American Bar Association
Forum on Communications Law
Ethical Challenges in an Electronic Age
Alan N. Greenspan
Few of us can imagine practicing law without the modern conveniences made available by the electronic age. How did people communicate before e-mail and faxes? How did documents get drafted before word processing? How did we travel without our notebook computers? How did we check stock prices before our company gave us desktop Internet access? Indeed, we all remember times when modern conveniences were considered "inconveniences," e.g., when we complained that we could only leave a message on voice mail, while we now complain about having to leave a message with a person. While it is undoubtedly true that the electronic age has at once made life easier and more hectic, it is also true that it has created new and difficult ethical challenges for lawyers and their clients. This article addresses three of the most interesting issues. First, it addresses the ethical obligations concerning electronic communications between attorney and client. Second, it addresses the parameters of effective e-mail and Internet usage policies. Finally, it addresses the professional responsibilities implicated by electronic evidence.
Confidentiality in Electronic Communications
The challenge of preserving confidentiality in attorney-client communications is not a new one. Imagine the questions that might have arisen when attorneys began communicating via telegraph: The message had to be written out and submitted to the telegraph operator; the operator had to transmit the message over land wires to another location; at the recipient's location, another operator heard the message in Morse code and translated it into English; and the message was given to a courier to be delivered to the actual recipient. At each step of this process, there was an opportunity for the confidentiality of the communication to be compromised. The same issues are raised with respect to modern electronic communications: the problems are the same; it is just the medium that is different.
When an attorney communicates with a client regarding client information, two considerations are implicated. First, there is the attorney's duty of confidentiality, codified under the Model Rules of Professional Conduct1 and various state ethical codes. The second is the question of whether the attorney-client privilege is preserved. In most cases, these two concerns merge because one of the elements of whether a communication is privileged is if it was transmitted in confidence.2 Thus, it is always the case that, barring subsequent waiver, a communication that satisfies Model Rule 1.6(a) also is privileged. But there are many communications not necessarily subject to the attorney-client privilege, which generally applies only to communications for the purposes of rendering legal advice, that must be kept confidential pursuant to Model Rule 1.6(a).3 Thus, a communication may not be privileged but nevertheless may need to be kept confidential. The touchstone of both concerns, in the context of this discussion, is whether the communication was made with a reasonable expectation of privacy.4
Research reveals not a single case or ethics opinion addressing whether communication via telecopy is a violation of Model Rule 1.6(a). One could easily construct an argument that it would be a violation. For example, it is not unusual at my firm for the telecopy center to receive one or two faxes each day that are intended to be directed to another person. Likewise, many attorneys receive telecopies at hotels or other locations where security cannot be guaranteed. Yet few of us doubt that communicating via telecopy is ethical. In fact, despite these risks, the ABA Committee on Ethics and Professional Responsibility cautions only that "prudent lawyers faxing highly sensitive information should take heightened measures to preserve the communication's confidentiality."5 Most lawyers take no further step than to include a notice and disclaimer on their fax cover pages and rely on this to satisfy their ethical duty and their need to preserve privilege. As to the latter, courts uniformly have held that communication via telecopy does not waive the attorney-client privilege.6
Cellular and Portable Telephones
Like telecopy machines, most attorneys nonchalantly use cellular, portable, and other wireless phones to communicate with and about their clients. Yet, on even cursory examination, we know that such communications are easily intercepted, although it is illegal to do so.7 Indeed, it is not unusual to hear others' conversations during the course of one's own conversations on a cellular or mobile phone, and some cordless home telephones can be overheard on baby monitors and other devices. For this reason, especially before the law was extended to make interception of portable phone conversations illegal, several ethics opinions expressed concern about attorneys using wireless telephones to communicate with clients.8 In its most recent pronouncement on confidentiality in the electronic age, the ABA Committee on Ethics and Professional Responsibility refused to express an opinion on the use of cellular and other wireless telephones.9
Electronic mail, or "e-mail," is a generic term referring to a variety of means of communicating over computer networks. Some e-mail travels only over a self-contained, hardwired network. Other e-mails are sent between subscribers to the same online service provider, such as AOL, where both the sender and recipient have password-protected accounts that only they can access. Finally, and most dominantly, there is e-mail over the Internet.
