TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Best practice considerations for preserving attorney-client privilege Related reading: A view from Brussels: EDPS sends signal on data transfers 

rss_feed

""

One of the oldest legal principles in Anglo-American jurisprudence, attorney-client privilege, is facing a paradigm shift given today’s rapid work culture evolution. Technological advancement, while providing faster and more efficient communication and productivity, has presented an increased risk landscape for maintaining attorney-client privilege. Specifically, the maintenance of confidentiality, a central tenet of this privilege, is positioned to become an unintended and unnoticed casualty given the velocity and complexity of the modern business environment.

Given this shift, in-house counsels are expected to be knowledgeable about an already-complex legal doctrine while navigating various cloud collaboration tools and other electronic means of communication. Here are some best practice considerations for in-house counsel to preserve privilege and maintain confidentiality in a modern corporate setting.

In-house counsel and attorney-client privilege

The attorney-client privilege is one of the more complicated yet most respected areas of legal practice and covers oral and written communications to, from or with an attorney for the purpose of requesting or receiving legal advice. The attorney-client privilege protects certain communications from disclosure to third parties. To qualify for this protection, these communications must be confidential, between an attorney and client, and made for the purpose of obtaining or providing legal advice. The communication is not privileged if these three elements are not met. The overall purpose of this privilege is to encourage open dialogue and sharing of information to obtain legal advice without fear of disclosure to unintended parties.

The application of privilege is not a clear-cut process, particularly given jurisdiction considerations. For example, privilege application is even more complex for multinational corporations, where the concept of privilege for in-house counsel is either limited in some countries or does not exist at all (and engagement of outside counsel, such as a hired firm, may be needed to help preserve the privilege in other jurisdictions).

Despite the complex nature of attorney-client privilege application, confidentiality is a critical element for maintaining the privilege — specifically, the oral or written communication must be kept confidential for the privilege to apply. The privilege may be extinguished if the substance of the communication is disclosed or accessible to internal staff not directly involved in the matter or individuals outside of the corporation.

It’s a brave new world

Historically, society has accepted the need to maintain a balance between privileged discussions in the office on one hand versus societal interest in effectively prosecuting corporate malfeasance on the other hand. Technological advancement adds a complicating factor forcing privilege’s risk landscape to shift and evolve considering various ways to communicate, including texting, agile project management platforms, instant messaging and video communication systems.

For example, should an attorney place legal advice on a Jira ticket or in a Slack space? What should attorneys be mindful of when utilizing cloud storage or joining Zoom calls? Here are some best practice considerations for in-house counsel.

Take the time to learn

The American Bar Association and several states have adopted Model Rule 1.1, recommending that a lawyer “should keep abreast of changes in the law and its practice, including benefits and risks associated with relevant technology.” As a result, lawyers are expected to be mindful of the risks and benefits associated with technology and use it wisely. We advise that lawyers should take advantage of any and all opportunities to advance their technical competence, as well as cybersecurity best practice knowledge base. Consider, for example, taking advantage of CLE course offerings, state and local bar seminars, as well as classes offered by the International Association of Privacy Professionals.

Protect it in the cloud

Many states specifically require that lawyers know, for example, how their cloud service provider handles storage and security and recommend consulting with an expert if the lawyer does not have the necessary knowledge. If you store in the cloud, ensure that it is stored securely with encryption at rest, and if possible, in transit, too. You should also put access controls on the data. This tip applies particularly for recorded meetings and transcripts such as within Zoom. Keep in mind that these tools are designed for easy collaboration, not privileged communications. This tip also applies to stored documents and memos on company servers — limit access with passwords, etcetera. These should only be directed to others on a need-to-know basis. 

Careful communications

In-house counsel should be mindful of communications in open space environments. Open spaces generally are not considered confidential, so preserve certain communications for closed meeting spaces/conference rooms as needed.

In addition, counsel should ensure that communications are sent to the correct recipients. Confidential communications should not include unnecessary individuals — if they do, it may be more difficult to demonstrate that privilege applies. This principle applies across the board for all methods of communication, including new messaging systems, like Slack, or agile project management solutions, such as Jira or Trello platforms.

