February 1, 2008
Unencrypted Emails Between Attorneys and Clients May Not Be Privileged
The days of unencrypted email communications being protected under the attorney/client privilege may be numbered. The latest evidence of this comes from New York, where Judge Charles W. Ramos ruled last fall that emails from a doctor to his lawyer sent via a hospital's business email server weren't privileged after they were discovered by the hospital (source: Wall Street Journal Law Blog).
Judge Ramos rejected the privilege largely because, he found, the plaintiff didn’t have any real expectation that the messages were private. The hospital had a policy of prohibiting email for personal purposes, and that policy was disclosed to employees.
This is another shot across the bow to law firms. When courts have waived the privilege in situations like the above, it has been due to a lack of expectation of privacy. There have been similar cases in the past (Kaufman v. SunGard Invest. Sys., 2006 U.S. Dist. LEXIS 28149 (D.N.J. 2006)). In the bankruptcy proceeding In re Asia Global Crossing, Ltd., 324 B.R. 503 (Bankr. D.N.Y. 2005), the Southern District of New York held that email between an attorney and client left on the corporate email system waived the privilege. The court found that the following four factors should be taken into consideration in that analysis:
(1) does the corporation maintain a policy banning personal or other objectionable use,
(2) does the company monitor the use of the employee's computer or e-mail,
(3) do third parties have a right of access to the computer or emails, and
(4) did the corporation notify the employee, or was the employee aware, of the use and monitoring policies?
What if the client was communicating to the attorney with encrypted email? Does that offer the client an “expectation of privacy?”
In order for a client to invoke the protections of the attorney client privilege, four elements are required:
- the client is seeking legal advice;
- from a professional in his capacity as an attorney;
- the communication relates to the legal advice; and
- the confidential communication is between the client and the attorney.
In Nat'l Econ. Research Assocs. v. Evans, 21 Mass. L. Rep. 337 (Mass. Super. Ct. 2006), the Massachusetts Superior Court held that when the employer did not specify in its manual that it could monitor email and the employee took “reasonable” steps to protect the emails (the court considered deleting the emails and running a disk de-fragmentation program sufficient), then the privilege isn’t waived. Ernest Sasso, on his firm site, wrote a comprehensive article regarding email and client confidentiality which supports the argument that encrypted email would make arguments for waiver of privilege moot. To my knowledge, the issue of encrypted mail being challenged to waive privilege has still not been litigated (please correct me if I am wrong).
If you are communicating via email to clients regarding your case, stop it now. Or, take evasive action. Use encryption in all communications with clients expected to contain privileged information. In my opinion, you have a stronger argument for an expectation of privacy even with minimal encryption (read: ease of use and implementation) than with none at all. Plus, the cost of software (for the client end) can be billed to the client as an up-front expense if the client desires to communicate via email.
The above is just a cursory look at the law to alert you to the potential danger of communicating with clients via unencrypted email. Log on to Lexis.com to research the above in more detail. And to avoid being the next victim, encrypt now.
Some encryption providers:
The above isn’t even close to comprehensive. Have your IT staff research solutions that will work with your firm.
Filed under Blog, Policies/ Procedures, Technology by Brian J. Ritchey
Comments on Unencrypted Emails Between Attorneys and Clients May Not Be Privileged »
Tom Mighell @ 4:52 pm
Brian, are you saying that lawyers should not be communicating with their clients via email under *any* circumstances? If I send an email to my client's home computer, or if my client is the owner of a company (sole proprietorship or otherwise), I'd argue that those individuals still have an expectation of privacy in those emails.
I agree that one should exercise caution when emailing a client at their place of business — either get written permission to send email to their business, or don't do it at all.
But I haven't seen any caselaw yet that says that a person has no expectation of privacy in the email communications they receive at home, or at a business where they are in charge (and therefore can create their own email policies).
Brian J. Ritchey @ 7:05 pm
Tom,
Thanks for your comment. I am not saying under no circumstances should attorneys communicate with clients over email. However, I am concerned with misinformed expectations of privacy beyond the circumstances applied in the cited cases. In my opinion, any private communication you wouldn't want read by others should not be sent via unencrypted email, regardless of current caselaw.
