E-mail security risks: taking hacks at the attorney-client privilege.
The emergence of electronic mail ("e-mail") as a commonplace form of communication has been accompanied by an equally commonplace debate regarding the medium's security.(1) Given the vulnerability of e-mail systems to the threat of hackers, it is difficult for an e-mail user to remain confident in the security of electronic communications. This debate is particularly germane to attorneys acting within the ambit of the attorney-client privilege. Participants in this security debate have expressed attitudes ranging from anxiety(2) to a confident lack of concern.(3)
Attorneys who wish to use e-mail to communicate with clients should consider the degree of security it offers and its implications for the attorney-client privilege.(4) E-mail communications become computerized records when saved and are subject to discovery requests during litigation.(5) E-mail is also subject to discovery if the privilege is unintentionally waived through a failure to maintain confidentiality.(6) Thus, waiver is possible where e-mail does not offer sufficient security.
This Note addresses the largely unexplored issue of whether e-mail is secure enough to preserve the attorney-client privilege in a situation where an e-mail communication is unintentionally disclosed to a third party. E-mail security turns upon many factors, including the size of the network used, the servers and software employed, whether the communication is en route or in storage, and, perhaps most importantly, the attractiveness of the client and the firm to eavesdroppers ("hackers"). Maintenance of the attorney-client privilege rests on a reasonableness standard. All of the above factors should be considered in applying the privilege to e-mail. Furthermore, given e-mail's efficiency and convenience,(7) determinations regarding waiver of the privilege should not be so strict as to effectively prohibit its use by attorneys and their clients.
Section II of the Note provides background regarding the attorney-client privilege necessary to apply the privilege to e-mail. Section III applies the privilege to e-mail and suggests standards that courts might use to determine outcomes in various situations. Section IV presents a survey reflecting the views of law firms concerning the risks of e-mail.
A. The Attorney-Client Privilege
The attorney-client privilege protects communications between attorneys and their clients from disclosure.(8) The purpose of the privilege, as set forth by the United States Supreme Court in Upjohn Co. v. United States,(9) is "to encourage full and frank communication between attorneys and their clients."(10) The public's interest in sound legal assistance depends upon clients' willingness to fully inform their attorneys(11) without the consequences or fear of disclosure.(12) The privilege is strictly construed because it may have the side effect of acting as "an obstacle to the investigation of the truth."(13)
1. Elements of the Attorney-Client Privilege
The essential elements of the attorney-client privilege are as follows:
1) Where legal advice of any kind is sought
2) from a professional legal adviser in his capacity as such,
3) the communications relating to that purpose,
4) made in confidence
5) by the client,
6) are at this instant permanently protected
7) from disclosure by himself or by the legal adviser,
8) unless the protection be waived.(14)
The privilege extends to an attorney's advice in response to a client's communication,(15) protecting against disclosure of communications, but not against disclosure of the facts underlying the communications.(16) The party asserting the privilege must prove that the privilege applies to the communication.(17)
In applying the attorney-client privilege to e-mail, this Note proposes that the most crucial elements to consider are the requirements that the communications be confidential and that the privilege has not been waived.(18) The remainder of this section of the Background will outline the significant trends in case law concerning these elements. These trends will later be applied to the e-mail medium. To simplify matters, unless otherwise noted, the communications discussion will be limited to communications from the client to the attorney.
2. The Confidentiality Requirement
The attorney-client privilege protects communications that are "intended to remain confidential, and [are] made under such circumstances that [they are] reasonably expected and understood to be confidential."(19) Furthermore, confidentiality must be continually maintained even after the communication is sent.(20) The tests used to assess the expectation of confidentiality--the subjective and objective tests--are closely related factual questions(21) generally resolved through consideration of the client's purpose in communicating with the attorney (i.e., whether the communication was also intended for a third party outside the attorney-client relationship),(22) and the circumstances surrounding each communication (i.e., whether it is made in the presence of, or is disseminated to, third parties).(23)
Subjective expectations of confidentiality can be determined by examining the client's expressed intentions, the circumstances surrounding the communication,(24) as well as the client's subsequent efforts to maintain the communication's confidentiality.(25) The mere fact that a communication was initiated by a client to an attorney is insufficient to fulfill this requirement; there must be an indication of an intention to maintain secrecy.(26) Failure to mark a communication "confidential" may indicate that the sender did not anticipate confidentiality, but this alone is not dispositive.(27) Wide dissemination of a communication is also not dispositive.(28) If the client intends a communication to be disseminated to a third party, courts will find the privilege destroyed, regardless of whether or not the communication reaches the third party.(29)
The "objective test," i.e., whether a client's anticipation of confidentiality was reasonable, is a determination generally based on the circumstances surrounding the communication.(30) The factual circumstance which most commonly impacts upon the determination is the presence of a third party at the time of the communication.(31) An expectation of confidentiality is generally unreasonable in situations where a third party is present who is neither an agent of the client or the attorney,(32) a joint client,(33) nor a participant in a joint or common defense.(34) This rule holds true even when the third party is "casual" and "disinterested."(35)
The determination of what circumstances constitute "in the presence of third parties" is essential to an objective test analysis. For instance, in In re Sealed Case,(36) the privilege was held to apply to a conversation between an attorney and a client who were sitting next to each other in the first-class section of an airplane and "speaking in tones not likely to be overheard."(37) The privilege was held to be inapplicable in another case where the client had his accountant deliver documents to his attorney; the accountant himself could have examined the documents.(38) Generally, when a client seeks legal services with the expectation that the attorney will relay the client's communication to others, the client can have no reasonable expectation of confidentiality.(39)
Analyses of the circumstances surrounding communications under the subjective and objective tests often merge; courts have assumed subjective expectation is lacking where such expectation would have been objectively unreasonable.(40) Some courts focus on neither test, and instead look to whether the communications were, in fact, confidential or whether they were inaccessible to third parties.(41)
3. Waiver o the Privilege
The attorney-client privilege applies only if it has not been waived. The privilege can be waived by the client or an agent of the client authorized to do so, including the client's attorney.(42) In Commodity Futures Trading Commission v. Weintraub,(43) the court held that if the client is a corporation, authority to waive the privilege is generally limited to the corporation's "control group," comprised of corporate officers and directors.(44) This rule regarding corporations remains true despite the fact that the privilege's protection can extend to the communications of other employees. In Upjohn Co. v. United States,(45) the Supreme Court held that employees' communications were protected where: (1) employees made them at the direction of superiors; (2) the communications concerned matters within the scope of the employees' corporate duties; and (3) the employee was aware of the legal context of the communication.(46) The court determined that employee communications containing information unavailable from upper-echelon management, and yet necessary to "supply a basis for legal advice," were protected by the attorney-client privilege.(47)
As another consideration, in Jonathan Corp. v. Prime Computer, Inc.,(48) the court held that an employee outside the "control group" can waive the privilege through voluntary disclosure of a communication.(49) Jonathan Corp. narrowly interpreted Weintraub as applying only to a corporation in bankruptcy; the court noted that a corporation whose noncontrol group communications benefit from the privilege's protection under Upjohn must accept the risk that a noncontrol group employee will waive the privilege.(50) The employee in Jonathan Corp. was in a position to voluntarily disclose the communication, and the corporation failed to take precautions necessary to preserve confidentiality.(51)
A client can waive the privilege expressly(52) although, more commonly, waiver is implied(53) through conduct that is inconsistent with a reasonable claim of confidentiality, making extension of the privilege unfair.(54) Both the client(55) and the attorney(56) can destroy the confidentiality that supports the privilege. To preserve the privilege, a client must take reasonable precautions to protect confidentiality.(57) Judge Friendly stated, "[I]t is not asking too much to insist that if a client wishes to preserve the privilege ... he must take some affirmative action to preserve confidentiality."(58)
Suburban Sew `N Sweep, Inc. v. Swiss-Bernina, Inc.(59) set forth the standard for determining whether a client has taken reasonable precautions to maintain confidentiality: "(1) the effect on uninhibited consultation between attorney and client of not allowing the privilege in these circumstances; and (2) the ability of the parties to the communication to protect against the disclosures."(60)
It is crucial to note that a third party who is privy to the communication need not be an adversary in litigation for the privilege to be destroyed.(61) In fact, the privilege may be deemed waived even where the third party has access to the communication but has not viewed it.(62)
Waiver of the privilege has been found where documents were stored in a place accessible to third parties,(63) placed in a public hallway for delivery to an attorney,(64) or left on a table in another person's hotel room.(65) The privilege was held waived for documents kept in files routinely viewed by third parties.(66) Inadequate screening procedures, leading to the production of privileged documents for opposing counsel, can also constitute failure to institute reasonable precautions.(67)
Where communications are taken from the client without the client's permission (e.g., through theft or eavesdropping), the disclosure is involuntary and does not constitute waiver if the client has taken reasonable precautions to avoid such an intrusion.(68) Similarly, otherwise privileged wire, oral, or electronic communications intercepted either legally or illegally do not lose their privileged status.(69)
Voluntary waiver occurs when a client voluntarily releases documents to a third party.(70) The release need not have been made in connection with the related legal action to constitute waiver.(71) Certain situations, however, are excepted from the possibility of voluntary waiver. An exception to the voluntary waiver rule is made for joint clients of the same attorney who share a community of interests: there is no waiver where one joint client communicates with the attorney in the presence of the other client,(72) or where the joint clients communicate with one another for purposes of facilitating more effective legal representation.(73) Clients with separate attorneys who have a community of interests may also share attorney-client communications with each other without waiving the privilege.(74)
A client's "inadvertent" disclosure of privileged communications, despite reasonable precautions to protect confidentiality, is viewed by many courts as an exception to voluntary waiver of the privilege.(75) The exception applies where the release of the confidential communications "is sufficiently involuntary and inadvertent as to be inconsistent with a theory of waiver."(76) Some courts determine inadvertence on a case-by-case basis.(77) Factors include "the reasonableness of the precautions to prevent inadvertent disclosure, the time taken to rectify the error, the scope of the discovery and the extent of the disclosure."(78)
Some jurisdictions apply bright-line rules in cases of possible "inadvertent" disclosure. Some courts have held that such disclosure constitutes waiver since confidentiality was in fact breached.(79) Other courts subscribe to the notion that there can be no waiver without intent and hold that inadvertent disclosure can never result in waiver.(80)
The attorney-client privilege applies equally to all forms of communication (e.g., oral, written, photocopied, via a recording); the form of the attorney-client communication is irrelevant to the privilege's application.(81) The use of telefaxes and telecopies, which sometimes pass through the hands of several individuals en route to the intended recipient, raises a confidentiality concern.(82) However, since agents (e.g., secretaries) have had access to confidential letters in the past without conflict, telefaxes and telecopies likely present little risk.(83) The same care that is taken with more conventional modes of communication that involve assistance from third-party agents should be taken with these forms of communication.(84)
B. Electronic Mail
Electronic mail, commonly referred to as e-mail, is a means of transmitting messages or computer files between computers.(85) It has vast appeal and is used by corporate and other private enterprises, universities, government agencies, and individuals.(86)
E-mail is easy to use and affords many advantages over other forms of communication, such as telephones and fax machines.(87) E-mail is fast, requires no physical delivery,(88) and can be sent to more than one recipient by merely adding their e-mail address to the distribution list of users on the system.(89) A group of e-mail users can share information and make decisions over their computers.(90) Since e-mail is created within a computer, it can easily be reused in other computer documents, forwarded to other people, or reviewed and revised by the recipient.(91) E-mail is also asynchronous, in that senders and recipients need not be on their computers at the same time; users can leave each other substantive messages, while eliminating "phone-tag."(92) Moreover, e-mail is comparatively inexpensive(93) and uses no paper.
