5 May 1999. Thanks to PK.
Source: http://www.abanet.org/cpr/fo99-413.html


AMERICAN BAR ASSOCIATION

STANDING COMMITTEE ON ETHICS AND PROFESSIONAL RESPONSIBILITY

Formal Opinion No. 99-413
March 10, 1999

Protecting the Confidentiality of Unencrypted E-Mail

A lawyer may transmit information relating to the representation of a client by unencrypted e-mail sent over the Internet without violating the Model Rules of Professional Conduct (1998) because the mode of transmission affords a reasonable expectation of privacy from a technological and legal standpoint. The same privacy accorded U.S. and commercial mail, land-line telephonic transmissions, and facsimiles applies to Internet e-mail. A lawyer should consult with the client and follow her instructions, however, as to the mode of transmitting highly sensitive information relating to the client's representation.

The Committee addresses in this opinion the obligations of lawyers under the Model Rules of Professional Conduct (1998) when using unencrypted electronic mail to communicate with clients or others about client matters. The Committee (1) analyzes the general standards that lawyers must follow under the Model Rules in protecting "confidential client information"1 from inadvertent disclosure; (2) compares the risk of interception of unencrypted e-mail with the risk of interception of other forms of communication; and (3) reviews the various forms of e-mail transmission, the associated risks of unauthorized disclosure, and the laws affecting unauthorized interception and disclosure of electronic communications.

The Committee believes that e-mail communications, including those sent unencrypted over the Internet, pose no greater risk of interception or disclosure than other modes of communication commonly relied upon as having a reasonable expectation of privacy. The level of legal protection accorded e-mail transmissions, like that accorded other modes of electronic communication, also supports the reasonableness of an expectation of privacy for unencrypted e-mail transmissions. The risk of unauthorized interception and disclosure exists in every medium of communication, including e-mail. It is not, however, reasonable to require that a mode of communicating information must be avoided simply because interception is technologically possible, especially when unauthorized interception or dissemination of the information is a violation of law.2

The Committee concludes, based upon current technology and law as we are informed of it, that a lawyer sending confidential client information by unencrypted e-mail does not violate Model Rule 1.6(a) in choosing that mode to communicate. This is principally because there is a reasonable expectation of privacy in its use.

The conclusions reached in this opinion do not, however, diminish a lawyer's obligation to consider with her client the sensitivity of the communication, the costs of its disclosure, and the relative security of the contemplated medium of communication. Particularly strong protective measures are warranted to guard against the disclosure of highly sensitive matters. Those measures might include the avoidance of e-mail,3 just as they would warrant the avoidance of the telephone, fax, and mail. See Model Rule 1.1 and 1.4(b). The lawyer must, of course, abide by the client's wishes regarding the means of transmitting client information. See Model Rule 1.2(a).

A. Lawyers' Duties Under Model Rule 1.6

The prohibition in Model Rule 1.6(a) against revealing confidential client information absent client consent after consultation imposes a duty on a lawyer to take reasonable steps in the circumstances to protect such information against unauthorized use or disclosure.4  Reasonable steps include choosing a means of communication in which the lawyer has a reasonable expectation of privacy.5  In order to comply with the duty of confidentiality under Model Rule 1.6, a lawyer's expectation of privacy in a communication medium need not be absolute; it must merely be reasonable.

It uniformly is accepted that a lawyer's reliance on land-line telephone, fax machine, and mail to communicate with clients does not violate the duty of confidentiality because in the use of each medium, the lawyer is presumed to have a reasonable expectation of privacy.6  The Committee now considers whether a lawyer's expectation of privacy is any less reasonable when she communicates by e-mail.

B. Communications Alternatives To E-Mail

In order to understand what level of risk may exist without destroying the reasonable expectation of privacy, this Section evaluates the risks inherent in the use of alternative means of communication in which lawyers nonetheless are presumed to have such an expectation. These include ordinary U.S. mail; land-line, cordless, and cellular telephones; and facsimile transmissions.