In fact, let's take the courts out of it for a second. Let's just look at sensitive communications in general. If you wouldn't want your adversary to see the communications even if it were protected from the jury, you wouldn't speak loudly with the client in a public place or dispose of a confidential document by throwing it (intact, without shredding) into a waste basket. If you communicate over unencrypted email, you are practically doing just that. Email (without encryption) sends information in clear text, easily intercepted and read by literally hundreds of freely available applications on the internet that "sniff" internet traffic. Anyone can read what you wrote. Though attorneys (to my knowledge) haven't made a convincing argument to a judge that there is no expectation of privacy in ANY unencrypted email communication, if your adversary gets their hands on what was written, it still affects the case even if the jury never sees it.
That said, I agree that courts have, for the most part, not made waves in this area. I believe that is due more to lack of understanding of the technology involved than a solid foundation of protection accorded by the courts. The line of thinking in current caselaw looks at expectations of privacy in the context of control over the method of delivery and storage. In my opinion, it is not relevant where email is stored or delivered. If it is not encrypted, then there is no privacy in any of the contents. Why? Because anyone can read it - not just those who store or deliver the email. Anyone who has a "packet sniffer" program can listen in on communications. It requires no specialized tool, no proximity within earshot of the conversation. It just requires that the clear text email makes its way past your sniffing program. Considering that email many times goes all over the world before it makes it to the recipient across town, there are plenty of opportunities for the email to be intercepted.
Further, once intercepted, someone could change the actual text of the email. The below is an excerpt from Internet RFC/STD/FYI/BCP Archives, RFC 2821 (Copyright The Internet Society 2001) under Section 7: Security Considerations:
"SMTP mail is inherently insecure in that it is feasible for even fairly casual users to negotiate directly with receiving and relaying SMTP servers and create messages that will trick a naive recipient into believing that they came from somewhere else."
Read more at http://www.faqs.org/rfcs/rfc2821.html
You could make the argument that intercepting email is akin to opening a letter in your mailbox. Aside from the federal laws against reading mail from another person's mailbox, letters in a mailbox are sealed in an envelope. Without encryption, email isn't sealed by anything but headers that are unknown to the casual user. What about faxing? Faxes are point to point (traditional faxing via phone line at least) which is similar to a postal letter.
Just a few weeks ago the British and American defense agencies agreed to a new secure email protocol (http://www.computerworlduk.com/technology/security-products/authentication/news/index.cfm?newsid=6964). Microsoft and others have developed Sender-Id protocol (http://www.microsoft.com/mscorp/safety/technologies/senderid/default.mspx). Both are ways to offset the inherent insecurity of email communications.
Until a new security standard is adopted for email by attorneys, I believe utilizing email for sensitive communications without any encryption puts you at risk of being the unlucky example of a persuasive "tech-adept" attorney.
Tom Mighell @ 8:23 am
Thanks, Brian — I agree with all you have said. But your statements about packet sniffing and encryption argue more for encryption for anybody, not just lawyers. By the way, what encryption program do you use for your private communications (assuming you send private communications by email), and do you recommend it for other lawyers? I have used PGP, which is dead simple to learn.
I have been speaking on email security for a number of years — during that time, I have yet to find a single report where a lawyer's confidential communications were intercepted by people other than the client's employer (it may certainly be happening out there, but unknown to us). If you are aware of any reports where lawyer-client communications were intercepted via packet sniffer or some other nefarious means, I would love to get them, to add to my research database. As an aside, we (I) have been hearing about packet sniffers and interception for some time, but we rarely, if ever, hear about circumstances where specific people are intercepting specific emails — is it all happening in private? I don't know.
Leaving aside the obvious ethical implications of intercepting your adversary's email (which I hope would be enough to deter a lawyer from doing something like that), I would guess that if lawyers *are* doing this, they are keeping it to themselves — otherwise, they would probably find themselves subject to liability under the Electronic Communications Privacy Act or maybe the Stored Communications Act.
In my opinion, lawyers should be more concerned about their own conduct than the illegal conduct of others. There are a number of ways that lawyers can compromise the confidentiality of their own communications:
– Misaddressing an email to the wrong client.
– Sending to the correct client, but attaching another client's document.
– Compromised security at the lawyer's or recipient's computers.
– Sending email to a client's employer (which we have discussed).
Encryption would clearly protect the email under all of these circumstances. That said, the ABA Law Technology Resource Center 2007 Survey states that only about 15% of lawyers are using encryption. I suspect that as long as ABA Ethics Opinion 99-413 is out there saying it's okay to send an unencrypted email without a breach of confidentiality, or until we get a major decision disagreeing with that opinion, lawyers probably won't be rushing to adopt encryption.
