Privacy Advisor

E-mails and the Attorney-Client Privilege: Avoiding Risk When Reviewing Employee Communications

June 1, 2008

Andrew Serwin

The ever-increasing use of e-mail as a communication medium creates a number of issues for employers and employees as courts sort out what is, and is not, proper use of an employer's e-mail system. Courts have reached somewhat inconsistent results on these issues, though there are some general principles that can be drawn from the cases. This muddled legal picture is also complicated by the fact that, while in many cases employers will not want employees using their e-mail system, there are cases, such as certain internal investigations, where employers may want to facilitate employees obtaining, and freely communicating with, their own attorneys. The complex nature of this issue, plus the often significant consequences for violating the attorney-client privilege, means that companies should attempt to proactively address this issue, and tread carefully when reviewing attorney-client communications.

Assessing the scope attorney-client privilege for companies is a complex issue and understanding the context in which this particular issue arises is critical to understanding how to address it. Lawyers retained by a corporation to represent it typically do not owe any duty of confidentiality to the company's officers, directors, or employees, particularly if an "Upjohn" warning is given to the individual. This particular e-mail issue does not arise from a situation involving a corporation's attorney, but instead results from an individual retaining an attorney and using a company e-mail system to communicate with the employee's personal attorney.

Cases on Attorney-Client Privilege Issue Have Been Inconsistent
In one of the first reported decisions on this issue, In re Asia Global Crossing, Ltd., a bankruptcy court addressed the application of the attorney-client privilege to an employee who uses a corporate network to communicate with his personal attorney. This case arose in New York, and New York has, by statute, provided that any communication that is privileged under the attorney-client privilege does not lose its privileged nature simply because it is communicated by electronic means or because persons necessary for the delivery of the electronic communication may have access to the content of the communication.

The court noted that it is generally accepted that attorneys can communicate, without fear of disclosure, with their clients via unencrypted e-mail. This court examined the e-mail privacy cases as a starting point and noted that the application of the privilege must be consistent with objective and subjective components. The court ultimately considered four factors when formulating its test to determine whether e-mails were privileged:

  • does the corporation maintain a policy banning personal or other objectionable use;
  • does the company monitor the use of the employee's computer or e-mail;
  • do third parties have a right of access to the computer or e-mails; and,
  • did the corporation notify the employee, or was the employee aware of the use and monitoring policies?

In the In re Asia Global Crossing, Ltd. case, while the court found that third-parties could review the e-mails because they were sent over the network and stored on the company's servers (a fact that is true in virtually all cases), the remaining factors were not met because the evidence was "equivocal" regarding the existence or notice of monitoring policies. Thus, the court could not conclude that the privilege was inapplicable.

Other courts have considered these factors, as well as related factors. In Curto v. Medical World Communications, Inc., the court considered the non-enforcement of a computer monitoring policy, as well as traditional factors that included the reasonableness of the precautions taken by the producing party to prevent inadvertent disclosure; the delay, if any, in the party's actions in asserting an issue, and an examination of the issue of fairness. Whether the computer was in a home office, or an office that otherwise had restricted access has also been a consideration, though not a dispositive one.

California has also addressed this issue in a related context—protection of electronic files on a work computer. In People v. Jiang, the defendant used his work computer to create electronic files that were communications to his attorney. The employer had a computer use policy that stated there was no reasonable expectation of privacy, but it did not preclude personal use, in contrast to the policy in other California cases. Ultimately the court concluded that the defendant's communications were confidential under the attorney-client privilege and could not be used by the prosecution.

A court in New York recently had occasion to address the scope of the attorney-client privilege on an employer's network, and applied In re Asia Global Crossing. In Scott v. Beth Israel Medical Center, a doctor used his employer's email system to communicate with his personal lawyer in connection with an employment dispute. The employer, Beth Israel Hospital, was monitoring the doctor's email and saw these communications. The doctor brought a motion for protective order seeking the return of the emails.

Beth Israel had a computer use policy that disclosed their right to monitor, and explicitly stated that the computer systems could not be used for personal use. The court also noted that the attorney's emails contained what is a standard footer which stated that the communications were privileged and confidential, and were for the intended recipient only. When the court examined the In re Asia Global Crossing factors, it found that one of the key issues for the prior decision, permitting personal use, was not present and particularly when the right to monitor was clearly disclosed, the employee could not assert the attorney-client privilege over emails sent on the employer's network.

Key Takeaways
While the cases are important, drawing some conclusions from the somewhat inconsistent results is important so that companies can take steps to address these issues. Since the key factor for courts when they assess an employee's ability to send attorney-client privileged e-mails to his personal attorney, is whether the employer permits personal use, you should assess your company's computer use policy to see what is said about personal use by employees. If personal use is permitted by the company's computer use policy then caution must be exercised before attorney-client privileged emails because this factor, among the others identified by the cases, is given strong consideration by courts.

It is also important to note that these cases do not address the use of webmail, or other similar forms of email, even if they are used on the employer's network. Several cases, such as Sims v. Lakeside School and Fischer v. Mt. Olive Lutheran Church have drawn a distinction between the use of the employer's email system, and the use of webmail even if on the employer's network, and companies should exercise due care before webmail communications are reviewed, particularly if the attorney-client privilege or other similar privileges are implicated.

Assessing these issues before an incident occurs is important, and a key part of this assessment is one that is overlooked by companies. The most important factor to consider in this scenario is whether your company would want to review attorney-client communications in any, or all circumstances. In some cases (certain internal investigations) companies may want to facilitate privileged communications, and in other cases companies may not in fact desire to review privileged communications, even if other monitoring occurs.

If that is the case, then policies should be implemented to separate privileged communications, if and when email communications are reviewed. If your company does want to review privileged communications then reviewing your policy and changing it (if necessary) to make sure it bans personal use and bans communications with attorneys or others that could participate in a privileged communication. Finally, in light of the California cases that address electronic files generally, companies should consider whether they can review other electronic files if they potentially implicate privileged communications, even if not contained in emails.

As email and electronic files become more ubiquitous, stay tuned for more developments from courts and more inconsistent results until courts fully clarify their analysis.

Andrew B. Serwin is a partner in the San Diego office of Foley & Lardner LLP and has extensive experience in privacy and security matters, including state, federal and international restrictions on the use and transfer of information, security breach compliance, incident response, marketing restrictions, and the drafting and implementation of privacy and security policies. He is the author of "Information Security and Privacy: A Practical Guide to Federal, State and International Law," as well as the "Internet Marketing Law Handbook." He can be reached at 619.234.6655.