GPSOLO December 2008
E-Mail Disclaimers and E-Mail Security
E-mail security is of interest to lawyers for several reasons. First and foremost, e-mail transmission and delivery are inherently insecure. E-mail can conceivably be intercepted at numerous points along its route of transmission, and it is stored briefly at several different servers along the way before it is delivered, again giving rise to security concerns.
Personally, I think that concern over this aspect of e-mail security is frequently overblown. Consider for a moment sending an overnight mail package: Have you ever read the delivery contract? Most likely, it gives the carrier the absolute right to open the package for almost any reason. How good is the security of that package along the way? Who might be opening your package and reading the contents?
In actual fact, the likelihood of a particular e-mail message being intercepted by a truly interested party is relatively low. That being said, you, as a lawyer, still have an obligation to take reasonable steps to protect the confidentiality of client information.
Another reason that e-mail security is of concern is the ease with which e-mail can be misdelivered. Technology consultant Ross L. Kodner has discovered that the shortest interval of time known to science is what he refers to as the “ono” second, defined as the interval of time between pressing the “Send” key and realizing you have sent the e-mail to the wrong party. It is just so easy with e-mail to mistakenly press the “Reply to All” button when you intended instead a private reply to a single person. In my own experience, I thought I had replied to an individual whom I was trying to recruit for an ABA Section, offering to pay her expenses to attend the meeting. I was more than a little chagrined when I discovered that I had replied rather to a listserve and received dozens of replies accepting my kind offer.
Yet another concern about e-mail security is the potential loss of attorney-client privilege. And this leads us into the question of e-mail disclaimers.
First, a bit of history: Where do these disclaimers come from? For my younger readers, let me begin by explaining that there once was a communications technology used in the age of steam and horseless carriages. It was called a fax and was used to send a copy of a document over a telephone line from one fax machine to another. You may never have seen one, but they were really useful in their day. These fax machines could store telephone numbers to make it easier to send a fax without having to manually enter a number. This led, of course, to faxes being inadvertently sent to the wrong person when the wrong stored number was mistakenly used. Moreover, faxes were often sent to people at hotels, where the fax would be received by a business center and delivered to a hotel room. This led to concerns that the information in the fax might be misdelivered or read by persons for whom it was not intended.
Enter the cover sheet. The cover sheet was added to a fax indicating to whom it was addressed and containing a frightening directive setting forth just what awful things would happen if the person reading the cover sheet was not the intended recipient. Indeed, several state bar associations considered the issue of a misdirected fax, some holding that a lawyer receiving such a fax had a duty to return it or destroy it unread, while others came up with different approaches. With a fax, the disclaimer appeared on the very first page where it would be immediately seen.
Enter the world of the e-mail. Same issue of the ease of misdelivery, and lawyers, being conservative by nature, sought to apply the same solution. However, rather than putting the disclaimer at the beginning of an e-mail, by virtue of reasoning I cannot understand, by nearly universal practice the disclaimer is placed at the end of the e-mail. Thus, the unintended recipient would read the entire e-mail, only to discover the frightening language informing him or her that they had done wrong.
Let me be blunt: An e-mail disclaimer for the most part is an attempt to close the barn door after the horse has bolted. Its legal effectiveness, for the most part, is dubious. More often than not, when read literally, such declaimers are laughable. They drone on interminably in language most opaque and incomprehensible, and they seek to disclaim all responsibility for the content, to frighten by threatening dire legal consequences, and sometimes to prevent retransmission of the e-mail message. Below is a typical disclaimer:
This message is covered by the Electronic Communications Privacy Act, Title 18, U.S. Code §2510-2521. This e-mail message and any attached files are the exclusive property of the Law Office of Dibble, Dabble and Doot and are subject to copyright. This communication is deemed privileged and confidential and is intended only for the person or entity to which it is addressed. Any unauthorized review, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
First, the cited statute doesn’t cover the problem of misaddressed e-mails. The attached files may or may not be property of the law office. Because this disclaimer is added to every e-mail, it might be referring to a document prepared by someone else.
This communication is deemed privileged? By whom? Why? Under what authority? Deeming it doesn’t make it so. It’s intended only for the person to whom addressed? How does this deal with a misaddressed e-mail? (For a nice list of stupid disclaimers, see http://dltj.org/article/pointless-e-mail-disclaimers and also www.goldmark.org/jeff/stupid-disclaimers.)
If their effectiveness is the question, why do we use disclaimers? One reason is concern over loss of attorney-client privilege. Putting an e-mail disclaimer at the end of every message that says “this e-mail message may contain privileged or confidential information. No privilege is waived by the sending of this message” is a questionable way of dealing with this concern. Putting a disclaimer on all of your e-mails is not a substitute for taking appropriate care. And remember who has the sole right to waive attorney-client privilege.
So what should we be doing to protect the confidentiality of our e-mail communications? First and foremost, we should be conscious. We should think about what we are doing when we send an e-mail. Most e-mail is innocuous and trivial. We should not let the banality of most e-mail lull us into overconfidence. Just as when we send a letter marked “privileged communication,” we should consider the content of a message sent to a client and the consequences of that message being intercepted by an unintended recipient. If the content is truly crucial, perhaps e-mail is not the way to send the message. If e-mail is the only available channel, then a disclaimer at the head of the e-mail might be in order.
