IAPP-GDPR Web Banners-300x250-FINAL

Andrew Serwin

The ever-increasing use of e-mail as a communication medium creates a number of issues for employers and employees as courts sort out what is, and is not, proper use of an employer's e-mail system. Courts have reached somewhat inconsistent results on these issues, though there are some general principles that can be drawn from the cases. This muddled legal picture is also complicated by the fact that, while in many cases employers will not want employees using their e-mail system, there are cases, such as certain internal investigations, where employers may want to facilitate employees obtaining, and freely communicating with, their own attorneys. The complex nature of this issue, plus the often significant consequences for violating the attorney-client privilege, means that companies should attempt to proactively address this issue, and tread carefully when reviewing attorney-client communications.

Assessing the scope attorney-client privilege for companies is a complex issue and understanding the context in which this particular issue arises is critical to understanding how to address it. Lawyers retained by a corporation to represent it typically do not owe any duty of confidentiality to the company's officers, directors, or employees, particularly if an "Upjohn" warning is given to the individual. This particular e-mail issue does not arise from a situation involving a corporation's attorney, but instead results from an individual retaining an attorney and using a company e-mail system to communicate with the employee's personal attorney.

Cases on Attorney-Client Privilege Issue Have Been Inconsistent
In one of the first reported decisions on this issue, In re Asia Global Crossing, Ltd., a bankruptcy court addressed the application of the attorney-client privilege to an employee who uses a corporate network to communicate with his personal attorney. This case arose in New York, and New York has, by statute, provided that any communication that is privileged under the attorney-client privilege does not lose its privileged nature simply because it is communicated by electronic means or because persons necessary for the delivery of the electronic communication may have access to the content of the communication.

The court noted that it is generally accepted that attorneys can communicate, without fear of disclosure, with their clients via unencrypted e-mail. This court examined the e-mail privacy cases as a starting point and noted that the application of the privilege must be consistent with objective and subjective components. The court ultimately considered four factors when formulating its test to determine whether e-mails were privileged:

  • does the corporation maintain a policy banning personal or other objectionable use;
  • does the company monitor the use of the employee's computer or e-mail;
  • do third parties have a right of access to the computer or e-mails; and,
  • did the corporation notify the employee, or was the employee aware of the use and monitoring policies?

In the In re Asia Global Crossing, Ltd. case, while the court found that third-parties could review the e-mails because they were sent over the network and stored on the company's servers (a fact that is true in virtually all cases), the remaining factors were not met because the evidence was "equivocal" regarding the existence or notice of monitoring policies. Thus, the court could not conclude that the privilege was inapplicable.

Other courts have considered these factors, as well as related factors. In Curto v. Medical World Communications, Inc., the court considered the non-enforcement of a computer monitoring policy, as well as traditional factors that included the reasonableness of the precautions taken by the producing party to prevent inadvertent disclosure; the delay, if any, in the party's actions in asserting an issue, and an examination of the issue of fairness. Whether the computer was in a home office, or an office that otherwise had restricted access has also been a consideration, though not a dispositive one.

California has also addressed this issue in a related context—protection of electronic files on a work computer. In People v. Jiang, the defendant used his work computer to create electronic files that were communications to his attorney. The employer had a computer use policy that stated there was no reasonable expectation of privacy, but it did not preclude personal use, in contrast to the policy in other California cases. Ultimately the court concluded that the defendant's communications were confidential under the attorney-client privilege and could not be used by the prosecution.

A court in New York recently had occasion to address the scope of the attorney-client privilege on an employer's network, and applied In re Asia Global Crossing. In Scott v. Beth Israel Medical Center, a doctor used his employer's email system to communicate with his personal lawyer in connection with an employment dispute. The employer, Beth Israel Hospital, was monitoring the doctor's email and saw these communications. The doctor brought a motion for protective order seeking the return of the emails.

Beth Israel had a computer use policy that disclosed their right to monitor, and explicitly stated that the computer systems could not be used for personal use. The court also noted that the attorney's emails contained what is a standard footer which stated that the communications were privileged and confidential, and were for the intended recipient only. When the court examined the In re Asia Global Crossing factors, it found that one of the key issues for the prior decision, permitting personal use, was not present and particularly when the right to monitor was clearly disclosed, the employee could not assert the attorney-client privilege over emails sent on the employer's network.

Key Takeaways
While the cases are important, drawing some conclusions from the somewhat inconsistent results is important so that companies can take steps to address these issues. Since the key factor for courts when they assess an employee's ability to send attorney-client privileged e-mails to his personal attorney, is whether the employer permits personal use, you should assess your company's computer use policy to see what is said about personal use by employees. If personal use is permitted by the company's computer use policy then caution must be exercised before attorney-client privileged emails because this factor, among the others identified by the cases, is given strong consideration by courts.

It is also important to note that these cases do not address the use of webmail, or other similar forms of email, even if they are used on the employer's network. Several cases, such as Sims v. Lakeside School and Fischer v. Mt. Olive Lutheran Church have drawn a distinction between the use of the employer's email system, and the use of webmail even if on the employer's network, and companies should exercise due care before webmail communications are reviewed, particularly if the attorney-client privilege or other similar privileges are implicated.

Assessing these issues before an incident occurs is important, and a key part of this assessment is one that is overlooked by companies. The most important factor to consider in this scenario is whether your company would want to review attorney-client communications in any, or all circumstances. In some cases (certain internal investigations) companies may want to facilitate privileged communications, and in other cases companies may not in fact desire to review privileged communications, even if other monitoring occurs.

If that is the case, then policies should be implemented to separate privileged communications, if and when email communications are reviewed. If your company does want to review privileged communications then reviewing your policy and changing it (if necessary) to make sure it bans personal use and bans communications with attorneys or others that could participate in a privileged communication. Finally, in light of the California cases that address electronic files generally, companies should consider whether they can review other electronic files if they potentially implicate privileged communications, even if not contained in emails.

As email and electronic files become more ubiquitous, stay tuned for more developments from courts and more inconsistent results until courts fully clarify their analysis.

Andrew B. Serwin is a partner in the San Diego office of Foley & Lardner LLP and has extensive experience in privacy and security matters, including state, federal and international restrictions on the use and transfer of information, security breach compliance, incident response, marketing restrictions, and the drafting and implementation of privacy and security policies. He is the author of "Information Security and Privacy: A Practical Guide to Federal, State and International Law," as well as the "Internet Marketing Law Handbook." He can be reached at 619.234.6655.


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Advertise in IAPP Publications

Find out how to get your message in front the people you want to reach. Download a media kit now.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Registration Open

New! Intensive two-day GDPR training led by the sharpest minds in the field. It's a can't-miss event.

The Congress Is Cancelled

The IAPP Europe Data Protection Congress 2015 is cancelled. Click through to learn more.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»