There are also a couple of practical (but not insurmountable) reasons why lawyers don't do this. First, you'll have to make sure that *all* of your clients who communicate with you via email use the same encryption program. What if a number of your clients insist on using email with the encryption software of their choosing, and they are all different products? It's just not realistic for a lawyer to run 2-3 different encryption programs to deal with clients — but the client's IT department will probably want some say in the matter, as well.
Further, there are a number of countries worldwide that have specific laws regulating encryption and cryptography in general — so if lawyers have international clients, they will have to make sure they are complying with those laws, too.
Brian J. Ritchey @ 5:25 pm
I have used several different programs and don't recommend any in particular. PGP is easy to use, but there are some even easier if not as feature-rich. Like you said though, it is difficult to recommend one over the other since it requires all clients to use the same program. PGP is the standard so it is always the first one that should be considered.
As far as packet sniffing, yes, it is usually done in private. In fact, it is only exposed when someone wants to make a name for themselves. Otherwise, you run the risk of the network closing the exploit. Every network is hit by potential sniffers hundreds if not thousands of times a day. It is just a matter of the wrong information getting in the hands of an interested person.
It is doubtful that most attorneys care to get this detailed into the technology, but here is a good article regarding packet sniffing programs and how easy they are to use to gain access to private information (including email communications):
http://www.itsecurity.com/features/sniffing-security-problem-101607/
Regardless of whether ethically forgiven, if you want to protect sensitive communications between yourself and your client, you don't want to communicate via email unless it is encrypted.
Thanks again for the great comments.
Andrea Cannavina @ 10:30 am
Brian:
Thanks for posting this information. I will be directing my clients here to read the discussion.
I don't know why people think that e-mail is as safe and secure as a postal letter — but after conversations with 1,000's of attorneys and business owners over the years, I do know that it is a common perception.
I have found the easiest way to explain it to those less webby, is to say that e-mail is more of a postcard than it is a sealed envelope.
Usually, the next question I get is: "Then how do I exchange confidential work product with my clients safely?"
My response: as with all forms of technology, there are lots of options.
The best fit for any particular firm will depend on many factors, including (but not limited to): size of the firm, in-place equipment/IT resources, and the technology comfort level of the end users (for this discussion "end user" must also include the firm's clients since they will have to be instructed on how to use whatever method of exchange the firm adopts).
A few options for the tech end include: the firm creating password protected client specific pages on their website, where documents and exchanges are loaded; or using a secure file transfer service such as http://www.SendThisFile.com.
Also, adding one more to Tom's list above of what else can go wrong with e-mail: most e-mail applications do not have an on-going back up - meaning that if the software shuts down for any reason **poof** what you were working on is now gone. No, there's no .bk file anywhere containing the contents. It's just gone. This is why I advise all my clients to draft their detailed communications/documents in word processing software.
Again, thanks for posting and getting this very serious topic "out there".
Andrea Cannavina
LegalTypist, Inc.
http://www.legaltypist.com
http://www.legalva.com
rdmullins @ 9:59 am
Interesting thread - I hadn't heard about the NY ruling, and will definitely bring it to the attention of our managing partner. E-mail has this innocuous quality to it that lulls many users - particularly inexperienced users - into a false sense of security. For instance, my e-mail inbox has proxy access to the attorneys' e-mail inboxes so that I can monitor for scheduling issues, federal e-file notifications, time-sensitive communications from clients' billing departments, and so forth. However, the sheer volume of (should be) privileged information I see go back and forth on a daily basis is mind-boggling. I've seen e-mails detailing lit strategy that go out to upwards of twenty recipients at the same time (clients, co-counsel, co-counsels' support staff, etc.). If that isn't compromising, I don't know what is. Any one of these people, or the incalculable number of people to whom they could forward our original message, sits just one mouse-click away from finding a new best friend in the adverse counsel's office. Scary stuff.
I'd also like to second Ms. Cannavina's comment regarding e-mail retention - one of our firm's branch offices just recently discovered their retention policy did not meet the requirements set out by our malpractice carrier. Thankfully, this turned up in a routine audit rather than in a case where it might really have dire consequences. Still, though, it's certainly something that needs to be on the firm's radar.