1. E-mail Transmission and Security
There are both public and private e-mail systems.(94) Public systems are facilitated by communication companies such as MCI Mail and AT&T,(95) while private systems operate through local area networks (LANs), minicomputers, or mainframes.(96) LANs are the fastest growing private-based system(97) used by many corporate legal departments" and law firms.(99)
A LAN is a group of computers, often within a single building, connected together so that information can be sent between computers.(100) LANs can be connected to form a larger network, termed a wide area network (WAN), enabling the computers within the network to communicate with one another.(101) Likewise, a LAN can be connected to the Internet to become a subnet of the Internet.(102) The Internet itself is essentially a single vast network,(103) connecting over 9.5 million users.(104)
A significant security concern facing network users is the threat of eavesdroppers, commonly known as "hackers". A message sent between computers within a network, such as a LAN, remains within that network or system during transmission and is only vulnerable to hackers that are on computers within that network.(105) A message sent to a computer outside the sender's LAN must travel over a larger network, and consequently becomes vulnerable to a greater number of hackers.(106) Generally, the larger the network used for transmission, the less secure the message.(107)
E-mail sent between networks often travels over the Internet; these messages experience a relatively high level of vulnerability compared with messages sent over smaller networks.(108) The many networks that make up the Internet are "interconnected at various points to provide multiple routes to destinations.(109) Information transmitted from one user to another on the Internet usually passes through a number of routers.(110) The information also may pass through subnets of the Internet other than those on which the sender and recipient are located.(111) The intermediate routers and subnets are usually not under the control of either the sender or the recipient;(112) it is possible for the information to remain on an intermediate computer for several seconds.(113) During that time, "[i]t is relatively easy for anyone with access to the intermediate routers or subnets to eavesdrop and/or modify the passing information."(114)
The route of an e-mail message on the Internet, as it seeks an efficient route, appears random.(115) The message is broken up and its parts take different routes(116) to the same destination.(117) While this splintering renders it that much more difficult for an outsider to access a particular communication,(118) this characteristic makes it harder to predict who, or how many outsiders, will have potential access to a communication.
The security risk presented by hackers is heightened by several factors. First, many users connect to the Internet without considering its complexity and dangers.(119) Network access controls on newly installed systems are often pre-set, leaving the networks highly accessible and virtually without security.(120) Access controls are often difficult to "configure and monitor";(121) their "accidental misconfigur[ation] can result in unauthorized access."(122) Network administrators often remain unaware of unauthorized access until they discover it by accident.(123) Users sometimes enhance the danger by storing sensitive information on such network-accessible systems, or setting up guest accounts without passwords.(124)
An information services director at one Los Angeles law firm believes that most law firms lack the technical sophistication to use e-mail safely and should therefore, not use this technology.(125) He noted that the Internet home pages set up by some firms offer little benefit.(126) Yet, these sites can simultaneously increase accessibility to the firm's computer system if the firm does not take precautions against users going further into the system than the firm's home page.(127) Merely having an Internet address gives the outside world "a pointer to your computer," increasing exposure and accessibility.(128)
Additionally, some information transfer services offered on the Internet are inherently vulnerable to hackers.(129) "Ironically, some of these services . . . are widely used to coordinate local area network [LAN] security," and to distribute system resources; exploitation of their vulnerabilities compromises the security of the LANs.(130) Adding to the dangers of e-mail use on the Internet, network administrators often remain unaware of unauthorized access unless discovered accidentally.(131)
2. The Hacker Threat
"Hackers, sometimes called crackers, are a real and present danger to most organizational computer systems linked by networks."(132) Some contend that any system can be accessed by a determined hacker.(133) Hackers break into an organization's system and "compromise the privacy and integrity of data before the unauthorized access is even detected."(134) Hackers sometimes "monitor connections to well-known Internet sites seeking information that would allow them to crack security or to steal valuable information."(135) For instance, officials monitoring access to a Pentagon computer system found that hackers attacked the system 4,300 times during a three-month period in 1995.(136) Hackers can find information that allows them to "spoof," or trick, a network "into permitting normally disallowed network connections."(137) A hacker might attempt to intercept usernames and passwords(138) which are occasionally transmitted over the Internet.(139) The hacker can then use the username and password to "impersonate" the real user, gaining access to the user's host and its resources.(140)
Hackers have various purposes: "Some . . . browse, some steal, some damage."(141) Corporate hackers might attempt to improve their competitive advantage by accessing the computers of other companies or government agencies, seeking "manufacturing and product development information[,] . . . sales and cost data, client lists, and research and planning information."(142) Technological information is the primary target, but hackers also seek "corporate proprietary information such as negotiating positions and other contracting data."(143) This information is likely to be the subject of attorney-client communications in many fields, including intellectual property and commercial law. The threat of hackers therefore must be considered when such information is transmitted by e-mail.
3. Other Dangers of E-mail
Hackers are not the only threat to the security of e-mail communications. Other dangers include: (1) the lack of guaranteed security for transmissions between different e-mail systems; (2) the accessibility of e-mail messages by e-mail providers; (3) the informal use of e-mail which may result in legal problems; (4) the employer's right to read employees' e-mail that is sent over the employer's e-mail system; (5) the disorganization of computerized information in general, and (6) the difficulty of destroying computerized information. These problems are addressed below.
Mistransmissions can occur because different e-mail systems use different addressing schemes.(144) For a message to be sent properly between systems, its address must match the addressing scheme of the recipient's system.(145) If the format does not match, the message will not be delivered or could be delivered to an unintended intended recipient.(146) To facilitate transmission between e-mail systems, a special type of software called a gateway is used which translates addresses from one format to another.(147) Successful transmission requires proper addressing which both indicates which gateway must be used and tells the gateway where to send a message.(148)
Commercial e-mail providers(149) can give transmissions limited guarantees. For example, MCI Mail ("MCI") guarantees messages sent within its system.(150) MCI is capable of tracing e-mail sent within its system, ensuring that it arrives with the correct recipient.(151) However, MCI's ability to trace these messages ends when the messages are transferred to the Internet(152) because MCI has no authority to trace e-mail sent outside its system.(153) Imperfectly addressed messages could be sent to unintended recipients.(154) MCI can trace, however, and thereby guarantee, messages sent between MCI Mail and certain other providers, such as CompuServe and AT&T Mail, because the e-mail does not have to travel over the Internet.(155)
E-mail's accessibility to the e-mail provider itself presents a threat to the security of e-mail communications. Under the Electronic Communications Privacy Act of 1986, system administrators are allowed access to e-mail to the extent necessary to maintain service quality and protect their own rights.(156)
Another danger results from informal use of e-mail.(157) Users tend to view e-mail as more temporary and approach it more spontaneously than paper messages. Consequently, offensive messages might be sent through e-mail that would not otherwise be sent in a formal letter or written inter-office memo.(158) Thus, this informal use of e-mail makes it a potentially large source of damaging information.(159)
Employers and employees have different expectations regarding property rights to e-mail.(160) Employees often regard electronic mail as their private property, equating it to a personal letter.(161) Their belief in the privacy of e-mail communications is reinforced through the required use of passwords.(162) However, employers argue that e-mail is a business resource to be used solely for business purposes. Employers claim e-mail becomes part of the company computer system and, therefore, is company property.(163) They often assert legitimate business reasons for reading employees' email, including the need to be certain that employees do not use computers for personal communications.(164) Some courts have allowed employers to read e-mail sent by employees over the employer's computer system.(165)
Finally, there are matters of practical concern regarding e-mail maintenance. Information stored in a large corporation's computer system is often disorganized(166) and frequently files are not organized into subdirectories.(167) If potentially privileged information is not segregated from non-privileged information, litigation can necessitate the time-consuming task of sorting files.(168) More importantly, if a privileged document leaks out during discovery, the party risks waiver of the privilege. (169)
Furthermore, unlike paper documents, information stored in a computer is difficult to destroy.(170) Deletion does not remove a document from a system. Rather, the document is marked so that it can later be "overwritten" with new information.(171) Remnants of the document remain in the computer until the entire document is overwritten.(172) A computer expert, or a user with an over-the-counter utility program, can retrieve these remnants.(173) Even documents that have been overwritten can be deciphered.(174) Unfortunately, unlike paper documents, many corporations have not applied retention and destruction policies to computer records.(175)
4. Means to Protect E-mail
The security risks discussed above create a need for the protection of e-mail while it is in transit between the sender and the recipient (particularly if it travels over the Internet), and while it is stored in the systems of either the sender or the recipient.
a. Protection of E-mail in Transit
Encryption is one form of protection and should be used for all confidential information that is transmitted over the Internet.(176) Encryption involves the application of complex mathematical transformations to e-mail messages through special bit patterns called keys.(177) Users without the proper key, i.e., unauthorized recipients or browsers, cannot read encrypted messages.(178) One widely-used military-grade encryption program is PGP ("Pretty Good Privacy"), which offers the advantages of public key encryption.(179)
While encryption is relatively simple to implement within an organization, it may not be practically feasible to implement between organizations.(180) In the law firm setting, for example, both the firm and its clients must be equipped with encryption software. Since it is unlikely that all of the firm's clients will have encryption hardware and software,"(181) encryption may be cost-prohibitive to implement.(182) Some firms have found that the effort outweighs the benefit.(183)
b. Protection of E-mail in Storage
Measures to protect messages and other information stored within a computer system include the use of TCP/IP service access policies, authentication, secure gateways,(184) and the partitioning of a firm's systems.(185) A service access policy must assess what types of connectivity with other systems will be permitted."(186) If email is the only needed service, then a firm can restrict other forms of access, such as telnet and ftp, and reduce overall risks.(187) Eliminating unnecessary services makes a network more manageable."(188) Likewise, server hosts, which provide service to other hosts on the Internet,(189) "should activate only those services designated to be provided on that host."(190)
Systems that are accessible either from the Internet or via modem should also use an authentication device to identify anyone seeking access.(191) Passwords, the most common authentication device, can help prevent user impersonation if well-chosen and changed often.(192) Stronger authentication can be achieved via systems which use one-time passwords.(193) Another authentication tool is the digital signature.(194) The digital signature, or "signed" document, tells a recipient, with certainty, both who signed the document and that nothing contained therein has been altered.(195)
Traffic to a network that is connected to the Internet can also be restricted by a firewall.(196) A firewall, or secure gateway, consists of a "collection of systems and routers placed at a site's central connection to a network" which polices traffic to internal systems.(197) A firewall can log and examine all network connections, filter incoming communications, require authentication, restrict access to selected systems, and block particular TCP/IP services.(198) A good general network policy, possible through the use of a firewall, is to provide unrestricted access from internal to external systems, but to allow limited access, other than to e-mail, in the other direction.(199) Generally, access into and out of the network should be limited to only that which is necessary.(200)
A site connected to the Internet should also be partitioned so that internal computer resources are inaccessible.(201) For the same reasons, confidential documents, particularly confidential client data and communications, should not be stored on a publicly accessible system.(202) Furthermore, a publicly accessible system should not be run on a firm's internal network.(203) In general, in dealing with security risks, a site administrator must keep abreast of developments in e-mail security,(204) update site's security accordingly, and know who to contact when security problems arise.(205)
An alternative to network e-mail providers is the use of a direct modem link. With a direct modem link, messages are transmitted directly between modems over telephone lines,(206) using computer systems designed to accept such links.(207) Since these messages do not have to pass through a third-party computer, security risks are minimized.(208) However, a message sent by direct modem link requires that the recipient's modem and computer be available to receive the message at the time it is sent.(209) Provided the recipient is available to receive the message as it arrives, direct modem links may be more secure than communication via network.(210) In fact, there is some preference for direct links over encrypted network communications.(211)
5. E-mail Services Available to Attorneys
E-mail users operate through many types of e-mail providers and services.(212) Commercial e-mail providers include MCI Mail, CompuServe, America Online and Prodigy.(213) Using passwords, these services guarantee system security for messages and files sent and received within the respective individual service.(214) In light of the fact that mail can be stolen from a mailbox, this means of communication is perhaps safer than the United States Postal Service.(215) Generally, commercial services also enable subscribers to send e-mail to other services (e.g., from CompuServe to America Online).(216)
E-mail systems can be particularly useful to legal professionals. For example, a corporate legal department may set up a network, e.g., a LAN, with the corporation's outside counsel.(217) The legal department may also create a central repository of research to which the outside counsel contributes.(218) In addition, a law firm may set up a case management system that is accessible to its clients and through which attorney-client communications can take place.(219)
The bulletin board system ("BBS") is another e-mail service which provides users with access to a common communications area where messages are posted.(220) A BBS can be used for a public or private forum or conference,(221) and can be useful for lawyers working collectively on a particular matter.(222) This system, how ever, does present some privacy concerns. The messages posted on a BBS, unless encrypted, are never truly private because they are accessible to those who run the BBS.(223)
Legal-specific electronic information services are now available for use by both in-house and outside counsel to facilitate electronic communication between members of the service and to provide access to various on-line databases.(224) These services include Lexis Counsel Connect, Law Journal Extra, West Network, Microsoft's Windows `95 Legal Forum and ABA/Net.(225)
III. APPLICATION OF THE ATTORNEY-CLIENT PRIVILEGE TO ELECTRONIC MAIL
Federal and state courts have yet to universally apply the attorney-client privilege to e-mail, which inherently poses security risks. Congress addressed the possibility that privilege-related issues might arise in the 1986 amendments to the Omnibus Crime Control and Safe Streets Act of 1968 (the "Wiretap Act"), which regulates private and governmental interception of wire, oral, and electronic communications.(226) The Act provides: "No otherwise privileged wire, oral, or electronic communication intercepted in accordance with, or in violation of, the provisions of this chapter shall lose its privileged character."(227) This section "incorporates into [the Wiretap Act] the relevant state law of privileged communications."(228) Thus, section 2517(4) does not, by itself, guarantee the preservation of the attorney-client privilege where e-mail communications are intercepted by a third party.(229) The common law attorney-client privilege must still be applied.
