Sweat the Small Stuff

A friend once told me that he was not comfortable using computers because he could not really understand how they worked. Compare it to a car engine, he said. A person does not need to be a mechanic to understand that gasoline gets sprayed into a cylinder, then it explodes, then a piston moves, etc. But all those electrons flying through chips, motherboards, cables, servers – who really understands how any of that stuff works?

One could say the same about client files and information. When a lawyer has a paper file with the pages neatly clipped in place and she puts that file in alphabetical order in a drawer of a big, sturdy, metal file cabinet, she knows exactly where it is and who has access to it (some lawyers claim to know exactly where their files are amongst multiple vertical stacks of paper in their offices, much as squirrels know where their nuts are buried. But I digress). The paperless lawyer knows their files are . . . where exactly? In a cloud someplace? Would that be a cumulus or a nimbostratus cloud?

None of us should be surprised that when lawyers combine our human tendency to be cautious or fearful of what we do not understand with our sacred obligation to safeguard confidential client information, it produces an abundance of anxiety. This is what most ethics discussions about confidentiality seem to focus on lately. Big fears about hackers, data breaches, HIPAA, e-mail security, metadata, the dark web, temporal anomalies, worm holes! One slip and Mrs. Lipschitz’s confidential divorce settlement will go viral and your law license will be shredded in a very public way.

Not so much. Don’t get me wrong. Lawyers certainly have an obligation to protect their client’s confidential electronic information. There can be big consequences for failing to do so: IT costs to fix breaches, pure embarrassment, hours lost to implementing new protections, worry over distressed clients and the unknown impact of unauthorized disclosures, and time lost to restoring data or recreating files. Breaches can turn your world upside down for days or weeks afterwards.

From an ethics perspective, however, hacks and attacks are not the types of confidentiality failures that typically get lawyers in trouble. Your duty under the Rules of Professional Conduct, as interpreted through ethics opinions in numerous U.S. jurisdictions, is to take reasonable measures to prevent hacks. Perfection is not required. Yes, lawyers should definitely have security systems in place that are reviewed and upgraded when necessary. They should use two-factor authentication to access critical systems, use a VPN if they intend to use wifi outside the office, and educate their employees to recognize and avoid phishing, spear-phishing, whaling, and other maritime-themed social-engineering e-mail scams. You cannot likely make your practice bulletproof from cybercrime but by taking reasonable precautions your law license should not be at risk. In fact, although lawyers are often the targets of hackers, there are very few discipline cases that arise from breaches, outside of “Nigerian Prince” and other certified check scams, which are less about confidentiality than they are about pure con artistry.

Instead, when it comes to confidentiality, it’s the small stuff that leads to discipline. It’s the slip of the tongue, the boastful indiscretion, or confused loyalty that is all about being human but not at all about the hazards of technology. In one case, a lawyer’s client in a personal-injury case backed out of a settlement and then fired the lawyer. The lawyer e-mailed the claims adjuster to convey what had happened. Reading between the lines, one suspects that the lawyer was concerned about what the adjuster would think of the lawyer and whether it might affect the lawyer’s future relationship with that adjuster. Part of the e-mail stated, “I advised [client] that he already accepted [the settlement] and there’s no rescinding his acceptance.”[1] That one sentence, devoid of any earth-shattering revelations, disclosed attorney-client privileged information and violated Rule 1.6, MRPC. The Minnesota Supreme Court affirmed the private admonition that had been issued to the lawyer.

This is typical of the level of violations in other cases. Saying just a little too much to a reporter without the client’s authorization. Responding to a client’s attempt to convince a credit-card processor to reverse a fee payment and offering gratuitous information about the client’s attitude or personal issues (fee disputes with clients are fertile ground for inappropriate disclosures of confidential information). Replying to a client’s one-star online review of your services by “setting the record straight” regarding what happened in the case. Recognizing the need to withdraw because of a conflict but disclosing the name of one client to the other.[2] Sending to the person who referred a client to you a copy of your e-mail defending your position in a fee dispute. Each of these scenarios resulted in a private admonition.

These situations have a common theme: emotion. Anger, resentment, embarrassment, frustration, hubris, and guilt lead lawyers to make mistakes. Perhaps they do bear some relationship to phishing schemes, which take advantage of lawyers being rushed or busy or gullible enough to click a link too quickly. It’s not the hackers who are going to get you; you’re more likely to get yourself. Pay attention to the small stuff to keep yourself out of trouble.