1. U.S. and Commercial Mail

It uniformly is agreed that lawyers have a reasonable expectation of privacy in communications made by mail (both U.S. Postal Service and commercial). This is despite risks that letters may be lost, stolen or misplaced at several points between sender and recipient. Further, like telephone companies, Internet service providers (ISPs), and on-line service providers (OSPs), mail services often reserve the right to inspect the contents of any letters or packages handled by the service. Like e-mail, U.S. and commercial mail can be intercepted and disseminated illegally. But, unlike unencrypted e-mail, letters are sealed and therefore arguably more secure than e-mail.7

2. Land-Line Telephones

It is undisputed that a lawyer has a reasonable expectation of privacy in the use of a telephone.8

For this reason, the protection against unreasonable search and seizure guaranteed by the Fourth Amendment applies to telephone conversations.9   It also is recognized widely that the attorney-client privilege applies to conversations over the telephone as long as the other elements of the privilege are present.10  However, this expectation of privacy in communications by telephone must be considered in light of the substantial risk of interception and disclosure inherent in its use. Tapping a telephone line does not require great technical sophistication or equipment, nor is the know-how difficult to obtain.11

Multiple extensions provide opportunities for eavesdropping without the knowledge of the speakers. Technical errors by the phone company may result in third parties listening to private conversations. Lastly, phone companies are permitted by law to monitor phone calls under limited conditions.

Despite this lack of absolute security in the medium, using a telephone is considered to be consistent with the duty to take reasonable precautions to maintain confidentiality.12

3. Cordless and Cellular Phones

Authority is divided as to whether users have a reasonable expectation of privacy in conversations made over cordless and cellular phones.13  Some court decisions reached the conclusion that there is no reasonable expectation of privacy in cordless phones in part because of the absence, at the time, of federal law equivalent to that which protects traditional telephone communications.14  After the 1994 amendment to the Wiretap Statute, which extended the same legal protections afforded regular telephone communications to cordless phone conversations,15 at least one ethics opinion addressed the advisability of using cordless phones to communicate with clients and concluded that their use does not violate the duty of confidentiality.16

The nature of cordless and cellular phone technology exposes it to certain risks that are absent from e-mail communication. E-mail messages are not "broadcast" over public airwaves.17  Cordless phones, by contrast, rely on FM and AM radio waves to broadcast signals to the phone's base unit, which feeds the signals into land-based phone lines. Therefore, in addition to the risks inherent in the use of a regular telephone, cordless phones also are subject to risks of interception due to their broadcast on radio signals that may be picked up by mass-marketed devices such as radios, baby monitors, and other cordless phones within range.18  Further, the intercepted signals of cordless and analog cellular telephones are in an instantly comprehensible form (oral speech), unlike the digital format of e-mail communications.

Similarly, cellular phones transmit radio signals to a local base station that feeds the signals into land-based phone lines. The broadcast area from the phone to the station is larger than that of a cordless phone, and receivers and scanners within range may intercept and overhear the conversation. Although the Committee does not here express an opinion regarding the use of cellular or cordless telephone, it notes that the concerns about the expectation of privacy in the use of cordless and cellular telephones do not apply to e-mail transmitted over land-based phone lines.19

4. Facsimile

Authority specifically stating that the use of fax machines is consistent with the duty of confidentiality is absent, perhaps because, according to some commentators, courts assume the conclusion to be self-evident.20 Nonetheless, there are significant risks of interception and disclosure in the use of fax machines. Misdirection may result merely by entering one of ten digits incorrectly. Further, unlike e-mail, faxes often are in the hands of one or more intermediaries before reaching their intended recipient, including, for example, secretaries, runners, and mailroom employees. In light of these risks, prudent lawyers faxing highly sensitive information should take heightened measures to preserve the communication's confidentiality.

C. Characteristics Of E-Mail Systems

The reasonableness of a lawyer's use of any medium to communicate with or about clients depends both on the objective level of security it affords and the existence of laws intended to protect the privacy of the information communicated. We here examine the four most common types of e-mail and compare the risks inherent in their use with those of alternative means of communication, including the telephone (regular, cordless and cellular), fax, and mail.

