'You've Got Mail' But Is It Privileged?

E-mail evidence is one of the newest and sharpest arrows in the government's quiver. In recent years the government has won several convictions based on little more than damning e-mail evidence. Nonetheless, people continue to use e-mail casually or even thoughtlessly, producing a data stream of potential admissions. To make matters worse, with the proliferation of portable e-mail devices, such as the ubiquitous Blackberry, the attention paid to each e-mail diminishes while the amount sent rises dramatically. The Blackberry is so addictive it's been dubbed the “Crackberry.” More than ever, people are using portable e-mail devices owned by their employer to send slapdash messages about sensitive matters without a second thought for whether the e-mail truly is confidential. This recklessness extends even to e-mail communications between attorneys and clients — a troubling development because, while clients write things to their attorneys that they never would want a judge or jury to read, such communications, if sent over company e-mail systems, may not be privileged. Attorney-client e-mail may wind up in the jury room, much to the chagrin of its author and contrary to an attorney's obligation to ensure that client communications are handled in a confidential manner.

E-mail As Evidence

With increasing frequency, regulators, prosecutors, and employers are seeking to bolster their cases by obtaining sensitive e-mail between individuals and their personal attorneys concerning the very facts at issue in lawsuits, investigations, and prosecutions. And even criminal defendants are seeking the personal e-mail of cooperating witnesses and others to assist in their defense. For example, in United States v. Kumar, No. 04 Cr. 846, currently before Judge Glasser in the Eastern District of New York, defendants Kumar and Richards, the former CEO and Head of Sales at Computer Associates, respectively, sought access to e-mail between Steven Woghin, a cooperating witness and former general counsel of Computer Associates, and Woghin's personal attorneys.

Although seeking attorney-client e-mail may appear unseemly, recent case law establishes that the arguments for disclosure are legitimate and might sometimes prevail. In general, the attorney-client privilege is destroyed when the author of the e-mail lacked an objectively reasonable expectation of privacy in the e-mail system used. Although each case turns on its own facts, disclosure arguments gain special force when: 1) the e-mail was typed on a company computer and sent over a company e-mail system; 2) the company had a policy that employee e-mail was not private, ie, the company's IT employees could easily access employee e-mail; 3) the employee-author knew of the policy; and 4) the policy was enforced on previous occasions.

Recent Case Law

In two recent decisions, courts have protected from disclosure attorney-client e-mail sent over company systems, but have not set forth broad, bright-line principles that would create certainty or security.

In In re Asia Global Crossing, Ltd., 322 B.R. 247 (Bank. S.D.N.Y. 2005), the Chapter 11 trustee of Asia Global Crossing, Ltd. and Asia Global Crossing Development Co. (collectively “Asia Global”) moved to compel production of e-mail sent via Asia Global's e-mail system between five corporate employees and their attorney. The court assumed that the e-mail was privileged in the first place and focused on whether use of Asia Global's e-mail system destroyed the confidentiality necessary to maintain the attorney-client privilege.

The court accepted the general proposition that the use of a corporate e-mail system by itself does not destroy the privilege based in part on ethics opinions issued by the American Bar Association and the State and City Bar Associations of New York holding that a lawyer may communicate with his clients via e-mail without violating the duty to safeguard client confidences. The court also relied in part on a New York evidence rule (C.P.L.R. ' 4548), which provides that a communication is not stripped of its privileged character “for the sole reason that it is communicated by electronic means[.]”

Crucially, however, the analysis did not end there. The court proceeded to consider whether, in light of other aspects of the workplace e-mail system, the risk of disclosure was significant enough to render unreasonable any expectation of privacy. The court identified the following four factors that on balance can increase the risk of disclosure and may potentially destroy the attorney-client privilege:

• whether the company maintains a policy banning personal or objectionable use of its e-mail system;
• whether the company monitors its employees' use of their computers or e-mail accounts;
• whether third parties have a right of access to employees' computer or e-mail accounts; and
• whether the employee was notified of or otherwise aware of the policies regarding the use and monitoring of their computers; and e-mail.

