on “How E-Mail Works.”)

Because e-mail feels like a telephone call, e-mail communications are likely to be hastily composed and casually-worded. Moreover, evidence indicates that people tend to make statements in e-mail messages that they would never make in a formal letter or memorandum. “Steamy” messages have given rise to personnel problems and law suits by employees who expected privacy but found their expectations unmet.[38] Such messages have also been a basis for sexual harassment claims.[39] Strongly-worded e-mail has been used effectively to attack credibility and undercut defendant’s arguments in major cases. [40] Thus, because e-mail feels like a telephone call but creates a document (which, because of automatic organizational back-up systems is likely to be long-lived), encouraging use of unencrypted e-mail for confidential attorney-client communications has risks that unrecorded telephone conversation and more traditional, formal modes of written communication do not have.

For purposes of analyzing whether attorney-client privilege is at risk, the key issue is whether, in communicating by e-mail, an attorney and client have a reasonable expectation of privacy. Because the factual situations and contexts in which e-mail is used vary widely, whether particular arrangements provide a “reasonable expectation of privacy” and thus conform to the evidentiary standard required in connection with asserting attorney-client privilege, is likely to be a question of fact.

As noted above, the question of whether, when an attorney communicates with a client via unencrypted e-mail, there is a sufficient “reasonable expectation of privacy” to support an assertion of the attorney-client and work-product privileges, which are rules of evidence, is separate from the issues relating to whether use of unencrypted e-mail raises ethical issues regarding potential failure to treat client confidences as confidential. The following discussion deals with the ethical issue.


Under present case law, and most state ethics committee opinions, using e-mail to communicate confidential information across the Internet is not deemed a breach of an attorney’s ethical obligation to maintain client confidences. Clearly, however, the considerable body of literature combined with routine on-screen warnings of the absence of confidentiality when sending messages across the Internet indicates that there is a potential risk that using unencrypted e-mail across the Internet to communicate confidential information will be deemed a breach of Model Rule 1.6 (Confidentiality of Information).

A court might reach this conclusion by several different routes. One possibility is by reference to the existence of a body of literature warning that confidentiality of Internet communications cannot be assured, followed by refusal to recognize unencrypted or otherwise unprotected e-mail communications across the Internet as attorney-client privileged. To forestall such a conclusion, several states, including New York, have adopted legislation to the effect that merely transmitting e-mail across the Internet will not, in and of itself, waive the attorney-client privilege for purposes of the rules of evidence.[41] Where it exists, such legislation provides a measure of comfort and security regarding waiver for purposes of the rules of evidence, and may have some probative value regarding the issue of whether use of unencrypted e-mail across the Internet meets the requirements of Model Rule 1.6. The legislation however, may be a two-edged sword. One might argue that if in fact there was a reasonable expectation of privacy, no legislation would be required to explain or modify otherwise applicable standards under the rules of evidence. Thus, the fact that such legislation exists in some states provides comfort for purposes of the rules of evidence, but also provides a warning.

A second route by which a court might conclude there is no reasonable expectation of privacy in using unencrypted e-mail across the Internet is to begin its analysis by analogizing e-mail to a telephone conversation. A recent resolution by the ABA House of Delegates states that e-mail offers the same reasonable expectation of privacy as a telephone call,[42] but for the reasons outlined above, the analogy is technically flawed. If a court analyzes the analogy and determines that it is technically flawed, it might then conclude that there is no reasonable expectation of privacy when sending unencrypted e-mail across the Internet.

A third route by which a court might conclude that using unencrypted e-mail across the Internet to communicate confidential information will be deemed to constitute a breach of Model Rule 1.6 obligations to maintain confidentiality is to look to the 1986 report of the ABA Standing Committee on Lawyers’ Responsibility for Client Protection, which suggested that lawyers should not discuss confidential matters via e-mail unless they’re assured “either through bar approval or through the lawyer’s own informed evaluation” that a system operator will maintain confidentiality.[43] Because there is no way for a lawyer to evaluate whether the system administrators of third party systems through which a message may pass will maintain confidentiality, the Standing Committee’s 1986 suggestion may provide support for an argument that in particular circumstances, there was no reasonable expectation of privacy in connection with an e-mail message.

The Committee Opinion does not discuss the 1986 suggestion by the Standing Committee on Lawyers’ Responsibility for Client Protection, and its silence is understandable. In 1986, use of e-mail was relatively uncommon, and the suggestion to limit its use was a reasonable advisory. Today, if a similar suggestion were made, and a court used it to support its finding of a lapse in attention to the ethical obligation of confidentiality, such a finding might have implications for many more lawyers and their clients than was the case in 1986. For many lawyers and their clients, the opportunity to take preventive, preemptive action has passed. Thus, in setting policy today, the organized bar must be concerned with the risk that a suggestion that lawyers have an ethical obligation to take special precautions when using e-mail may provide ammunition for accusing thousands of competent, ethical lawyers of unethical behavior in connection with using unencrypted e-mail across the Internet. Quite properly, those in a position to influence courts and judges are taking steps to protect otherwise capable, competent, ethical lawyers, who are just beginning to become reconciled to using e-mail, from untoward results if they fail to take additional measures to assure confidentiality regarding these communications.