Like many earlier technologies, "e-mail" has become a generic term that presently encompasses a variety of systems allowing communication among computer users. Because the security of these e-mail systems is not uniform, the Committee here evaluates separately the degree of privacy afforded by each. As set forth below, we conclude that a lawyer has a reasonable expectation of privacy in such use.

1. "Direct" E-Mail21

Lawyers may e-mail their clients directly (and vice versa) by programming their computer's modem to dial their client's. The modem simply converts the content of the e-mail into digital information that is carried on land-based phone lines to the recipient's modem, where it is reassembled back into the message. This is virtually indistinguishable from the process of sending a fax: a fax machine dials the number of the recipient fax machine and digitally transmits information to it through land-based phone lines. Because the information travels in digital form, tapping a telephone line to intercept an e-mail message would require more effort and technical sophistication than would eavesdropping on a telephone conversation by telephone tap.

Based on the difficulty of intercepting direct e-mail, several state bar ethics opinions and many commentators recognize a reasonable expectation o privacy in this form of e-mail.22  Further, in two recent federal court decisions, the attorney-client and work-product privileges were considered applicable to e-mail communications.23  The Committee agrees that there is a reasonable expectation of privacy in this mode of communication.

2. "Private System" E-Mail

A "private system" includes typical internal corporate e-mail systems and so-called "extranet" networks in which one internal system directly dials another private system. The only relevant distinction between "private system" and "direct" e-mail is the greater risk of misdirected e-mails in a private system. Messages mistakenly may be sent throughout a law firm or to unintended recipients within the client's organization. However, all members of a firm owe a duty of confidentiality to each of the firm's clients.24   Further, unintended disclosures to individuals within a client's private e-mail network are unlikely to be harmful to the client.

The reliance of "private system" e-mail on land-based phone lines and its non-use of any publicly accessible network renders this system as secure as direct e-mail, regular phone calls, and faxes. As a result, there is a widespread consensus that confidentiality is not threatened by its use,25 and the Committee concurs.

3. On-line Service Providers

E-mail also may be provided by third-party on-line service providers or "OSPs."26  Users typically are provided a password-protected mailbox from which they may send and retrieve e-mail.

There are two features of this system that distinguish it from direct and private-system e-mail. First, user mailboxes, although private, exist in a public forum consisting of other fee-paying users. The added risk caused by the existence of other public users on the same network is that misdirected e-mails may be sent to unknown users. Unlike users of private system e-mail networks who, as agents of their employers, owe a duty of confidentiality to them and, in the case of a law firm, to all firm clients, the inadvertent user owes no similar duties.27   The risk of misdirection is, however, no different from that which exists when sending a fax. Further, the misdirection of an e-mail to another OSP can be avoided with reasonable care.28

The second distinctive feature of e-mail administered by an OSP is that the relative security and confidentiality of user e-mail largely depends on the adequacy of the particular OSP's security measures meant to limit external access and its formal policy regarding the confidentiality of user e-mail. Together, they will determine whether a user has a reasonable expectation of privacy in this type of e-mail.

The denial of external access ordinarily is ensured by the use of password-protected mailboxes or encryption29. The threat to confidentiality caused by the potential inspection of users' e-mail by OSP system administrators who must access the e-mail for administrative and compliance purposes is overcome by the adoption of a formal policy that narrowly restricts the bases on which system administrators30 and OSP agents31 32 are permitted to examine user e-mail.

Moreover, federal law imposes limits on the ability of OSP administrators to inspect user e-mail, irrespective of the OSP's formal policy. Inspection is limited by the ECPA to purposes "necessary to the rendition of services" or to the protection of "rights or property."33   Further, even if an OSP administrator lawfully inspects user e-mail within the narrow limits defined by the ECPA, the disclosure of those communications for purposes other than those provided by the statute is prohibited.34

Accordingly, the Committee concludes that lawyers have a reasonable expectation of privacy when communicating by e-mail maintained by an OSP, a conclusion that also has been reached by at least one case as well as state bar ethics committees and commentators.35

4. Internet E-Mail

E-mail may be sent over the Internet between service users without interposition of OSPs. Internet e-mail typically uses land-based phone lines and a number of intermediate computers randomly selected to travel from sender to recipient. The intermediate computers consist of various Internet service providers or "routers" that maintain software designed to help the message reach its final destination.