A. The Confidentiality of Attorney-Client E-mail
The attorney-client privilege is strictly construed,(230) and thus should not be completely immune to e-mail's substantial security risks.(231) The privilege's requirements clearly suggest that e-mail should be used cautiously: Clients and attorneys must intend confidentiality(232) and must take reasonable precautions to maintain it.(233) Specifically, they must guard against casual third party listeners,(234) as well as willful eavesdroppers.(235) Illegality or lack of etiquette in the third party's conduct are not factors; courts focus instead on the conduct of the sender and the recipient.(236) Further more, mere accessibility to a third party can destroy the privilege, even if that party does not actually hear or see the communication.(237) Finally, some courts take away the privilege where confidentiality has in fact been breached.(238)
Judge Friendly's remark bears repeating: "It is not asking too much to insist that if a client wishes to preserve the privilege ... he must take some affirmative action to preserve confidentiality."(239) In the same vein, the District of Columbia Circuit Court of Appeals placed the burden on the client to "treat the confidentiality of attorney-client communications like jewels--if not crown jewels."(240)
The above-mentioned precedents suggest that the privilege's protections should not be extended to all e-mail, regardless of the amount of security risk involved. Instead, courts should make case-by-case determinations based on the amount of risk that particular e-mail communications entail.(241) Hackers pose a significant threat, and concrete measures to enhance e-mail security are readily available. Attorney-client communications would not be unduly hindered if courts restrained reckless use of e-mail.(242) How ever, since e-mail is efficient and convenient, courts should not completely curtail the use of e-mail by attorneys and their clients.(243)
1. A List of Factors
A court must essentially decide whether both attorney and client have adequately protected their e-mail communications against the security threat they face.(244) The threat to e-mail security varies, depending on the attractiveness of the e-mail user to hackers,(245) and the size of the network used.(246) The resulting threat must be countered with protective measures.(247) From the interplay among these factors arises an overall security risk that varies among different e-mail users. The next section illustrates this interplay.
2. A Basic Principle: Big Targets Need Big Armor
A user's attractiveness to hackers turns on the identity and nature of the user and the subject of the communication. Certain types of users attract more hackers than others. The Pentagon, for example, endures a number of hacker attacks on a daily basis.(248) Digital Corp.'s computer system was successfully assaulted by a hacker for over a year; despite the company's advanced protective measures, the hacker accessed valuable information before the corporation could retaliate.(249) Some hackers are drawn to technological information, while others seek product development information, negotiating positions and contracting data.(250) Some hackers only browse.(251)
Use of a large network enhances the hacker threat, since larger networks are accessible to proportionally more hackers. A serious security risk might arise where a client with valuable technological information communicates with an attorney over a vast, unsecured network like the Internet.(252) In such situations, the danger of a security breach will be great unless adequate measures are taken to guard confidentiality. The serious security breaches experienced by the Pentagon and Digital Corp. necessitated strong precautionary measures.(253)
Thus, where client and attorney have taken significant protective measures to counter a significant hacker threat, sufficient to support a reasonable expectation of confidentiality, and an actual breach nevertheless occurs, i.e., an e-mail message is actually exposed to a third party, courts should preserve the privilege. However, where client and attorney have failed to take protective measures despite a particularly high security risk, courts should find no attorney-client privilege exists if an actual breach occurs.(254)
A low-profile client who draws little hacker interest probably requires less protective measures to maintain the confidentiality of attorney-client e-mail communications. Thus, during a minor personal injury suit between two ordinary individuals, lesser protective measures might constitute reasonable precaution and preserve the privilege,(255) unless or until a high-profile insurance company becomes involved.
One could argue that the difficulty of proving an actual breach of e-mail security supports applying a stricter standard. A client's e-mail message to an attorney may be intercepted by a third-party hacker without the knowledge of the client or the client's adversary. Also, litigants might not disclose intrusions into their computer systems, thereby creating an impression that their systems are secure. Finally, a party who obtains an adversary's e-mail communication by hacking would not try to introduce the communication into evidence, given the possible penalties for hacking,(256) and yet might use the intercepted information to its advantage. Courts might give the privilege's reasonable precaution standard teeth by taking the privilege away from those who do not actively counter a high security risk, regardless of whether an actual breach of confidentiality has been proved. However, this rule might chill the use of a valuable communication medium.(257)
B. Application of the Privilege to Particular Situations
1. Unrelated Clients of the Same Firm
Joint clients represented by the same attorney cannot endanger each others' privilege as against a common adversary.(258) However, unrelated clients sharing the same attorney may place one another at risk.(259) Dangers can easily arise where a law firm connects its network to those of two or more of its clients. Clients may monitor communications transmitted through local networks and gain access to the communications of other clients. Additionally, if each client's access is not limited, or if partitions are not created between the systems accessible to each client,(260) then each client can potentially access the stored communications of another client. Finally, an attorney can easily send a message to the wrong client with the press of an incorrect button.
2. Organization and Maintenance of Stored E-mail
If potentially privileged information is not segregated from nonprivileged information, litigation can necessitate the time consuming task of sorting files.(261) Since computer files have a tendency to become disorganized,(262) attorneys and clients should take particular care in separating privileged e-mail from unprivileged e-mail when it is stored in a computer. If screening procedures are inadequate, accidental disclosure of a privileged document during discovery could constitute voluntary waiver of the privilege.(263) Of course, where reasonable screening procedures are employed, such disclosure may be considered "inadvertent" and thus would not constitute waiver.(264)
Some practitioners suggest that most e-mail can and should be destroyed immediately after it is read by its recipient.(265) E-mail users who purge their communications must take care to completely destroy what they intend to destroy. A document that has been deleted from a computer can be accessed and read as long as the document has not been completely overwritten.(266) Deleted e-mail may still be accessible to hackers, and thus may be vulnerable to loss of the privilege.(267)
3. Corporate Clients
Generally, only those within a corporation's "control group" (the officers and directors) have authority to waive the privilege.(268) However, at least one court has held that an employee outside the control group can waive the privilege.(269) In any case, corporations must ensure that any employees who can possibly waive the privilege know of, and guard against, the risks associated with e-mail. Employees should be told not to re-route privileged communications to third parties. Additionally, the computers and communications of all employees covered by the privilege must be protected from third-party accessibility. A corporation may even have to guard confidential communications from its own employees, even though they are not third parties for purposes of the privilege.(270)
4. Employee's E-Mail is Property of Employer
Confidentiality concerns arise in the question whether e-mail left in an employee's workplace computer is the property of the employee or the employer. If the employee uses the computer to communicate with an attorney and the communications in the computer are the employer's property (and thus are accessible to the employer), the employee's privilege may be destroyed. Some courts have held that employers can read e-mail sent over their computer systems;(271) thus, employees should not communicate with their attorneys via e-mail through the workplace computers.
5. Accessibility to E-Mail Providers and Imperfect E-Mail Transmission
E-mail providers are allowed access to e-mail to the extent necessary to maintain service quality and to protect the provider's rights.(272) This accessibility should not endanger the privilege since the access is quite limited. Moreover, e-mail providers are functionally similar to other persons serving agency roles who have not threatened the privilege in the past, e.g., secretaries.(273)
An e-mail communication may unexpectedly be sent to a third party because of imperfections in transmission between networks or providers.(274) Unless transmissions are consistently erratic, such that the client and attorney should know that a substantial risk to confidentiality exists, courts should find by mistransmission "inadvertent" and preserve the privilege's protection.(275) Where transmissions are consistently unpredictable, the use of encryption should constitute a reasonable precaution against breach of confidentiality.
Even if it is illegal or socially unacceptable for an accidental e-mail recipient to read a misdirected e-mail message, neither status will necessarily preserve the privilege; the crucial issue is whether the client took reasonable precautions to preserve confidentiality.(276)
6. General Practitioners
All attorney-client e-mail communications should be protected. Large corporate clients, clients who have trade secrets, and other clients that might attract hackers should take particular care; so should their attorneys. A client and attorney should use a direct modem link, a small private network, or the same commercial provider(277) rather than the Internet. For clients and attorneys connected to the Internet, encryption should provide protection adequate to maintain the privilege. However, it may be cost-prohibitive to implement.(278)
Computer systems should be protected with strong passwords, digital signatures, firewalls, and service access policies.(279) Computers connected to the Internet should be partitioned from computers in which attorney-client communications and other confidential information are stored. Firms should also establish usage policies and controls.(280)
Finally, confidential communications should be explicitly designated as privileged, confidential, and intended only for the stated recipient.(281)
C. Survey of Law Firms
A survey of eighteen large law firms revealed their attitudes towards e-mail and the precautions they take to maintain security. The firms included eleven from New York City (Manhattan), six from New Jersey, and one from Los Angeles.(282) The results were as follows:
Questions Yes No Do you allow attorney-client 14 4 communication via e-mail? Do you allow attorney-client 6 8 e-mail communication via the Internet? Are you concerned about 18 0 the security of e-mail? Are you concerned about 16 2 losing the attorney-client privilege due to e-mail use? Are you concerned that 2 7 the administrator of your e-mail system (e.g., MCI Mail) has access to your e-mail? Do you use encryption 13 5 when communicating with clients online? Do you use direct 6 12 modem links? Do you purge stored e-mail 5 5 messages regularly? Do you have an e-mail 12 4 policy with respect to attorney-client e-mail communications? Questions Notes Do you allow attorney-client Of the fourteen e-mail users, communication via e-mail? ten firms limit e-mail use to non-confidential communications. Do you allow attorney-client Of the six Internet users, e-mail four firms limit use to communication via the generic communications, Internet? and two advise attorneys and clients of the risks. Are you concerned about All firms surveyed were the security of e-mail? concerned about the security of attorney-client communication via e-mail. Are you concerned about Only four firms considered losing the attorney-client the threat serious enough privilege due to e-mail to bar attorney-client use? e-mail communication. Are you concerned that The other firms surveyed the administrator of your expressed no opinion. e-mail system (e.g., MCI Mail) has access to your e-mail? Do you use encryption Of the nine firms who use when communicating with encryption, four limit its clients online? use because it is time-consuming and difficult. Do you use direct Four of the six firms noted modem links? they use direct links specifically for highly confidential communications. Do you purge stored e-mail Two other firms noted that messages regularly? attorneys may purge their e-mail messages at their own discretion. The other firms surveyed either had no purging policy or did not know. Do you have an e-mail Two other firms are policy with respect to formulating e-mail policies. attorney-client e-mail communications?
While many firms use some form of e-mail to communicate with clients, security concerns are widespread. Many firms do not allow Internet communication with clients. Of those that do, very few allow confidential Internet communications. Although pressure to use e-mail is strong-the clients of four firms have asked or requested the firm to communicate by e-mail--firms often place limits on e-mail use and institute protective measures. Many firms fear losing the attorney-client privilege.(283)
Firms often protect confidential messages en route either through encryption or by using direct modem links. Although encryption is popular,(284) its use is often limited because it is complicated to use and administer.(285) Six firms use direct connections; four firms use them specifically for highly confidential communications.(286)
Some firms seek security by using commercial providers and requiring clients to use the same provider.(287) Firms secure their computer systems by using passwords (seven firms) and by partitioning their e-mail systems from the rest of their computer systems (four firms). Only one firm has a home page.
The firms expressed little concern regarding the accessibility of e-mail to system administrators, although they knew such access was possible. The firms considered the resulting disclosure insufficient to destroy the attorney-client privilege.
Although caution is the norm, there is wide variation in the strictness of e-mail policies. Some firms allow no e-mail communication with clients at all. One firm only allows e-mail for generic matters, whether or not encryption is used. Another firm requires that all computer communications with clients be encrypted or sent via direct modem link. Meanwhile, some firms let the individual attorneys and clients make decisions regarding e-mail usage, after advising them of the security risks.
The efficiency of e-mail demands that the legal profession be able to use this technology. Attorneys must be able to match the communication methods of their clients. However, attorneys must address the significant security threat that accompanies e-mail; otherwise, the confidentiality that supports the attorney-client privilege may be destroyed. Measures to protect against the risks of e-mail are readily available. Courts should apply the privilege to e-mail on a case-by-case basis and consider both the level of risk a client and attorney faced and the protective measures taken.