A fourth route by which a court might determine that the use of unencrypted e-mail across the Internet does not meet a lawyer’s ethical obligations under Model Rule 1.6 is to deem sending e-mail across the Internet as analogous to sending a postcard through the U.S. Mail, i.e. , not (despite any obligations of U.S. Postal employees) handled as confidential information and deem encryption as analogous to putting the message in a sealed envelope.

As indicated above, there is a considerable body of literature, both technical and in the “popular press,” describing e-mail as “like a postcard.” There is, therefore, a risk that a court will accept the postcard analogy, and conclude that sending unencrypted e-mail across the Internet indicates that the information so sent is not being treated as confidential for purposes of discovery. If that is a court’s position, it is a short step to the conclusion that sending unencrypted e-mail across the Internet not only waives the attorney-client and work product privileges, but that the attorney failed to meet confidentiality obligations under Model Rule 1.6.[44]

A fifth route by which a court might reach the conclusion that unencrypted e-mail traveling across the Internet is not being handled as confidential information is to analogize e-mail to communication by cellular or cordless telephone. This mode of communication has been deemed to be similar to e-mail because of the transmission of communications into an “environment” in which messages can be intercepted relatively easily, and may even be inadvertently overheard.[45] Cellular telephones use a broadcast technology, which is different from the technology of the Internet. In general, the older cases involving cellular telephones held that there was no reasonable expectation of privacy in such communications because of the likelihood of interception. More recently however, cellular telephone technology has improved. Encryption is automatic in certain equipment, and there is at least one case indicating that with improved technology (by implication, scrambling, a kind of encryption), there may be a reasonable expectation of privacy.[46]

The propriety of using cellular telephones to communicate confidential information with clients has been the subject of several state ethics committee opinions. New Hampshire sees technology as key in analyzing whether there is a reasonable expectation of privacy with regard to the use of cellular telephones and other forms of mobile communications. The annotation to its Ethics Committee Advisory Opinion on the subject states, “In using cellular telephones or other forms of mobile communications, a lawyer may not discuss client confidences or other information relating to the lawyer’s representation of the client unless the client has consented after full disclosure and consultation. An exception to the above exists where a scrambler-descrambler or similar technological development is used.”[47]

Arizona took an approach to cellular telephone communication that is consistent with its approach to e-mail confidentiality, concluding, “the time has not yet come when a lawyer’s mere use of a cellular phone to communicate with the client - without resort to a scrambling device or exculpatory language at the call’s beginning - constitutes an ethical breach . . . . Nevertheless, there is a genuine risk that a third party may intercept harmful information. Consequently, the lawyer should exercise caution when discussing client matters with opposing counsel on any portable telephone.”[48] Somewhat surprisingly in light of its opinion on e-mail communications, with regard to cellular telephones, Illinois’ state bar association opined: “Mobile communications are not secure to maintaining confidentiality of conversations and participants in those conversations have no right to expect to maintain privacy of their conversation.”[49]

A sixth route by which a court might reach a conclusion that people in a corporate setting have no reasonable expectation of privacy when using e-mail is to review the corporation’s written policies, practices and procedures regarding use of e-mail. E-mail moving within an organization generally moves from the sender to a central server to the addressee. Messages on the central server will be accessible to the organization’s system administrator, but this accessibility, like giving such information to a secretary or paralegal, should not affect confidentiality for purposes of complying with Model Rule 1.6.

Risks may, however, arise in connection with retention and destruction of copies of electronic communications. In most organizations, back ups are made automatically, at least weekly, and often daily. If the back-up copies are available to all without regard to, or any effort to protect, their confidentiality, it may be difficult to argue persuasively that the information is treated as confidential.

In addition, technology has made possible new types of review that can create bases for challenging confidential handling of internal e-mail. For example, many companies routinely scan their e-mail files for inappropriate or improper messages. These scans can range from a brokerage firm’s scanning to assure that its brokers are not promoting stocks improperly, e.g. , by searching for key phrases such as “guaranteed return,” to corporations concerned about employee relations scanning for “steamy” messages. The scanning process itself is automatic. A simple scan “kicks out” messages that include the triggering key words or phrases, and those messages are reviewed by human beings. To the extent that communications between attorney and client are reviewed by non-lawyers, or lawyers acting in a non-legal capacity, an argument that the confidential nature of the communications is not being maintained might be successful.

These risks may be considerably reduced by instituting internal procedures designed to protect attorney-client privilege and confidentiality, for example, by making the reviewer an agent of the organization’s lawyer. In the absence of attention to possible pitfalls, the combination of scanning e-mail and review by a person who is neither an attorney nor an agent of an attorney, may result in inadvertent waiver of the attorney-client privilege, [50] and subsequent accusations that the failure to protect client confidences so as to constitute a waiver of the attorney-client privilege constituted a breach of ethical obligations under Model Rule 1.6.

