Jump to Navigation | Jump to Content
American Bar Association

ABA Section of Business Law

Business Law Today

The Risks of E-Mail Communication
A Guide to Protecting Privileged Electronic Communications
By Brenda R. Sharton and Gregory J. Lyons
"Never write if you can speak, never speak if you can nod, never nod if you can wink."

—Attributed to the 19th century Boston political boss Martin Lomasney.

One need only take notice of the newly adopted Federal Rules of Civil Procedure governing electronic evidence to realize the growing business importance of cataloging, managing, and protecting electronic communications. Tales of embarrassing e-mails surfacing during litigation are legendary. The risks to a company, its personnel, and its reputation are very real. Failing to properly preserve relevant electronic documents or simply one bad e-mail can lead to disastrous results in litigation. It can be a daunting challenge to protect sensitive e-mails in a world where chunks of data can be instantly "beamed" to all corners of the world via the Internet. Only adding to the challenge is the often-difficult task of preserving attorney-client privilege when it comes to e-mail, a medium in which a simple click of the "forward" button risks waiving the privilege. While recent press reports may have somewhat overblown the effect of the new Federal Rules adopted December 1, 2006, there are, nonetheless, certain steps that should be taken now to minimize the risks associated with electronic communications. This article will examine the risks of electronic communications and how business lawyers can protect their companies and clients from these risks.

The Attorney-Client Privilege
Any discussion of protecting electronic communications must begin with a basic refresher on the attorney-client privilege. Generally, the privilege protects communications (including e-mail) sent from a client to a lawyer from forced disclosure to third parties, and most jurisdictions have accepted, as a corollary to this rule, that communications from a lawyer to a client are also privileged. (The rationale behind protecting lawyer-to-client communications stems from the risk of disclosing the content of any underlying client-to-lawyer communications. Thus, it is advisable to structure lawyer-to-client communications as a response to client-initiated communications.) Moreover, communications from a lawyer to a client are also generally protected by the work product doctrine in the event of anticipated or actual litigation. The privilege can be asserted against the government (e.g., regulatory inquiries, examinations, and investigations) as well as against private parties. To assert the privilege, these basic elements must be present:

  • a communication between lawyer and client (person or corporation);
  • the purpose of which is to seek or obtain legal advice;
  • the communication is made to a lawyer acting in his/her capacity as a lawyer;
  • the communication must be made and keptin confidence.
When the privilege has been waived, it is because one of these elements is not satisfied. Most often with electronic communications, it is the "in confidence" element that is waived—by disseminating the communication to an outside party or too widely disseminating beyond a "need to know" group—thus putting a formerly privileged communication at risk of conversion to nonprivileged status.

E-Mail and In-House Counsel

The attorney-client privilege belongs to and protects the company and those who act on behalf of the company, including in-house counsel. As a practical matter, however, the line between an in-house lawyer giving advice in a business versus a legal capacity is often blurry, with only the latter communications falling within the protection. A line of attack is available to a plaintiff's lawyer when dealing with an in-house lawyer's e-mail communication ("he or she was providing business advice, not legal advice, so therefore there is no privilege") that is not available when that same communication is sent to or from outside counsel. In many a workplace, e-mail has essentially replaced the short phone call, hallway conversation, or water-cooler talk of yesteryear. BlackBerry devices serve to magnify the risk of e-mail informality even further. Likewise, business and legal communications have become intermingled. E-mail is only protected when the e-mail from in-house counsel predominantly contains legal (not business) advice.

Be warned that outside of the United States, the legal landscape may be different. A potential trap for the unwary arises when sending out e-mail on a global basis. In the United States, the fundamental policies of attorney-client privilege apply to both in-house and outside counsel alike. However, some countries do not recognize a privilege for in-house counsel. As a general matter, a sliding scale of protection exists across the globe. Some countries such as France and Switzerland recognize no privilege at all for in-house counsel. At the other end of the spectrum, countries such as the United States, Canada, and England recognize a full privilege. Finally, other countries such as Germany and Japan fall in between the two extremes and recognize some form of privilege, but not a complete one. In-house counsel, therefore, must be wary of sending sensitive e-mails outside the U.S. border because, in the blink of an eye, that e-mail could traverse cyberspace into a country where no privilege is recognized or where lesser protections are granted. This could be problematic in the event that litigation in the "privilege unfriendly" jurisdiction ensues. In sum, it is best to check with counsel in whatever country your legal interactions are likely to touch before sending sensitive e-mails around the globe.

