How would you feel if you learned that the U.S. Postal Service was opening and reading every letter you sent or received from your clients, scanning the letters so it could market additional products to you and also claimed it had the right to disclose the contents of your mail to anyone it wanted? You would be outraged.
Fortunately, it is a federal offense for someone to read your mail. It isn't a federal offense, however, for an email provider to do exactly what the post office cannot — email providers can read, store and even disseminate the contents of your email, and do so with impunity. Why? Because when you signed up for your account, you agreed to their terms of service, which you almost certainly didn't read.
If you use Google's Gmail service, for example, you have agreed that your presumably confidential attorney-client communications are no longer private, and are instead available for Google to use in almost any way it wants.
Thus, it is clear that email users give these mega-corporations literally free rein to do anything they want with their customers' email. This isn't supposition. In a recent Associated Press report, Google attorney Whitty Somvichian said it was "inconceivable" that Gmail users would not be aware that the information in their email would be known to Google. The article further explained that "Google repeatedly described how it targets its advertising based on words that show up in Gmail messages," although the company claims that "the process is automated and no humans read your email."
Although Google believes it is inconceivable that its customers don't know that the contents of their email are known to Google, the opposite is actually true. Every time I consult with a law firm about email security or lecture to attorneys about the dangers of unprotected email, they profess incredulity when they learn this information. As the AP article noted, quoting Consumer Watchdog President Jamie Court, "'People believe, for better or worse, that their email is private correspondence, not subject to the eyes of a $180 billion corporation and its whims.'"
By simply using Gmail, AOL and similar services, you risk disclosing confidential client communications and violating your ethical obligation to preserve that information. This danger is not confined to online email services such as Gmail; it applies to all email.
As the website emailprivacy.info explained years ago, "[Email] is quick, convenient, cheap … and is as unprivate as it could be while being so quick, convenient and cheap. Email is as public as a postcard! Every message you send through the Internet can easily be snatched and scanned for interesting details by anyone having the necessary know-how. Privacy is virtually nonexistent online."
With public providers, such as Gmail, AOL and others, users need to be aware that their email is being scanned, saved and used for whatever purpose the provider wants. If your firm has its own email domain, then it presumably controls the manner in which your email is sent, received and stored; your firm still has no control over who can see your emails and their contents as they travel across the Internet from one computer to another. At each of those locations, your email and any attachments can be viewed by anyone with a computer and access to the email server. This means that someone could see all types of confidential documents, including agreements, complaints, financial data — you name it.
Historically, email was presumed to be private simply because there was an expectation it would not be read. Ethics committees no longer subscribe to this viewpoint. For example, in Formal Opinion 11-459 ("Duty to Protect the Confidentiality of Email Communications With One's Client") the American Bar Association standing committee on ethics and professional responsibility concluded that "a lawyer sending or receiving substantive communications with a client via email or other electronic means ordinarily must warn the client about the risk of sending or receiving electronic communications using a computer or other device, or email account, where there is a significant risk that a third party may gain access."
Similarly, in Formal Opinion 2011-200 ("Ethical Obligations for Attorneys Using Cloud Computing/Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property"), the Pennsylvania Bar Association committee on legal ethics and professional responsibility concluded that "Web-based email is a common way to communicate for individuals and businesses alike. … While pervasive, webmail carries with it risks that attorneys should be aware of and mitigate in order to stay in compliance with their ethical obligations. As with all other cloud services, reasonable care in transmitting and storing client information through webmail is appropriate."
Consequently, no matter what type of email they use, lawyers must take reasonable steps to prevent their electronic communications from being seen by prying eyes. Years ago, for example, when I oversaw mass tort litigation, we regularly refused to send information to attorneys using these online services, because the documents we were attaching to the email may have been confidential or subject to court orders requiring the attorneys to prevent the information from being released to unauthorized parties.
Regardless of whether your email and attachments are marked confidential, they remain attorney-client or client-related communications. As lawyers learn from the first days of law school, they have an ethical obligation to keep client communications confidential. This requirement is also part of the Rules of Professional Conduct. Rule 1.6(a) ("Confidentiality of Information") states that "a lawyer shall not reveal information relating to representation of a client unless the client gives informed consent."
Despite the lack of privacy with email, it is not difficult for lawyers and law firms to take affirmative actions to protect their electronic communications with or about clients. I suggest the following initial steps:
• Stop using services like Gmail and AOL for client-related communications. Instead, set up a private email account for your law firm. In other words, get a Web domain such as weareyourlawyers.com and set up email accounts for you and your staff. Stop using these online services. This will, at a minimum, avoid allowing Google and others to read, index and use your email for whatever purposes they want.
• Disclose to clients in your fee agreements and engagement letters that email communications may not be private, and also explain that the client must (1) decide whether to permit email communications, and (2) if the client approves, determine how to preventing disclosure of confidential information.
These steps are easy.
As noted above, you should not use these services for client email and should instead set up your own email domain. Not only is this good practice, but it is also good business. Clients expect their lawyers to be professional, and using AOL or Yahoo as your email provider creates the impression that you are still in the dark ages of technology. In addition, when you have your own domain, you can control your email far more extensively.
Next, you have to decide how you are going to communicate by email. Is it sufficient to send email (and attachments) the traditional way, with the understanding that they may be read by unauthorized people?
Or, is it sufficient that your email be sent in the traditional manner, with all attachments password-protected or otherwise secured? You can do this easily enough with a product like Adobe Acrobat, which makes it easy to password-protect documents. There are other alternatives that accomplish the same result.
Or, do you avoid using email, and store attachments in a secure password-protected location? Doing so, with a secure service like Box or SpiderOak, will prevent unauthorized people from viewing the contents of your client's documents.
By taking these steps, you also prevent unauthorized eyes from viewing the client's information on the client's computer. For example, if you are sending your client a divorce complaint, you certainly do not want his or her spouse to look at the computer and view the complaint simply by opening the attachment.
Regardless of the situation, the days of assuming that email communications are presumptively confidential are behind us, and lawyers need to recognize this fact as well as their obligation to protect electronic client communications. The alternative, that "inconceivable" fact that Google may use information in your email for commercial purposes, is unacceptable. Otherwise, the consequences for your client, and for you, could be severe.
Daniel J. Siegel is the principal of the Law Offices of Daniel J. Siegel, which provides appellate, writing and trial preparation services to other attorneys, as well as ethical and disciplinary guidance. He is also the president of Integrated Technology Services LLC, a consulting firm that helps law offices improve their workflow through the use of technology.