(Originally published in the January 2021 issue of Hennepin Lawyer)

[1] In re Panel File No. 41310, 899 N.W.2d 821, 824 (Minn. 2017).
[2] E. Cleary, “Summary of Admonitions” Bench & Bar of Minnesota (March 2000).

This Post is Privileged and Confidential

But you started reading it anyway.

We’re all so inundated with disclaimers and license agreements at every turn that we barely flinch anymore when we see the words privileged and confidential — or worse, long paragraphs in small fonts portending doom for the unwitting recipient of a misdirected email or the surfer of a law firm website. Disclaimers seem to have spread like a consensual virus — a lawyer sees another lawyer using a disclaimer, figures it must be a good idea, and includes it in his own materials.

Website Disclaimers

Website disclaimers are fairly inoffensive. These disclaimers generally warn visitors that the information on the website is not meant to provide legal advice about the visitor’s individual legal problem and caution the visitor not to disclose confidential information in an email or contact form sent to the law firm until the firm has agreed to enter into an attorney-client relationship. Lawyers are concerned, of course, that an opposing or related party to one of the firm’s existing clients might provide confidential information that would conflict the lawyer out of its already existing representation.

There do not appear to be any reported cases that have disqualified a law firm from representing a client because the firm received unsolicited confidential information from a non-client. The Virginia State Bar Committee on Legal Ethics did issue an opinion that compared websites to advertisements in the Yellow Pages. Just as a prospective client who obtains a lawyer’s phone number from a Yellow Pages ad should have no expectation of confidentiality when leaving a voicemail message for a lawyer, the Virginia Bar reasoned that there ordinarily should be no expectation of confidentiality in an email message sent from a website. The opinion recommends, but does not require, that Virginia lawyers include such a disclaimer on their websites and cautions that lawyers may create a duty of confidentiality through sites that offer  a “free evaluation” of a prospective client’s case and invite web visitors to provide the lawyer with information about their situations.

Website disclaimers are designed to address the exact same situation repeatedly: stranger v. law firm. No disclosure of an existing client’s confidential information is involved, and whether the stranger reads the disclaimer or heeds its warning is of no consequence to the law firm, which has discharged its duty to itself (protect against claims of reliance on alleged legal advice) and to its existing clients (prevent being disqualified from existing representations).

Email disclaimers, however, are a different and dangerous breed.

Email Disclaimers

They probably have their roots in that antiquated technology: the facsimile transmission (which our ancestors colloquially referred to as a fax).  Right after the first lawyer sent a fax to opposing counsel when it was meant for the client‘s eyes only, that lawyer starting putting a disclaimer on the fax cover sheet. That way, the next time it happened the blame for the mistake could be shifted from the lawyer to the accidental recipient, who had no business reading that fax in the first place. When lawyers started using email, it must have seemed only logical to try to remedy the predictable calamity of the future misdirected email with a warning to those who receive messages that were not intended for them.

Now, probably 80% or more of the emails I receive from lawyers contain some form of disclaimer. Nearly all appear after the signature block; in longer messages they don’t even appear on the screen until I scroll down further. Some simply declare that the email is “privileged and confidential;” most suggest that the email “may” be privileged and confidential (how I should determine whether it is or not is not explained), and either ask or demand that I notify the sender, and destroy the email and any paper copies I may have printed.

There are several problems with these disclaimers, aside from cluttering up email threads. For one, attorney-client privilege and confidentiality are not the same thing.  Without digressing too much, suffice it to say that while all attorney-client privileged communications are confidential, only a small portion of the client information lawyers are required to treat as confidential is also privileged. Another incongruity is that an email intentionally sent from a lawyer to almost anyone except a client will not be confidential or privileged at all (setting aside agents or experts the lawyer may be contacting on the client’s behalf or negotiations subject to a confidentiality agreement or rule).  So for the vast majority of emails that lawyers send — to colleagues, to witnesses, to vendors, to friends, to listservs, etc. — the disclaimer is meaningless.