There are two types of risks to the confidentiality of e-mail. The first risk is of authorized, legal monitoring by third parties, and the second is of unauthorized, illegal interception. Make no mistake: Whether one is communicating via a self-contained system or via the Internet, there is a possibility of both types of interception. For example, even if one has a completely secure network with password-protected mailboxes, unauthorized access is a relatively simple matter if the computer is left on and unattended over lunch or overnight.
There are few authoritative pronouncements regarding whether the use of e-mail constitutes a violation of ethical duties of confidentiality. The most recent, and one of the most thoughtful, was by the ABA's Committee on Ethics and Professional Responsibility. In March 1999, the committee generally concluded that e-mail is a confidential means of communicating with and about clients.10 But the ABA committee's opinion is not the first, and, importantly, it has absolutely no binding effect. To date, there are only nine opinions, from
the bars of the states of Alaska,11 Kentucky,12 New York,13 Illinois,14 Ohio,15 North Dakota,16 South Carolina,17 and Vermont,18 and from the bar association of the District of Columbia,19 that unequivocally authorize e-mail communications. Two other state bars, Pennsylvania20 and Arizona,21 permit use of e-mail, but advise client consent or encryption. And two other bar associations, Iowa22 and North Carolina,23 refuse to authorize, and even advise against, the use of e-mail.
A reasoned analysis of the issue indicates that electronic mail, regardless of whether encrypted, ought to be both privileged and confidential. First, interception or other unauthorized
use of e-mail is a federal crime.24 Naturally, therefore, it is reasonable to expect that it will remain private. Second, the criminal act of intercepting e-mail is extremely difficult, far more difficult than sitting outside a client's home and eavesdropping on a portable telephone call, which is equally illegal, and far more difficult than it would be to obtain a fax sent to a hotel. Third, the risk of inadvertent misdirection of e-mail is less likely than the inadvertent misdirection of a telecopy, yet telecopies are unquestionably privileged and confidential. Finally, clients are demanding the convenience, informality, and efficiency of communicating with their lawyers via electronic mail. Since the rules of confidentiality and privilege are designed to protect clients-not lawyers' insurance carriers-the wishes of clients should prevail.
E-mail and Internet Usage Policies
Now that many companies give their employees access to the Internet, as well as internal and Internet electronic mail capability, a concern has arisen regarding the potential dangers associated with this practice. These concerns are well founded inasmuch as cases recently have arisen where use of the Internet or e-mail has played a role. These cases typically involve allegations of harassment or hostile work environments and offer evidence of offensive e-mail or Internet usage in support. There are other potential pitfalls, too. For example, employees may use Internet access to obtain obscenity or child pornography. Although an employer probably would not have liability in such a case, it certainly would be an embarrassment to the company. Another potential problem is the unauthorized downloading of copyrighted materials, an act that could very well expose a company to vicarious liability. As a final example, one might consider the possibility of viruses, Trojan horses, and other harmful programs being downloaded. For all these reasons, prudence dictates that companies adopt and enforce policies and guidelines for Internet and e-mail usage.
The first consideration in any e-mail or Internet usage policy is to dispel the myth that they are for personal use. No doubt many employees believe that e-mail is provided in order to make jokes easier to circulate, and that Internet access is provided so that they can better track their investment portfolio. Obviously, companies provide e-mail and Internet access for legitimate business reasons and employees should be told that they ought to be used only for these purposes. Employees also need to be told that the company can, and will, monitor Internet and e-mail usage. Advising employees of this practice will eliminate any reasonable expectation of privacy with respect to personal matters.25 This ought to be distinguished from the expectation of privacy that one has with respect to business-related communications with and about client confidences.