The technology and methods used in the transmission of e-mail continue to develop at a rapid rate.(288) As encryption gains wider use, e-mail is likely to become more secure. Meanwhile, attorneys and their clients who use e-mail should err on the side of caution to ensure the preservation of the attorney-client privilege.
(1.) This debate has appeared in many sectors, including legal and business circles and, of course, the computer press.
(2.) Charles Merrill, chair of the computer and high-technology practice group at McCarter & English predicted: "There will come a case where an attorney had the tools available to maintain confidentiality but did not use them, and will be liable for that failure." David P. Vandagriff, Who's Been Reading Your E-Mail, ABA Journal, May, 1995, at 98. Merrill noted that it is only a matter of time before a confidential attorney-client e-mail communication is intercepted. See id; Gary H. Anthes, Net Attacks Up, Defense Down, Computer World, Jan. 15, 1996, at 71 (noting that attacks against networked computers are on the rise); Suruchi Mohan, E-Mail Security Ignore: Directory Standards Exist but Enforcement Lacking, ComputerWorld, Sept. 25, 1995, at 53 (likening use of a public e-mail system without encryption to "sending an important message on a postcard").
(3.) See Gary H. Anthes, Internet Security Split: Lack of Security is No Obstacle, ComputerWorld, Aug. 28, 1995, at 59 ("[T]he risk in the U.S. from casual hackers or even pros with supercomputers is, as mathematicians like to say, `vanishingly small'."); Mohan, supra note 2, at 53 (commenting on the minimal attention paid to e-mail security risks by "most companies").
(4.) Attorneys should also consider e-mail security in connection with attorneys' ethical duty of confidentiality, under which an attorney can be disciplined for disclosing a client's confidential information (including communications) without the client's consent. See Model Rules of Professional Conduct Rule 1.6(a) (1983); Model Code of Professional Responsibility DR 4-101(B)(1) (1980). Most states have adopted the ABA's Model Rules; others continue to use its predecessor, the ABA's Model Code. The issue of e-mail security also bears on the attorney's duty of competent representation. See DR 6-101(A).
(5.) See Fed. R. Civ. P. 34(a) (comment to the 1970 Amendment); see also Crown Life Ins. Co. v. Craig, 995 F.2d 1376, 1383 (7th Cir. 1993) (construing Rule 34 to include computer data).
(6.) See infra notes 42-51 and accompanying text.
(7.) See infra notes 87-93 and accompanying text.
(8.) See, e.g., In re Sealed Case, 877 F.2d 976, 979 (D.C. Cir. 1989) (holding that communications sent by both the attorney and the client are protected).
(9.) 449 U.S. 383(1981).
(10.) Id. at 389.
(11.) See id.
(12.) See id. (citing Hunt v. Blackburn, 128 U.S. 464, 470 (1888)).
(13.) 8 Wigmore, Evidence [sections] 2291 (McNaughton rev. ed. 1961). The privilege "should be strictly confined within the narrowest possible limits underlying its purpose." United States v. Goldberger & Dubin, P.C., 935 F.2d 501, 504 (2d Cir. 1991).
(14.) See Admiral Ins. Co. v. United States District Court of Arizona, 881 F.2d 1486 (9th Cir. 1989). These factors are widely-accepted. However, courts may vary in their treatment of elements of the privilege. See id. at 1492. The court adopted these elements from Wigmore, supra note 13, [sections] 2292.
(15.) See In re Fischel, 557 F.2d 209, 211-12 (9th Cir. 1977) (holding that attorney's summaries of client's business transactions did not reveal confidential communications from the client, and thus did not fall within the privilege). The privilege was extended to papers prepared by the attorney for the purpose of advising the client, "provided the papers [were] based on and would tend to reveal the client's confidential communications." Id. at 211.
(16.) See Upjohn Co. v. United States, 449 U.S. 383, 395 (1981).
(17.) See United States v. Gann, 732 F.2d 714, 723 (9th Cir. 1984) (finding that a party did not intend his phone conversation with his attorney to be confidential since he knew that a police officer could hear the conversation).
(18.) Another possible issue that could arise in the context of e-mail, which will be discussed only briefly in this footnote, is whether legal advice has been sought. To obtain the privilege's protection, a client must communicate with an attorney with the intent to obtain legal advice or assistance. See Coastal States Gas Corp. v. Department of Energy, 617 F.2d 854, 862 (D.C. Cir. 1980) (stating that the privilege extends to all communications in which attorney's advice is sought on a legal matter). The communication need not be made in the context of litigation or a specific dispute; rather, general legal advice is sufficient. See id.
The Supreme Court has held that for a client's confidential communication to be protected, it must be a communication "necessary to obtain informed legal advice--which might not have been made absent the privilege." Fisher v. United States, 425 U.S. 391, 403 (1976) (holding that documents transferred by client to attorney, in order to obtain legal assistance, were privileged).
Some courts interpret Fisher loosely, holding that the attorney-client privilege covers communications which the client reasonably believes are necessary to the decision-making process regarding a problem on which legal advice is sought. See, e.g., In re Ampicillin Antitrust Litig., 81 F.R.D. 377, 385 (D.D.C. 1978) (stating that the privilege extended to communications which the client reasonably believed contained information necessary to obtain legal advice).
The status of the attorney is also an important factor in determining a client's intent. Consultations with outside counsel working in a strictly legal capacity are presumed to be held for the purpose of obtaining legal advice or assistance. See Diversified Indus., Inc. v. Meredith, 572 F.2d 596, 610 (8th Cir. 1977) (quoting 8 Wigmore, supra note 13, [sections] 2296 ("[A] matter committed to a professional legal advisor is prima facie so committed for the sake of the legal advice ...." (emphasis omitted)). In-house counsel may have non-legal responsibilities and, consequently, do not operate under this presumption. See In re Sealed Case, 737 F.2d 94, 99 (D.D.C. 1984) (finding in-house counsel's advice was protected only upon a clear showing that the attorney "gave it in a professional legal capacity"). An issue may arise as to whether the communication was primarily intended to be a communication with legal counsel (e.g., when business memoranda are sent to in-house legal counsel and to other employees concerned with both business and legal aspects of the documents). See Paul R. Rice et al., Attorney-Client Privilege in The United States [sections] 7:2 (1993). Additionally, the communications must be primarily legal to retain the privilege. See Barr Marine Prods. Co. v. Borg-Warner Corp., 84 F.R.D. 631, 635 (E.D. Pa. 1979) ("The privilege is not necessarily lost when non-legal information is part of a communication seeking or giving legal advice.").
(19.) United States v. Melvin, 650 F.2d 641, 645 (5th Cir. Unit B July 1981). The purpose of prohibiting disclosure, which is to encourage frank communication between the client and the attorney, ends when the client does not appear to have desired confidentiality. See Wigmore, supra note 13, [sections] 2311.
(20.) See Rice et al., supra note 18, [sections] 6:1.
(21.) See id.
(22.) See, e.g., Harris v. United States, 413 F.2d 316, 319-20 (9th Cir. 1969) (finding that a client's personal check to an attorney is not protected by the privilege because third party bank employees must see the check in order for the check to clear).
(23.) See, e.g., United States v. Gann, 732 F.2d 714, 723 (9th Cir. 1984) (holding that the privilege must fail where defendant made statements while surrounded by police officers searching his residence); see also Bower v. Weisman, 669 F. Supp. 602, 606 (S.D.N.Y. 1987) ("While not quite as careless as communicating in an elevator, leaving a document out on a table (as opposed to putting it in a briefcase or in a drawer) in a public room in a suite in which another person is staying is insufficient to demonstrate [defendant's] objective interest in its confidentiality.").
(24.) See, e.g., United States v. Blasco, 702 F.2d 1315, 1329 (11th Cir. 1983) (finding that conversation in a public hallway "loud enough for any casual passerby to hear" belied confidentiality, even though confidentiality was clearly intended).
(25.) See, e.g., Bower, 669 F. Supp. at 605-06 (holding that leaving a letter on a table in a public room demonstrated a lack of interest in confidentiality).
(26.) See McCormick on Evidence [sections] 91 (Cleary ed. 1972), quoted in Winchester Capital Management Co. v. Manufacturers Hanover Trust Co., 144 F.R.D. 170, 174 (D. Mass. 1992) (holding that party failed to demonstrate intention to maintain confidentiality by showing no indication of intent other than the fact that communication was between client and attorney).
(27.) See American Health Sys., Inc. v. Liberty Health Sys., No. 90-3112, 1991 U.S. Dist. LEXIS 18368, at **7 (E.D. Pa. Dec. 24, 1991) ("[T]he test of confidentiality is not whether the documents are so marked, but whether the communication was made in the presence of or disclosed to someone other than the client or attorney."); see also Wigmore, supra note 13, [sections] 2311 (stating that an express request for secrecy is not required; circumstances are to indicate whether confidentiality was intended).
(28.) See United States v. Exxon Corp., 87 F.R.D. 624, 638 (D.D.C. 1980) ("[W]ide dissemination does indicate a likelihood that the communication was not confidential," but such dissemination is "surely not determinative.").
(29.) See In re Grand Jury Proceedings, 727 F.2d 1352, 1358 (4th Cir. 1984) (holding privilege did not apply to information given by client to attorney to assist in preparation of a prospectus which was to be published for others, even though prospectus was never actually issued).
(30.) See United States v. Blasco, 702 F.2d 1315, 1329 (11th Cir. 1983) (holding that since the conversation took place in a public hallway, surrounding circumstances belied confidentiality); Rice et al., supra note 18, [sections] 6:6. Neither a client's status as an attorney, see ConAgra, Inc. v. Sammons, Misc. No. 4-84-7 (D. Minn. Dec. 17, 1984) (LEXIS, Genfed Library, Dist File), nor an attorney's conflict of interest, see Eureka Inv. Corp., N.V. v. Chicago Title Ins. Co., 743 F.2d 932, 937-38 (D.C. Cir. 1984) (holding that client should not be deprived of the privilege because of attorney's conflict of interest or attorney's ethically questionable conduct), is a factor in the determination of the client's anticipation of confidentiality. Consideration is not given to an attorney's subsequent decision that he cannot represent a client. See In re Grand Jury Proceedings (Auclair), 961 F.2d 65, 70 (5th Cir. 1992) (stating that the impracticability of joint representation cannot defeat the privilege's protection).
(31.) See McCormick, supra note 26, [sections] 91; Rice et al., supra note 18, [sections] 6:7.
(32.) See United States v. Gordon-Nikkar, 518 F.2d 972, 975 (5th Cir. 1975) (finding that a communication revealed to strangers or outsiders cannot be considered confidential).
(33.) See United Coal Cos. v. Powell Constr. Co., 839 F.2d 958, 965 (3d Cir. 1988) (stating that where an attorney represents two clients, "the privilege applies to those clients as against a common adversary").
(34.) See United States v. Melvin, 650 F.2d 641, 646 (5th Cir. Unit B July 1981) (stating that the privilege protects confidential communications among attorneys and their clients for purposes of a common defense).
(35.) McCormick, supra note 26, [sections] 91.
(36.) 737 F.2d 94, 102 (D.C. Cir. 1984).
(37.) Id. at 102.
(38.) See First Interstate Bank v. National Bank & Trust Co., 127 F.R.D. 186, 189 (D. Or. 1989) (holding the privilege waived although the accountant had not looked at the document); see also Bowne of New York City, Inc. v. Ambase Corp., 150 F.R.D. 465 (S.D.N.Y. 1993) (holding the privilege is vitiated if other people are privy to the communication for purposes other than legal advice).
(39.) See, e.g., Colton v. United States, 306 F.2d 633, 638 (2d Cir. 1962) (stating that information transmitted to attorney so attorney could prepare tax return "is given for transmittal by the attorney to [the IRS]" and, thus, is not confidential).
(40.) See Rice et al., supra note 18, [sections] 6:5; see also United States v. Blasco, 702 F.2d 1315, 1329 (11th Cir. 1983) (Ending that conversation in public hallway, loud enough for a casual passerby to hear, "belie[s] confidentiality," although the content of the conversation was clearly intended to be confidential).
(41.) See, e.g., Jarvis, Inc. v. AT&T, 84 F.R.D. 286, 292 (D. Colo. 1979) (finding confidentiality questionable where corporation's documents could routinely be viewed by employees).
(42.) See Rice et al., supra note 18, [sections] 9:1; see also Velsicol Chem. Corp. v. Parsons, 561 F.2d 671, 674-75 (7th Cir. 1977) (holding privilege was waived by in-house counsel who had authority and testified under that authority). Third parties who are neither agents of the client nor successors-in-interest to the client generally do not have the power to waive the client's privilege. See Rice et al., supra note 18, [sections] 9:11; see also Sax v. Sax, 136 F.R.D. 541, 542 (D. Mass. 1991) (finding that waiver of the privilege by one party to the litigation does not result in waiver by another party). One joint client generally may not unilaterally waive the privilege. See, e.g., United States v. Stotts, 870 F.2d 288, 290 (5th Cir. 1989) (holding that a criminal defendant cannot have his attorney testify as to confidential attorney-client statements made by codefendants if those codefendants object); Rice et al., supra note 18, [sections] 9:3.
