Home – Attorney-client privilege: Technological changes bring changing responsibilities for attorneys and legal departments

Attorney-client privilege: Technological changes bring changing responsibilities for attorneys and legal departments

 Among the many things that have been challenged by the advent of digital, portable, mobile and social network communications is attorney-client privilege (ACP).  The risks and pitfalls change as technology changes to enable us to communicate and share information from anywhere, store and share information on tiny devices or somewhere on the Internet, and access the Internet via WiFi® hotspots.  Gone is the need for wires and cables and large machines.  Also gone is confidence that confidential information will not easily and accidentally find its way to your opponents in litigation, or that your communication will be privileged.


The  most  popular LexisNexis® Webinar for corporate legal departments in 2013 was on ACP in the context of corporate witnesses.  Our panel featured three attorneys who represent corporations large and small in litigation, and dedicate themselves to preserving, challenging and otherwise staying up to speed on how the risks and rules of ACP are changing, particularly because of digital communications. 


The speakers were Kay Baxter, a founding partner of Swetman Baxter Massenburg, LLC, Daniel G. Wills of Swanson, Martin & Bell, LLP, and Amy Bures Danna with The Clary Law Firm, P.C.


How has ACP evolved over the years?


Corporations are asking about ACP more and more in the digital and social media age of communication, said Wills.  Whether a specific document is privileged is not always an easy question to answer.  Some courts have held it is a case-by-case and even a document-by-document determination.  Several have provided tests. 


Historically, Wills said, courts held that self-incrimination is part of privilege, so it is a personal right and should not apply to corporations.  Some courts have held that privilege should not apply to corporations where information is flowing freely among employees, he said.  Some courts have expressed concern that corporations will manipulate ACP by, for example, running potentially damaging documents by counsel for the sole purpose of protecting the documents, Wills said.


These views narrowed in the 1960s and 1970s. The so-called “Control Group Test” limited ACP to communication exchanges among persons in an organization who have authority to shape corporate policy or act upon a lawyer’s advice.  “In other words, management,” Wills said. 


However, the Supreme Court  rejected the Control Group Test in its 1981 decision in Upjohn v. U.S. 499 U.S. 383 (1981), holding the test was too stringent because it hindered the free flow of information between counsel and non-managerial employees, who are the sources of a great deal of information.   Upjohn of course applies in federal cases, Wills said, but some states have adopted it: Alabama, Arkansas,  Arizona, Colorado, Nevada, Oregon, Texas and Utah. 


What about former employees?


The majority of courts have applied Upjohn to former employees, generally speaking, he said, when the issue is information that was obtained during the course of employment.  “If it was privileged then and it remained privileged during the employment, privilege continues,” Wills said.  “However, if you are coaching a former employee prior to testimony and offering coaching tips with regard to the information in evidence, that coaching will not be privileged,” Wills said.  “If you talk litigation strategy or work product, that likely isn’t going to be privileged.”  See Peralta v. Cendant Corp., 190 F.R.D. 38, 41 (D. Conn. 1999).


“When talking to a former employee, assume there is no privilege until you’re satisfied there is privilege,” Wills said.  “Conduct due diligence on former employees—determine dates of employment, the contents of their discussions with corporate counsel, their role in the organization, and whether they are represented by independent counsel.  Make sure you tailor your severance agreements to ensure privilege continues.  Remember to be careful in all forms of discovery, from interrogatories and depositions to trial preparation.


“Check to see if the witness is represented by independent counsel.  Ninety percent of the time I do represent the former employee,” Wills said, “but you want to avoid soliciting and you want the client itself to offer representation to the former employee.  Your client should provide a list of former employees.”


How does an attorney protect ACP in the digital age?