Arrangements that permit people to work from home or while they travel by giving them the ability to access an organization’s intranet computer system from outside that system create additional challenges to maintaining confidentiality. System security is only as good as its weakest link. Security of internal systems can be enhanced in a variety of ways. For example, many internal systems “automatically” encrypt e-mail messages and include password protection mechanisms for each user. Such systems may provide high barriers to casual access and to monitoring of messages without users being aware of these barriers.

An organization’s own statements about its treatment of e-mail communications may influence a court’s determination of whether such communications are confidential, as well as how confidential they in fact are. For example, many corporations advise their employees that e-mail is not confidential, that it is to be used only for corporate business, and that it will be monitored. If such corporate policies are included in a manual or other written notices instructing employees that e-mail should not be used to communicate confidential information, in the absence of encryption, password, or other types of protection, or special internal rules regarding monitoring attorney-client communications, it may be difficult for the corporation’s lawyers to argue that use of such systems carries a reasonable expectation of privacy.

Any one of these routes may result in a court or ethics committee finding that sending unencrypted e-mail across the Internet fails to meet the ethical standards required of a lawyer to protect client confidences. Having reached that conclusion, in an egregious fact situation, it is conceivable that a finding of malpractice might follow. Presently, such a finding seems unlikely and unwarranted. Still, given the availability of encryption software and the relative ease with which it can be used to protect e-mail communication, it is not inconceivable that a court would find, under egregious factual circumstances, that the failure to use encryption was deserving of ethical sanctions. As the risks become more widely known and the use of encryption becomes easier and more common, the likelihood of such a determination becomes greater.

Whatever a court or ethics committee may conclude, a client’s determination of what is appropriate is likely to have the most immediate effect. If a client determines that the lawyer’s failure to consider the risks of using e-mail, explain them to the client, and obtain the client’s consent to using that means of communication is a basis for terminating the attorney-client relationship, loss of a client may result. Outside of states that require, under their ethical rules, that a lawyer obtain a client’s consent to use of e-mail,[51] there is no ethical obligation to discuss the issue, much less obtain a client’s consent to use of e-mail. (Moreover, the efficacy of client consent may also be risky, as in general, a client’s agreement to a lawyer’s unethical conduct does not make such conduct acceptable.)

Discomfort regarding the use of e-mail for confidential communications is evident in most ethics committee opinions. The Illinois discussion recognized that “the same potential exists for the illegal interception of regular mail, the interception of a facsimile, and the unauthorized wiretapping of a land-based telephone” and concluded: “Because the expectation is no less reasonable than the expectation of privacy associated with regular mail, facsimile transmissions, or land-based telephone calls . . . use of e-mail is proper under Rule 1.6.” Illinois did not discuss the efficacy of confidentiality language on a facsimile cover sheet or the distinction between mailing information on a postcard and placing the message in an envelope, but did warn that “[a] finding of confidentiality and privilege should not end the analysis. For information that a prudent attorney would hesitate to discuss by facsimile, telephone, or regular mail (presumably in a sealed envelope), a lawyer should discuss with the client such options as encryption in order to safeguard against even inadvertent disclosure when using e-mail.”[52] South Carolina followed a similar line of reasoning in concluding that a lawyer may communicate with a client via e-mail, warning that there is some information that a prudent lawyer would hesitate to discuss via e-mail, and recommending that regarding such information, alternatives, including encryption, should be discussed with the client to safeguard information.[53] The Committee also encourages discussion regarding communication of particularly sensitive information, while (for the reasons stated above) reiterating that such advice “does not erode the reasonable expectation of privacy.”[54]

If inadvertent disclosure of the content of an electronic communication creates serious problems for the client, and the lawyer has not discussed the risks of using unencrypted e-mail for confidential communications, the client may blame the lawyer, thus impairing or ending an attorney-client relationship. Thus, even in the absence of both a legal and an ethical duty to encrypt confidential information before sending it across the Internet, if the result of sending unencrypted e-mail is premature disclosure of such confidential information, or inadvertent disclosure to a hostile party, the client may be lost.


Enumerating the risks points the way to reducing them.

Know the Rules. The legal and ethical risks of any particular course of action regarding use of e-mail for confidential attorney-client communication may be governed by applicable local laws and ethical and disciplinary rules. Thus, before determining appropriate uses of e-mail, attorneys will need to check local statues, rules of court relating to evidence and ethics, and local ethics committee opinions regarding use of e-mail to communicate confidential information, and establish and institute practices and procedures in light of those rules and opinions. Lawyers practicing in states in which local laws, decisions or ethics opinions impose requirements, such as a requirement to discuss use of electronic communication with clients and obtain client consent,[55] need to be aware of and comply with such requirements. Lawyers practicing in states in which local law, decisions and ethics opinions do not speak to the issues of whether and when use of electronic exchanges of information are appropriate will want to examine the issues and risks, and make an educated evaluation as to whether or not the use of e-mail in particular circumstances is ethical and, even if it is, whether, in the particular circumstances, it is wise. Lawyers practicing in states in which local law, decisions or ethics opinions have taken the position that use of unencrypted e-mail sent across the Internet is ethical[56] will want to be aware that both the law and relevant technology are in the process of development and evaluate whether, in the particular circumstances, use of unencrypted e-mail across the Internet is wise.