With all of these traps and pitfalls, one can only help but wonder what to do to protect sensitive e-mails. There are several things that in-house counsel can do to help preserve the privilege.

  • Be aware of when you are giving legal versus business advice in your e-mail. In sensitive situations, you may consider sending two e-mails—one with your business advice and the other with your legal advice. While not practical for day-to-day communications on more mundane issues, in sensitive situations, this may help ensure that your legal advice remains bulletproof from a privilege attack.

  • When sending out legal advice via e-mail, another effective way to delineate business and legal advice, particularly for sensitive situations, is to consider using a lead-in phrase in your e-mail along the lines of "You have asked for my legal advice on X issue . . ." Remind business clients not to mass forward your e-mails.

  • Continually educate your business clients that e-mail is not destroyed simply by pressing the "delete" button and warn them of the risks of informality. BlackBerry devices are invitations for disaster as they create inadvertent documentation in situations where clients have their guard down. Clients (and lawyers alike) should be reminded that they should not send an e-mail unless they are willing to have the president of their company or outside press see that e-mail.

  • Selectively use "Privileged & Confidential" notations on e-mail communications. Although stamping every e-mail with a macro header of "Privileged & Confidential" may be tempting, it is not advised because it can hamper your efforts to argue that the label is meaningful in the event of litigation or investigation. If forced to argue in front of a judge as to whether a particular e-mail is privileged or not, it will be an uphill battle to convince a judge that the label signifies that the e-mail is privileged when another e-mail from your spouse asking you to pick up the kids from soccer practice contains the very same label. Of course, the mere fact of the label does not make an e-mail privileged or nonprivileged; it will always come down to whether the content of the e-mail satisfies the elements of the privilege.
Waiver of Attorney-Client Privilege
Inadvertent waiver of the attorney-client privilege is another area of concern with electronic communications. A company can waive the attorney-client privilege expressly or impliedly. As a general rule, the disclosure of attorney-client communications (including sharing of an e-mail) to a third party waives the privilege. In the context of e-mail, the most common pitfall leading to inadvertent waivers stems from the ease with which e-mail containing legal advice can be sent to large groups of people via the Internet. Not only will a dissemination to a third party potentially waive the privilege (i.e., the "in confidence" element of the privilege is no longer met), but dissemination to too wide of an audience within the company also may cause a waiver. Business lawyers must be attentive because it is usually the business client who fails to keep a communication in confidence through mass distribution or forwarding of the e-mail "from legal." For example, your legal advice contained within an e-mail to a select few business people is then mass forwarded to the whole company. In some instances, this may constitute a waiver of the privilege, sometimes referred to as a "technical waiver." Although the e-mail may never leave the company, the client may be vulnerable to attack by a plaintiff's lawyer that, because the e-mail was disseminated beyond the "need to know" group (meaning individuals who need the information in order to take some action), the privilege has been waived. The trick is to ensure that sensitive e-mails are only shared on a need-to-know basis within the client's shop. Ask yourself (and train your clients to ask themselves): Do the recipients of this e-mail need this information in order to take some action or alter their actions in some way?

And it only gets worse. Oft forgotten by business lawyers, an adversary may argue that once the privilege is waived, it is waived not only to the one e-mail at issue, but to the whole subject matter to which that e-mail refers. No bright-line test exists for how broadly or narrowly the courts will construe the subject matter that has been waived. Courts will usually weigh three factors: (1) the circumstances of the disclosure; (2) the nature of the legal advice; and (3) the prejudice to the parties of further disclosures. Courts also look to the equities of the disclosure including who noticed the disclosure, how quickly it was noticed, and what steps were taken to remedy the situation. The bottom line is that one e-mail can cause a world of damage if improperly disseminated.

For those who operate in highly regulated environments such as financial institutions and public entities, the landscape is often even more complex. Regulators, understanding that a review of the company e-mail is a good way to get to the heart of the matter quickly, often ask up front for a wide swath of e-mail traffic (i.e., all of John Doe's e-mails in his inbox and sent items for X time period) in electronic form. Some regulators then run their own search engines on the large document production that lands at their doorstep. It is especially important to bear in mind that, in most jurisdictions, an adversary may argue that when you give privileged electronic documents to regulators (i.e., a third party), you generally waive the attorney-client privilege. This may happen even if you are turning over the electronic documents in response to a subpoena. Moreover, those disclosed documents may then also be the subject of a Freedom of Information Act request from plaintiffs' lawyers. If you have handed documents over to the government, in most jurisdictions, you can be precluded from invoking the privilege as to those same documents when plaintiffs' lawyers bring claims arising out of the same circumstances that caught the "regulators' eyes" in the first instance.