Undermining Disclaimers Through Overuse

Which brings us to the real problem with these disclaimers. By overusing them, lawyers may be undermining the effectiveness of disclaimers in protecting the confidential or privileged nature of the information in the email in the (hopefully) rare event that an email is misdirected (or inadvertently produced in discovery).

In Scott v. Beth Israel Medical Center Inc., 847 N.Y.S.2d 436, 444 (2007), the court refused to find that a series of emails were privileged just because they contained a disclaimer that was found in every email sent by the plaintiff. Moreover, by overusing disclaimers and privilege warnings, lawyers are training the world to ignore them — which is precisely what we don’t want people to do.

Using Disclaimers Appropriately

Appropriately used, disclaimers may allow lawyers to rescue misdirected emails that were sent to other parties and preserve the client’s confidentiality, particularly in close cases in which the confidential or privileged nature of the email is not clearly apparent on the face of the email.  Those disclaimers should be sparingly used, appear at the beginning rather than the end of the email,  and state that information in the email is confidential or privileged only when it really is. That way, unintended recipients might really sit up and take notice when they see privileged and confidential declared in an email.

This was originally published on November 17, 2008. It was (lightly) revised and re-published on February 21, 2014.

Featured image: “confidentiality” from Shutterstock.

Emailing clients at work: privilege trumps employer policy

Typing on keyboard11 Emailing clients at work: privilege trumps employer policyA few months ago, I posted a warning to lawyers about emailing clients at work. My concern was based in large part on a NJ district court decision that found an employee had waived the attorney-client privilege for emails that she sent to her attorney while using her work computer. Although the emails had been sent using a Yahoo! account, the employer found images of the emails on the employee’s hard drive.

Well, the New Jersey Court of Appeals has quickly reversed the decision. Although the opinion starts off as a criticism of the district court for not properly evaluating the factual dispute over whether the employer had properly adopted its computer usage policy, the appellate court went on to proclaim the preeminence of the attorney-client privilege over employers’ computer usage policies.

The opinion contains quite a few quotables regarding the extent of an employee’s privacy interest in the information on their work computer. For example:

“A computer in this setting constitutes little more than a file cabinet for personal communications. Property rights are no less offended when an employer examines documents stored on a computer as when an employer rifles through a folder containing an employee’s private papers or reaches in and examines the contents of an employee’s pockets.â€� The court also compares reviewing an employee’s emails with “the highly impermissible conduct of electronically eavesdropping on a conversation between plaintiff and her attorney while she was on a lunch break . . . .

“We thus reject the philosophy buttressing the trial judge’s ruling that, because the employer buys the employee’s energies and talents during a certain portion of each workday, anything that the employee does during those hours becomes company property.â€�

Privilege and privacy trump the employer’s computer usage policy, concludes the NJ Court of Appeals.

But the Court was not quite done with the issue. Next it turned to the employer’s attorneys, who viewed images of the allegedly privileged emails that had been stored on the hard drive of the employee’s computer. The Court invoked a relatively new Rule of Professional Conduct, Rule 4.4(b), which reads (in NJ and many other states) “[a] lawyer who receives a document and has reasonable cause to believe that the document was inadvertently sent shall not read the document or, if he or she has begun to do so, shall stop reading the document, promptly notify the sender, and return the document to the sender.” The Court says the defense attorneys violated this rule when they failed to notify the employee’s lawyers that they had found images of the emails on the hard drive.

The Court is kind of stretching here to tag the attorneys for conduct that offends the spirit, but perhaps not the letter, of the rule. The defense attorneys viewed the hard drive images of the emails after the plaintiff filed her lawsuit. Seems like a stretch to call those images “inadvertently sent� documents. The defense attorneys’ conduct seems more akin to searching for metadata in documents, the ethics of which are still in dispute (and about which NJ has not taken a particular position). A prudent lawyer, however, reviewing paper documents clean out of a fired employee’s office, should probably not read letters that appear on their face to have been sent from the employee to his or her attorney. The NJ Court apparently applies the same reasoning to electronic information.

In NJ at least, the pendulum has swung back in favor of protecting the attorney-client privilege in emails sent through a work computer. Until, perhaps, the NJ Supreme Court takes its swipe at the issue.

lawyeristlab banner Emailing clients at work: privilege trumps employer policy

Emailing clients at work: privilege trumps employer policy is a post from the law firm marketing blog, Lawyerist.com

Related posts:

Skip to content