Know How the System Works. When dealing with an organizational entity, take time to understand and evaluate the subject organization’s e-mail system. Advise system administrators of their confidentiality obligations, and establish and implement appropriate internal procedures to protect and evidence proper handling of confidential information and material.

Establish Procedures That Enhance and Evidence Confidential Handling of Attorney-Client Communications. Because “e-mail” encompasses a variety of communications systems, in a variety of settings, each with opportunities for a variety of configurations, what constitutes a reasonable expectation of privacy in any given situation depends upon the characteristics of the particular system involved, where it is, and how it is configured and used. All systems have system administrators, and those system administrators who are part of an organization’s internal system can and should be advised of their obligations of confidentiality.[57] To the extent that they are required or requested to report certain types of information that come into their possession through the e-mail systems they administer, if the information is from or directed to a lawyer, protection of attorney-client confidentiality can be supported by having the information reported to an attorney. Such an internal procedure evidences that the reporting person is acting as the attorney’s agent, and not the agent of a non-attorney whose review might jeopardize attorney-client confidentiality.

Take Extra Precautions for Group Distributions. Group distribution arrangements should be instituted with care and reviewed regularly to assure that confidential communications are sent to an appropriately limited group. The risk of including inappropriate copy recipients of e-mail communications is, theoretically, no different from that for paper-based communications, but because of the ease of sending electronic communications and the often automatic setting for dissemination, special care must be taken to assure that attorney-client communications are disseminated in accordance with the desired treatment. Thus, extra steps may be required in connection with electronic communications to assure limited access and to generate good evidence that confidentiality obligations are being met. Extra steps that provide clear and convincing evidence of an intention to protect confidentiality can provide effective support for the assertion of the attorney-client and work-product privileges, as well as meeting in-house attorneys’ ethical obligations of confidentiality.

Take Extra Steps for Establishing Access From Outside the System. Because a system’s security is only as good as its weakest link, additional precautions are appropriate in connection with communications from outside the system. Establishing and implementing appropriate security measures to assure that access to the system is limited to authorized persons provides additional insurance against unwanted disclosures, as well as evidence of concern with confidentiality and taking reasonable steps to maintain it.

Recognize the Reality of Possible Disclosure to System Administrators. Recognition of the risks of actual disclosure to third party system administrators is the first step to reducing that risk. Because of the manner in which e-mail is sent and received, the risk itself is unavoidable, and exists regardless of whether or not these system administrators have confidentiality obligations. Thus, where information is sufficiently sensitive to make actual disclosure unacceptable even if the persons to whom it may be disclosed have legal or moral obligations to maintain its confidentiality, additional steps are advisable to assure confidentiality. Such steps may include encryption, or modified e-mail arrangements, such as a modem to modem or secure socket connection.[58] Note that encryption has limitations. For example, encrypting a message generally does not include encrypting the name of the sender or addressee. This information, together with the length of the encrypted message, remains disclosed to each system administrator, including intermediate system administrators, who may review e-mail messages on the system while the encrypted message is on that system administrator’s system. Direct modem-to-modem and secure socket arrangements do not involve a similar risk of disclosure of that limited information to intermediate system administrators.

Talk with Clients; Joint Informed Decisions Have Fewer Risks. The risks of having an unhappy client as a result of using e-mail can be reduced by conferring with each client regarding the specific risks of e-mail communication in light of the specific technology being used, and with due attention to related facts such as the client’s internal system and characterization of its system (if any). Such discussion of the advantages and disadvantages of a particular mode of communication may also decrease the risk of being sued by that client for malpractice if the mode of mutually-approved communication turns out to be less confidential than anticipated. Note, however, that although the risks of facing a malpractice suit and having an unhappy client can be reduced by discussing the relative risks and rewards of using e-mail communication, unless local rules provide otherwise, the ultimate responsibility for evaluating, for purposes of the rules of ethics, what modes of communication are ethical, remains with the lawyer.


If the use of e-mail, in and of itself, risks forfeiting the attorney-client privilege in connection with a demand for discovery, on the ground that communication across the Internet via e-mail has been likened to sending a postcard through the mail and using a postcard to communicate information may be seen as indicating that the information is not regarded by the sender as confidential, it makes sense to encrypt.

If legislation or applicable rules of court place the attorney-client privilege beyond risk, but an attorney using unencrypted e-mail is vulnerable to accusations of unethical practice for failure to take reasonable, readily-available steps protect a client’s confidences, it makes sense to encrypt.