Speaker Amy Danna from The Clary Law Firm, P.C.,  said new forms of electronic communication, such as texting, Tweeting via Twitter®, social networking, and instant messaging, are creating new challenges for attorneys and new expectations on the part of their clients in how they communicate with the outside attorney. “Our respective bars are beginning to have new expectations of us as well.  We remember the times when we brought clients into the office for confidential discussions, held discussions via landlines, or simply used the U.S. mail.  Now that clients reach out to us in new media, the duty to protect confidential information of all types is further challenged by the fact that many lawyers don’t understand electronic information or have failed to take necessary precautions to protect it.   We are required to take precautions by professional rules of conduct, common law and contracts, state, federal and international rules, and court rules.  Firms operating on an international basis have special considerations because the ACP isn’t defined the same way across the globe,” Danna said.  


To protect ACP, Danna said attorneys should educate their clients on the basics.  Clients have to learn how to avoid intentional and inadvertent disclosures, and should thoroughly understand the risks of disclosure.  Also, attorneys can make it simple for clients.  Tell them never to communicate via text or instant messaging, for example, she said.  “Tell them to pick up a landline or send in encrypted email.  Advise them to add the words Attorney-Client Privilege in the email subject line.  It’s a reminder to the the client that this is confidential information.  If the message is accidentally sent to opposing counsel, they are on notice that the email contains ACP information.  Also, if not currently engaged in litigation and your communications are marked ACP it makes it easier in the future,” Danna said.  The same lessons apply to working with corporate witnesses, Baxter added.


Are employees right to have an expectation of privacy?


Danna discussed City of Ontario v. Quon, 130 S.Ct. 2619 (2010), which evaluated public employee rights to privacy on mobile devices under the Fourth Amendment. The employee, Quon, a SWAT team member, was using state-owned equipment for non-work communications, including sexually explicit messages.  The Supreme Court held that, yes, Quon had an expectation of privacy in using the device, however the city’s audit was a reasonable search because Quon knew he could be audited at anytime and that his overuse of the device for non-work exchanges was a rational reason for an audit.  The device in this case was a pager and the court did not take the opportunity to create a hard-and-fast rule for all mobile devices given the rapid change in technology, Danna said. 


What about email sent via a company computer to an employee’s attorney?


Danna turned to Holmes v. Petrovich, 191 Cal. App. 4th 1047 (2011), which addressed the question of  privilege for emails sent to counsel by a person using her employer’s computer.  The employee, Holmes, had been told computers were for company business only, that sending or receiving personal email was prohibited, and that the company would monitor and inspect email usage at any time.  The company explained all of this in its employee handbook, which also said there was no right of privacy when using company computers.  


Holmes sued her employer for wrongful termination after she notified them of her pregnancy.  When she became concerned about her employment she sent an email to her attorney and forwarded him many of her supervisor’s emails.  Holmes’ attorney told her to delete all of the communications from her work computer because her employer might claim a right of access to it, which is what happened.   Holmes later resigned claiming hostile work environment.  The company found the attorney-client exchange on her computer, which the company used at trial. 


The Court of Appeal acknowledged that the California Evidence Code insulated electronic communications from waiver when people involved in the “delivery, facilitation, or storage of electronic communications may have access to the content of the communication.”  However, the panel said this wasn’t the case in Holmes’ situation.  The court held that sending emails on the company computer was akin to consulting her lawyer in her employer’s conference room in a loud voice with the door open where there was a reasonable expectation that the conversation would be overheard.   Her claim of privacy of the exchange was found unreasonable given the warnings by the employer, Danna said.


What about using a personal email account while on company equipment?


In Stengart v. Loving Care Agency Inc., 990 A.2d 650 (N.J. 2010), Loving Care Agency employee Stengart, used a company-issued laptop to communicate with her attorney through her personal, password protected Web-based email account.  She filed a discrimination lawsuit.   The company used a forensic expert and found the attorney client emails.  Loving Care attorneys said ACP was waived because of its written policy that information exchanged via company equipment was not to be considered private.  That was the written policy, with which the New Jersey Supreme Court disagreed, saying an employee has a subjective and objective expectation of privacy in the attorney-client emails, Danna said.  “Stengart had the former because she used a personal email account, and the latter because the company policy did not specifically address the use of personal accounts,” Danna said.  