(43.) 471 U.S. 343 (1985).
(44.) See id. at 348-49 (holding that a trustee in bankruptcy proceeding who had assumed managerial powers could waive the privilege). Courts generally use the "control group" test despite the fact that any employee with access to confidential communications could destroy that confidentiality by disclosing the communications to third parties. See Rice et al., supra note 18, [sections] 9:7.
(45.) 449 U.S. 383 (1981).
(46.) See id. at 394. Upjohn rejected the "control group test," see id. at 397, which limited the privilege's protection to communications by any employee in a position to control or take a substantial part in a decision regarding any action the corporation may take upon the attorney's advice. See City of Philadelphia v. Westinghouse Elec. Corp., 210 F. Supp. 483, 485 (E.D. Pa. 1963).
The "subject matter test," an alternative to the "control group test," was set forth in Harper & Row Publishers, Inc. v. Decker, 423 F.2d 487 (7th Cir. 1970). Under this test, a communication made by an employee who is not a member of the corporation's control group may still be protected where the employee makes the communication at a superior's direction, and where the subject matter of the communication and the legal advice sought is the employee's performance of the duties of employment. See id. at 491-92. A minority of courts have adopted the subject matter test. See Rice et al., supra note 18, [sections] 4:14 n.94; see also Diversified Indus., Inc. v. Meredith, 572 F.2d 596 (8th Cir. 1977) (en banc) (holding that a client must communicate with an attorney seeking legal advice in order for the privilege to apply); In re Sealed Case, 737 F.2d 94, 99 (D. D.C. 1984) (finding in-house counsel's advice was protected only upon a clear showing that the attorney "gave it in a professional legal capacity").
(47.) Upjohn, 449 U.S. at 394. Upjohn's broad protection of communications between corporate employees and corporate counsel was founded on the proposition that "[a]pplication of the attorney-client privilege to communications [from corporate employees to corporate counsel] puts the adversary in no worse position than if the communications had never taken place." Id. at 395.
(48.) 114 F.R.D. 693 (E.D. Va. 1987).
(49.) See id at 698-700.
(50.) See id, see also supra notes 11-13 and accompanying text.
(51.) See Jonathan Corp., 114 F.R.D. at 700.
(52.) See, e.g., Commodity Futures Trading Comm'n v. Weintraub, 449 U.S. 3 83, 348-49 (1985) (holding that the trustees of a corporation can expressly waive the privilege).
(53.) See Rice et al., supra note 18, [sections] 9:22.
(54.) See Bieter Co. v. Blomquist, 156 F.R.D. 173, 176 (D. Minn. 1994) (noting that determinations regarding implied waiver include two considerations: "(1) implied intention, and (2) fairness and consistency").
(55.) See, e.g., United States v. Mendelsohn, 896 F.2d 1183, 1189 (9th Cir. 1990) (stating that client's intent or lack of intent to waive the privilege was not dispositive); see also McCormick, supra note 26, [sections] 93; Wigmore, supra note 13, [sections] 2327.
Some courts, however, hold that waiver must be intentional. See, e.g., Eisenberg v. Gagnon, 766 F.2d 770, 788 (3d Cir. 1985) (finding that "the waiver must be knowing").
(56.) See In re Grand Jury Investigation of Ocean Transp., 604 F.2d 672, 674-75 (D.C. Cir. 1979) (holding privilege was waived where attorney accidentally disclosed privileged documents in response to subpoena). Some courts have held that an attorney's negligence does not waive the privilege. See, e.g., Rice et al., supra note 18, [sections] 9:73.
It is unclear to whom within a corporation the rules of implied waiver apply. This Note proposes that the logic of Jonathan Corp. should control. For instance, employees placed in a position to disclose privileged communications should be required to take reasonable precautions to maintain confidentiality. See Jonathan Corp. 114 F.R.D. at 700.
(57.) See In re Horowitz, 482 F.2d 72, 80-82 (2d Cir. 1973) (finding precautions to protect confidentiality insufficient where client let accountant review attorney-client communications for non-legal purposes); Parkway Gallery Furniture, Inc. v. Kittinger/Pennsylvania House Group, Inc., 116 F.R.D. 46, 50-51 (M.D.N.C. 1987) (holding that privilege was waived where parry did not take reasonable precautions in reviewing documents before disclosure during discovery).
Where a client fails to take such reasonable precautions, the scope of the resulting waiver is limited to the actual documents disclosed. See In re Horowitz, 482 F.2d at 82; Rice et al., supra note 18, [sections] 9:24. However, a client may not disclose communications favorable to his position while hiding related unfavorable communications; waiver will apply to all the relevant communications. See, e.g., In re Martin Marietta Corp., 856 F.2d 619, 623-24 (4th Cir. 1988) (holding that where a client submitted paper to United States Attorney's Office against its indictment summarizing privileged communications, privilege was deemed waived for the paper and for the underlying communications). Such maneuvering does not usually occur when there is an unintentional failure to take reasonable precautions to maintain confidentiality; thus, the scope of the waiver is limited to the documents actually disclosed. See Golden Valley Microwave Foods, Inc. v. Weaver Popcorn Co., 132 F.R.D. 204, 208 (N.D. Ind. 1990); Rice et al., supra note 18, [sections] 9:24.
(58.) Horowitz, 482 F.2d at 82. Judge Friendly also noted that "[flaking or failing to take precautions may be considered as bearing on intent to preserve confidentiality." Id. at 82 n. 10.
(59.) 91 F.R.D. 254 (N.D. Ill. 1981).
(60.) Id. at 260 (holding that privilege was waived where client disposed of documents into a waste basket and the documents were later retrieved from a dumpster by a third party).
(61.) See, e.g., Horowitz, 482 F.2d at 82 (finding precautions to protect confidentiality insufficient where client let accountant review attorney-client communications for non-legal purposes); McCormick, supra note 26, [sections] 91 (stating privilege can be destroyed by presence of a "casual disinterested" third party).
(62.) See, e.g., First Interstate Bank v. National Bank & Trust Co., 127 F.R.D. 186, 189 (D. Or. 1989) (deeming privilege waived where client had her accountant deliver communications to her attorney, although accountant had not read the materials). But see In re Sealed Case, 737 F.2d 94, 102 & n. 13 (D.C. Cir. 1984) (holding that the privilege applied to a conversation in an airplane, while noting that "[t]here were no other parties to the conversation .... [T]here [was also] no evidence that the discussion was overheard by anyone either passing or seated nearby.").
(63.) See, e.g., Horowitz, 482 F.2d at 82 (stating that the privilege was waived when documents were stored in an accountant's office).
(64.) See In re Victor, 422 F. Supp. 475, 476 (S.D.N.Y. 1976).
(65.) See Bower v. Weisman, 669 F. Supp. 602, 605-06 (S.D.N.Y. 1987) ("leaving a document out on a table (as opposed to putting it in a briefcase or in a drawer) in a public room in a suite in which another person is staying is insufficient to demonstrate [client's] objective interest in its confidentiality").
(66.) See Jarvis, Inc. v. American Tel. & Tel. Co., 84 F.R.D. 286 (D. Colo. 1979).
(67.) See, e.g., Advanced Med., Inc. v. Arden Med. Sys., Inc., No. 87-3059, 1988 U.S. Dist. LEXIS 7297 (E.D. Pa. July 18, 1988) (disallowing privilege where client, during discovery, disclosed to opposing side privileged documents interspersed with many ordinary business documents).
(68.) See, e.g., In re Grand Jury Proceedings, 727 F.2d 1352, 1356 (4th Cir. 1984) (noting privilege may be lost where reasonable steps are not taken to avoid eavesdroppers); In re Dayco Corp. Derivative Sec. Litig., 102 F.R.D. 468, 470 (S.D. Ohio 1984) (finding no waiver where client's privileged document came into reporter's possession and was published, all without client's permission). "[C]ommunications which were intended to be confidential but are intercepted despite reasonable precautions remain privileged .... If ... the communication takes place in a crowded elevator the client should expect that there will be persons listening and he will be taken not to have intended the statements to be in confidence." J. Weinstein & M. Berger, Weinstein's Evidence, [paragraph] 503(a)(4), at 503-31 (1982 ed.); see also McCormick, supra note 26, [sections] 91; Rice et al., supra note 18, [sections] 9:23. However, the client must establish that the possession of the privileged communications by a third party is due to theft or deceit. See Status Time Corp. v. Sharp Elecs. Corp., 95 F.R.D. 27, 34 (S.D.N.Y. 1982).
Illegal seizure of confidential communications by government officials does not end the privilege's protection. See, e.g., Klitzman, Klitzman & Gallagher v. Krut, 744 F.2d 955, 960-61 (3d Cir. 1984) (holding privilege was maintained for clients of attorney whose office was illegally searched).
(69.) See 18 U.S.C. [sections] 2517(4) (1994); see also infra note 227 and accompanying text. Intentional interception of any wire, oral, or electronic communication, and the disclosure or use of any communication known to be intercepted, with certain exceptions, is prohibited. See 18 U.S.C. [sections] 2511(1). "`Electronic communication' means any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce . . . ." Id. [sections] 2510(12).
Violators may be fined, imprisoned, or both. See [sections] 2511(4)(a). A person whose communications are intercepted, disclosed, or used in violation of this Act may bring a civil action seeking relief, including damages. See [sections] 2520. Aggrieved persons can also move to suppress unlawfully intercepted communications. See [sections] 2518(10)(a)(i).
Exceptions to the prohibition are provided for persons acting under communication service providers, the Federal Communications Commission, color of law, or the United States. See [sections] 251](2)(a)-(c), (e). Interception is also not prohibited if it is by a party to the communication, see [sections] 2511(2)(d), or if it is of a communication "readily accessible to the general public," see [sections] 2511(2)(g).
Upon application approved by the United States Attorney General, a federal judge may authorize the interception of wire, oral, or electronic communications by the Federal Bureau of Investigation or other federal investigatory agency when the interception may provide evidence of certain enumerated offenses. See [sections] 2516(l). Equivalent powers are provided to state-level law enforcement agencies. See [sections] 2516(2). Interceptions under section 2516 must "be conducted in such a way as to minimize the interception of communications not otherwise subject to interception under [the Wiretap Act], and must terminate upon attainment of the authorized objective...." [sections] 2518(5).
Law enforcement officers who have obtained knowledge of the contents of intercepted communications under authorization of this Act may disclose and use such contents in the performance of his/her duties. See [sections] 2517(1), (2). Furthermore, any person who receives information concerning an intercepted communication in accordance with this Act may disclose the contents of that communication while giving testimony. See [sections] 2517(3). Intercepted wire or oral communications may not be used as evidence in any trial, hearing, or other hearing if their disclosure would be a violation of the Wiretap Act. See [sections] 2515. Section 2515 also applies to intercepted electronic communications. See United States v. Smith, 978 F.2d 171, 175 (5th Cir. 1992).
The Electronic Communication Privacy Act of 1986 provides further protection for electronic communications. See 18 U.S.C. [subsections] 2701-11 (1994). The Act provides that whoever intentionally accesses, without authorization, facilities which provide electronic communication service, and thereby "obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished . . . ." [sections] 2701 (a). Exceptions to this prohibition are made for systems administrators and those authorized by parties to the communication. See [sections] 2701 (c).
(70.) See, e.g., United States v. Bernard, 877 F.2d 1463, 1465 (10th Cir. 1989) (finding privilege waived where client disclosed confidential communication in order to convince third party to engage in nominee loan).
(71.) See, e.g., In re John Doe Corp., 675 F.2d 482, 489 (2d Cir. 1982) (holding privilege was waived where reports were disclosed by client to accounting firm for commercial purposes).
(72.) See, e.g., United States v. Moscony, 927 F.2d 742, 753 (3d Cir. 1991) (holding client does not waive privilege upon showing affidavits to co-client of his attorney).
(73.) See Rice et al., supra note 18, [subsections] 4:30, 9:66.
(74.) See id. [subsections] 4:35, 9:67; see also United States v. Bay State Ambulance & Hosp. Rental Serv., Inc., 874 F.2d 20, 28 (1st Cir. 1989) (finding that the privilege protects communications between one party and the attorney for another party where the communications are part of an effort by the parties to create a joint strategy).