If the use of unencrypted e-mail is neither unethical nor a risk to the attorney-client privilege, but merely unwise because there is a high risk of unintended disclosure with resulting damage to the attorney-client relationship, it makes sense to encrypt.

If the risk of actual disclosure of an e-mail message, however remote or encumbered with legal or ethical obligations of confidentiality, is unacceptable, it makes sense to encrypt.

If the risk of disclosure of the fact that communications between certain parties is occurring, or the fact that communications of a certain length between certain parties is occurring, is unacceptable, then encrypting e-mail messages may not be adequate protection. In such cases, if e-mail is to be used for communication, other methods for protecting communications, such as modem-to-modem and secure socket arrangements, are appropriate.


E-mail is a wonderful mode of communication. It’s fast, easy to use, cost efficient, and feels as comfortable as a telephone call, but more convenient. But e-mail is not a telephone call. E-mail creates a document. Because e-mail is so widely used by lawyers and clients to communicate confidential information, bar associations and others in a position to influence courts are reluctant to generate ethics opinions that might be used to challenge the ethics of good, capable and ethical lawyers. Accordingly, ethics opinions generally confirm that the use of unencrypted e-mail across the Internet to communicate confidential client information is ethical. Nevertheless, the fact remains that sending e-mail across the Internet is readily analogized to putting a postcard in the U.S. Mail: difficult to find a particular message, but easy to read if one happens to run across it. Most attorneys would not communicate confidential information on a postcard, although they routinely do so in written communications placed in sealed envelopes. As the workings of the Internet become more widely known and encryption becomes easier, lawyers are likely to be under increasing pressure to recognize the realities of unencrypted communication across the Internet, and to take effective action to minimize the risks of unintended disclosure and maximize protection of confidential information.

To date, we are not aware of a case in which the use of unencrypted e-mail across the Internet, in and of itself, was deemed sufficient to constitute a waiver of the attorney-client or work product privileges or to subject an attorney to liability for ethical violations or claims of unethical behavior based on a failure to adequately protect client confidences under Model Rule 1.6. E-mail communications between lawyers and clients have a short history, and the mechanics of those communications are only beginning to be understood.

At the same time, encryption is only beginning to be easy to use. As the realities of how the Internet works become more widely understood and encryption becomes increasingly available and easy to use, the way in which use of unencrypted e-mail across the Internet is regarded by ethics committees, courts and clients is likely to change. The acceptability of using unencrypted e-mail for confidential communications is likely to decrease, and those who fail to anticipate the change may suffer adverse consequences that are, even today, easily avoided.


1 Copyright 1999, Micalyn S. Harris. All Rights Reserved. Originally printed in The Professional Lawyer, Spring, 1999. Printed by Permission The author wishes to thank Louis J. Cutrona, Jr., Ph.D., President, Winpro, Inc., who patiently reviewed this article for technical accuracy. All statements and conclusions are the author’s.

2 For example, before sending an unencrypted message across the Internet, Internet Explorer and Netscape browsers put up a message stating, in effect, “You are about to send a message across the Internet. Confidentiality cannot be guaranteed. Do you wish to continue?” with buttons for “Yes” and “No.”

3 See, e.g., Law and Policy of Cyberspace: Lawyers Need Not Encrypt E-Mail, Ethics Panels Say, The Virtual Lawyer (June, 1997) at 5. The article also notes opposing views.

4 See, e.g., Sec. 4547, New York Civil Practice Law, signed July 7, 1998. California considered, but did not adopt, similar legislation. See also 1990 California Penal Code re cordless phones.

5 See Iowa S. Ct. Board of Professional Conduct and Ethics Op. 96-0 dated 8/29/96 and Op. 97-1 dated 9/18/97, referencing DR101(A); see also State Bar of Arizona’s Committee on Rules of Professional Conduct Op. No. 97-04 dated 4/7/97.

6 See, e.g., May 16, 1997 Advisory Opinion of the Illinois Bar’s Professional Conduct Committee.

7 Resolution of the American Bar Association adopted August, 1998. See 14 ABA/BNA Lawyer’s Manual on Professional Conduct, No. 15, August 19, 1998, at 394.

8 ABA Standing Committee on Ethics and Professional Responsibility, ABA Opinion Request 98-001 (made available in Draft at time of writing).

9 See Illinois Ethics Opinion 96-10, 1997, WL 317367, Illinois State Bar Association and New York State Bar Association Committee on Professional Ethics, Opinion 709 (September, 1998).

10 Todd H. Flaming, Internet E-Mail and the Attorney-Client Privilege, 85 Illinois Bar Journal 183 (1997).

11 See, e.g., William Freivogel, Communicating with or About Clients on the Internet: Legal, Ethical, and Liability Concerns, 17 ALAS Loss Prevention J. (1996), noting that technical articles frequently liken Internet messages to postcards, leading legal writers to conclude that there is no reasonable expectation of privacy, but himself concluding, “It is important to remember that the hacker’s activity is as criminal as the wiretapper’s.” Id, at 18, citing 18 U.S.C. 2510 et seq. See also, Richard E.V.Harris, Electronic Communications and the Law of Privilege, 11 California Litigation 14 (1997), and ALAS Loss Prevention Bulletin No. 98-27, October 19, 1998.