Citing the important public policy concerns at play with ACP, the court went further and held that a policy that bans all personal use of company computers and includes an unambiguous warning that the company could review all attorney-client communications made through a personal password-protected email account using the company’s email system would not be enforced, Danna said.


“Companies should keep this in mind when using witnesses employed by other companies,” Baxter added.


What should be taught in educating attorneys and legal teams?


Danna urged listeners to consult their own state’s ethics rules, but recited some noteworthy rules from around the country.


California:   Lawyers risk violating ACP if they use public wireless connections without using encryption.


Florida:  Lawyers who use devices that contain electronic storage must sanitize the device before disposing of it.


New Jersey:  The duties associated with ACP will continue to change as technology changes.  Lawyers should use password protection on documents given the difficulty in protecting information on the Internet.


Alabama:   Lawyers may use cloud computing if they stay current on security safeguards and take reasonable steps to ensure their cloud vendor uses suitable methods to protect stored data.


Arizona:   Lawyers must take reasonable steps to protect ACP and must have the competence to evaluate the nature of a potential threat to the system being used to transfer information.  If they lack the competence they should hire an outside expert to consult.


Kay Baxter said law firms should assist in educating clients on best practices.  “Not all companies are Fortune 500® corporations and may not be as sophisticated in this area.  We have used our own IT people to work with the client to secure their system and communications.”


Education should start with evaluating the risks associated with digital communication, Danna said.  Attorneys must know the risks of both internal and external threats.  Internal threats could be use of the equipment and information by firm personnel who might not be sensitive or might not understand the need to protect the information.   External threats can include spyware, malware and hackers.  Outdated encryption tools and computer programs increase risk, she warned. 


Attorneys and legal teams have to be particularly careful with mobile devices. “Unfortunately, mobile devices and wireless systems can be hacked to compromise contact lists, usernames, passwords, client data and browser history.  As well,” she said, “lawyers routinely carry around confidential information on small USB flash drive devices.”  Danna pointed out that 10,000 laptops are lost each week in the nation’s largest 36 airports, typically at security checkpoints.


What can attorneys can do to protect confidential information?


  • Password protect devices and individual documents.
  • Use encryption tools when communicating any privileged information.
  • Create and store electronic documents only on the firm’s network—not on home systems. 
  •  Scrub metadata before documents are sent to external email addresses, including the lawyer’s home email.
  • Avoid installing third-party mobile applications on firm-issued smartphones—they spread malware, infiltrate networks or gain access to data.  Clients should know this too.
  • Put Bluetooth® devices in “non-discoverable” mode, protect pairing with passwords and pair with other devices only when in a trusted location.
  •  Password protect and encrypt USB flash drives.


What about using wireless connections?  Are they secure?


With the great freedom WiFi provides comes risk.  Many small firms and attorneys working from home offices use off-the-shelf systems.  Using these without changing the system’s settings and without using encryption can make the system susceptible to interception by third parties, Danna said.


When working at a hot spot, a coffee shop or a hotel, it is important to know that the transmission between a laptop and base station are not encrypted, she said.  Public computers used by third parties, such as in a hotel business center, should be used only with proper precautions to prevent anyone who uses the computer after you from gaining access to your email.  There are some simple solutions such as simply logging off and close the web browser, she said.    If there is keylogging on the system there isn’t much a lawyer can do, she said.  Programs can be placed on any computer to allow a third party to capture keystrokes and can compromise passwords and client matters. 


Malpractice insurers suggest you do not use text and instant message to conduct client communications, Danna said.  They are not as secure and encryption is not as available as it is for email systems.  Further, she said text and IM conversations are very informal, prone to errors and misspellings, automatic word substitutions and can be a smoking gun in a malpractice suit.  Text and IM data are more vulnerable to hacking, interception and misdirection, she said.  If the device is lost the messages are easily accessible and preserving a record of conversations is more difficult than with email, she said. 