Because Internet e-mail typically travels through land-based phone lines, the only points of unique vulnerability consist of the third party-owned Internet services providers or "ISPs," each capable of copying messages passing through its network. Confidentiality may be compromised by (1) the ISP's legal, though qualified, right to monitor e-mail passing through or temporarily stored in its network, and (2) the illegal interception of e-mail by ISPs or "hackers."36

The ISPs' qualified inspection rights are identical to those of OSPs.37  The same limits described above therefore apply to ISPs. In addition, the provider of an electronic communications service may by law conduct random monitoring only for mechanical or service quality control checks.38

The second threat to confidentiality is the illegal interception of e-mail, either by ISPs exceeding their qualified monitoring rights or making unauthorized disclosures, or by third party hackers who use ISPs as a means of intercepting e-mail. Although it is difficult to quantify precisely the frequency of either practice, the interception or disclosure of e-mail in transit or in storage (whether passing through an ISP or in any other medium) is a crime and also may result in civil liability.39

In addition to criminalization, practical constraints on the ability of third parties and ISPs to capture and read Internet e-mail lead to the conclusion that the user of Internet e-mail has a reasonable expectation of privacy. An enormous volume of data travelling at an extremely high rate passes through ISPs every hour. Further, during the passage of Internet e-mail between sender and recipient, the message ordinarily is split into fragments or "packets" of information. Therefore, only parts of individual messages customarily pass through ISPs, limiting the extent of any potential disclosure. Because the specific route taken by each e-mail message through the labyrinth of phone lines and ISPs is random, it would be very difficult consistently to intercept more than a segment of a message by the same author.

Together, these characteristics of Internet e-mail further support the Committee's conclusion that an expectation of privacy in this medium of communication is reasonable. The fact that ISP administrators or hackers are capable of intercepting Internet e-mail - albeit with great difficulty and in violation of federal law - should not render the expectation of privacy in this medium any the less reasonable, just as the risk of illegal telephone taps does not erode the reasonable expectation of privacy in a telephone call.40

CONCLUSION

Lawyers have a reasonable expectation of privacy in communications made by all forms of e-mail, including unencrypted e-mail sent on the Internet, despite some risk of interception and disclosure. It therefore follows that its use is consistent with the duty under Rule 1.6 to use reasonable means to maintain the confidentiality of information relating to a client's representation.

Although earlier state bar ethics opinions on the use of Internet e-mail tended to find a violation of the state analogues of Rule 1.6 because of the susceptibility to interception by unauthorized persons and, therefore, required express client consent to the use of e-mail, more recent opinions reflecting lawyers' greater understanding of the technology involved approve the use of unencrypted Internet e-mail without express client consent.

Even so, when the lawyer reasonably believes that confidential client information being transmitted is so highly sensitive that extraordinary measures to protect the transmission are warranted, the lawyer should consult the client as to whether another mode of transmission, such as special messenger delivery, is warranted. The lawyer then must follow the client's instructions as to the mode of transmission. See Model Rule 1.2(a).

ENDNOTES

1 As used in this opinion, "confidential client information" denotes "information relating to the representation of a client" under Model Rule 1.6(a), which states:

(a) a lawyer shall not reveal information relating to representation of a client unless a client consents after consultation, except for disclosures that are impliedly authorized in order to carry out the representation.

2 The Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, 100 Stat. 1848 (1986), amended the Federal Wiretap Statute of 1968 by extending its scope to include "electronic communications." 18 U.S.C.A. ( 2510, et seq. (1998) (the "ECPA"). The ECPA now commonly refers to the amended statute in its entirety. The ECPA provides criminal and civil penalties for the unauthorized interception or disclosure of any wire, oral, or electronic communication. 18 U.S.C.A. ( 2511.

3 Options other than abandoning e-mail include using encryption or seeking client consent after apprising the client of the risks and consequences of disclosure.

4 See also RESTATEMENT (THIRD) OF THE LAW GOVERNING LAWYERS ( 112 cmt. d (Proposed Official Draft 1998), which provides that confidential client information must be "acquired, stored, retrieved, and transmitted under systems and controls that are reasonably designed and managed to maintain confidentiality."

