'Can We Talk?' E-Mail Is Ethics Maze
Internet insecurity leads to questions about client confidentiality and privilege.
ALTHOUGH MANY FIRMS now routinely list e-mail addresses on attorney business cards, in Martindale-Hubbell directories and on law firm Web sites, confusion reigns over how secure the new electronic technology is.
Nothing has stirred greater concern than sending unencrypted e-mail over the Internet. There is no case law yet, but this spring state bar organizations issued a handful of ethics opinions to guide attorneys through the ethics maze of e-mail. But "more often than not, they just muddy the waters," says Peter Krakaur, a San Francisco attorney who is president of Internet Legal Services, a company that hosts a Web site dedicated to legal ethics.
Some of the ethics opinions contradict each other. Some appear to be technology-specific and may change as the technology does, says Mr. Krakaur. And some ethics boards--whose advisory opinions are not binding on courts but are often relied upon by judges--have displayed an imperfect or incomplete understanding of existing technology.
The attorney-client privilege belongs to the client, but an attorney can inadvertently waive the privilege on behalf of the client. Whether privilege was waived is an evidentiary issue, and the test applied by the courts is whether there was a reasonable expectation of privacy.
But an attorney's ethical obligations extend beyond privileged information to protecting all secrets gleaned during professional representation. To avoid violating state ethics rules, an attorney must take reasonable measures, by the accepted standards of the profession, to protect information that may be detrimental or embarrassing to the client.
Vermont was the most recent state to weigh in on the e-mail issue, stating that a lawyer does not violate disciplinary rules by communicating with a client via unencrypted e-mail. In so deciding, it agreed with Illinois, which opined in May that privacy expectations for e-mail are no less than those of a phone call. (Interception of either type of communication is illegal under federal law.)
South Carolina is now similarly accepting. In June, it revised and relaxed its original e-mail ethics opinion, holding there now exists a reasonable expectation that e-mail is confidential. New York is considering an amendment stating that communications otherwise privileged do not lose their privileged character because they were communicated via e-mail.
But although e-mail may be privileged, "these proposals do not make e-mail secret," says Kevin J. Connolly, counsel to New York's Eaton & Van Winkle, where he directs the firm's new-media and computer technology practice.
Iowa reconsidered its 1996 opinion, deleting its requirement for encryption but still demanding that clients give express waivers before attorneys send confidential information by e-mail.
The difference in opinion may lie in the analogy drawn, e-mails Mr. Connolly. Those who compare e-mail to a postcard--a common analogy--feel that there can be no reasonable expectation of privacy in an unencrypted communication, he says. But some view e-mail as akin to a fax or telephone because e-mail travels over identical wires. They note that those communications enjoy the expectation of privacy.
"The sad thing about this is that we're off on a debate about this or that aspect of technology," says Nicholas Critelli, a trial lawyer with a civil and criminal practice in Des Moines, Iowa, and London who is a heavy e-mail user. "The guiding principle is that if you're communicating confidential matters, you should use a medium that is appropriate to the message."
His clients, however, e-mail sensitive messages to him via the Internet. "I can't stop them before they do it, but anyone who thinks the Internet is secure is a fool," he says. "I don't put my Mastercard number out over the Internet, so how can I provide confidential counsel over the Internet?"
Few lawyers like to talk about privilege problems. But, as with many practitioners interviewed, the greatest security breach Mr. Critelli encountered involved a fax machine; an opposing counsel mistakenly faxed him an evaluation of the strengths of the case. "I would never fax a report like that," says Mr. Critelli, who says he returned the document without reading it. When he interviews a client in prison, he says, he assumes the room is bugged.
Mr. Critelli says he agrees with the Iowa opinion. "I've received misdelivered e-mail. Who gets my e-mail?" But what about Illinois' opinion? "They're entitled to their opinion as to how the Internet works over there," he says.
"Over there," in neighboring Illinois, Christopher A. Bloom, the chair of the intellectual property and information technology department at Chicago's Bell, Boyd & Lloyd, who also lectures on professional responsibility and technology, says, "I treat e-mail as securely as a quiet conversation in a restaurant. That is to say, I have no problem discussing certain matters, but those things that I wouldn't discuss in a restaurant I would not discuss over e-mail."