Judged against this standard, the court found the e-mail privileged. Although Asia Global's policy allowed the company to access e-mail sent over the company's server, the court found that the evidence was “equivocal” as to “the existence or notice of corporate policies banning certain uses or monitoring employee e-mails.” 322 B.R. at 259. Accordingly, although the court concluded that the e-mail should not be turned over, it left open the possibility that in another case with less equivocal evidence, the privilege might be destroyed.

E-mail between attorney and client was also protected from disclosure in U.S. v. Kumar. After the government mistakenly produced discovery materials to defendants which included e-mail communications between Steve Woghin and his personal attorneys, Woghin moved for a protective order compelling defendants to return all privileged materials. Defendants opposed the motion, claiming the e-mail was not privileged and, even if it were, any privilege was waived. Ironically, Woghin, a cooperating witness, was assisted in his position by affidavits from the U.S. Attorney's Office and the SEC — parties that normally would be expected to argue that such e-mail was not privileged and should be produced if responsive to a subpoena. (The SEC has in fact taken that position in informal exchanges with counsel.)

Woghin had sent the e-mail from both his office computer and a company-issued laptop, and had used both his corporate e-mail account and his personal e-mail account. In an earlier investigation of Computer Associates, the SEC had requested copies of Woghin's corporate computer hard drives. Woghin's attorneys agreed to provide them so long as Woghin's own computer expert could first filter any privileged communications. Instead, the SEC required that Woghin's attorneys produce the hard drives intact to the SEC's computer expert, who would work with Woghin's attorneys to filter out the communications. Striking a cooperative posture, Woghin agreed. The expert copied Woghin's original hard drives, and Woghin's attorneys filtered out privileged e-mail and sent the redacted copies to the SEC. The expert retained a copy of the intact hard drives.

In a strange twist, the SEC's expert later mistakenly forwarded the unredacted hard drive images to the U.S. Attorney's Office, which was prosecuting defendants. The Office, in turn, mistakenly produced the unredacted copies to defendants. When Woghin's attorneys became aware that defendants possessed the privileged e-mail, they sought a protective order.

The defendants advanced two arguments for disclosure of the e-mail: first, that Woghin had no reasonable expectation of privacy in the e-mail communications, and second, even if the e-mails were privileged, Woghin waived the privilege because he voluntarily produced his intact hard drives to the government's computer expert.

To establish that Woghin lacked a reasonable expectation of privacy in the e-mail, defendants relied on Computer Associates' e-mail access policy, which provided that no employee “can expect that e-mail in CA's Information System will remain private or that such e-mail will not be disclosed to persons other than the intended recipients of the e-mail.” Moreover, when Woghin signed on to Computer Associate's network, he was required to acknowledge and agree to the terms of the e-mail policy by clicking on an “Accept” button displayed on his screen. Woghin responded that during the U.S. Attorney's Office's investigation of Computer Associates, the company made clear that it would not review e-mail between its employees and their personal attorneys, and actively sought to filter out such e-mail. Woghin further claimed that the company rarely enforced its e-mail policy. At a hearing on Dec. 21, 2005, Judge Glasser informed the parties that he was granting Woghin's motion. See Dec. 21, 2005 Tr. at 76.

Notwithstanding their outcomes, Global Crossing and Kumar make clear that communicating with one's lawyer over a corporate e-mail system creates an unnecessary risk of destroying the attorney-client privilege and opening a goldmine of information to one's adversary. In fact, New York state courts recently have issued several unpublished decisions indicating that information transmitted via company e-mail systems may not be confidential (although those decisions did not address the attorney-client privilege). See Larcher & Lovell Taylor v. Postnieks, Index No. 120807/03 (May 19, 2005) (unpublished); Cardace v. Hume, Index No. 000077/02 (July 1, 2003) (unpublished); Silverberg & Hunter, LLP v. Futterman, Index No. 002976/02 (July 3, 2002) (unpublished).

The law of privilege as applied to corporate e-mail communications affords no bright-line rules. Instead, the analysis is ad hoc and therefore somewhat unpredictable. See Plotkin SP: Dawn Raids Here at Home? The Danger of Vanishing Privacy Expectations for Corporate Employees. 17 St. Thomas L. Rev. 265, 286-90 (2004). As courts issue more decisions addressing this question, companies may respond by tightening their own policies and eliminating all vestiges of confidentiality from corporate e-mail systems. Accordingly, when employees want to contact their lawyer, the best approach is to pick up the phone.

