Posted on: 10/10/2011
Lauren Fajoni Bartlett, Leake & Anderson
View Latest Articles
ABA’s Position on Electronic Communications and the Attorney-Client Privilege
Protecting attorney-client communications in the age of technology can be a difficult and daunting task. On August 4, 2011, the American Bar Association’s Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 11-459, which discusses the duty to protect the confidentiality of e-mail communications with clients. The advisory opinion pertains to ABA Model Rule 1.6 and the comments thereto, which require a lawyer to maintain confidential communications and act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons. Thus, it is incumbent upon the practitioner to be aware of scenarios where modern communication devices may result in an inadvertent disclosure, thereby compromising confidential attorney-client communications. It is fairly well settled that attorneys and their clients can communicate freely and securely through electronic means without having to take extreme measures in order to ensure that the communications are secure; however, “in the context of representing an employee, this obligation arises, at the very least, when the lawyer knows or reasonably should know that the client is likely to send or receive substantive client-lawyer communications via e-mail or other electronic means, using a business device or system under circumstances where there is a significant risk that the communications will be read by the employer or another third party.” ABA Formal Op. 11-459. Knowing when and under what circumstances the client may have a reasonable expectation of privacy in communications sent from an employer issued communication device is key to understanding when the privilege may be lost.
When the Attorney-Client Privilege May Be at Risk
When it comes to the attorney-client privilege, knowing when your client has a reasonable expectation of privacy in electronic communications is critical to maintaining the privilege. In In re Asia Global Crossing, Ltd., 322 B.R. 247, 258-59 (Bankr. S.D.N.Y. 2005), the question presented was whether an employee’s use of his company’s e-mail system to communicate with his personal attorney destroyed the attorney-client privilege. When Asia Global went into bankruptcy, the trustee compelled the production of a number of e-mails sent by several “insiders” from the corporate e-mail system to their personal attorneys. The trustee argued that the attorney-client privilege had been waived as to those communications because Asia Global maintained a corporate policy that warned e-mail users that such communications were the company’s property, the e-mail system was not secure, third parties could access the e-mail system, and no one was authorized to use the e-mail system to transmit confidential or secret information. In response, the insiders contend simply that they were not aware of Asia Global’s e-mail policy regarding personal or confidential communications.
“Although e-mail communication, like any other form of communication, carries the risk of unauthorized disclosure, the prevailing view is that lawyers and clients may communicate confidential information through unencrypted e-mail with a reasonable expectation of confidentiality and privacy.” Id. at 256 (citations omitted). These types of privileged communications typically do not lose their privileged character merely because they were sent by e-mail or because persons necessary for the facilitation of the e-mail may have access to their content. Id. These principles apply so long as the employee is acting as an agent for the corporation; however, the same does not hold true when the communications are between an employee and his personal attorney. There are few cases that discuss a private employee’s right to privacy in the context of the attorney-client privilege, so one must look to the broader case law to determine when—if ever—a private employee has an expectation of privacy in the workplace.
When Is There a Reasonable Expectation of Privacy?
In order for the attorney-client privilege to attach to a confidential communication, the party invoking the privilege must have a reasonable expectation of privacy in the communication. The Fourth Amendment to the United States Constitution prevents the government from conducting unauthorized or illegal searches and seizures without just cause in any place where we have a reasonable expectation of privacy; however, such protections rarely exist when the searching entity is a private employer (one exception being when the employer acts as an agent for the government). As a general rule private employers have much greater freedom to peruse their employees’ work areas, computers, PDAs and other company issued electronic devices at any time and for any reason without having to consider the Fourth Amendment. See Muick v. Glenayre Electronics, 280 F.3d 741, 743 (7th Cir. Ill. 2002) (laptops belonged to the company, and it could attach whatever conditions to their use it wanted to, regardless of whether those conditions were reasonable.)