E-mail and Internet usage policies also should make employees aware of the dangers of downloading files, with explicit warnings about viruses, obscenity, and copyrighted material. System administrators often institute a policy of requiring permission before any material may be downloaded or before any e-mail attachment can be executed. This allows the administrator to check for viruses and also deters the downloading of offensive or illegal material.
Finally, employees should be warned about e-mailing or posting confidential or proprietary information over the Internet. It is all too common for employees of publicly held companies to be frequent contributors to stock chat boards about their employers. Some employees mistakenly think that their posts are anonymous when they are not. With respect to electronic mail, the concern is not so much for interception, which, as discussed in the previous section, is quite difficult, but for the lack of control. Once information is put in an e-mail and sent, the author has completely lost control of its duplication and distribution. It can be forwarded in seconds to hundreds of other users. For some reason, people seem much less worried about what they put in an e-mail than in what they put in hard copy.26
The creation and enforcement of an e-mail or Internet policy can save corporations from significant liability. For example, in Daniels v. WorldCom Corp.,27 the court found that the existence and enforcement of a policy against racist or harassing e-mails justified the dismissal of certain claims against the company by an employee who received that type of message. In at least one state, Connecticut, an employer is required to adopt and distribute a policy advising employees that their e-mails may be monitored.28
Digital and Electronic Data Retention Policies
Although companies routinely adopt retention/destruction policies for hard copy documents, they often do not consider the digital and electronic data, including drafts of documents, e-mails, and other materials. It is clear that this is a mistake for several reasons. First, under the rules of discovery in most jurisdictions, data stored on computers are not only discoverable, but implicate attorneys' duties to the court and opposing counsel. For example, under Rule 26 of the Federal Rules of Civil Procedure, an attorney's signature on a discovery response "constitutes a certification that to the best of the signer's knowledge, information and belief, formed after a reasonable inquiry, the disclosure is complete and correct as of the time it is made."29 Because clients may inadvertently or even intentionally destroy electronic information, the situation also implicates a lawyer's ethical duties. In particular, Rule 3.4(a) of the Model Rules of Professional Conduct prohibits a lawyer from destroying or altering documents or material "having potential evidentiary value" and likewise prohibits a lawyer from counseling or assisting another to do so.30
A second reason to adopt an electronic data retention policy is purely practical. Stored data take up space on hard drives, network servers, and other storage devices, and that space can be used if unneeded data are removed. Also, because these data are discoverable and a party has a duty to produce responsive data, the volume of data becomes unmanageable quite quickly. Imagine having to search through each e-mail sent or received over the past year or more by relevant employees and officers to determine whether any message is responsive to a document request. Undoubtedly, most of the data is wholly irrelevant and nonresponsive, but that often will not prevent the need for a search.31
The third reason to adopt a retention policy for electronic data is to avoid charges of spoliation of evidence. As a general proposition, a party is not under a duty to retain every bit of data, but that duty does arise once a lawsuit has been filed, or, in some situations, when notice of a potential suit has been received. Once proper notice has been given, the duty to preserve evidence applies not only to what has been specifically requested, but to (1) what one knows or reasonably should know is relevant or reasonably calculated to lead to the discovery of admissible evidence; (2) what is reasonably likely to be requested; and (3) what has been requested, even if an objection has been interposed.32 Destruction of evidence can result in sanctions,33 including the sanction of a default judgment,34 and in some states it gives rise to an independent tort of spoliation.35 A charge of spoliation can also be avoided if the policy sets forth the procedures to follow once notice of a claim has been received and if material prior to that time has been destroyed only in accordance with an appropriate policy.36
Parameters of an Effective Policy
The mere existence of a policy will not solve all the problems discussed above. A bad policy can be worse than no policy at all. As an example of what not to do, consider the case of Carlucci v. Piper Aircraft Corp.,37 in which the stated purpose of the policy was the elimination of documents that might be detrimental to the company in a lawsuit. This policy resulted in a default judgment being entered as a sanction.