12 See American Civil Liberties Union v. Reno, 929 F. Supp. 824 (E. D. Pa 1996).

13 See, e.g.,, which advertises offering “secure document storage and collaboration over the Internet using a web browser.”

14 For example, Winpro, Inc., with which the author is associated, designs and installs such facilities for clients, and also provides a secure socket facility for communications with its clients.

15 Where messages are broken into such packets, “interception” of the message in transit may disclose less than the entire message, but as the message is reassembled at each relay point, each system administrator will receive and have access to the entire message as long as it is on that system’s server.

16 Note that this review does not require “opening” messages. Unlike letters placed in envelopes, which must be opened to be read, to a system administrator, e-mail messages appear immediately following their address blocks, and are followed by the address block of the next message. Unlike the addressee, who generally sees a list of messages identified by sender and subject, the system administrator sees a continuous text that does not separate addresses from text.

17 The imposition of confidentiality obligations on non-commercial system administrators may raise a variety of issues relating to whether they will know the information is confidential, and whether, in some circumstances, they may have a duty to disclose or investigate, as for example if they come across e-mail indicating that a crime threatening death or serious bodily harm is about to be committed. See, e.g., Clifford Stoll, The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage, (Mass Market Paperback, July, 1995), where a student system administrator concluded he did have an obligation, as an administrator and citizen, to report a billing discrepancy in a university system. Exploration of the discrepancy uncovered unauthorized, Germany-based entry into a U.S. military computer system through the university’s computer system.

18 Model Rule 1.6, Note [2], Model Rules of Professional Conduct, American Bar Association, 1999 Edition.

19 See Iowa Op. 96-01 and Iowa Op. 97-01, and Opinion of the Arizona Ethics Committee dated April 7, 1997. Using a question and answer format for its opinion, in response to the question, “Should lawyers communicate with existing clients, via e-mail, about confidential matters?”, Arizona answers, “Maybe” and suggests, “Lawyers may want to have the e-mail encrypted with a password.... Alternatively, there is encryption software available...” The Arizona Committee concluded that although it is not unethical for a lawyer to use e-mail to communicate with clients, it supported encryption, stating, “(t)his committee simply suggests that it is preferable to protect attorney/client communication to the extent it is practical.”

20 See Law and Policy of Cyberspace: Lawyers Need Not Encrypt E-Mail Ethics Panels Say, supra, note 3.

21 See Illinois Ethics Opinion 96-10, WL 317367, Illinois State Bar Association; South Carolina Bar Ethics Advisory Committee Opinion 97-08, 6/97, Vermont Bar Association Committee on Professional Responsibility, Opinion 95-5, North Dakota Bar Association Ethics Committee, Opinion 97-09 (9/4/97), New York State Bar Association Committee on Professional Ethics, Opinion 709 (September, 1998).

22 See also, Micalyn S. Harris, Of Gold Mines and Land Mines - Protecting On-Line Communications, Securities in the Electronic Age, Glasser LegalWorks, 1999 (in print).

23 Illinois Ethics Opinion 96-10, supra, note 21; South Carolina Bar Ethics Advisory Committee, Opinion 97-08, 6/97. Vermont and North Dakota have also concluded that use of unencrypted e-mail does not violate obligations to treat communications with clients as confidential. See Vermont Bar Association Committee on Professional Responsibility, Opinion 95-5, and North Dakota Bar Association Ethics Committee, Opinion 97-09 (9/4/97).

24 18 USC Section 2510 et seq.

25 18 USC Section 2511; see also, discussion by Raymond T. Nimmer, The Law of Computer Technology, Third Edition, (West Group 1997) at 16.11[1].

26 18 USC Sections 2510 and 2511(1)(a)

27 See, Steve Jackson Games, Inc. v. United States Secret Service, 36 F.3rd 457, 461-62 (5th Cir. 1994). The decision has its critics. See, e.g., David Hricik, E-mail and Client Confidentiality: Lawyers Worry Too Much about Transmitting Client Confidences by Internet E-mail, The Georgetown Journal of Legal Ethics, Vol. XI, No. 3, manuscript at 34 (in print).

28 United States v. Smith, 155 F. 3rd 1051 (9th Cir. 1998), finding that stored e-mail is governed by the Wiretap Act, which requires that interception of a communication be contemporaneous with its transmission, and rejecting the government’s argument that access and recording of a stored voice mail message is governed by the Stored Communications Act. Had the Stored Communications Act applied, accessing stored e-mail may have constituted interception. The finding that the Wiretap Act applied meant that accessing stored e-mail was found not to constitute interception.