While the Fourth Amendment may not be directly implicated in this situation, the common law also places limits on an employer’s ability to search through an employee’s personal information that is stored on an employer owned electronic device. The common law right to privacy derives from the “intrusion on seclusion” tort theory found in Restatement (Second) Torts 652B. The Restatement defines the tort as “the intrusion upon the solitude or seclusion of another which would be highly offensive to a reasonable person.” In these types of cases, courts continue to use the Fourth Amendment reasonable expectation of privacy standard even though as a technical matter constitutional considerations are not in play. See Hansen v. California Dep’t of Correction, 868 F. Supp. 271, 272 (N.D. Cal. 1994) (“[t]he reasonableness requirements of the Fourth Amendment are implicated whether it is a private company or the government that is acting in the role of employer.”); Kline v. Security Guards, Inc., 386 F.3d 246, 260 (invasion of privacy theory of liability requires employee to show that he had a reasonable expectation of privacy); In re Royce Homes, LP, 449 B.R. 709, 735 (S.D. Tx. 03/11/11) (employee’s expectation of privacy must be objectively reasonable).
“An employee’s expectation of privacy in his office, desk and files ‘may be reduced by virtue of actual office practices and procedures, or by legitimate regulation.’” In re Asia Global Crossing, Ltd., 322 B.R. 247, 258-59 (Bankr. S.D.N.Y. 2005), quoting O’Connor v. Ortega, 480 U.S. 709, 717, 107 S.Ct. 1492, 94 L.Ed.2d 714 (1987). There is no bright line rule defining the parameters by which an employer can search through its employees’ work stations, and given the great variety of work environments, the question of whether an employee has a reasonable expectation of privacy must be addressed on a case-by-case basis. O’Connor v. Ortega, 480 U.S. at 718. In general, the test for determining whether an employee’s expectation of privacy is reasonable is whether the employee was on actual or constructive notice that communications sent from an office computer could be accessed by third parties. In re Reserve Fund Secs. & Derivative Litig. v. Reserve Mgmt. Co., 2011 U.S. Dist. LEXIS 55769, 19-20 (S.D.N.Y. May 23, 2011); see also In re Asia Global Crossing, Ltd., 322 B.R. 247, 258-59 (Bankr. S.D.N.Y. 2005) (the question of privilege comes down to whether the intent to communicate in confidence was objectively reasonable; the objective reasonableness of that intent will depend on the company’s e-mail policies regarding use and monitoring, its access to the e-mail system, and the notice provided to the employees.)
When examining this issue, courts consider four-factors: (1) does the corporation maintain a policy banning personal or other objectionable use; (2) does the company monitor the use of the employee’s computer or e-mail; (3) do third parties have a right of access to the computer or e-mails; and (4) did the corporation notify the employee, or was the employee aware, of the use and monitoring policies. Id. at 257. “Because an employer’s announced policies regarding the confidentiality and handling of e-mail and other electronically stored information on company computers and servers are critically important in determining whether an employee has a reasonable expectation of privacy in such materials, the cases in this area tend to be highly fact-specific and the outcomes are largely determined by the particular policy language adopted by the employer.” In re Reserve Fund Secs., supra at *20. Thus, when communicating with a client through a work e-mail address, it is important to know what the employer’s personal use policy is and advise the client that such communications may not be protected by the attorney-client privilege.
