As an experiment, attorney Albert Barsocchini
used his wife's e-mail account one day to go online and find
software that enabled him to hack into his own e-mail account. It took
him just two hours.

Had Barsocchini chosen an unsuspecting target,
the victim may never have discovered the breach.

For Barsocchini, a consultant for law firms on
technology issues for 10 years, the experiment simply confirmed what
others have warned: E-mail interception is not difficult.

And with e-mail becoming more common, some
attorneys and consultants continue to raise questions regarding the
attorney's legal and ethical obligations to clients in communicating

"My policy would be to avoid using e-mail in
attorney-client communications," said Barsocchini, currently
retained by West Group to provide technology consulting to law firms.
"There are so many unknowns out there, it's not worth the risk."

According to Kathryn Thompson, senior research
specialist for the American Bar Association's Legal Technology
Resource Center, some states initially required attorneys to encrypt
such e-mail and/or obtain the client's consent before using it.
However, a 1998 amendment to the Electronic Communications Privacy Act
of 1986 extended the scope of an earlier wiretapping statute to
include "electronic communications." This, Thompson said,
established a presumption of lawful behavior in connection with e-mail
and "kind of opened up the door" for some states to approve e-mail

And in 1999, the ABA issued a formal opinion
(99-413) concluding that lawyers sending confidential client
information by unencrypted e-mail do not violate their duty to use
reasonable means to maintain confidentiality. The opinion states that
unencrypted e-mail affords "a reasonable expectation of privacy from
a technological and legal standpoint."

However, it also states that attorneys should
consult with their clients and follow their instructions as to the
mode of transmitting "highly sensitive" information.

Currently, Thompson says, there is a consensus
among states that encryption is not required. The State Bar of
California, however, has yet to weigh in.

At least one local bar - the Orange County Bar
Association - has issued a formal opinion. The opinion (97-002)
concludes that encryption is encouraged but not required. However, the
opinion also notes that "the wide availability of commercially
unbreakable encryption software at affordable prices dictates that the
prudent practitioner will investigate and use this technology."

In the meantime, issues surrounding e-mail,
encryption and confidentiality remain open to debate. Some attorneys
feel sufficient guidelines exist. Some call for required encryption.
And some believe attorneys should obtain permission in a retainer
agreement before using e-mail.

Barsocchini sees many good uses for e-mail, he
says, but he finds insufficient guidelines and case law defining
attorneys' legal and ethical requirements regarding attorney-client

He points to inherent "traps." For example,
he says, sending e-mail to a client's corporate mailbox might be
considered a waiver of the attorney-client privilege if the client's
employer has a business-use-only policy in which the employer can
access the employees' e-mail.

In addition, he says, there's case law to
suggest that an attorney might face liability if an unencrypted e-mail
winds up in the wrong hands and results in a costly loss to the
client. A key factor, he said, is that encryption services are
available at little or no cost. Currently, attorneys can choose from
some 30 products, including HushMail.com,

Still, Barsocchini finds that few attorneys opt
to use encryption regularly. And, he said, a "surprising" number
of attorneys use unencrypted e-mail when dealing with trade secrets in
corporate transactions. In some cases, he said, firms have encryption
systems in place but attorneys fail to use them.

Recent ABA survey findings appear to show a
similar climate. Of the small law firms responding to the ABA's 1998
web-based technology survey, 76.9 percent said they sent no
confidential information over the internet. One year later, however,
just 38.95 percent still avoided sending such information. Similarly,
in 1998, only 20.8 percent of the small firms took no precautions with
their internet communications. In the 1999 survey, however, 51.44
percent reported taking no precautions.

Attorney David Bell, vice chair of the State
Bar's law practice management and technology section and the bar's
former ethics guru, suggests that the lack of a practical problem may
have pushed e-mail confidentiality issues to a back burner for many.
Bell and others agree that reports of confidentiality breaches via
e-mail are rare.

But he points out that attorneys might never
discover such a breach, unless they happen to spot the information
being put to use.

Still, he says, all forms of communication,
including the telephone, fax machine and mail, carry risks. "Where
the problem might be with e-mail," he said, "is there's a false
sense of security."

What Bell suggests is that attorneys recognize
e-mail's risks and trade-offs and work with clients to set
communication guidelines on a case-by-case basis. Encryption, he says,
may not always be necessary.

Silicon Valley attorney Mark Radcliffe, a partner
at Gray Cary, suggests that taking a hard line against attorney-client
e-mail would be impractical. "It's not a black-and-white issue,"

Radcliffe, whose clients include highly
sophisticated, multibillion-dollar technology companies, says that his
clients often insist on using e-mail and "are willing to take the

Don Jaycox, Gray Cary's chief technology
officer, stresses that the nature of the deal drives the decision of
whether to use encryption. "I don't know that there's a one-size
solution that fits all," he said. "The important point is to have
a dialogue before e-mail and attached documents start flying back and

Jaycox and others predict, however, that e-mail
encryption will become increasingly common as the process becomes
simpler and more transparent.

But Bell is quick to point out that even the
confidentiality of an encrypted message can be compromised -
displayed on an unattended computer screen or in a printout - once
it has been decoded. Attorneys should never rely on encryption alone,
or any other single precaution, to protect a client's confidences,

"My belief is that you don't need to be
running scared," he said. "But should you be paying attention to
this issue? Yes."