29 See, e.g., 18 USC Section 2511(2)(a)(i), prohibiting “interception and disclosure” of electronic communications

30 Note that when individuals receive e-mail, the sender’s name appears on a list and the addressee then clicks on the name to “open” the message. The separation of sender’s name and message occurs at the addressee’s terminal. The system administrator sees addressee and message in a continuous scroll.

31 IL Eth. Op. 96-10, supra, note 21, at 4

32 United States v. Smith, 155 F. 3rd 1051 (9th Cir. 1998). The Smith court found that stored e-mail is governed by the Wiretap Act, which requires that interception of a communication be contemporaneous with its transmission, and rejected the government’s argument that access and recording of a stored voice mail message is governed by the Stored Communications Act. Had the Stored Communications Act applied, accessing stored e-mail may have constituted interception. The finding that the Wiretap Act applied meant that accessing stored e-mail was found not to constitute interception.

33 In this sense, e-mail seems like voice mail, which can be accessed and “read” at a later time. As indicated above, courts may treat e-mail and voice mail differently. To the extent voice mail tapes are retained, not erased immediately after being retrieved, they may also create a “document” which is preserved and retrievable at a later time. Thus, establishment and maintenance of corporate policies regarding the retention and destruction of voice mail tapes is also advisable.

34 U. S. v. Maxwell, 42 MJ 568 (USAF Crim. App. 1995).

35 William P. Matthews, Encoded Confidences: Electronic Mail, The Internet, and the Attorney-Client Privilege, University of Kansas Law Review, November, 1996; see also, Charles R. Merrill, What Lawyers Need to Know About the Internet: Basics for the Busy Professional, 443 PLI/Pat 187, 1996, and Peter R. Jarvis, and Bradley F. Tellam, The Internet: New Dangers of Ethics Traps, 56 Dec. Or. St. B. Bull 17, 1995.

36 See, e.g., Chu, Morgan and Goldberg, Perry, E-Mail and the Attorney-Client Privilege in California, California Litigation (Fall, 1997), vol. 11, no. 1 pp. 18-23, and David Hricik, E-Mail and Client Confidentiality: Lawyers Worry Too Much about Transmitting Client Confidences by Internet E-Mail, The Georgetown Journal of Legal Ethics, Vol. XI, No. 3 (Spring, 1999).

37 See Jarvis, supra, note 35. Discussions are often characterized by uncertainty and ambivalence. Particularly striking was one reported e-mail interview in which the commentator stated that he did not believe use of unencrypted e-mail exposed a lawyer to charges of acting unethically, but that using it was “unconscionably poor judgment.” It appears that such a position is untenable. At least arguably, exercise of “unconscionably poor judgment” is, or should be, a breach of ethics. At a minimum, “unconscionably poor judgment” is likely to provide a basis for a client’s termination of an attorney-client relationship, even if not a successful malpractice suit. See also, Lawson, “An Encryption Primer for Attorneys”, included in Lawyers on Line: A Guide to Using the Internet, a 1995 Virginia CLE publication.

38 See, e.g., Bourke v. Nissan Motor Co., No. YC 003979, L.A.Super.Ct., 1994.

39 See, e.g., Blakey v. Continental Airlines, Inc., No. ESX-L-15323-95 (N. J. Law Div. Apr. 22, 1998).

40 See, e.g., press reports regarding testimony in United States v. Microsoft, Civ. Ac. 94-1564, Microsoft Rests Its Case, Ending on a Misstep, New York Times, February 27, 1999, page C1, col. 6.

41 Section 4547, New York Civil Practice Law, signed July 7, 1998. California considered, but did not adopt, similar legislation. In the absence of legislative history on the issue, one might conclude from a refusal to pass such legislation, either that the legislature believed that a reasonable expectation of privacy exists and therefore the proposed legislation was unnecessary, or that a reasonable expectation of privacy does not exist, and therefore the proposed legislation was inappropriate.

42 See report in 14 ABA/BNA Lawyer’s Manual on Professional Conduct, No. 15, August 19, 1998, at 394.

43 See ABA Standing Committee on Lawyers’ Responsibility for Client Protection, Lawyers on Line: Ethical Perspectives in the Use of Telecomputer Communication (1986) at 67, cited in ABA Lawyers’ Manual on Professional Conduct, at 55:409 and Rule 1.6, ABA Model Rules of Professional Conduct; see also, ABA Standing Committee on Ethics and Professional Responsibility, Formal Op. 95-398(1995), which noted that under Rule 5.3, an attorney who gives a third party computer maintenance company access to client files “must make reasonable efforts to ensure that the service company has in place, or will establish, reasonable procedures to protect the confidentiality of client information.” Reasonable efforts were seen to include attorney oversight to make sure the provider understands the obligations of maintaining confidentiality. The Committee recommended that the attorney obtain written assurance of confidentiality from the service provider. See also, Rule 1.4(b), which discusses when an attorney is obligated to advise a client that a significant breach of confidentiality has occurred. If such a breach occurs within the service provider’s company, and the breach could be seen as a “significant factor” with regard to the representation, disclosure of the breach to the client might be required under Rule 1.4(b). The opinion’s reasoning can be extended to other third party service providers, e.g. data processing and printing providers.