(75.) See, e.g., Gray v. Bicknell, 86 F.3d 1472, 1484 (8th Cir. 1996) (holding that the district court did not err by holding that inadvertent disclosure of two letters did not waive attorney-client privilege); Alldread v. City of Grenada, 988 F.2d 1425, 1435 (5th Cir. 1993) (finding that an analysis which permits the court to consider both the inadvertance of the disclosure as well as precautions taken to prevent disclosure on a case-by-case basis is preferable to a per se rule of waiver); Transamerica Computer Co. v. IBM Corp., 573 F.2d 646, 651-52 (9th Cir. 1978) (holding that where 17 million pages of documents had to be inspected and produced for discovery within three months, disclosure of a small number of privileged documents was inadvertent and did not constitute waiver). Inadvertent disclosure often occurs during an expedited exchange of a large number of documents during discovery. See Rice et al., supra note 18, [sections] 9:69.
(76.) See United States v. Zolin, 809 F.2d 1411, 1417 (9th Cir. 1987) (finding no waiver where church secretary delivered tapes of privileged communications, mistakenly believing them to be blank), aff'd in part, vacated in part and remanded, 491 U.S. 554 (1989).
(77.) See Rice et al., supra note 18, [sections] [sections] 4:3 0, 9:7 1. Although an attorney can waive a client's privilege, see supra note 42 and accompanying text, some courts may not find waiver where the attorney has negligently disclosed a privileged communication. See, e.g., Heiman v. Murry's Steaks, Inc., 728 F. Supp. 1099, 1104 (D. Del. 1990) (finding no loss of privilege where attorney negligently revealed privileged communication and no precautions had been taken). But see, e.g., In re Grand Jury Investigation of Ocean Transp., 604 F.2d 672, 675 (D.C. Cir. 1979) (finding waiver where counsel failed to mark documents as potentially privileged). Failure to designate documents as confidential does not necessarily mean later disclosure of the documents cannot be inadvertent. See Lois Sportswear, U.S., Inc. v. Levi Strauss & Co., 104 F.R.D. 103, 105 (S.D.N.Y. 1985) (holding waiver had not occurred although client did not designate confidential documents at the time of creation).
(78.) Lois Sportswear, 104 F.R.D. at 105.
(79.) See In re Sealed Case, 877 F.2d 976, 980 (D.C. Cir. 1989) (stating that privilege was lost, even if disclosure was inadvertent and that "a client ... must treat the confidentiality of attorney-client communications like jewels--if not crown jewels"); Golden Valley Microwave Foods, Inc. v. Weaver Popcorn Co., 132 F.R.D. 204, 208-09 (N.D. Ind. 1990) (holding that while the discovery effort in the case was tremendous, the disclosure at issue constituted waiver whether inadvertent or not); Underwater Storage, Inc. v. United States Rubber Co., 314 F. Supp. 546, 549 (D.D.C. 1970) (holding any privilege which may have attached to the document was destroyed by the voluntary act of disclosure, whether inadvertent or not).
(80.) See, e.g., Connecticut Mut. Life Ins. Co. v. Shields, 18 F.R.D. 448, 451 (S.D.N.Y. 1955); Mendenhall v. Barber Greene Co., 531 F. Supp. 951, 954 (N.D. Ill. 1982) (holding that the accidental disclosure of four letters to counsel did not constitute waiver of the privilege).
(81.) See Rice et al., supra note 18, [sections] 5:18.
(82.) See id. [sections] 5:20.
(83.) See Macario v. Pratt & Whitney Canada, Inc., No. 90-3906, 1991 U.S. Dist. LEXIS 597 (E.D. Pa. Jan. 17, 1991) (finding privilege applied to telefax from corporate client's agent to attorney); Rice ET AL., supra note 18, [sections] 5:20.
(84.) See Rice et al., supra note 18, [sections] 5:20.
(85.) See Joyce Cutlip et al., The Joys and Drawbacks of E-Mail, Legal Times, Jan. 22, 1996, Special Report: Technology and the Law, at S32.
(86.) See John F. Barkley, Reducing the Risks of the Internet Computer Use, CSL Bull., May 1994, at 1. CSL, the Computer Systems Laboratory, is a division of the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, which develops and promulgates cost-effective computer security standards and guidelines. Information about and publications by both NIST and CSL can be accessed on the Internet at http://ncsl.csrc.nist.gov/.
(87.) See Cutlip et al., supra note 85, at S32.
(88.) See id.
(89.) See id.
(90.) See id.
(91.) See id.
(92.) See id.
(93.) See Janet Mann & Melanie Freely, LAN-Based E-mail Takes Off, Datamation, Nov. 15, 1990, at 105.
(94.) See Cutlip et al., supra note 85, at S32.
(95.) Other commercial providers include Compuserve, America Online, and Prodigy.
(96.) See Cutlip et al., supra note 85, at S32.
(97.) See Mann & Freely, supra note 93, at 105.
(98.) See Gary Griffith, Departments Discovering the Advantages of Networks, Corp. Legal Times, July 1994, at 26.
(99.) See, e.g., Cutlip et al., supra note 85, at S32.
(100.) See Ed Tittel & Margaret Robbins, E-mail Essentials 9 (1994). Many LANs allow users to send messages to multiple recipients. See Mann & Freely, supra note 93, at 105.
(101.) See Telephone Interview with Matthew Ghourdjian, MIS Director, Hennigan, Mercer& Bennett (Sept. 11, 1996).
(102.) See Barkley, supra note 86, at 2. The Internet has been called the "international network of networks". See id. at 1. It provides various types of services, including electronic mail (smtp), file exchange (ftp), terminal emulation and remote system access (telnet), and other information exchange services. See John Wack, Connecting to the Internet: Security Considerations, CSL BULL., July 1993, at 1.
There are several ways to connect to the Internet. See Barkley, supra note 86, at 5. The Internet can be accessed by a user obtaining an account with a host that is itself connected to the Internet. See id. A user can connect a personal computer directly to the Internet through a commercial service; the computer then becomes an Internet host with an Internet address. See id. Finally, an organization may connect its network to the Internet. See id. Wilmer, Cutler & Pickering, based in Washington, D.C. is one law firm that has connected its LAN to the Internet. See Cutlip et al., supra note 85, at S32.
There are two types of Internet hosts: "client hosts, generally a DOS/Windows PC, which only access services on the Internet provided by other hosts; or server hosts, generally Unix PCs (a multiuser, multitasking operating system originally developed for use on minicomputers or workstations, which provide service on the Internet to other hosts but may also access services from other hosts)." Barkley, supra, note 86, at 2.
(103.) See Tittel & Robbins, supra note 100, at 10, 263.
(104.) This number was posted on September 11, 1996 on the Web-site of Carnegie Mellon's Computer Emergency Response Team (CERT). That Website's address is http://www.cert.org.
(105.) See Telephone interview with Daniel Koft, Programmer Analyst, Rutgers Univ. Computing Serv. (Mar. 25, 1996).
(106.) See id.
(107.) See id. To illustrate this point, Koft stated that a message sent within the system of a commercial provider, such as CompuServe, would be less secure than one sent within a small local network because CompuServe is a larger system. See id.
(108.) See id.; see also Peter R. Jarvis & Bradley F. Tellam, The Internet: New Dangers of Ethics Traps, 56 Or. St. Bar Bull. 17 (Dec. 1995).
(109.) See Wack, supra note 102, at 2.
(110.) See Barkley, supra note 86, at 2. Routers route traffic between networks on the Internet. See Interview with Matthew Ghourdjian, supra note 101. The names and addresses of these routers can be found using the commands "ping s1Rv <remote-host>" or "traceroute <remote-host>." Barkley, supra note 86, at 2.
(111.) See id.
(112.) See id.
(113.) See Telephone Interview with Alexander Lee, Network Group, Skadden, Arps, Slate, Meagher & Flom (Sept. 11, 1996).
(114.) Barkley, supra note 86, at 2; Interview with Alexander Lee, supra note 113. Thus, users along the route taken by the communication can access that communication. See id.
(115.) See Interview with Alexander Lee, supra note 113.
(116.) See id.
(117.) See id.
(118.) See id.
(119.) See Wack, supra note 102, at 2.
(120.) See id.
(122.) Id. Moreover, where one Internet site is comprised of several systems, "mistakes in one system's configuration can cause problems for other interconnected systems." Id.
(123.) See id.
(124.) See id.
(125.) See Interview with Matthew Ghourdjian, supra note 101.
(126.) See id.
(127.) See id. Home pages operated through a service provider, rather than on the firm's own system, do not increase accessibility to the firm's system; these home pages obtain the security of the provider. See id.
(128.) See id. The ease of creating an Internet address and "establishing a dedicated connection," Cutlip et al., supra note 85, at S34, is thus seductive; firms sign on with ease, failing to recognize the technical sophistication required to maintain security.
(129.) See Wack, supra note 102, at 1. Particularly vulnerable services include rlogin and rsh, which rely on "mutually trusting systems." See id. at 2.
(130.) See id. Moreover, many users permit more TCP/IP services than they need. See id.
(131.) See id.
(132.) Barbara Guttman & Edward Roback, Threats to Computer Systems: An Overview, CSL Bull., Mar. 1994, at 1, 3. The hacker threat is such that various organizations have been formed specifically to deal with computer security incidents. See infra note 205.
(133.) See Interview with Matthew Ghourdjian, supra note 101; see also Charles Babcock, A Hacker's Lines of Attack, ComputerWorld, Mar. 6, 1995, at 8 (relating how a hacker invaded Digital's computer system for 18 months before getting caught, although "Digital's network security at the time ranked among the best"). Ghourdjian characterized the e-mail arena as a constant battle between users and hackers. See Interview with Matthew Ghourdjian, supra note 101.
(134.) Guttman & Roback, supra note 132, at 3.
(135.) Wack, supra note 102, at 2; see also Interview with Daniel Koft, supra note 105.
(136.) See Gary H. Anthes, The Secret Struggle: Defense Department, Corporate Users at Odds About How to Secure, Protect Key Data, ComputerWorld, Feb. 19, 1996, at 29. At one point, the Pentagon discovered hackers from 14 countries attacking a defense computer. See id. The Pentagon, realizing it was the "underground target of choice," instituted stringent protection measures. Id.
(137.) Wack, supra note 102, at 2.
(138.) See Barkley, supra note 86, at 3. The username/password mechanism is the most common identification and authentication method on the Internet. See id. A user logging into an Internet host using this method is "prompted for a username and a password." Id.
(139.) See id. at 3.
(140.) See id. Password appropriation coupled with user impersonation constitute only one of the "virtually endless" ways in which "unauthorized host access" can be achieved. See id. Unauthorized access to a host can also result in the "disclosure, modification, and/or destruction of data." Id.
(141.) Guttman & Roback, supra note 132, at 3.
(142.) Id. Governments might also conduct such hacking. See id.
(143.) Id. at 4. This is the assessment of the Federal Bureau of Investigation. See id.
(144.) See Tittel & Robbins, supra note 100, at 17-18. An address contains the information the computer needs to send a message. The information and format requirements for addresses vary between e-mail systems. See id. at 8. The Internet format is one common addressing scheme used by the Internet and many other networks; it is alternatively called RFC-822, or Domain Name System (DNS) addressing. See id. at 15. A sample address in this format is "admin@ramsay. comp.nonu.edu". See id. Another important addressing scheme is X.400, created by the European International Standards Committee (CCITT) and adopted by the International Standards Organization as a part of the Open Systems Interconnect standards (ISO/OSI). See id. X.400 has received strong support internationally and from government bodies but is used by relatively few networks and little software. See id. Observers disagree as to whether the Internet format or X.400 will predominate in the future. See id.
(145.) See id. at 17-18.
(146.) See id. at 18.
(147.) See id.
(148.) See id. A gateway is specific to a particular pair of e-mail systems. To communicate with multiple e-mail systems, multiple gateways are required. See id.
(149.) Examples include MCI Mail, CompuServe, America Online, AT&T Mail and Prodigy. See generally Mann & Freely, supra note 93, at 105 (describing the links to commercial providers offered by local networks).
(150.) See Telephone Interview with Customer Support Representative, MCI Mail (Mar. 25,1996).
(151.) See id.
(152.) See id. Commercial e-mail providers often do not guarantee security for messages sent outside their own system, where they have no control over system security. See Griffith, supra note 98, at 22.
(153.) See Interview with Customer Support Representative, supra note 150. Such messages are thus vulnerable to the dangers of the Internet where hackers may try to access these messages. See id.
(154.) See id. Similarly, MCI cannot guarantee messages sent between MCI and America Online, since America Online is on the Internet. See id.
(155.) See id. These transmissions are sent via an X.400 connection. See id.; see also supra notes 102-104 and accompanying text.