E-mail evidence is one of the newest and sharpest arrows in the government's quiver. In recent years the government has won several convictions based on little more than damning e-mail evidence. Nonetheless, people continue to use e-mail casually or even thoughtlessly, producing a data stream of potential admissions. To make matters worse, with the proliferation of portable e-mail devices, such as the ubiquitous Blackberry, the attention paid to each e-mail diminishes while the amount sent rises dramatically. The Blackberry is so addictive it's been dubbed the “Crackberry.” More than ever, people are using portable e-mail devices owned by their employer to send slapdash messages about sensitive matters without a second thought for whether the e-mail truly is confidential. This recklessness extends even to e-mail communications between attorneys and clients — a troubling development because, while clients write things to their attorneys that they never would want a judge or jury to read, such communications, if sent over company e-mail systems, may not be privileged. Attorney-client e-mail may wind up in the jury room, much to the chagrin of its author and contrary to an attorney's obligation to ensure that client communications are handled in a confidential manner.

E-mail As Evidence

With increasing frequency, regulators, prosecutors, and employers are seeking to bolster their cases by obtaining sensitive e-mail between individuals and their personal attorneys concerning the very facts at issue in lawsuits, investigations, and prosecutions. And even criminal defendants are seeking the personal e-mail of cooperating witnesses and others to assist in their defense. For example, in United States v. Kumar , No. 04 Cr. 846, currently before Judge Glasser in the Eastern District of New York, defendants Kumar and Richards, the former CEO and Head of Sales at Computer Associates, respectively, sought access to e-mail between Steven Woghin, a cooperating witness and former general counsel of Computer Associates, and Woghin's personal attorneys.

Although seeking attorney-client e-mail may appear unseemly, recent case law establishes that the arguments for disclosure are legitimate and might sometimes prevail. In general, the attorney-client privilege is destroyed when the author of the e-mail lacked an objectively reasonable expectation of privacy in the e-mail system used. Although each case turns on its own facts, disclosure arguments gain special force when: 1) the e-mail was typed on a company computer and sent over a company e-mail system; 2) the company had a policy that employee e-mail was not private, ie, the company's IT employees could easily access employee e-mail; 3) the employee-author knew of the policy; and 4) the policy was enforced on previous occasions.

Recent Case Law

In two recent decisions, courts have protected from disclosure attorney-client e-mail sent over company systems, but have not set forth broad, bright-line principles that would create certainty or security.

In In re Asia Global Crossing, Ltd., 322 B.R. 247 (Bank. S.D.N.Y. 2005), the Chapter 11 trustee of Asia Global Crossing, Ltd. and Asia Global Crossing Development Co. (collectively “Asia Global”) moved to compel production of e-mail sent via Asia Global's e-mail system between five corporate employees and their attorney. The court assumed that the e-mail was privileged in the first place and focused on whether use of Asia Global's e-mail system destroyed the confidentiality necessary to maintain the attorney-client privilege.

The court accepted the general proposition that the use of a corporate e-mail system by itself does not destroy the privilege based in part on ethics opinions issued by the American Bar Association and the State and City Bar Associations of New York holding that a lawyer may communicate with his clients via e-mail without violating the duty to safeguard client confidences. The court also relied in part on a New York evidence rule (C.P.L.R. ' 4548), which provides that a communication is not stripped of its privileged character “for the sole reason that it is communicated by electronic means[.]”

Crucially, however, the analysis did not end there. The court proceeded to consider whether, in light of other aspects of the workplace e-mail system, the risk of disclosure was significant enough to render unreasonable any expectation of privacy. The court identified the following four factors that on balance can increase the risk of disclosure and may potentially destroy the attorney-client privilege:

• whether the company maintains a policy banning personal or objectionable use of its e-mail system;
• whether the company monitors its employees' use of their computers or e-mail accounts;
• whether third parties have a right of access to employees' computer or e-mail accounts; and
• whether the employee was notified of or otherwise aware of the policies regarding the use and monitoring of their computers; and e-mail.

Judged against this standard, the court found the e-mail privileged. Although Asia Global's policy allowed the company to access e-mail sent over the company's server, the court found that the evidence was “equivocal” as to “the existence or notice of corporate policies banning certain uses or monitoring employee e-mails.” 322 B.R. at 259. Accordingly, although the court concluded that the e-mail should not be turned over, it left open the possibility that in another case with less equivocal evidence, the privilege might be destroyed.