In circumstances where frequent communication of a highly confidential nature is to take place by e-mail, you should consider the value of encryption. Encryption makes the contents of an e-mail message and/or attachment unreadable by anyone without the encryption key. It requires that the recipient have the same encryption program to be able to read the message, and is thus less convenient but inherently secure. As a patent practitioner, I have often used PGP, a commercially available and highly secure form of encryption, to exchange drafts of patent documents with clients. PGP is priced at $149 and is available for both Windows and Mac operating systems at www.store.pgp.com. And yes, PGP encryption may legally be used in international communications.
A commercial means of securing e-mail is to use secure sockets layer (SSL) communication when sending or receiving e-mail. SSL requires that both the sending e-mail program and the server be capable of an SSL connection. Most common e-mail programs support SSL. Most common e-mail servers do not. However, there are several services that allow you to route e-mail (for a fee) through a server that does support SSL. Unfortunately, both sender and recipient must use the SSL server, adding a small layer of inconvenience. The cost is relatively low, typically in the range of $2 to $4 per month per individual e-mail account.
Be careful about sending e-mails to large groups of people, where each recipient can see the e-mail address of every other recipient. Consider using the BCC field, whereby no recipient sees anyone’s address other than his or her own.
Be aware that e-mail has a long life and can easily be forwarded to persons you never intended. Some people go so far as to put a copyright notice on their e-mails in the hopes of preventing retransmission or cloaking. Personally, I think it is much more effective to put a note on e-mails I don’t wish to see forwarded that reads “Please do not forward this e-mail to anyone!”—not in the disclaimer field but in the body of the e-mail message where it will likely be read. And remember, when you send an e-mail message, a copy is often retained not only by your e-mail program but also perhaps on your company’s server and on the server of recipients and their e-mail programs. Consider, too, where your e-mail message may end up: When I am traveling, my e-mail goes to my BlackBerry, my laptop computer, and to my home. If I lose my BlackBerry, what happens to all those e-mail messages? I find I am pretty careful about erasing e-mail messages from my BlackBerry.
Consider using the subject line of your e-mails to highlight concerns about particularly confidential communications. With privileged communications, a subject line that reads “privileged and confidential communication—do not forward” can help to raise consciousness and preserve the privilege if the e-mail is unintentionally intercepted.
Most importantly, don’t press the send button before you think. Thinking is what you’re paid for. Look at the address fields. Are they correct? Be aware that often e-mail programs display a name rather than an e-mail address. That name may or may not accurately reflect the address off your intended recipient. You can frequently click on the name to see what the underlying address is. Doing this can help you avoid sending an e-mail to the wrong party or to the right party at the wrong address, such as a firm at which your intended recipient no longer works. Consider the further caution of setting your e-mail program to display the actual e-mail address rather than a name.
Consider whether responding by e-mail is appropriate. Sometimes a written letter or a phone call is a better way of dealing with a highly confidential issue. E-mails are easily ignored or forgotten. A letter is memorable. A phone call is interactive with far fewer security concerns.
Be wary of automatically putting a copy of the original message in your reply. Be careful when you hit “Reply” and even more careful when you hit “Reply to All.” Most e-mail programs can be set to simply append the original message and allow you to add new material. Not only can an e-mail message grow annoyingly long this way, it’s also an easy way to unintentionally send information to a wrong party who gets added down the chain to the list of recipients. As a courtesy and to be safe, set your e-mail program not to automatically do so. If you must include a portion of the prior message for clarity, do it manually so that you think about what it is you are doing. A simple cut and paste of only that portion of the message which is truly relevant is easy and requires cerebration on your part.
Putting a virus disclaimer on your e-mails (e.g., “We have checked this message for any known viruses; however, we decline any liability in case of any damage caused by a non-detected virus”) is a particularly ineffective way of preventing the spread of viruses. To my knowledge, a simple e-mail can’t contain a virus. Links can go to locations that have viruses, and various word processing, spreadsheet, and presentation files that support macros can have viruses. Unless it is necessary that you share a source file, a far safer way to send a file attachment is to send it as a PDF file. Recent versions of Adobe Acrobat allow recipients to annotate PDF documents so that you may still engage in collaborative editing in a safe environment.
In summary, there is no substitute for thinking when trying to communicate by e-mail. E-mail is a superb form of communication absent which I could not conduct my law practice. Putting a brainless disclaimer at the end of your e-mails is not a substitute for care, thoughtfulness, and consideration.
This article is intended solely for readers of GPSolo magazine. If you're not such a reader, please do not read this article. This article may contain information of a privileged or confidential nature. If it does, please forget it. The author is not responsible for the accuracy or truth of the information contained herein. Indeed, it may truly be said that the author is not responsible. No animals have been harmed in the preparation of this article. However, several trees have died during the research phase. It is not the intention of the author to render tax advice in this article, and indeed, but for this disclaimer, taxes have never been mentioned. Eat your vegetables.
Daniel S. Coolidge is a recovering large-firm lawyer, now a patent attorney with Coolidge & Graves, PLLC, in Keene, New Hampshire; he may be reached at firstname.lastname@example.org.