“Clients are increasingly using and expecting lawyers to use these other forms of communications and not appreciating the risks they pose,” Danna said.


What can be done to protect confidential information?


Danna offered the following tips to protect data:


  • Create a confidentiality policy and circulate it annually.  Consider assigning an attorney as the ACP lead for the firm.
  •  Adopt policies to address text and instant messaging and other Internet communications.
  • Conduct a risk assessment of all devices, including computers, tablets, PDAs, mobile phones, flash drives, etc., and assess the sufficiency of current safeguards.
  • Require password protection, especially for portable electronic devices such as smartphones and laptops.
  • Configure desktop and portable devices to lock after a defined period of non-use.
  • Configure portable devices to permit the firm to remotely wipe them if they are lost or stolen.
  • Use tracking devices that can report a device’s location once connected to the Internet.
  • Encrypt all protected information sent from or stored on any electronic device.
  • Evaluate existing firewalls, antivirus software and other security measures, and make necessary upgrades.
  • Be very careful with auto-fill functions in emails, Baxter added, which often fill in the name of a recipient that may be close to the name of the person you intend, but is entirely wrong. 


What if disclosure was accidental? 


While it depends on the state, ACP and work product privilege can be waived by inadvertent disclosures to opposing parties, Danna said.  There are three schools of thought:  1) Any disclosure waives privilege; 2) An attorney cannot waive privilege as it is not theirs to waive; 3) The court will examine the reasonableness of the precautions taken to protect the privilege.  If the disclosure is the result of gross negligence, the court may determine that privilege was waived.


In the third category, Danna said, the courts will apply a multi-factor test to determine whether a disclosure was inadvertent:


  • Were reasonable precautions taken to prevent inadvertent disclosure?
  • How many inadvertent disclosures occurred?
  • What was the extent of the inadvertent disclosure?
  • Was there a delay and what measures were taken to rectify the disclosure?
  • Would the overriding interests of justice be served by relieving the party of its error?


If  you or your client took no precautions, you will face problems with that, Baxter warned. 


Danna added that a firm can get clawback or snap-back agreements or orders, which can reduce risk of waiver in the event of inadvertent disclosure.  Clawback orders generally should protect the content of the document unless a court finds the document is specifically not privileged, she said.  Often times we don’t get those agreements and orders, in which case an attorney has to work quickly to argue that privilege was not waived due to inadvertent disclosure, she said.


What about disclosures on social media?


“Know what type of social media your corporation or corporate client is engaged in,” Baxter said.  “Know if they are using it and how savvy they are.” 


“Courts have generally taken the view that if you’re posting on Facebook® or other sites there is no expectation of privacy or protection,” Baxter said.  She pointed to one court which held that only “the uninitiated or foolish could believe that Facebook is an online lockbox of secrets.”  It’s foremost purpose is sharing information, Baxter said, recommending that companies and firms hold seminars to educate their teams. 


The types of social media information that is discoverable includes relevant content, relevant third-party content and deleted content.   “Discovery requests must not be broad,” Baxter said.  “They must be relevant and they must not be a fishing expedition.”


Some social media best practices,  Kay Baxter said, are:


  • Don’t friend judges, clients, or other parties.
  • Be careful what you say in your profiles.
  • Disclaimers are important but they won’t cover you completely
  • Be careful not to upload contact information that might contain other people’s information.


Baxter also told attorneys to familiarize themselves with the model rules:


  • 1.18 Duties to Prospective Clients
  • 1.1 Competence
  • 1.6 Confidentiality of Information
  •  4.2 Communication with Person Represented by Counsel
  • 7.1-7.4 Information about Legal Services


Attorneys and clients do not have to return to the Dark Ages if they follow these best practices and stay abreast of how those best practices shift with new technology and new forms of communication.


View the recorded Webinar: Attorney-Client Privilege and the Corporate Witness.