E-mail between attorney and client was also protected from disclosure in U.S. v. Kumar. After the government mistakenly produced discovery materials to defendants which included e-mail communications between Steve Woghin and his personal attorneys, Woghin moved for a protective order compelling defendants to return all privileged materials. Defendants opposed the motion, claiming the e-mail was not privileged and, even if it were, any privilege was waived. Ironically, Woghin, a cooperating witness, was assisted in his position by affidavits from the U.S. Attorney's Office and the SEC — parties that normally would be expected to argue that such e-mail was not privileged and should be produced if responsive to a subpoena. (The SEC has in fact taken that position in informal exchanges with counsel.)

Woghin had sent the e-mail from both his office computer and a company-issued laptop, and had used both his corporate e-mail account and his personal e-mail account. In an earlier investigation of Computer Associates, the SEC had requested copies of Woghin's corporate computer hard drives. Woghin's attorneys agreed to provide them so long as Woghin's own computer expert could first filter any privileged communications. Instead, the SEC required that Woghin's attorneys produce the hard drives intact to the SEC's computer expert, who would work with Woghin's attorneys to filter out the communications. Striking a cooperative posture, Woghin agreed. The expert copied Woghin's original hard drives, and Woghin's attorneys filtered out privileged e-mail and sent the redacted copies to the SEC. The expert retained a copy of the intact hard drives.

In a strange twist, the SEC's expert later mistakenly forwarded the unredacted hard drive images to the U.S. Attorney's Office, which was prosecuting defendants. The Office, in turn, mistakenly produced the unredacted copies to defendants. When Woghin's attorneys became aware that defendants possessed the privileged e-mail, they sought a protective order.

The defendants advanced two arguments for disclosure of the e-mail: first, that Woghin had no reasonable expectation of privacy in the e-mail communications, and second, even if the e-mails were privileged, Woghin waived the privilege because he voluntarily produced his intact hard drives to the government's computer expert.

To establish that Woghin lacked a reasonable expectation of privacy in the e-mail, defendants relied on Computer Associates' e-mail access policy, which provided that no employee “can expect that e-mail in CA's Information System will remain private or that such e-mail will not be disclosed to persons other than the intended recipients of the e-mail.” Moreover, when Woghin signed on to Computer Associate's network, he was required to acknowledge and agree to the terms of the e-mail policy by clicking on an “Accept” button displayed on his screen. Woghin responded that during the U.S. Attorney's Office's investigation of Computer Associates, the company made clear that it would not review e-mail between its employees and their personal attorneys, and actively sought to filter out such e-mail. Woghin further claimed that the company rarely enforced its e-mail policy. At a hearing on Dec. 21, 2005, Judge Glasser informed the parties that he was granting Woghin's motion. See Dec. 21, 2005 Tr. at 76.

Notwithstanding their outcomes, Global Crossing and Kumar make clear that communicating with one's lawyer over a corporate e-mail system creates an unnecessary risk of destroying the attorney-client privilege and opening a goldmine of information to one's adversary. In fact, New York state courts recently have issued several unpublished decisions indicating that information transmitted via company e-mail systems may not be confidential (although those decisions did not address the attorney-client privilege). See Larcher & Lovell Taylor v. Postnieks, Index No. 120807/03 (May 19, 2005) (unpublished); Cardace v. Hume, Index No. 000077/02 (July 1, 2003) (unpublished); Silverberg & Hunter, LLP v. Futterman, Index No. 002976/02 (July 3, 2002) (unpublished).

The law of privilege as applied to corporate e-mail communications affords no bright-line rules. Instead, the analysis is ad hoc and therefore somewhat unpredictable. See Plotkin SP: Dawn Raids Here at Home? The Danger of Vanishing Privacy Expectations for Corporate Employees. 17 St. Thomas L. Rev. 265, 286-90 (2004). As courts issue more decisions addressing this question, companies may respond by tightening their own policies and eliminating all vestiges of confidentiality from corporate e-mail systems. Accordingly, when employees want to contact their lawyer, the best approach is to pick up the phone.