44 Such a position might have implications beyond waiver of the attorney-client and work product privileges. For example, a conclusion that sending unencrypted e-mail across the Internet fails to treat it as confidential might have implications for handling information an organization wishes to protect as a trade secret.

45 To the extent statutes have made interception of cellular telephone communication illegal, it may be argued that these cases are less useful as precedents than when such statutes do not exist, on the theory that such statutes are comparable to the Electronic Communications Privacy Act.

46 See Tyler v. Berodt, 877 F2d 705, 706 (8th Cir 1989), cert. denied 493 US 1022 (1990); State v. Smith, 438 NW2d 571 (Wis. 1989); State v. Delaurier, 488 A3d 688 (RI 1985); People v. Fata, 559 NYS2d 348 (App Div 1990), but cf. U. S. v. Smith, 978 F2d 171, 180 (5th Cir 1992), cert. denied 113 S Ct. 1620 (1993); State v. McVeigh, 620 A2d 133 (Conn. 1993), suppressing cordless telephone conversation. None of these discussions deals with the possible impact of the location of the speakers, e.g. taxi, commuter train, street or baseball game, when using their cellular telephones.

47 New Hampshire Ethics Committee Advisory Opinion #1991-92/6 of April 16, 1992; accord: North Carolina State Bar Opinion, Modern Communications Technology and the Duty of Confidentiality, Approved July 21, 1995.

48 Committee on the Rules of Professional Conduct of the State Bar of Arizona, Opinion No. 95-11, December 6, 1995).

49 Illinois State Bar Association Advisory Opinion on Professional Conduct, Opinion No. 90-07, November 26, 1990, citing Illinois Rule of Professional Conduct 1.6(a), Edwards v. Bardwell, 632 F.Supp. 584 (M.D. Law. 1983), 808 F.2d 57 (aff’d), 110 S.Ct. 723 (cert. denied) and Tyler v. Berodt, supra, note 46.

50 In a corporate organization, the ethical issues of disclosure of confidential materials may be less urgent, but practical business issues, such as improper disclosure of inside information relating to or having an impact on the price of the company’s securities, or inadvertent disclosure of trade secrets, may create business-related problems beyond those relating to attorney-client privilege or lawyer ethics.

51 See, e.g., Iowa Op. 96-01 and Iowa Op. 97-01, supra, note 19, and Missouri Informal Advisory Opinion 970230, collected under Informal Advisory Opinions Relating to Internet and E-Mail dated 6/5/98, also taking the position that lawyers have an obligation to obtain clients’ permission before using e-mail for confidential communications, “after the attorney is satisfied that the client is aware of the risks of interception of the message as it travels through the Internet as well as through any net work to which the computer may be connected.”

52 ABA/BNA Lawyers’ Manual on Professional Conduct, supra, note 42, at 210

53 Opinion 97-08 (6/97) of the Ethics Advisory Committee of the South Carolina Bar; 18 U.S.C. Sections 2701(a) and 2702(a); Rule 1.6; Accord, Vermont, Op. 97-5, supra, note 23, and North Dakota, Op. 97-09, supra, note 23 and Alaska Bar Association Ethics Opinion 98-2 (1998). See discussion, Opinion Request 98-001, Draft dated 2/4/99, at Footnote 37.

54 Opinion Request 98-001, Draft dated 2/4/99, at p. 15

55 E.g., Iowa and Missouri, supra.

56 E.g., Iowa and Arizona, supra, note 19; D. C. Opinion No. 281, dated February 12, 1998; Kentucky Opinion No. E-403, dated July, 1998; and Illinois and South Carolina opinions, supra, note 21.

57 Neither Arizona, Iowa, Illinois nor South Carolina discussed whether actual or potential access to confidential information by system administrators would forfeit confidentiality or the attorney-client privilege because confidential information could be or had been disclosed to system administrators who constituted persons other than those with a “need to know”. It seems clear that internal system administrators are like secretaries, i.e., agents with a need to know. It is more difficult to apply that rationale to third party system administrators, particularly if they are not administrators of commercial systems. They may have a need to look, but they do not, for the most part, need to know the contents of messages they review, and they may or may not have knowledge of the confidential nature of the contents of e-mail messages they review. As indicated above, encryption includes only text, not address, and indicates the length, but not the content, of a message.

58 This problem cannot be solved by having a dedicated password protected area within a single commercial system, as the system administrator of that system will still have the ability, and possibly the need, to review messages. As noted above, Maxwell determined that for Fourth Amendment (search and seizure) purposes, persons sending messages within a single system have a reasonable expectation of privacy. See Maxwell, supra, note 32.

© 1997-2000 Winpro, Inc. All rights reserved.