Courts have consistently held that if the company has a written policy prohibiting personal communications on company equipment, then it is unlikely that the employee can have an objectively reasonable expectation of privacy. If a company’s electronic communications policy clearly and unambiguously cautions its employees that they do not have a privacy interest in any information stored on a company computer, the employee does not have an objectively reasonable expectation of privacy. See United States v. Simons, 206 F.3d 392, 398 & n.8 (4th Cir. 2000) (no reasonable expectation of privacy in office computer and downloaded Internet files where employer had a policy of auditing employee's use of the Internet, and the employee did not assert that he was unaware of or had not consented to the policy); Muick v. Glenayre Elecs, 280 F.3d 741, 743 (7th Cir. 2002) (no reasonable expectation of privacy in workplace computer files where employer had announced that he could inspect the computer); Thygeson v. U.S. Bancorp, 2004 U.S. Dist. LEXIS 18863, No. CV-03-467, 2004 WL 2066746, at *20 (D. Or. Sept. 15, 2004) (no reasonable expectation of privacy in computer files and e-mail where employee handbook explicitly warned of employer's right to monitor files and e-mail); Kelleher v. City of Reading, 2002 U.S. Dist. LEXIS 9408, No. Civ. A. 01-3386, 2002 WL 1067442, at *8 (E.D. Pa. May 29, 2002) (no reasonable expectation of privacy in workplace e-mail where employer’s guidelines ‘explicitly informed employees that there was no such expectation of privacy’); and Garrity v. John Hancock Mutual Life Ins. Co., 2002 U.S. Dist. LEXIS 8343, No. Civ. A. 00-12143, 2002 WL 974676, at *1-2 (D. Mass. May 7, 2002) (no reasonable expectation of privacy where, despite the fact that the employee created a password to limit access, the company periodically reminded employees that the company e-mail policy prohibited certain uses, the e-mail system belonged to the company, although the company did not intentionally inspect e-mail usage, it might do so where there were business or legal reasons to do so, and the plaintiff assumed her e-mails might be forwarded to others).
This is true regardless of whether the company routinely inspects its computers for non-work related communications or stored data. See In re Royce Homes, LP, 449 B.R. 709, 739-40 (Bankr. S.D. Tex. 2011) (the fact that the company may not routinely or even ever enforce its “no personal use” policy does not give rise to a waiver or estoppel argument because the purpose of the Asia Global test is to determine whether an employee has an objectively reasonable “expectation” of privacy.) Even a policy that states the company “could” inspect computers furnished to its employees would be sufficient to destroy any reasonable expectation of privacy in the stored information. See Muick, supra at 743.
Even with a policy in place, an employee nevertheless may be able to assert a privacy interest in company owned equipment if the company has furnished the employee with space to store or keep personal information or communications. See Muick v. Glenayre Electronics, 280 F.3d 741, 742 (7th Cir. 2002) (right of privacy would exist in employer-owned equipment furnished to an employee for work use if the employer equips the employee with a safe, file cabinet or other receptacle in which to keep his private papers.) For example, an employee may be able to assert a privacy claim if the personal information at issue was stored in a password protected personal folder and saved on the local hard drive; however, no privacy interest would exist if the information was stored in a personal folder on the main server where any authorized person could access it because such an expectation would not be objectively reasonable. See In re Asia Global Crossing, Ltd., supra, 322 B.R. at 259 (recognizing the difference between e-mail systems that grant access to communications from the company server and information stored on office computers or local hard drives). While courts recognize that there is no reasonable expectation of privacy in shared computers and workstations, in cases where an employee has his own password protected computer and is the sole user of the computer, it is far more likely that the employee would have a reasonable expectation of privacy such that the employer cannot access stored information without first obtaining a court order. This same conclusion would hold true if an employee sent e-mails or stored information on systems maintained by outside entities such as Microsoft or Google even though the employee may have accessed those servers from an employer issued computer. See Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp, LLC, 587 F. Supp. 2d 548, 562 (S.D.N.Y. 2008).