Remembering that disclosure to a third party (regulator) may waive the privilege in most jurisdictions is especially important in this environment where regulators may ask for a waiver of the privilege from the company under investigation. For example, the SEC considers approximately 13 factors in deciding whether to bring an enforcement action. Among those considered is whether or not the company waived the attorney-client privilege. Some companies do indeed choose to waive the privilege. This type of strategic decision, however, is fact-intensive and case-specific and should be made only at the highest levels of a company. Part of the equation will be the risk of losing the privilege in any subsequent litigation that may be brought from the circumstances facing the company.

One consideration for whether or not disclosures should be made to a regulator is what jurisdiction's law governs. A few jurisdictions permit selective waiver, meaning that a company can disclose to the government without waiving the privilege as to other parties. Currently, the Eighth Circuit has taken a selective waiver approach. Most jurisdictions, however, have taken the most stringent approach. The First, Second, Third, Fourth, Sixth, Tenth, Federal, and D.C. Circuits have all prohibited selective waiver. The Seventh Circuit may possibly permit selective waiver if there is a confidentiality agreement. The Ninth Circuit remains unsettled on the issue. Thus, in most jurisdictions, turning over documents will constitute a waiver of the attorney-client privilege. Tempting as it may be to save legal fees, do not turn over documents (electronic or otherwise) wholesale, even when you are clear the client has done nothing wrong. E-mails taken out of context can be used against your client in subsequent litigation and, given that the privilege waiver may run to the whole subject matter, there may be other subjects within the e-mails or documents for which you have not made an independent decision to waive that then get swept up in the waiver. Take the prudent course whenever you share documents, whether with regulators or any other outside party: first have those documents reviewed for privilege by counsel.

E-Communications and Retention
Another area of risk associated with e-mail comes in the form of document retention and destruction policies or, more specifically, the lack thereof. On December 1, 2006, the recent revisions to the Federal Rules of Civil Procedure relating to electronic discovery went into effect. What do the new Federal Rules really mean for the business lawyer? The rules shine a spotlight on electronic document management and reaffirm the need for many companies to adopt best practices. Namely, a company should (1) know what electronic documents the company keeps (including how, where, and for how long they are kept); (2) manage electronically stored documents under reasonable retention policies; and (3) preserve documents or put a litigation "hold" on routine destruction as needed, in the event of litigation or an investigation.

Several other articles in this edition of Business Law Today provide an in-depth discussion of electronic discovery and the new Federal Rules. Nonetheless, it can never be stated too often that you should always be thinking about the risks associated with e-mail and other forms of electronic communication, even if litigation is not in your foreseeable future. The best way to meet the obligations of these new rules is to act now, rather than waiting for litigation. Designing a retention policy and taking actions in line with the goals stated above could pay dividends down the road.

Protecting the Company's Privilege
There are several best practices that you can implement immediately in order to protect your company and clients from the risks of damaging e-mail and to preserve the attorney-client privilege:

  • First, it is important to provide training and awareness to employees to ensure that proper steps are taken to prevent inadvertent disclosures, spoliation, and other risks from occurring.

  • Second, always strive to segregate legal advice from business advice in e-mails, using lead-ins and even separate e-mails where appropriate.

  • Third, indicate in an e-mail when communications and discussions are for legal purposes or are in anticipation of litigation. Make sure, however, you selectively use notations such as "Privileged & Confidential."

  • Fourth, limit distribution of privileged materials even within your own company.

  • Fifth, always remember that any disclosure—even a mistake—may cause a waiver of the privilege.

  • Sixth, make sure your company has a document retention and destruction policy.
E-mail has become an integral part of business in the twenty-first century and it's often hard to imagine any business getting done without the alluring benefits of instant communication around the globe. Business lawyers must always strive to remember, however, that along with these benefits, e-mail also ushers in a host of legal risks. Therefore, it is important to ensure that your company and clients consider those risks carefully and follow the aforementioned best practices in order to avoid being the subject of an e-mail "horror story" in the future.
Sharton is a litigation partner and Lyons is a financial services partner at Goodwin Procter LLP in Boston. Their e-mails are bsharton@goodwinprocter.com and glyons@goodwinprocter.com. The authors acknowledge and appreciate the able assistance of Bryan F. Bertram, associate, Goodwin Procter LLP.

Back to Top