5 Whether a lawyer or a client has a reasonable expectation of privacy also governs whether a communication is "in confidence" for purposes of the attorney-client privilege. As a result, analysis under the attorney-client privilege is often relevant to this opinion's discussion of e-mail and the duty of confidentiality. The relevance of privilege is not exhaustive, however, because of its more restrictive application in prohibiting the introduction of privileged communications between a lawyer and client in any official proceeding. In contrast to the requirement imposed by the duty of confidentiality to avoid disclosing any information "relating to the representation" of the client, see Model Rule 1.6(a), supra n.1, the attorney-client privilege applies only to actual "communications" made "in confidence" by the client to the lawyer. See JOHN H. WIGMORE, 8 EVIDENCE § 2295 (McNaughton rev. 1961).

6 See infra Section B. It should be noted that a lawyer's negligent use of any medium - including the telephone, mail and fax - may breach the duty of confidentiality. The relevant issue here, however, is whether, despite otherwise reasonable efforts to ensure confidentiality, breach occurs solely by virtue of the lawyer's use of e-mail.

7 A.C.L.U. v. Reno, 929 F. Supp. 824, 834 (E.D. Pa. 1996), aff'd 521 U.S. 844 (1997) ("Unlike postal mail, simple e-mail is not 'sealed' or secure, and can be accessed or viewed on intermediate computers between the sender and recipient (unless the message is encrypted.").

8 Frequently, what we understand to be regular or land-line telephone conversations are transmitted in part by microwave. For example, many corporate telephone networks are hard-wired within a building and transmitted by microwave among buildings within a corporate campus to a central switch connected by land-line or microwave to a local or interstate carrier.

9 It should be noted that the ECPA preserves the privileged character of any unlawfully intercepted "wire, oral, or electronic communication." 18 U.S.C.A. ( 2517(4). The inclusion of e-mail in this provision is important for two reasons. First, implicit in this provision is the assumption that electronic communications are capable of transmitting privileged material. To argue that the use of e-mail never is "in confidence" or constitutes an automatic waiver of otherwise privileged communications therefore appears to be inconsistent with an assumption of this provision of federal law. Second, the identical federal treatment of e-mail with other means of communication long assumed consistent with the maintenance of privilege likewise is inconsistent with the assertion that the use of e-mail poses unique threats to privileged communications.

10 See Peter R. Jarvis & Bradley F. Tellam, High-Tech Ethics and Malpractice Issues 7 (1996) (paper delivered at the 22nd National Conference on Professional Responsibility, May 30, 1996, in Chicago, Illinois) (on file with its author), reported in 1996 SYMPOSIUM ISSUE OF THE PROFESSIONAL LAWYER, 51, 55 (1996) (hereafter "Jarvis & Bradley"); David Hricik, E-mail and Client Confidentiality: Lawyers Worry Too Much about Transmitting Client Confidences by Internet E-mail, 11 GEO. J. LEGAL ETHICS 459, 479 (1999) (hereafter "Hricik").

11 See Jarvis & Tellam supra n.10, at 57; Hricik supra n.10, at 480.

12 See Hricik supra n.10, at 481.

13 See, e.g., Jarvis & Tellam supra n.10, at 59-61; Hricik supra n.10, at 481-85. Compare Mass. Ethics Opinion 94-5 (1994) (if risk of disclosure to third party is "nontrivial," lawyer should not use cellular phone); N.C. Ethics Op. 215 (1995) (advising lawyers to use the mode of communication that best will maintain confidential information); State Bar of Arizona Advisory Op. 95-11 (1995) (lawyers should exercise caution before using cellular phones to communicate client confidences) with United States v. Smith, 978 F.2d 171, 180 (5th Cir. 1992) (finding that there may be reasonable expectation of privacy in cordless phone communications for Fourth Amendment purposes).

14 McKarney v. Roach, 55 F.3d 1236, 1238-9 (6th Cir. 1995), cert. denied, 576 U.S. 944 (1995); Askin v. United States, 47 F.3d 100, 103-04 (4th Cir. 1995).