(156.) See 18 U.S.C. [subsections] 2511(2)(a)(i), 2701(c). See supra note 69 for a discussion of this Act and the related Wiretap Act.
(157.) See Heidi L. McNeil & Robert M. Kort, Discovery of E-mail and Other Computerized Information, Ariz. Atty, Apr. 1995, at 16-18.
(158.) See id. at 16.
(159.) See id. at 18.
(160.) See Note, Addressing the New Hazards of the High Technology Workplace, 104 Harv. L. Rev. 1898, 1909 (1991).
(161.) See id. E-mail is often used for private notes and negative assessments of supervisors. See id.
(162.) See id. at 1909-10.
(163.) See id. at 1910.
(164.) See id
(165.) See Smyth v. Pillsbury, 914 F. Supp. 97, 101 (E.D. Pa. 1996) (holding that employee has no reasonable expectation of privacy in his e-mail communications sent over employer's e-mail system, notwithstanding management's assurances that e-mail would not be intercepted).
(166.) See McNeil & Kort, supra note 157, at 18.
(167.) See Andrew Johnson-Laird, Smoking Guns and Spinning Disks, Computer Law., Aug. 1994, at 10.
(168.) See McNeil & Kort, supra note 157, at 18.
(169.) See supra note 75 and accompanying text.
(170.) See McNeil & Kort, supra note 157, at 18.
(171.) See id.
(172.) See id.
(173.) See Johnson-Laird, supra note 167, at 12. A cottage industry of such experts has appeared. See Marianne Lavalle, Digital Information Boom Worries Corporate Counsel, Nat'l L.J., May 30, 1994, at B1, B3.
(174.) See Lavalle, supra note 173, at B1.
(175.) See id.
(176.) See Barkley, supra note 86, at 2. Most Internet communications are unencrypted and consequently are "easily readable." Thus, "e-mail, passwords, and file transfers can be monitored and captured using readily available software." Wack, supra note 102, at 2.
(177.) See Tittel & Robbins, supra note 100, at 261.
(178.) See id
(179.) See Vandagriff, supra note 2, at 98. A public key encryption system uses one key to encode (the "public key") and another to decode (the "private key"). See id. Since only the private key can decode messages encoded by the public key, it does not matter who obtains the sender's public key. See id. A lawyer can distribute a public key to clients so their communications can be safely encrypted. See id.; see generally Cross-Industry working Team, Electronic Cash, Tokens and Payments in the National Information Infrastructure, (visited Oct. 3, 1996) <http// www.cnri.reston.va.us: 3000/ XIWT/ documents/ dis-cash-doc/ ElecCash. html> (discussing public key encryption).
(180.) See Robert Bagwill, The World Wide Web: Managing Security Risks, CSL Bull., May 1996, at 3.
(181.) See Interview with Alexander Lee, supra note 113.
(182.) See Bagwill, supra note 180 at 3 (noting that encryption hardware, software and processing time can be expensive).
(183.) See, e.g., Cutlip et al., supra note 85, at S34 (noting that Wilmer, Cutler & Pickering, a Washington, D.C. law firm, expressed this sentiment). Several firms interviewed for the survey in this Note concurred. See infra notes 284-86 and accompanying text.
Another problem with e-mail has been a controversy regarding encryption standards. See Anthes, supra note 136, at 29. The government has favored hardware-based "key escrow" encryption, which requires that encryption keys be escrowed with a third party. In contrast, the commercial sector has favored software-based products that do not use key escrow. See id.
(184.) See Wack, supra note 102, at 3.
(185.) See Bagwill, supra note 180, at 5.
(186.) See Wack, supra note 102, at 3.
(187.) See id; see also supra note 102 and accompanying text. TCP/IP services such as DNS zone transfers, tftp, RPC (e.g., nis or nfs), flogin, rsh, x windows, and Openwindows all can leave a system more vulnerable. See Wack, supra note 102, at 2. Additionally, host configuration should be monitored and properly maintained. See Barkley, supra note 86, at 4. Software which checks configuration is currently available. See id.
(188.) See Wack, supra note 102, at 2; see also Gary H. Anthes, Guarding the Internet: Users Identify Security Risks and Debate Potential Solutions, ComputerWorld, Aug. 29, 1994, at 55 (noting that companies should establish usage policies and controls, since employees will inevitably connect to the Internet on their own).
(189.) See supra note 102.
(190.) Barkley, supra note 86, at 3.
(191.) See Wack, supra note 102, at 3.
(192.) See Barkley, supra note 86, at 3. Software that checks for strong passwords is available. See Wack, supra note 102, at 3.
(193.) See Barkley, supra note 86, at 3. See generally Wack, supra note 102, at 3 (discussing smart cards, authentication tokens, and the use of one-time passwords to prevent "spoofing").
(194.) See Vandagriff, supra note 2, at 98.
(195.) See id. For further information regarding authentication techniques, see generally Jim Dray, Advanced Authentication Technology, CSL Bull. Nov. 199 1, at 1; see Barkley, supra note 86, at 3. Public key encryption can also be used to identify and authenticate users. See Bagwill, supra note 180, at 2.
(196.) See Barkley, supra note 86, at 4.
(197.) See Wack, supra note 102, at 3.
(198.) See id.
(199.) See id. at 4. Modem pools must also be configured "to deny access to unauthorized users" and to close the "backdoors" into secure gateways. Id. at 4.
(200.) See Barkley, supra note 86, at 4.
(201.) See Bagwill, supra note 180, at 5.
(202.) See id. Conceivably, e-mail communications that are deleted from a publicly accessible system and transferred to an isolated system would not be completely protected until they were actually overwritten on the accessible system. See McNeil & Kort, supra note 157, at 18; see also Carole Patton, Locked? Shred? File Undead!, Computerworld, Apr. 18, 1994, at 5 (noting that deleted e-mail messages remain in the PC until it is shut down for the day); see also supra notes 170-75 and accompanying text.
(203.) See Bagwill, supra note 180, at 5.
(204.) See Barkley, supra note 86, at 4. E-mail users must always be observant of changes that occur in e-mail technology and protection. This technology changes by the month. See Interview with Matthew Ghourdjian, supra note 101.
(205.) See Barkley, supra note 86, at 4. Groups that deal with computer security incidents include Carnegie Mellon's Computer Emergency Response Team (CERT), Forum of Incident Response and Security Teams (FIRST) (coordinated by the National Institute of Standards and Technology (NIST)), and the Federal Bureau of Investigation's National Computer Crime Squad. See Gary Anthes, Net Attacks Up, Defenses Down, ComputerWorld, Jan. 15, 1996, at 71.
(206.) See Interview with Alexander Lee, supra note 113.
(207.) See id.
(208.) See id.
(209.) See Interview with Daniel Koft, supra note 105.
(210.) See id. Koft noted that such transmissions may be less safe than network transmissions because they are often transmitted at a slower speed. See id. communications.
(211.) See Interview with Alexander Lee, supra note 113.
(212.) See Griffith, supra note 98, at 22.
(213.) See id.
(214.) See id. E-mail sent in this way cannot be read without the proper password. See id. Users are encouraged to change their passwords frequently. See id.
(215.) See id.
(216.) See id. See infra notes 149-55 and accompanying text.
(217.) See Cynthia M. Munger, Information Strategies for the 1990s: What Corporate Clients are Telling Their Law Firms, Corp. Legal Times, Sept. 1992, at 7, 28.
(218.) See id.
(219.) See id.
(220.) See Mann & Freely, supra note 93, at 105.
(221.) See Paul Bernstein, Lawyers Should Learn Bulletin Board System Technology, A Widening Information Network, Corp. LEGAL Times, Dec. 1993, at 11.
(222.) See id. For example, a BBS can be useful for lawyers of record working on a particular case. Such a BBS was set up, pursuant to a court order, for the lawyers working on the silicone breast implant litigation. The litigation involved several districts and approximately 1,000 lawyers. See id at 13; see also Lindsey v. Dow Coming Corp., No. CV94-P-11558-S, 1994 U.S. Dist. LEXIS 12521 (N.D. Ala. Sept. 1, 1994).
(223.) See id. at 11.
(224.) See Cary Griffith, Two More Networks to Compete for Lawyers On Line News, E-Mail, Chit-Chat and Easy Internet Access, Corp. LEGAL Times, July 1995, at 21.
(225.) See id.
(226.) See 18 U.S.C. [subsections] 2510-22 (1968), as amended by the Electronic Communications Privacy Act of 1986 (current version at 18 U.S.C. [subsections] 2510-22 (1994)).
(227.) 18 U.S.C. [sections] 2517(4) (1994) (as amended in 1986). There is some concern regarding the amount of protection the Wiretap Act offers privileged wire, oral and electronic communications. One article notes its failure to prohibit both the interception and any use or disclosure of those communications short of introducing them into evidence. See Michael Goldsmith & Kathryn Ogden Balmforth, The Electronic Surveillance of Privileged Communications: A Conflict in Doctrine, 64 S. Cal. L. Rev. 903, 929 (1991).
Several states have enacted similar statutes. See, e.g., N.J. Stat. Ann. [sections] 2A: 156A-11 (West Supp. 1996); 18 Pa. Cons. Stat. Ann. [sections] 5711 (West 1983 & Supp. 1996); Haw. Rev. Stat. Ann. [sections] 803-45(d) (Michie 1994); Fla. Stat. Ann. [sections] 934.08(4) (West Supp. 1996).
(228.) United States v. Hall, 543 F.2d 1229, 1241 (9th Cir. 1976). The Hall court quoted the Senate Report relating to section 2517(4): "The scope and existence of these privileges varies from jurisdiction to jurisdiction. The proposed provision is intended to vary the existing law only to the extent it provides that an otherwise privileged communication does not lose its privileged character because it is intercepted by a stranger .... Otherwise, it is intended to reflect existing law ...." Id. at 1241 n. 10 (quoting S. Rep. No. 1097, reprinted in 1968 U.S. Code Cong. & Admin. NEWS, at 2189). State law concerning the attorney-client privilege generally mirrors the corresponding common law of the federal courts, which is discussed in Section II of this Note.
(229.) But see Albert Gidari, Privilege and Confidentiality in Cyberspace, Computer Law., Feb. 1996, at 2. Gidari contends that section 2517(4) should prevent the inherent risk of interception of Internet communications from resulting in waiver of the attorney-client privilege. See id. Gidari fails to note that the subsection applies only to "otherwise" privileged communications. The word "otherwise," and the legislative history relating to [sections] 2517(4), see S. Rep. No. 1097, reprinted in 1968 U.S. Code Cong. & Admin. News, at 2189, indicate that the subsection's assurance of protection still depends on whether adequate precautions were taken under common law standards.
(230.) See 8 Wigmore, supra note 13, [sections] 2291 (noting the privilege is an obstacle to the investigation of the truth); see also United States v. Goldberger & Dubin, P.C., 935 F.2d 501, 504 (2d Cir. 1991) (stating the privilege "cannot stand in the face of countervailing law and a strong public policy and should be strictly confined within the narrowest possible limits underlying its purpose").
(231.) See Ilene Knable Gotts & Janell Mayo Duncan, Liability On-Line: Electronic Traps for the Unwary, 42 Prac. Law. 15, 18 (Jan. 1996) (discussing the privilege's vulnerability in the context of e-mail).
(232.) See United States v. Melvin, 650 F.2d 641, 645 (5th Cir. Unit B July 1981) (stating that privilege protects communications that are "intended to remain confidential, and [are] made under such circumstances that [they are] reasonably expected and understood to be confidential."); see also supra notes 21-41 and accompanying text (discussing the reasonable expectation of confidentiality standard).
(233.) See In re Horowitz, 482 F.2d 72, 80-82 (2d Cir. 1973) (finding precautions to protect confidentiality insufficient where client let accountant review attorney-client communications for non-legal purposes); see also Parkway Gallery Furniture, Inc. v. Kittinger/Pennsylvania House Group, Inc., 116 F.R.D. 46, 50-51 (M.D.N.C. 1987) (holding that privilege was waived where party did not take reasonable precautions in reviewing documents before disclosure during discovery). See also supra notes 52-67 and accompanying text (discussing the implied waiver standard).
(234.) See United States v. Blasco, 792 F.2d 1315, 1329 (11th Cir. 1983) (finding that conversation in a public hallway, "loud enough for any casual passerby to hear," belied confidentiality); see also McCormick, supra note 26, [sections] 91 at 128 (stating privilege can be destroyed by the presence of a "casual disinterested" third party).
