California Bar Journal
spacer.gif (810 bytes)

Ethical issues bedevil lawyer e-mail

spacer.gif (810 bytes)
Contributing Writer
spacer.gif (810 bytes)

As an experiment, attorney Albert Barsocchini used his wife's e-mail account one day to go online and find software that enabled him to hack into his own e-mail account. It took him just two hours.

Had Barsocchini chosen an unsuspecting target, the victim may never have discovered the breach.

For Barsocchini, a consultant for law firms on technology issues for 10 years, the experiment simply confirmed what others have warned: E-mail interception is not difficult.

And with e-mail becoming more common, some attorneys and consultants continue to raise questions regarding the attorney's legal and ethical obligations to clients in communicating via e-mail.

"My policy would be to avoid using e-mail in attorney-client communications," said Barsocchini, currently retained by West Group to provide technology consulting to law firms. "There are so many unknowns out there, it's not worth the risk."

According to Kathryn Thompson, senior research specialist for the American Bar Association's Legal Technology Resource Center, some states initially required attorneys to encrypt such e-mail and/or obtain the client's consent before using it. However, a 1998 amendment to the Electronic Communications Privacy Act of 1986 extended the scope of an earlier wiretapping statute to include "electronic communications." This, Thompson said, established a presumption of lawful behavior in connection with e-mail and "kind of opened up the door" for some states to approve e-mail use.

And in 1999, the ABA issued a formal opinion (99-413) concluding that lawyers sending confidential client information by unencrypted e-mail do not violate their duty to use reasonable means to maintain confidentiality. The opinion states that unencrypted e-mail affords "a reasonable expectation of privacy from a technological and legal standpoint."

However, it also states that attorneys should consult with their clients and follow their instructions as to the mode of transmitting "highly sensitive" information.

Currently, Thompson says, there is a consensus among states that encryption is not required. The State Bar of California, however, has yet to weigh in.

At least one local bar - the Orange County Bar Association - has issued a formal opinion. The opinion (97-002) concludes that encryption is encouraged but not required. However, the opinion also notes that "the wide availability of commercially unbreakable encryption software at affordable prices dictates that the prudent practitioner will investigate and use this technology."

In the meantime, issues surrounding e-mail, encryption and confidentiality remain open to debate. Some attorneys feel sufficient guidelines exist. Some call for required encryption. And some believe attorneys should obtain permission in a retainer agreement before using e-mail.

Barsocchini sees many good uses for e-mail, he says, but he finds insufficient guidelines and case law defining attorneys' legal and ethical requirements regarding attorney-client e-mail.

He points to inherent "traps." For example, he says, sending e-mail to a client's corporate mailbox might be considered a waiver of the attorney-client privilege if the client's employer has a business-use-only policy in which the employer can access the employees' e-mail.

In addition, he says, there's case law to suggest that an attorney might face liability if an unencrypted e-mail winds up in the wrong hands and results in a costly loss to the client. A key factor, he said, is that encryption services are available at little or no cost. Currently, attorneys can choose from some 30 products, including,, and

Still, Barsocchini finds that few attorneys opt to use encryption regularly. And, he said, a "surprising" number of attorneys use unencrypted e-mail when dealing with trade secrets in corporate transactions. In some cases, he said, firms have encryption systems in place but attorneys fail to use them.

Recent ABA survey findings appear to show a similar climate. Of the small law firms responding to the ABA's 1998 web-based technology survey, 76.9 percent said they sent no confidential information over the internet. One year later, however, just 38.95 percent still avoided sending such information. Similarly, in 1998, only 20.8 percent of the small firms took no precautions with their internet communications. In the 1999 survey, however, 51.44 percent reported taking no precautions.

David BellAttorney David Bell, vice chair of the State Bar's law practice management and technology section and the bar's former ethics guru, suggests that the lack of a practical problem may have pushed e-mail confidentiality issues to a back burner for many. Bell and others agree that reports of confidentiality breaches via e-mail are rare.

But he points out that attorneys might never discover such a breach, unless they happen to spot the information being put to use.

Still, he says, all forms of communication, including the telephone, fax machine and mail, carry risks. "Where the problem might be with e-mail," he said, "is there's a false sense of security."

What Bell suggests is that attorneys recognize e-mail's risks and trade-offs and work with clients to set communication guidelines on a case-by-case basis. Encryption, he says, may not always be necessary.

Silicon Valley attorney Mark Radcliffe, a partner at Gray Cary, suggests that taking a hard line against attorney-client e-mail would be impractical. "It's not a black-and-white issue," he said.

Radcliffe, whose clients include highly sophisticated, multibillion-dollar technology companies, says that his clients often insist on using e-mail and "are willing to take the risk."

Don Jaycox, Gray Cary's chief technology officer, stresses that the nature of the deal drives the decision of whether to use encryption. "I don't know that there's a one-size solution that fits all," he said. "The important point is to have a dialogue before e-mail and attached documents start flying back and forth."

Jaycox and others predict, however, that e-mail encryption will become increasingly common as the process becomes simpler and more transparent.

But Bell is quick to point out that even the confidentiality of an encrypted message can be compromised - displayed on an unattended computer screen or in a printout - once it has been decoded. Attorneys should never rely on encryption alone, or any other single precaution, to protect a client's confidences, he said.

"My belief is that you don't need to be running scared," he said. "But should you be paying attention to this issue? Yes."