May 1998

Using E-mail, Asking for Trouble?
E-mail, the Attorney-Client Privilege
and RPC 1.6

By Mark D. Walters

In today's legal environment, it's not uncommon to find e-mail addresses on attorneys' business cards, letterhead and Martindale-Hubbell listings. We attorneys are asking our existing and future clients to communicate with us via electronic mail. By doing so, however, are we asking for trouble by either waiving the attorney-client privilege or perhaps violating Rule 1.6 of the Rules of Professional Conduct?1 The answer appears to be, "probably not, but it depends."

Internet Security Concerns: The Dilemma

There is concern among technophiles and cyber lawyers that there is not a reasonable expectation of confidentiality or privacy via unencrypted e-mail because the Internet is not secure.2 As explained by Todd H. Flaming, a Chicago attorney and secretary of the Illinois State Bar Association's Standing Committee on Legal Technology, the reasons for this perception and the concerns raised are valid:

In reality, an assessment of how secure the Internet is depends on the way it is used. To discuss what security risks exist requires an understanding of how a particular type of message is transmitted over the Internet.

E-mail messages sent over the Internet reach their destinations because a series of computers copy each message and send it to the next one until it reaches its destination. That is the source of the potential security problems. To understand this, consider an alternative known as "modeming." I tell my computer to call your computer using a standard phone line and send a document to it. That transmitted document is no less secure than the contents of a normal telephone conversation.

The difference between modeming and e-mailing is that my e-mail message does not travel directly to your computer; it passes through at least one other computer before it reaches yours. That computer is almost certainly owned and operated by a third party. Thus, the risk in e-mail comes from the intermediate computers, called "routers." They run software that helps your e-mail message reach its intended destination.

There are two threats to the confidentiality of e-mail messages on a router. First, the system administrator of the router may read the message. System administrators can access e-mail being sent over their computers.

Second, a hacker (technically "cracker" is the proper term) may use special "sniffer" or "spoofer" software to gain access. Data sent over the Internet is commonly sent through a protocol called "ethernet," in which data packets are sent to all computers on the same circuit. Ordinarily, computers ignore data not intended for them. Sniffer software tells a computer to accept all data sent in that circuit, not just data addressed to that computer. The sniffer can then filter out data to search for packets addressed to a specific machine. Spoofer software allows a computer to act like the recipient's computer. When packets arrive, the spoofer sends back a message saying that the information has reached its destination. Through either technique, a cracker can get copies of e-mail messages you send.3
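
Added example (not part of the original article or of Flaming's text): each computer that copies a message onward records itself in a "Received:" header, so the headers of a delivered message show which intermediate systems held a copy and whether each link was encrypted. The Python sketch below reads a constructed sample message; the host names, the two-label domain shortcut and the function names are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not real traffic); all hosts use reserved example names.
SAMPLE = """\
Received: from mx.isp-b.example (mx.isp-b.example [203.0.113.7])
\tby mail.lawfirm.example with ESMTPS id a3; Mon, 6 May 2024 10:02:11 -0700
Received: from relay.backbone.example (relay.backbone.example [198.51.100.9])
\tby mx.isp-b.example with SMTP id a2; Mon, 6 May 2024 10:02:05 -0700
Received: from client-pc.client-co.example (client-pc [192.0.2.14])
\tby relay.backbone.example with ESMTP id a1; Mon, 6 May 2024 10:01:58 -0700
From: Client <client@client-co.example>
To: Attorney <attorney@lawfirm.example>
Subject: question

body
"""

# "with" keywords registered for TLS-protected transfer (RFC 3848, RFC 6531).
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
FROM_RE = re.compile(r"^from\s+(\S+)", re.I)
HOP_RE = re.compile(r"\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>[A-Za-z0-9]+)", re.I)


def domain_of(host):
    # Simplification: treat the last two labels as the operator's domain
    # (a production tool would consult the public-suffix list).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def trace_hops(raw):
    """Return the relay hops in the order the message travelled."""
    msg = message_from_string(raw)
    parties = {domain_of(parseaddr(msg[h])[1].rpartition("@")[2]) for h in ("From", "To")}
    hops = []
    # Servers prepend their header, so the oldest hop is last: reverse the list.
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(header.split()).rsplit(";", 1)[0]  # unfold, drop the date
        hop = HOP_RE.search(text)
        if not hop:
            continue  # the "with" clause is optional; skip headers that omit it
        sender = FROM_RE.match(text)
        hops.append({
            "from": sender.group(1) if sender else "unknown",
            "by": hop.group("by"),
            "tls": hop.group("proto").upper() in TLS_KEYWORDS,
            "third_party": domain_of(hop.group("by")) not in parties,
        })
    return hops


def third_party_relays(hops):
    # Systems run by neither correspondent that stored a copy; their
    # administrators can read it whether or not the link used TLS.
    return [h["by"] for h in hops if h["third_party"]]


def cleartext_links(hops):
    # Links where the message crossed the wire unencrypted (exposed to sniffing).
    return [(h["from"], h["by"]) for h in hops if not h["tls"]]


if __name__ == "__main__":
    for h in trace_hops(SAMPLE):
        print(h)
```

Headers written by upstream servers are not authenticated, so only the entries added by a mail server you operate can be relied on.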

E-Mail and the Attorney-Client Privilege

Because Internet security concerns exist, many have voiced concerns regarding the attorney-client privilege and e-mail. Courts appear to be cognizant of these concerns, but have yet to directly address them. As will be discussed later in this article, the trend appears to be that courts will apply the attorney-client privilege to e-mail messages. To date, however, courts have not addressed the practical considerations of confidentiality and Internet security. For example, in Black v. United States, the court stated:

At the outset, it should be noted that able counsel have raised a venerable plethora of complex legal issues surrounding the complexities of modern day legal practice. In today's real legal world, the use of computerized equipment for the storage and exchange of sensitive confidential information become commonplace. The advent of fax machines, e-mail, ready exchangeability of data stored on hard drives and floppy disks requires a re-thinking of some of the traditional approaches Courts have made in years gone by, to the protection accorded the work product of attorneys and the confidential communications of clients.4

Washington's legislature has codified the attorney-client privilege at RCW 5.60.060:

An attorney or counselor shall not, without the consent of his or her client, be examined as to any communication made by the client to him or her, or his or her advice given thereon in the course of professional employment.5

The attorney-client privilege exists to allow clients to communicate freely with their attorneys without fear of compulsory discovery.6 This rule should apply, even in the electronic age. Such privilege applies to communications and advice between attorneys and their clients and extends to documents that contain privileged communications.7 To invoke the attorney-client privilege, one must establish the following elements:

(1) Where legal advice of any kind is sought (2) from a professional legal advisor in his capacity as such, (3) the communications relating to that purpose (4) made in confidence (5) by the client, (6) are at his instance permanently protected (7) from disclosure by himself or by the legal advisor, (8) except the protection may be waived.8

The attorney-client privilege belongs to the client, but it can be waived either intentionally or inadvertently. For example, if a client discloses to a friend the substance of what her attorney told her, she has intentionally waived the privilege. The attorney-client privilege is inadvertently waived by not taking reasonable precautions to avoid unintentional disclosures.9

Under Washington law, whether or not the attorney-client privilege applies depends largely on the parties' intent that the communication be confidential.10 For example, courts have held that the attorney-client privilege does not apply if the communication is made in the presence of an unnecessary third party. In these cases, courts conclude that the communication was not "made in confidence." The court in Washington v. Anderson, stated: "A privilege may be waived by the presence of third parties, depending on the reason for their presence."11 In Dietz v. Doe, the court explained that the privilege is deemed waived in such a circumstance because the presence of the unnecessary third party suggests that the communication was not reasonably intended to be confidential:

[W]aiver may occur when the communication is made in the presence of third persons on the theory that such circumstances are inconsistent with the notion the communication was ever intended to be confidential.12

Thus, applying traditional analysis and reasoning to the modern dilemma of e-mail, it appears that whether or not e-mail messages between clients and their attorneys are protected by the attorney-client privilege will depend upon whether or not they reasonably intended their e-mail messages to be made (and kept) in confidence, and whether or not they took reasonable precautions to prevent inadvertent disclosures.

Some commentators compare e-mail messages to postcards.13 Because attorneys don't communicate with their clients by postcards, very few cases address the attorney-client privilege with respect to postcards. But, in Saxholm v. Dynal Inc., the court held that a postcard was not protected by the attorney-client privilege because "the manner of conveying the information display[ed] no desire to maintain the confidentiality of the information."14 Consequently, authority exists supporting a waiver argument using the postcard analogy.

Nonetheless, several courts have held that e-mail messages are covered by the attorney-client privilege.15 These cases do not, however, address the issues of whether the parties reasonably intended to have a confidential communication via electronic mail and whether they took reasonable precautions to prevent accidental disclosures. Further, the only case that cites authority for its holding, International Marine Carriers, Inc. v. United States,16 cited two cases that did not involve e-mail. Hence, it appears that these issues remain open for review.

One case which offers some guidance on these issues is United States v. Maxwell.17 Maxwell is a United States Court of Appeals for the Armed Forces case in which a Colonel Maxwell challenged the validity of an FBI search of his computer files, maintained by America Online (AOL), as violating the Fourth Amendment to the United States Constitution.

The Maxwell court noted that a "person may challenge the validity of a search only by asserting a 'subjective expectation of privacy' which is objectively 'reasonable.'"18 Thus, the standards between one's expectation of privacy under the Fourth Amendment, and one's expectation of confidentiality under the attorney-client privilege appear to be similar.

The Maxwell court held that the Colonel had a subjectively reasonable expectation of privacy in his AOL e-mail transmissions.19 Presumably, if the issue of the attorney-client privilege and the Colonel's e-mail was before the court, it would likewise have found that the attorney-client privilege attached to any e-mail communication between Colonel Maxwell and his attorney through AOL. But the court's holding clearly turned on the facts of the case, so the court's holding should not be taken as a broad statement of e-mail privacy.

The court explained that the AOL system offers more security than the Internet:

AOL differs from other systems, specifically the Internet . . . in that e-mail messages are afforded more privacy than similar messages on the Internet, because they are privately stored for retrieval on AOL's centralized and privately owned computer bank located in Vienna, Virginia. . . . AOL's policy was not to read or disclose subscribers' e-mail to anyone except authorized users, thus offering its own contractual privacy protection in addition to any federal statutory protections. It was AOL's practice to guard these 'private communications' and only disclose them to third parties if given a court order. Just for comparison, the Internet has a less secure e-mail system, in which messages must pass through a series of computers in order to reach the intended recipient . . . . While implicit promises or contractual guarantees of privacy by commercial entities do not guarantee a constitutional expectation of privacy, we conclude that under the circumstances here appellant possessed a reasonable expectation of privacy, albeit a limited one, in the e-mail messages that he sent and/or received on AOL. Expectations of privacy, however, have limitations, and this case illustrates some of them.20

The Maxwell court found that the police must obtain a search warrant before searching an individual's computer files, but the court cautioned that a person's expectation of privacy diminishes when using e-mail:

We are satisfied that the Constitution requires that the FBI and other police agencies establish probable cause to enter into a personal and private computer. . . . However, when an individual sends or mails letters, messages, or other information on the computer, that Fourth Amendment expectation of privacy diminishes incrementally. . . . Moreover, the more open the method of transmission, such as the 'chat room,' the less privacy one can reasonably expect.21

The court explained that an e-mail message is similar to a letter because once it is received, the sender can no longer protect its privacy. But, importantly, the court stated that the ability of crackers to intercept e-mail messages does not diminish a person's legitimate expectation of privacy:

[O]nce the [e-mail] transmissions are received by another person, the transmitter no longer controls its destiny. In a sense, e-mail is like a letter. It is sent and lies sealed in the computer until the recipient opens his or her computer and retrieves the transmission. The sender enjoys a reasonable expectation that the initial transmission will not be intercepted by the police. The fact that an unauthorized "hacker" might intercept an e-mail message does not diminish the legitimate expectation of privacy in any way.22

The court implied that if the Internet service provider reviews its customers' e-mail messages, there is no reasonable expectation of privacy:

[T]he relationship of a computer network subscriber to the network is similar to that of a bank customer to a bank. So far as the company's records are concerned, there is no reasonable expectation that the records are private, and the customer has no control whatsoever over which employees may see the records.23

Finally, the Maxwell court warned that this issue would be taken on a case-by-case basis and that there is no expectation of privacy in "chat rooms" or when e-mail messages are forwarded:

Expectations of privacy in e-mail transmissions depend in large part on the type of e-mail involved and the intended recipient. Messages sent to the public at large in the 'chat room' or e-mail that is "forwarded" from correspondent to correspondent lose any semblance of privacy.24

E-mail and RPC 1.6

Attorneys who opt to communicate with their clients by e-mail should also consider Rule 1.6 of the Rules of Professional Conduct, which addresses the obligation and duty to maintain client secrets and confidences.

RPC 1.6 provides:

A lawyer shall not reveal confidences or secrets relating to representation of a client unless the client consents after consultation, except for disclosures that are impliedly authorized in order to carry out the representation . . . .

The terminology section of the RPC defines "confidences" as "information protected by the attorney-client privilege" and the term "secrets" is defined as "other information gained in the professional relationship that the client has requested be held inviolate or the disclosure of which would be embarrassing or detrimental to the client."25

Guarded Conclusions in Other States

The Washington State Bar Association has not issued an ethics opinion addressing e-mail and RPC 1.6, but other bar associations have looked at this issue. Although a trend favoring no violation is clearly developing, the conclusions are guarded. For instance, the State Bar Association of Arizona issued an advisory ethics opinion stating that while lawyers may communicate with existing clients via e-mail about confidential matters, they may want to have e-mail encrypted with a password known only to the lawyer and the client.26 The Illinois State Bar Association stated that "[l]awyers may use electronic mail services, including the Internet, without encryption to communicate with clients unless unusual circumstances require enhanced security measures."27 The Missouri Bar Association issued an opinion noting that Web pages asking clients to contact attorneys by e-mail should warn that e-mail communications are not necessarily secure and confidential.28 The North Carolina Bar Association advises attorneys to minimize the risk of disclosing confidential information when using e-mail and states that if the lawyer knows that the communication can be intercepted, the attorney must notify the parties to the conversation.29 The New York State Bar Association recently issued a draft proposal which states:

No communication otherwise privileged under this article shall lose its privileged character for the sole reason that it is communicated by electronic means or because persons necessary for the delivery or facilitation of such electronic communication may have access to the content of the communication.30

Kevin M. French, a member of the Pennsylvania Bar Association's Committee on Legal Ethics and Professional Responsibility, issued an unofficial opinion that states in pertinent part:

(1) A lawyer may use e-mail to communicate with or about a client without encryption; (2) A lawyer should advise a client concerning the risks associated with the use of e-mail and obtain the client's consent either orally or in writing; (3) A lawyer should not use unencrypted e-mail to communicate information concerning the representation, the interception of which would be damaging to the client, absent the client's consent after consultation; (4) A lawyer may, but is not required to, place a notice on client e-mail warning that it is a privileged and confidential communication . . . 31

The South Carolina Bar Association issued an ethics advisory opinion finding that the use of e-mail does not affect the confidentiality of client communications under South Carolina Rule of Professional Conduct 1.6.32

Finally, the Vermont Bar Association issued an advisory opinion which states:

(a) . . . [E]-mail privacy is no less to be expected than in ordinary phone calls, and (b) unauthorized interception is illegal, a lawyer does not violate [the Disciplinary Rules to maintain the confidentiality of client information] by communicating with a client by e-mail, including the [I]nternet, without encryption. In various instances of a very sensitive nature, encryption might be prudent, in which case ordinary phone calls would obviously be deemed inadequate.33

Importantly, the Vermont Bar Association noted that the

Attorneys' Liability Assurance Society (ALAS), a captive insurance company which insures lawyers against malpractice claims, advises its members that encryption is not necessary on the Internet except for items so sensitive as to require avoidance of any threat of interception.34

Practice Pointers for Attorneys Using E-Mail

The Attorney-Client Privilege:
The Maxwell Case Offers Guidance

As explained above, no hard-and-fast rule has developed regarding the impact of e-mail usage on the attorney-client privilege. Maxwell strongly suggests, however, that when presented with evidence of the Internet's privacy limitations, courts will review the reasonable expectation of confidentiality and reasonable precautions issues on a case-by-case basis. Hence, it appears that reason for caution still exists. Nevertheless, the Maxwell court appears to set forth the following guiding principles:

• If the Internet service provider used by the attorney and client does not read or monitor e-mail, the expectation of confidentiality is more likely to be deemed reasonable. Note, however, that this requires two reviews: both the attorneys' and the clients' Internet service providers must be checked.

• Until the law in this area is more fully developed, law firms and attorneys should host their own e-mail service providers so that their clients' e-mail is stored in their own computer system, rather than on a (potentially unnecessary) third party's service provider.

• The initial transmission of e-mail messages between clients and their attorneys is probably protected by the attorney-client privilege. That privilege is waived, however, if either party forwards that message through the Internet.

• If a client sends an attorney an e-mail message from his company-provided e-mail browser and his company reviews and monitors employee e-mail, the client probably inadvertently waived the attorney-client privilege. Note, however, this would not apply if the client is communicating with his attorney on a matter of company business.

• The reasonable expectation of confidentiality is not lost simply because it is technologically feasible for crackers to intercept e-mail messages.

• There is no expectation of privacy in "chat rooms" or on a bulletin board service (BBS). Therefore, attorneys and clients should not seek legal advice through these electronic forums.

RPC 1.6: There is Reason for Guarded Optimism

As with e-mail and the attorney-client privilege, the relation of e-mail communication to the attorney's responsibilities under RPC 1.6 is not yet clear. On the one hand, the bar associations noted above reflect a trend favoring no violation of an attorney's duty to protect client confidences and secrets by using e-mail. On the other hand, these bar associations also recommend that precautions be taken, so until the law in this area fully develops, it's better to be safe than sorry.

• RPC 1.6(a) requires consultation and client consent before an attorney may ethically reveal client confidences and secrets. Thus, attorneys should inform existing clients in writing that e-mail messages may not be secure.

• Lawyers who advertise their e-mail address in such a way that potentially new clients are asked to send e-mail messages should include a warning in the advertisement that e-mail messages may not be confidential.

• Lawyers who choose to communicate with their clients via e-mail should amend their engagement letters to include a warning regarding the loss of confidentiality.

It is probably not necessary to use encryption when communicating with clients by e-mail, but highly confidential or highly secret messages should never be sent by unencrypted e-mail, and attorneys should warn clients in writing about the risks of doing so. If the matter is one you wouldn't discuss with your client on a crowded airplane, don't discuss it via unencrypted e-mail.

Endnotes

1. Much has been written on this subject. One excellent article is by Joan C. Rogers, Legal Editor, ABA/BNA Lawyers' Manual on Professional Conduct, entitled Malpractice Concerns Cloud E-mail, On-line Advice. See also Krakaur, Peter J., Treat E-mail Like Other Communications: An Argument Against Mandatory Encryption of Attorney-Client Communications. Available online at http://www.llrx.com/features/e-mail.htm.

2. See, e.g., Donald S. Skupsky, The Internet and Business: A Lawyer's Guide to the Emerging Legal Issues, Ch. 8, "The Discovery and Destruction of E-mail," (Computer Law Association 1996).

3. Flaming, Todd H., Internet E-Mail and the Attorney-Client Privilege (1998). (Arguing that the attorney-client privilege should attach to unencrypted e-mail messages between attorneys and clients).

4. 172 F.R.D. 511, 515 (D.C.N.D. 1997) (emphasis added).

5. RCW 5.60.060(2)(a).

6. Dietz v. Doe, 131 Wn.2d 835, 842, 935 P.2d 611 (1997).

7. 131 Wn.2d at 842.

8. J. Wigmore, Evidence § 2292 at 904, (MacNaughton rev. ed. 1961).

9. See, e.g., "McGreevy v. CSS Indus., Inc.," 71 Fair Empl. Prac. Cas. (BNA) 1644 (1996) ("To maintain the privilege, a person must take affirmative action and institute reasonable precautions to ensure confidentiality.").

10. Matter of McGlothlen, 99 Wn.2d 515, 663 P.2d 1330 (1983).

11. 44 Wn. App. 644, 650, 723 P.2d 464 (1986).

12. 131 Wn.2d 835, 850, 935 P.2d 611 (1997).

13. See Virginia Shea, "Miss Manners' Guide to Excruciatingly Correct Internet Behavior," Computerworld, Mar. 6, 1995, at 85; Elsa F. Kramer, "The Ethics of E-mail: Litigation Takes on One of the Challenges of Cyberspace," Res Gestae, Jan. 1996, at 24, (suggesting that e-mail might be less secure than a postcard).

14. 164 F.R.D. 331, 339 (E.D. N.Y. 1996).

15. See North Dartmouth Properties, Inc. v. United States, 1997 U.S. Dist. LEXIS 18948 (N.D. Ma. 1997); International Marine Carriers, Inc. v. United States, 1997 U.S. Dist. LEXIS 4155 (S.D.N.Y. 1997); Heidelberg Harris, Inc. v. Mitsubishi Heavy Indus., Ltd., 1996 U.S. Dist. LEXIS 19274 (N.D. Ill. 1996); Stopka v. Alliance of Am. Insurers, 1996 U.S. Dist. LEXIS 5466 (N.D. Ill. 1996); West Virginia v. Canady, 194 W.Va. 431, 460 S.E.2d 667 (1995); IBM Corp. v. Comdisco, Inc., 1992 Del. Super. LEXIS (1992).

16. 1997 U.S. Dist. LEXIS 4155 (S.D.N.Y. 1997).

17. 45 M.J. 406, 1996 C.A.A.F. 116 (1996).

18. 45 M.J. at 417.

19. 45 M.J. at 419.

20. 45 M.J. at 417 (emphasis added; citations omitted).

21. 45 M.J. at 417-19 (emphasis added; citations omitted).

22. 45 M.J. at 417-19 (emphasis added; citations omitted).

23. 45 M.J. at 419 (citations omitted).

24. 45 M.J. at 417-19 (emphasis added; citations omitted).

25. Rules of Professional Conduct, Terminology Section, Washington State Court Rules, at 34, (West 1998).

26. A summary of Arizona Advisory Opinion 97-04 (4/7/97) is available online at http://www.legalethics.com/states/az.htm.

27. ISBA Op. No. 94-11 (11/94). Available online at http://www.jmls.edu/cyber/docs/isba9610.html.

28. Missouri Opinion 1997-10.

29. North Carolina Opinion 215 (4/13/95). Available online at http://www.barlinc.org/ethics/ethp215.html.

30. CPLR §4547 as approved by the executive committee of the NYSBA on Jan 24, 1997.

31. Pennsylvania Opinion 97-130 (9/26/97). Available online at http://www.legalethics.com/states/97_130.htm.

32. South Carolina Ethics Advisory Opinion 97-08 (06/97).

33. Vermont Opinion 97-5. Available online at http://www.vtbar.org/ethics/97-05.htm.

34. Id.

Mark D. Walters is an attorney with Oles Morrison & Rinker LLP. He invites your comments and feedback via e-mail at Walters@Oles.com. The author thanks Consultant and fellow Oles Morrison & Rinker LLP attorney, Elizabeth Anne Vaughan, for her editorial assistance.





Last Modified: Tuesday, June 24, 2003