(235.) See In re Grand Jury Proceedings, 727 F.2d 1352, 1356 (4th Cir. 1984) (noting privilege may be lost where reasonable steps are not taken to avoid eavesdropping); see also Suburban Sew `N Sweep, Inc. v. Swiss-Bernina, Inc., 91 F.R.D. 254, 260-61 (N.D. Ill. 1981) (deeming privilege waived where privileged documents disposed of by client into waste basket were later retrieved from dumpster by adversary). "If ... the communication takes place in a crowded elevator the client should expect that there will be persons listening and he will be taken not to have intended the statements to be in confidence." Weinstein & Berger, supra note 68, [paragraph] 503(a)(4) at 503-43.
(236.) See In re Grand Jury, 727 F.2d at 1356 (noting privilege may be lost where reasonable steps are not taken to prevent eavesdropping); see also 18 U.S.C. 2517(4) (1994) (stating that the privilege is retained where communications are illegally intercepted if they are otherwise privileged).
(237.) See First Interstate Bank v. National Bank & Trust Co., 127 F.R.D. 186, 189 (D. Or. 1989) (finding privilege waived where client had his accountant deliver documents to his attorney, even though accountant had not read the documents).
(238.) See Golden Valley Microwave Foods, Inc. v. Weaver Popcorn Co., 132 F.R.D. 204, 208-09 (N.D. Ind. 1990) (holding that confidentiality is waived even where disclosure is inadvertent).
(239.) In re Horowitz, 482 F.2d 72, 82 (2d Cir. 1973).
(240.) In re Sealed Case, 877 F.2d 976, 980 (D.C. Cir. 1989).
(241.) See Jarvis & Tellam, supra note 108, at 17 (suggesting that solid arguments can be made for and against the proposition that the privilege should apply to Internet communications).
(242.) One commentator proposes that prudence in the use of e-mail should be a business decision rather than a decision made out of concern over the privilege. See Gidari, supra note 230, at 3. In fact, the same level of prudence should be exercised no matter what the purpose of the use. It is axiomatic that the level of confidentiality required by the privilege should be equivalent to the level of confidentiality sought by a client for the purely business purpose of preventing disclosure to an adversary. This level of confidentiality must, of course, be sufficient to encourage a client's full communication with the client's attorney.
(243.) See Cutlip et al., supra note 85, at S34 (discussing the ease of e-mail communication with clients and suggesting that the ease of e-mail encourages communication). A reasonable precaution standard which altogether prohibited such an efficient form of attorney-client communication would conflict with the guidelines set forth in Suburban Sew `N Sweep, Inc. v. Swiss-Bernina Inc., 91 F.R.D. 254, 257, 260 (1981) (noting that privilege is granted to encourage complete disclosure between attorneys and clients, and that consultation should be uninhibited).
(244.) Courts should presume that e-mail users are aware of some degree of risk. Such a presumption would not be unrealistic and would eliminate the trouble of proving or disproving such awareness.
(245.) See supra notes 134-43 and accompanying text.
(246.) See supra notes 105-08 and accompanying text. Security also turns on which e-mail providers have been employed. Where a third-party provider is involved, communications are accessible to that provider. See supra note 132 and accompanying text. Furthermore, communications between providers can be mistransmitted. See supra notes 144-48 and accompanying text.
(247.) Protective measures include the use of encryption, strong passwords, digital signatures, firewalls, partitioning, service access policies and direct modem links. See supra notes 176-211 and accompanying text.
(248.) See Anthes, supra note 136, at 29.
(249.) See Babcock, supra note 133, at 8.
(250.) See Guttman & Roback, supra note 132, at 3-4 (discussing the findings of the Federal Bureau of Investigation).
(251.) See id. at 3. Of course, the attorney-client privilege is vulnerable to any hacker, whether a browser or a thief.
(252.) Many large corporate clients are probably aware of the risks of e-mail and either avoid large networks like the Internet or implement protective measures, e.g., encryption, passwords, etc. See Anthes, supra note 2, at 71. These large corporate clients probably experience the most significant threat from hackers.
(253.) See Babcock, supra note 133, at 8; Anthes, supra note 136, at 29.
(254.) The client and attorney who have failed to take reasonable precautions in their use of e-mail cannot have a reasonable expectation of confidentiality.
(255.) Risk would be particularly low if the attorney's other clients are also of little interest to hackers. Such litigants are not completely safe, however. The possibility of one litigant eavesdropping on an adversary persists. Additionally, hackers might be attracted to less prominent systems, in the belief they will have little protection. See Interview with Daniel Koft, supra note 105. Hackers also sometimes seek entry into systems purely for the challenge. See id.
(256.) See supra note 69, discussing the Wiretap Act.
(257.) A rule, such as the one articulated in First Interstate Bank v. National Bank & Trust Co., 127 F.R.D. 186 (D. Or. 1989), would be too strict in the context of e-mail communications. In First Interstate, the court held that a client who had his accountant deliver documents to his attorney waived the attorney-client privilege, even though the accountant never read the documents. See id. at 189. Exposing a message to the threat of hackers is qualitatively different from leaving a communication directly in the hands of a third party. Third-party accessibility is more certain in the latter situation, and the lack of a reasonable expectation of confidentiality is even more evident.
(258.) See United Coal Co. v. Powell Constr. Co., 839 F.2d 959, 965 (3rd Cir. 1988) (finding that where an attorney represents joint clients, "the privilege applies to those clients as against a common adversary"); cf. United States v. Moscony, 927 F.2d 742, 753 (3d Cir. 1991) (stating that when joint clients' interests are adverse, the privilege will be denied).
(259.) See Hodges, Grant & Kauffman v. United States Gov't, Dep't of the Treasury, Internal Revenue Serv., 768 F.2d 719, 721 (5th Cir. 1985) (finding that the existence of a "common legal interest" determines whether information disclosed by an attorney to a client and another party will be held viewed as a privileged communication).
(260.) See Interview with Alexander Lee, supra note 113.
(261.) See McNeil & Kort, supra note 157, at 18.
(262.) See id.; see also Johnson-Laird, supra note 167, at 10 (noting that computer files are frequently not organized into subdirectories).
(263.) See, e.g., Parkway Gallery Furniture, Inc. v. Kittinger/Pennsylvania House Group, Inc., 116 F.R.D. 46, 50-51 (M.D.N.C. 1987) (holding that privilege was waived where party did not take reasonable precautions in revising documents before disclosure during discovery); see also In re Sealed Case, 877 F.2d 976, 980 (D.C. Cir. 1989) (holding that privilege is lost, even if disclosure is inadvertent).
(264.) See Alldread v. City of Grenada, 988 F.2d 1425, 1433-35 (5th Cir. 1993) (finding that the court should consider circumstances surrounding a disclosure on a case-by-case basis rather than by applying a per se rule of waiver).
(265.) See Charles A. Lovell & Roger W. Holmes, The Dangers of E-Mail.: The Need for Electronic Data Retention Policies, 44 R.I. BAR J. 7, 9 (Dec. 1995). Destruction of relevant documents may be regarded as an admission if it is done in bad faith. See McCormick, supra note 26, [sections] 273, at 660-61; see also Shepherd v. American Broad. Cos., Inc., 151 F.R.D. 179, 191-92 (D.D.C. 1992) (finding destruction of crucial documents warranted a default judgment). However, destruction pursuant to routine procedures in the absence of bad faith brings no adverse inference. See Vick v. Texas Employment Comm'n, 514 F.2d 734, 737 (5th Cir. 1975) (holding no adverse inference warranted where destruction of documents was routine, without bad faith, and well in advance of the opposition's service of interrogatories). Lewy v. Remington Arms Co., 836 F.2d 1104 (8th Cir. 1988), sets forth the following factors for assessing whether a company's record retention policy is reasonable: (1) whether the policy is "reasonable considering the facts and circumstances surrounding the relevant documents;" (2) the frequency and magnitude of similar suits against the company, such that the company should have known to retain the document; and (3) whether the policy was instituted in bad faith. See id. at 1112.
(266.) See Lovell & Holmes, supra note 266, at 8.
(267.) Of course, the use of authentication devices would lower this accessibility, and perhaps preserve the privilege. See supra notes 191-95 and accompanying text.
(268.) See Commodity Futures Trading Comm'n v. Weintraub, 471 U.S. 343, 349-50 (1985) (holding that a trustee in bankruptcy proceeding who had assumed managerial powers could waive the privilege).
(269.) See Jonathan Corp. v. Prime Computer, Inc., 114 F.R.D. 693, 698-700 (E.D. Va. 1987).
(270.) See Rice et al., supra note 18, [sections] 4:20 (stating that all employees or shareholders privy to confidential corporate communications have the power to refuse to disclose them during discovery; however, only those who speak for the corporation have right to preclude disclosure).
(271.) See, e.g., Smith v. Pillsbury Co., 914 F. Supp. 97, 101 (E.D. Pa. 1996) (holding that employee has no reasonable expectation of privacy in his e-mail communications sent over employer's e-mail system, notwithstanding management's assurances that e-mail would not be intercepted); see also supra notes 160-65 and accompanying text.
(272.) See 18 U.S.C. [subsections] 2511(2)(a)(i), 2701(c); see also supra note 69 and accompanying text.
(273.) See Rice et al., supra note 18, [sections] 5:20; see also supra note 83 and accompanying text.
(274.) See supra notes 144-48 and accompanying text.
(275.) Disclosure is legally "inadvertent" if it "is sufficiently involuntary and inadvertent as to be inconsistent with a theory of waiver." United States v. Zolin, 809 F.2d 1411, 1417 (9th Cir. 1987), aff'd in part, vacated in part and remanded, 491 U.S. 554 (1989).
(276.) See supra note 68 and accompanying text. The American Bar Association Standing Committee on Ethics and Professional Responsibility addressed the ethical obligations of an attorney who receives material that appears on its face to be confidential and may have been misdirected. See ABA Standing Comm. on Ethics and Professional Responsibility, Formal Op. 92-368 (1992). The Committee advised that the receiving attorney must refrain from examining the materials, notify the sending attorney, and abide by that attorney's instructions. See id. at 1.
(277.) See Jarvis & Tellam, supra note 108, at 17 (stating that use of a "reputable" commercial provider should protect the privilege).
(278.) See Bagwill, supra note 180, at 3 (noting that encryption hardware, software and processing time can be expensive). Even if a firm is equipped with encryption software, often its clients are not. See Interview with Alexander Lee, supra note 113. Some firms have found that "with current encryption software, the effort outweighs the benefit." See, e.g., Cutlip et al., supra note 85, at S34 (noting that Wilmer, Cutler & Pickering, a Washington, D.C. law firm, expressed this sentiment). Several firms interviewed for the survey in this Note concurred. See infra notes 285-86 and accompanying text.
(279.) See generally supra notes 191-205 and accompanying text (discussing these forms of protection).
(280.) See Gary H. Anthes, Guarding the Internet: Users Identify Security Risks and Debate Potential Solutions, ComputerWorld, Aug. 29, 1994, at 55 (noting that companies should establish policies to control usage, since employees will inevitably connect to the Internet on their own).
(281.) See Gotts & Duncan, supra note 232, at 18.
(282.) The survey was conducted by telephone during March, September and October, 1996, by the author and other members of the Rutgers Computer & Technology Law Journal. Each interviewee worked in the information services department of their firm, and many were the directors of these departments. Two were also attorneys. The interviewees; were all familiar with the security issues regarding e-mail. They were assured that neither their names, nor the names of their firms, would be disclosed in this Note.
(283.) One firm predicted that an attorney who communicated with a client via the Internet would be sued for malpractice. Another remarked that they would not send anything via e-mail that they would not want on the front page of a newspaper.
(284.) Two firms use software called Pretty Good Privacy (PGP), which provides military standard encryption. See supra note 179 and accompanying text.
(285.) For example, one firm encrypts only Internet communications. This firm uses encryption as an extra layer of security for messages that must leave the firm's e-mail provider (MCI Mail) and go on the Internet to reach the client. The firm also mandates that highly confidential communications be sent via direct modem link.
(286.) One firm noted that modem links are safer than MCI Mail, the firm's e-mail provider.
(287.) The most commonly used provider is MCI Mail (seven firms). Firms using commercial providers receive the benefits of the provider's secure gateways/firewalls.
Five firms indicated that they use private e-mail networks.
(288.) See Tittel & Robbins, supra note 100 and accompanying text.
Jonathan Rose, J.D. Candidate 1997, Rutgers School of Law--Newark.
|Printer friendly Cite/link Email Feedback|
|Publication:||Rutgers Computer & Technology Law Journal|
|Date:||Mar 22, 1997|
|Previous Article:||Personal jurisdiction and the World-Wide Web: bits (and bytes) of minimum contracts.|
|Next Article:||The Rosetta Stone for the doctrine of means-plus-function patent claims.|