The leading case providing guidance on document retention/destruction policies is Lewy v. Remington Arms Co.,38 which is instructive, although it did not address the unique problems of electronic data. In that case the Eighth Circuit set forth the following factors for a court to consider in evaluating a retention policy:
(1) Whether the policy is reasonable considering the facts and circumstances surrounding the relevant documents;
(2) Whether the destroyed documents are relevant to pending or probable lawsuits; and
(3) Whether the policy was instituted in bad faith.39
The court was mindful of giving blanket approval to retention programs generally and stated that "a corporation cannot blindly destroy documents and expect to be shielded by a seemingly innocuous document retention policy."40
In considering the parameters of a retention policy, the first inquiry should be directed at current practices. How are employees charged with maintaining a computer system handling historical data? Is the entire system backed up on a periodic basis or is only a portion backed up? How long are backup tapes retained? What happens to an employee's computer, especially its hard drive, when the employee leaves? What is the default for e-mail software, i.e., does it automatically delete, archive, or keep? All these questions must be answered before a policy can be implemented.
Probably the easiest policy to adopt and maintain is to avoid reliance on electronic data altogether. For example, employees might be instructed to print out all significant work-related electronic mail and other data, and to retain those hard copies pursuant to an otherwise applicable document retention program. Then it should be immaterial whether these data also are electronically stored. A second option is to instruct employees to routinely delete nonwork-related electronic mail and documents and archive or otherwise protect from destruction all work-related data. Again, at this point, the electronic nature of the data is irrelevant and they become subject to the general retention policy. Finally, regardless of which of these options is chosen, there ought to be no reason to retain backup copies of electronic mail for more than a few days because important e-mail has been preserved. Backup copies beyond a few days should be recycled. Obviously, the entire policy has to be properly considered and reflected in a manner that bespeaks good faith and reasonableness.
The most valuable advice that one can give about ethics in the electronic age is that a lawyer must not forget that ethical rules continue to apply, even though the context has changed. Just as the telegraph likely presented new challenges, so do electronic mail and Internet access. One of the biggest difficulties at this point in time is the lack of guidance. It should be noted that the ABA's formal opinion on the use of electronic mail was issued only in March 1999, many years after its use became prevalent. To a certain extent, the law always lags behind technology, but the pace of technological advances in the last few years has been unprecedented. Thus, it behooves the prudent attorney to think carefully about "business as usual" and determine whether adjustments are necessary under the current circumstances.
1 . See ABA Model Rules of Professional Conduct § 1.6(a) (1998).
2 . See 8 J. Wigmore, Evidence § 2292, at 554 (McNaughton rev. ed. 1961).
3 . See ABA Comm. on Ethics and Prof. Responsibility, Formal Op. No. 99-413, at n.4 (1999).
4 .David Hricik, Lawyers Worry Too Much about Transmitting Client Confidences by Internet E-Mail, 11 Geo. J. Legal Ethics 459, 478-79 (1998).
5. ABA Comm. on Ethics and Prof. Responsibility, Formal Op. No. 99-413, at 3 (1999).
6 . See, e.g., State ex rel. U.S. Fidelity & Guar. Co. v. Canady, 460 S.E.2d 677, 689-90 (W. Va. 1995).
7. 18 U.S.C. § 2511 (1994).
8 . See, e.g., State Bar of Ariz. Advisory Op. 95-11 (1995) (stating that lawyers should use caution before communicating with clients over cellular phones, but that such use does not violate duty of confidentiality); N.Y. City Bar Ass'n Comm. Prof. & Judicial Ethics Op. No. 1994-11 (Oct.1994) (stating that conversations over a cordless phone are not confidential and may compromise the attorney-client privilege).
