Last month, Edward Snowden provided the press a document describing “how Australian intelligence conducted surveillance of trade talks between Indonesia and the United States and, in the process, monitored communications between Indonesian officials and an American law firm retained by Indonesia for help with the trade dispute.”

Web-based email service providers may use automated processes to review email you send and receive.  This may be done to look for spelling errors and spam.  But it also may be done to target advertising based on the content of the email.

The terms of service of some cloud providers give the provider the right to access the content of material you create or store for purposes ranging from technical support to refining the cloud services they provide.

In this new digital world, is it reasonable to expect that a communication between client and lawyer for the purpose of obtaining legal advice is confidential (and, therefore, privileged)?  The attorney-client privilege faces new tests with the advent of “the cloud” and other digital innovations.  This was one of the topics covered in the Association of Certified E-Discovery Specialists’ program, “Inviting Scrutiny:  The Impact of Digital Age Innovations on the Attorney-Client Privilege,” in which I participated with U.S. Magistrate Judge James Francis (SDNY) and Phil Favro of Recommind.

Is it reasonable to expect that communications made through, or stored with, third-party service providers are confidential for purposes of attorney-client privilege?  The bad news is, “it depends.”  Even worse, to answer the question, you — or someone smarter than you in the ways of technology — may have to actually read and understand those pesky third-party “terms of service.”

All lawyers are subject to a duty to maintain the confidentiality of information “relating to the representation of a client” (ABA Model Rule 1.6).  Yes – I know – attorney-client privilege is an evidentiary privilege and is not a creature of the rules governing the conduct of lawyers.  But stick with me for a moment, because a number of state ethics opinions discuss the ethical duty to “take reasonable precautions to protect the security and confidentiality of client documents and information” where information is stored with a third party, including a third-party cloud provider.  It is likely that a court wrestling with the question of whether a confidentiality expectation was reasonable for an attorney-client communication made through or stored in “the cloud” will look to these decisions for guidance.

That said, the roadmap provided by these opinions suggests that one placing confidential client information in the cloud must understand the security used by the cloud provider or rely on someone with that understanding.  As the State Bar of California observed:

Many attorneys, as with a large contingent of the general public, do not possess much, if any, technological savvy. Although the Committee does not believe that attorneys must develop a mastery of the security features and deficiencies of each technology available, the duties of confidentiality and competence that attorneys owe to their clients do require a basic understanding of the electronic protections afforded by the technology they use in their practice. If the attorney lacks the necessary competence to assess the security of the technology, he or she must seek additional information or consult with someone who possesses the necessary knowledge, such as an information technology consultant.

Courts might look to the following factors in analyzing whether an expectation of confidentiality was reasonable:

  • Does the provider acknowledge that you own the information?
  • Does the provider’s Terms of Service include the provider’s commitment to confidential handling of the data?
  • Can the provider review the content of information stored with the provider?  If so, for what reasons?  It may be one thing for a provider to look at information for the purpose of providing the storage or communication service.  A court may look at it differently if the provider is mining your confidential information for other purposes.
  • Is the information so sensitive that it should not be stored with a third party at all (or without additional security steps like encryption)?
  • Where is the information stored?  If outside the U.S., is it a country whose laws concerning data ownership and privacy are at least as protective as the U.S.?
  • What are the legal ramifications of third-party interception of the information?  Actions are more likely to be considered reasonable when interception or disclosure is illegal.
  • Does the provider have effective protocols to guard against and provide notification of a data breach?

If you’ve finished reading all the relevant ethics decisions and are ready for a deeper dive into the exciting privilege questions raised by current and emerging technologies, you should try to get out more. No?  Then do what I did and take a look at Phil Favro’s excellent article in the Richmond Journal of Law and Technology, “Inviting Scrutiny: How Technologies are Eroding the Attorney Client Privilege.”