Despite the convenience and efficiencies presented by many platforms available today, the legal system is struggling to keep up with such rapid technological development. However, some recent case law touches on attorney-client privilege on the Jira platform, a popular cloud-based collaboration platform.

Consider, for example, Garvey v. Hulu, LLC, a discovery dispute involving confidentiality concerns regarding internal access at Hulu to Jira system tickets. The defendant redacted content on Jira tickets where Hulu employees directly asked their in-house counsel for legal advice on a matter. The court rejected the plaintiff's argument that "confidentiality was destroyed by the fact that the Jira system is generally accessible to Hulu employees beyond those immediately participating in [the Jira] tickets.” The court highlighted the fact that only Hulu employees had access to the privileged communication and confidentiality was not destroyed by the possibility that other Hulu employees, not directly participating on those tickets, could have accessed them. It also noted that “material need not be kept under lock and key to remain confidential.”

While this case did not endorse a “lock and key” approach while using Jira, a risk-averse approach with all communication methods to mitigate potential attorney-client privilege issues is recommended. Considering the lack of precedent on attorney-client privilege on platforms like Jira, in-house counsel use caution with posting privileged communications on internal cloud-based platforms, particularly given the level of access that unintended parties may have to those conversations. Overall, if you’re not confident that your communication is limited to intended parties only, consider changing your communication delivery method in order to remove or help mitigate those concerns.

BYOD policies

On the surface, bring-your-own-device policies appear to lower company costs, they present a number of hidden costs, including problems associated with attorney-client privilege. In a BYOD environment, companies have less control over the devices and are limited in their ability to build in adequate protection. In addition, companies have less control over information accessibility and how it is transmitted and stored on personal devices, which is potentially problematic from a confidentiality and attorney-client privilege perspective.  

Revise corporate policy

Many companies use Acceptable Use Policies that inform users that they essentially have no expectation of privacy in corporate systems. However, these policies should carve out an exception for legal advice from attorneys and other confidential communications. If your handbook and AUP inform all employees that the company may monitor any usage on its system, then it may be more difficult to claim confidential communications in certain instances. Your information classification policy should specifically include a confidential tab that covers privileged communications. Take care to label documents and emails appropriately. There are also some companies that start meetings with disclaimers about the communication that is probably about to take place.

Lastly, consider implementing internal guidelines for the legal team to properly handle the nuances associated with new communication technologies.

Use encryption

If you have any concern about keeping certain information confidential, then you should encrypt it both in transit and at rest. Encrypting in transit protects against a common attack: the “man in the middle attack.” This is essentially a hacker version of eavesdropping. Encrypting at rest defends against accidental disclosure. Most state data breach notification laws provide an exception to breach notification for encrypted information provided the key is not also compromised.

In addition to encryption, also consider proper access controls and logging procedures. Consider, for example, Harleysville Ins. Co. v. Holding Funeral Home, Inc., in which the plaintiff used an online file-sharing service to exchange files with multiple users, including its counsel. The plaintiff didn’t use a control, like a password requirement, to limit access to the files, leaving the files unprotected and accessible by opposing counsel. The plaintiff’s failure to limit access to the files resulted in an inadvertent, unintended disclosure and therefore waived attorney-client privilege in this instance.

The adage “if you want to go fast, go alone; if you want to go far, go together” applies to attorney-client privilege and its evolution alongside rapid technological advancement. Legal professionals should consider seeking expert guidance in order to navigate this evolving area and ensure the wise use of technology and a strategic, mindful approach with confidentiality protocol. While these tips are not an exhaustive list, following these best practice considerations will help mitigate risks associated with navigating the legal quagmire of attorney-client privilege in your organization.

Photo by Romain V on Unsplash


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

1 Comment

If you want to comment on this post, you need to login.

  • comment Karen Ford • Jul 10, 2020
    Does this apply to the UK too?: The privilege may be extinguished if the substance of the communication is disclosed or accessible to internal staff not directly involved in the matter or individuals outside of the corporation.