His clients have been "pushing for" Internet e-mail, he says, but until the Illinois opinion was published, he insisted on using dedicated servers such as MCI Mail or CompuServe e-mail. "They are as secure as the telephone," he says.
Here Comes the Judge
Other concerns loom. "People are worried about unintentional waiver and a wacky judge," says Daniel Joseph, a litigation partner in the Washington, D.C., office of Akin, Gump, Strauss, Hauer & Feld L.L.P. who, as the firm's ethics officer, is grappling with the issue now.
The nightmare scenario, says Mr. Joseph, is one in which an attorney e-mails a message to a client that the lawyer considers harmless--"A new draft of the brief will be delivered to you tomorrow. We reversed Points One and Two because we think argument two is stronger"--and that bland e-mail is somehow intercepted during discovery by opposing counsel. Then the opposing side, Mr. Joseph hypothesizes, can argue that by not encrypting the message, privilege was waived and all e-mail on the issue becomes discoverable.
"Even though intercepting e-mail is now a felony under the Electronic Communications Privacy Act...you're always worried about the risk," says Mr. Joseph. "The widely held view--a correct view, in my opinion--is that if you have some information that is confidential and some of it is revealed, you may have waived the privilege for all of it."
A judge faced with the question of whether an attorney unintentionally waived the privilege, warns Mr. Joseph, might have read about the risks of Internet communication and, examining the issue some time down the road when encryption is easier and more common, might decide that unencrypted e-mail carries no reasonable expectation of privacy.
To Encrypt or Not
Encryption would solve many of these security issues. If an encrypted e-mail is intercepted, or accessed while on the server, the message appears to be gobbledygook.
The most popular encryption program now in use, PGP, or Pretty Good Privacy, can be downloaded from the Internet at www.pgp.com. But it requires the creation of two sets of "keys," a public key and a private key. The keys, which are actually mathematical formulas, serve to identify the signer and to signify that the message has not been altered since it was sent.
Even if encryption is handled by support staff, key creation still requires time and training. There are instructions on the PGP Web site, but the new technology can be intimidating. "Encryption is rare," says Martin Smith, a litigator at Seattle's Preston Gates & Ellis.
Myrna L. Wigod, a partner in the computer and high technology group at Newark, N.J.'s McCarter & English, says she has a computer client in litigation who refuses to encrypt. "The in-house counsel says his people think unencrypted e-mail is OK," she sighs. "They think it's far-fetched for anyone to intercept e-mail....I offered him the option of encryption, but I think he just didn't want to be bothered."
Encryption may become more widespread. By the time a judge examines a case, says Mr. Joseph, technological norms may have been transformed. "The judge might think with a little more effort you could have protected the privilege" and find that not using encryption was negligent, says Mr. Joseph.
Charles Merrill, the head of the computer and high-tech practice group at McCarter & English, says he feels attorneys should adhere to a higher standard than the general public. He thinks, therefore, that encryption is necessary now.
The case a judge could point to, notes Mr. Merrill, is The T.J. Hooper, 60 F.2d 737 (2d Cir. 1932), in which a tugboat's cargo was lost because the boat was not equipped with a radio. Although radios were not common on tugboats, Judge Learned Hand ruled that the technology was in common use and that the failure to use it caused liability to ensue.
Mr. Joseph is inclined to agree. "I will bet you that buying radios, and having people on board to keep them running in salt and wind and spray, was probably not an insignificant expenditure," he says. "But when something is lying on the bottom of the harbor, [protecting the cargo] looked like an insignificant expenditure" compared with the eventual cost of not using a radio.
Until there is case law to go by, the waters ahead look risky, experts warn.
William Freivogel, of the Attorneys' Liability Assurance Society, or ALAS, points out that T.J. Hooper has never been applied in privilege cases and that ALAS, which insures large law firms against malpractice, has never had a claim against a firm based on e-mail interception. Because of the number of e-mails sent and the protections of federal law prohibiting unauthorized access, the risks of a third party accessing an e-mail are slim.
But not impossible. After all, what were the odds that a couple of Democratic Party activists would overhear a cellular phone conversation conducted by, and embarrassing to, House Speaker Newt Gingrich on their police scanner and tape-record it?
This article is reprinted with permission from the August 18, 1997 edition of The National Law Journal. © 1997 NLP IP Company.