9. ABA Comm. on Ethics and Prof. Responsibility, Formal Op. No. 99-413, at 3 (1999).
10. ABA Comm. on Ethics and Prof. Responsibility, Formal Op. No. 99-413 (1999).
11. Alaska Bar Ass'n Op. 98-2 (1998).
12. Ky. Bar Ass'n Ethics Comm., Adv. Op. E-403 (1998).
13. N.Y. State Bar Ass'n Comm. on Prof. Ethics, Op. 709 (1998).
14. Ill. State Bar Ass'n., Adv. Op. on Prof. Conduct No. 96-10 (1997).
15. Ohio Bd. Com. Griev. Disp., Adv. Op. 99-2 (1999).
16. N.D. Bar Ass'n Ethics Comm., Op. 97-09 (1997).
17. S.C. Bar Ethics Adv. Comm., Op. No. 97-08 (1997).
18. Vt. Adv. Ethics Op. 97-5 (1997).
19. D.C. Bar Op. 281 (1998).
20. Pa. Bar Ass'n Comm. on Legal Ethics, Op. 97-130 (1997).
21. Ariz. Adv. Op. 97-04 (1996).
22. Iowa Bar Ass'n Op. 1997-1 (1997).
23. N.C. Bar Op. 215 (1995).
24. 18 U.S.C. § 2511.
25. See Smith v. Pillsbury Co., 914 F. Supp. 97 (E.D. Pa. 1996) (finding no cause of action for monitoring of employee e-mail even where employees were told that e-mail was private).
26. Many people mistakenly believe that a deleted e-mail or file is irretrievably lost. This is not true. The deleted data may be readily accessible on a backup tape. Also, skilled technicians often can retrieve deleted data from a hard drive.
27. 1998 Westlaw 91261 (N.D. Tex. Feb. 23, 1998).
28. 1998 Conn. Pub. Acts § 142(b)(1).
29. Fed. R. Civ. P. 26(g)(1). The failure to produce responsive electronic data may be sanctionable. See, e.g., Crown Life Ins. Co. v. Craig , 995 F.2d 1376 (7th Cir. 1993) (sanction affirmed where party failed to produce electronic data in response to discovery request for "written documents").
30. ABA Model Rules of Professional Conduct § 3.4(a).
31 . See, e.g., In re Brand Name Prescription Drugs Antitrust Litigation, 1995 Westlaw 360526 (N.D. Ill. 1995) (compelling response to discovery request that required production of 30 million pages of e-mail, despite assertion that it would cost over $50,000 to compile, format, search, and retrieve responsive e-mail).
32 . See Turner v. Hudson Transit Lines, Inc., 142 F.R.D. 68, 73 (S.D.N.Y. 1991); National Ass'n Radiation Survivors v. Turnage, 115 F.R.D. 543, 556-57 (N.D. Cal. 1987); William T. Thompson Co. v. General Nutrition Corp., 593 F. Supp. 1443, 1455 (C.D. Cal. 1984).
33 . See, e.g., Procter & Gamble Co. v. Haugen, 179 F.R.D. 622 (D. Utah 1998) (failure to retain e-mails from principals involved in lawsuit warranted sanctions); In re Prudential Ins. Co. Sales Practices Litigation, 169 F.R.D. 598 (D.N.J. 1997) (inadvertent destruction of documents during pendency of lawsuit warranted $1 million sanction).
34 . See Cabinetware Inc. v. Sullivan, 1991 Westlaw 327959 (E.D. Cal. 1991) (default judgment entered as sanction after source codes in dispute were overwritten on hard drive).
35 . See generally Trevino v. Ortega, 969 S.W.2d 950 (Tex. 1998) (where the Texas Supreme Court rejected an independent tort but reviewed those states in which the tort had been recognized).
36. One trap for the unwary is the claim often made that litigation was anticipated soon after an accident or other event for purposes of asserting the work product doctrine. It is extremely important that document retention policies be consistent with this claim.
37. 102 F.R.D. 472 (S.D. Fla. 1984).
38. 836 F.2d 1104 (8th Cir. 1988).
39 . Lewy, 836 F.2d at 1112.
40 . Id.
Alan N. Greenspan is a partner with the litigation and intellectual property sections of Jackson Walker L.L.P., in Dallas, Texas.