15 By 1986, the protection under federal law for cellular phone communications was equal to traditional land-line telephone communications. The Communications Assistance for Law Enforcement Act, Pub. L. No. 103-414, 202(a), 108 Stat. 4279 (1994), deleted previous exceptions under the Federal Wiretap Act that limited the legal protections afforded cordless phone communications under 18 U.S.C.A. (( 2510(1), 2510(12) (A). Existing law criminalizes the intentional and unauthorized interception of both cordless and cellular phone communications, 18 U.S.C.A. ( 2511; the privileged status of the communication preserves in the event of intentional interception, 18 U.S.C.A. ( 2517(4); and bars the introduction of the unlawful interception as evidence at trial even if it is not privileged, 18 U.S.C.A. ( 2515.

16 State Bar of Arizona Advisory Op. 95-11 (1995). Some commentators have argued that in light of the 1994 amendment and the recent improvements in the security of both media (including the introduction of digital cellular phones), the expectation of privacy in communications by cordless and cellular telephones should not be considered unreasonable. Jarvis & Tellam supra n.10, at 60-61. See also Hricik supra n.10, at 483, 485 (arguing that despite the fact that their privileged status would not be lost if cellular and cordless phone conversations were intercepted, lawyers should consider whether the cost of potential disclosure is outweighed by the benefit derived from the use of cordless or cell phones). Further, 18 U.S.C.A. ( 2512 prohibits the manufacture and possession of scanners capable of receiving cellular frequencies, and cordless and cellular phone communications have been afforded greater legal protection under several recent state court decisions. See, e.g., State v. Faford, 128 Wash.2d 476, 485-86, 910 P.2d 447, 451-52 (1996) (reversing trial court's admission of defendants' cordless phone conversations violated state privacy act because defendants had reasonable expectation of privacy in such communication); State v. McVeigh, 224 Conn. 593, 622, 620 A.2d 133, 147 (1995) (reversing trial court's admission of defendants' cordless telephone conversations because such communications were within scope of state law forbidding the intentional interception of wire communications).

17 Hricik supra n.10, at 497.

18 See United States v. Maxwell 42 M.J. 568, 576, 43 Fed. R. Evid. Serv. (Callaghan) 24 (A. F. Ct. Crim. App. 1995) (holding that user of e-mail maintained by OSP was protected against warrantless search of e-mails because user had reasonable expectation of privacy in such communications, unlike cordless phone communication) aff'd in part and rev'd in part, 45 M.J. 406 (U.S. Armed Forces 1996) (expectation of privacy exists in e-mail transmissions made through OSP).

19 The risks of interception and disclosure may be lessened by the recent introduction of digital cellular phones, whose transmissions are considered more difficult to intercept than their analog counterparts. New communications technology, however, does not always advance privacy concerns. The use of airplane telephones, for example, exposes users to the interception risks of cellular telephones as well as a heightened risk of disclosure due to eavesdropping on the airplane itself. Most recently, a world-wide, satellite-based cellular telephone system called Iridium has been introduced by Motorola. The principles articulated in this opinion should be considered by a lawyer when using such systems.

20 See, e.g., Practice Guide, Electronic Communications, in ABA/BNA LAWYERS' MANUAL ON PROFESSIONAL CONDUCT 55:403 (1996) ("[C]ourts seem to have taken it for granted that fax machines may be used [to transmit confidential information]," citing State ex rel. U.S. Fidelity and Guar. Co. v. Canady, 144 W.Va. 431, 443-44, 460 S.E.2d 677, 689-90 (1995) (holding that faxed communication was protected by the attorney-client privilege)). See also Jarvis & Tellam supra n.10, at 61 ("[T]here seems to be no question that faxes are subject to the attorney-client privilege . . . no one asserts that the use of a fax machine or the possibility of misdirection destroys any hope of a claim of privilege," citing ABA Comm. on Ethics and Professional Responsibility, Formal Ops. 94-382 and 92-368).

21 The names for the varieties of e-mail described in this section of the opinion are based on those used by Hricik, supra n.10, at 485-92.