An employee is far more likely to have a reasonable expectation of privacy in circumstances where an employer (1) does not have a policy regarding the confidentiality of personal e-mails or electronically stored information; (2) does not prohibit an employee from storing personal information on work computers; (3) does not have a general practice of conducting searches on office computers; and (4) has not notified the employee that he should not have any expectation of privacy in the contents of his office computer. Leventhal v. Knapek, 266 F.3d 64, 73-74 (2d Cir. 2001); see also Leventhal v. Knapek, 266 F.3d 64, 74 (2d Cir. 2001) (employee had reasonable expectation of privacy in contents of workplace computer where the employee had a private office and exclusive use of his desk, filing cabinets and computers, the employer did not have a general practice of routinely searching office computers, and had not placed the employee on notice that he should have no expectation of privacy in the contents of his office computer); United States v. Slanina, 283 F.3d 670, 676-77 (5th Cir. 2002), vacated on other grounds, 537 U.S. 802, 154 L. Ed. 2d 3, 123 S. Ct. 69 (2002) (employee had reasonable expectation of privacy in his computer and files where the computer was maintained in a closed, locked office, the employee had installed passwords to limit access, and the employer did not disseminate any policy that prevented the storage of personal information on city computers and also did not inform its employees that computer usage and Internet access would be monitored); Haynes v. Office of the Attorney General, 298 F. Supp. 2d 1154, 1161-62 (D. Kan. 2003) (employee had reasonable expectation of privacy in private computer files despite computer screen warning that there shall be no expectation of privacy in using employer’s computer system where employees were allowed to use computers for private communications, were advised that unauthorized access to user’s e-mail was prohibited, employees were given passwords to prevent access by others and no evidence was offered to show that the employer ever monitored private files or employee e-mails). Note, however, that the absence of an established policy discouraging employees from storing personal information on company equipment may open the door to a right to privacy argument, but it does not necessarily create an expectation of privacy where it would not otherwise exist. See O’Connor v. Ortega, supra, 480 U.S. at 719.
A Case Study
As with any fact specific inquiry, the question of privilege ultimately comes down to whether the employee’s belief that his e-mails were sent in confidence is objectively reasonable. Ultimately, the reasonableness of that belief hinges on the company’s e-mail policies regarding use and monitoring, its access to the e-mail system, and the notice provided to the employees. In re Asia Global Crossing, Ltd., supra, 322 B.R. at 258-59. In Asia Global, the court ultimately held that the insiders’ communications with their private attorneys retained their confidential nature because of certain ambiguities in the company’s e-mail policy and issues with regard to notice of the policy to its employees. Had the company been more clear in its policies and made that information known to its employees, there is little doubt that the court would have found that the insiders had waived the attorney-client privilege as the Fifth Circuit did in In re Royce Homes, LP, 449 B.R. 709, 735 (S.D. Tx. 03/11/11).
In Royce Homes, the Fifth Circuit considered a similar issue to that posed in Asia Global where the court had to decide whether privileged communications sent between a key employee and his personal attorney were discoverable by the employer in a commercial bankruptcy proceeding. Unlike Asia Global, though, Royce Homes had a clear and explicit electronic communications policy that had been expressly communicated to its employees. The Fifth Circuit followed the reasoning in Asia Global, but reached a different conclusion because “unlike the equivocal corporate electronic communications in Asia Global, the Debtor’s Electronic Communications Policy unquestionably was in force and applied to all “ROYCE HOMES, L.P.” employees.” Id. at 738. The court, therefore, ordered the employee to turn over all e-mail communications with his personal attorney because he waived the attorney-client privilege when he sent communications to his attorney from his work e-mail.
When the client is a corporation, the scenario presented herein more than likely will not become an issue; however, when representing an individual—especially in the context of corporate litigation where the employee and employer may become adverse—it is incumbent upon the attorney to advise the client that e-mail communications sent from a work computer can result in a waiver of the attorney-client privilege. This information should be included in every retainer agreement, and the attorney should advise the client of the associated risks at the outset of the representation. The ABA places an affirmative duty on the attorney to ensure that the attorney-client privilege is preserved throughout the litigation, so it is incumbent upon practitioners to stay informed about technological trends and keep the client informed of how they may impact the attorney-client privilege.
Lauren Fajoni Bartlett is a partner in the New Orleans firm of Leake & Andersson, LLP. Her practice areas consist of product liability, commercial litigation, insurance defense, construction and appellate advocacy. She currently serves as the newsletter editor for the DRI Technology Committee and the Product Liability Automotive SLG, she is the newsletter vice chair for the Product Liability Committee.