22 See, e.g., Alaska Bar Ass'n Op. 98-2 (1998); Ill. State Bar Ass'n Advisory Op. on Professional Conduct No. 96-10 (1997); S.C. Bar Ethics Advisory Comm. Op. No. 97-08 (1997); Vermont Advisory Ethics Op. No. 97-5 (1997). See also, Jarvis & Tellam, supra n.10, at 61; Hricik supra n.10, at 502-06.

23 In re Grand Jury Proceedings, 43 F.3d 966, 968 (5th Cir. 1994) (court considered e-mail messages along with other documents in work-product privilege analysis); United States v. Keystone Sanitation Co. Inc., 903 F. Supp. 803, 808 (M.D. Pa. 1995) (defendants waived privileged nature of e-mail messages due to inadvertent production).

24 Hricik supra n. 10, at 487.

25 See e.g., Alaska Bar Ass'n Op. 98-2 (1998); Ill. State Bar Ass'n Advisory Op. on Professional Conduct No. 96-10 (1997); S.C. Bar Ethics Advisory Comm. Op. No. 97-08 (1997); Vermont Advisory Ethics Op. 97-5 (1997). See also, Hricik supra n.10, at 486-87.

26 Examples include America Online ("AOL"), CompuServe, and MCI Mail.

27 Hricik supra n.10, at 487-88.

28 If the inadvertent recipient is a lawyer, then the lawyer must refrain from examining the information any more than necessary to ascertain that it was not intended for her and must notify the sender, ABA Comm. on Ethics and Professional Responsibility, Formal Op. 92-368 (1992), an obligation that extends to information received by e-mail or fax, ABA Comm. on Ethics and Professional Responsibility, Formal Op. 94-382 (1994).

29 For a basic explanation of encryption technology, including the use of digital signatures, see Kenneth E. Russell, Dealing with Security, Encryption, and Ethics Concerns, in THE LAWYER'S QUICK GUIDE TO E-MAIL 93-105 (ABA Law Practice Management Section 1998) ("Russell").

30 For a discussion of some additional matters such formal policies might address (deletion and retention of e-mail messages, remote checking of messages while out of office, etc.), see Russell, supra n. 29, at 104-05.

31 For example, the terms of AOL's policy forbid access to e-mail except (1) to comply with the law, (2) to protect its own rights, or (3) to act in the belief that someone's safety is at risk. Hricik supra n. 10, at 489.

32 18 U.S.C.A. ( 2511(2) (a) (i) (It is "not unlawful under this chapter for an operator of a switchboard, or an officer, employee, or agent of a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire or electronic communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service, except that a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks"). The qualified right of interception of OSPs cannot be argued to create unique risks to the confidentiality of e-mail communications because phone companies (and other providers of wire or electronic communication services) are given identical rights under 18 U.S.C.A. ( 2511(2) (a) (i)). Moreover, many commercial mail services reserve the right to inspect all packages and letters handled, yet no one suggests this diminishes the user's expectation of privacy. See Hricik supra n.10, at 492. It also is noteworthy that in 1998, the New York Legislature amended the state's rules of evidence to provide that no otherwise privileged communication "shall lose its privileged character for the sole reason that it is communicated by electronic means or because persons necessary for the delivery or facilitation of such electronic communication may have access to the content of the communication." N.Y. Civ. Prac. L. & R. § 4547 (1998).

33 18 U.S.C.A. ( 2511(3) (a).

34 See e.g., supra n.18. See also Alaska Bar Ass'n Op. 98-2 (1998); D.C. Bar Op. 281 (1998); Ill. State Bar Ass'n Advisory Op. on Professional Conduct No. 96-10 (1997) (users of e-mail maintained by OSP have reasonable expectation of privacy despite greater risks than private network e-mail); S.C. Bar Ethics Advisory Comm. Op. No. 97-08 (1997); Vermont Advisory Ethics Op. 97-5 (1997); Jarvis & Tellam supra n.10, at 61; Hricik supra n.10, at 492.

35 Confidentiality also may be compromised by computer viruses, some of which have the capability of causing the user's document to be propagated to unintended recipients. However, a virus scanning program containing up-to-date definition files will detect and clean such viruses. See generally Carnegie Mellon Software Engineering Institute's CERT(r) Coordination Center Website, http://www.cert.org/index.html, for descriptions of these and other computer viruses.

36 See supra notes 30 & 31 and accompanying text.

37 18 U.S.C.A. ( 2511(2) (a) (i).

38 See 18 U.S.C.A. (( 2511, 2701, 2702.

39 See Katz v. U.S., 389 U.S. 347, 352 (1967) (Fourth Amendment protection extended to conversation overheard by listening device attached to outside of public telephone booth).

40 See, e.g., Alaska Bar Ass'n Op. 98-2 (1998) (lawyers may communicate with clients via unencrypted e-mail; client consent is unnecessary because the expectation of privacy in e-mail is no less reasonable than that in the telephone or fax); D.C. Bar Op. 281 (1998) (lawyers' use of unencrypted e-mail is not a violation of duty to protect client confidences under District of Columbia Rule of Professional Conduct 1.6); Ky. Bar Ass'n Ethics Comm. Advisory Op. E-403 (1998) (absent "unusual circumstances" lawyers may use e-mail, including unencrypted Internet e-mail, to communicate with clients); New York State Bar Ass'n Comm. on Professional Ethics Op. 709 (1998) (lawyers may use unencrypted Internet e-mail to transmit confidential information without breaching the duty of confidentiality under state analogue to ABA Model Rule 1.6); Ill. State Bar Ass'n Advisory Op. on Professional Conduct No. 96-10 (1997) (lawyers may use unencrypted e-mail, including e-mail sent over the Internet, to communicate with clients without violating Rule 1.6 of the Illinois Rules of Professional Conduct; client consent is not required absent "extraordinarily sensitive" matter; expectation of privacy in e-mail is no less reasonable than that in ordinary telephone calls); N.D. St. B. Ass'n Ethics Comm. Op. 97-09 (1997) (attorneys may communicate with clients using unencrypted e-mail unless unusual circumstances warrant heightened security measures); S.C. Bar Ethics Advisory Comm. Op. No. 97-08 (1997) (finding reasonable expectation of privacy when sending confidential information by e-mail, including that sent through a private network, commercial service, and the Internet; use of e-mail to communicate client confidences does not violate South Carolina Rule of Professional Conduct 1.6); Vermont Advisory Ethics Op. 97-5 (1997) (lawyers may use unencrypted Internet e-mail to transmit confidential information without breaching the duty of confidentiality under state analogue to ABA Model Rule 1.6). Two opinions similarly endorsed e-mail as a means of communicating client confidences, but advised lawyers to seek client consent or consider the use of encryption prior to its use, unlike the present opinion: Pa. Bar Ass'n Comm. on Legal Ethics Op. 97-130 (1997) (lawyers should not use unencrypted e-mail to communicate with or about a client absent client consent); State Bar of Arizona Advisory Op. 97-04 (1996) (lawyers should caution client or consider the use of encryption before transmitting sensitive information by e-mail). Two other opinions advised lawyers to avoid the use of e-mail to communicate with or about clients: Iowa Bar Ass'n Op. 1997-1 (1997) (sensitive material should not be transmitted by e-mail - whether through the Internet, a non-secure intranet, or other types of proprietary networks - without client consent, encryption, or equivalent security system); N.C. State Bar Opinion 215 (1995) (advising lawyers to use the mode of communication that will best maintain confidential information, and cautioning attorneys against the use of e-mail). Commentary supportive of the conclusions reached in this opinion, in addition to Hricik supra n.10 and Jarvis & Tellam supra n.10, include William Freivogel, Communicating With or About Clients on the Internet: Legal, Ethical, and Liability Concerns, ALAS LOSS PREVENTION JOURNAL 17 (1996) (concluding that it is not ethically or legally necessary to encrypt Internet e-mail but cautioning them in light of the absence of controlling legal authority). For a list of Web pages containing articles on e-mail and confidentiality, see Russell, supra n. 29, at 103.

© 1999 by the American Bar Association. All rights reserved