Attorney-Client Privilege and Email Privacy
A recent case involving the former president of the United States and his attorney illustrates the possible harm which can occur when you communicate with your lawyer using anything other than a personal email address. On March 28, 2022, California Federal District Court Judge David O. Carter ruled that president Trump’s election lawyer, John Eastman, did not waive the attorney-client and work product protections that would have applied to his communications simply by using an email account at Chapman University’s Fowler School of Law (where Eastman worked) due to the specific language in the law school’s privacy policy. However, judge Carter’s ruling found that the information was not privileged on other grounds.
Putting aside the ultimate question of the privilege that should be afforded discussions surrounding the election and the January 6, 2021 storming of the U.S. capitol building, the case raises an important issue for anyone who decides to email their lawyer using their employer’s email account and the importance of companies drafting data and email privacy policies that appropriately protect—or, alternatively, don’t protect—the privilege in such communications.
Scope of Privilege
Ordinarily, in order for communications with a lawyer to be subject to attorney-client privilege, not only must they be made in an effort to secure legal advice and representation (and not mere ‘business advice’), they must be made under circumstances where it is reasonable for the parties to expect that the communication will be confidential. While the presence of third parties outside the scope of the privilege is not necessarily fatal to the assertion of the privilege, courts consider things like the security of the communications, the nature of the persons present during the communication and the method of communications. That’s where email policies come into play.
If a company is sending a privileged email to its lawyer (in-house or outside) the communication is ordinarily considered to be privileged (assuming the subject matter is privileged) provided that there are not persons outside the scope of the privilege included in the communication in a way that would be inconsistent with the privilege and provided that the communications channel is not so insecure that it would be unreasonable to consider the matter as confidential.
While early cases questioned whether “insecure” email constituted a waiver of privilege, most jurisdictions accept that email (even unencrypted email) is an acceptable method of communicating privileged matters—although it is often useful to use more secure methods of communication in light of targeted attacks. But for legal purposes, email (including Gmail and other public providers) does not destroy the privilege.
The problem arises when a corporate (or government) employee uses their employer’s email to send what they think is a privileged communication to their personal lawyer. Maybe the employee is involved in a business dispute, a real estate matter or a messy divorce. It might be easier or more convenient for the employee to send email through their employer’s corporate email system. Maybe they are an officer or director of the company; maybe an owner. The Eastman case addresses the issue of the circumstances under which a company email policy effectuates a waiver of the attorney-client privilege.
As a general rule, whether or not a communication between lawyer and client is privileged is influenced by whether each party had a “reasonable expectation of privacy” in the content of the email. If either party did not expect that their communication was “private,” then they may be found to have waived their privilege. This may mean not only that the employer can read what otherwise would have been a privileged communication between lawyer and client but also that opposing counsel might be able to access that communication. So, if a corporate executive is in the midst of a highly contentious divorce and uses his or her corporate email account to communicate with his or her lawyer, depending on the corporate privacy and email use policy that executive may have exposed these communications to subpoena or discovery and may have waived the privilege not only as to the individual emails but potentially to the entire subject matter.
In the context of email communication over an employer’s email system, “the question of privilege comes down to whether the intent to communicate in confidence was objectively reasonable.” In one case, a Michigan federal prosecutor was under investigation by the Department of Justice’s internal watchdog, the Office of Professional Responsibility (OPR) and hired private counsel to advise him. Unfortunately, he communicated with that private law firm using his DOJ email account. The DC federal court found that the communications over the DOJ network remained privileged because the client “had no intentions of allowing the DOJ, his employer, to read the emails he was sending to his personal attorney through his work email account” and because he “took steps to delete the emails as they were coming into his account—failing to realize that his employer had the emails.”
Similarly, in another case, a military court found that a lance corporal did not lose her attorney-client privilege when she communicated over a DoD email network with her private lawyer while she was under investigation by the Marine Corps for drug use despite the DoD policy that warned that the use of the computer, network and email systems “are provided only for authorized U.S. government use. DoD computer systems may be monitored for all lawful purposes …”
On the other hand, when a corporate policy expressly states that users have no reasonable expectation of privacy with regard to the contents of their email, the use of email for what would otherwise be privileged communications may constitute a waiver of that privilege. Applying these principles to the Trump/Eastman emails over the Chapman University email account, judge Carter noted that it considered four factors in determining whether Eastman (and Trump) had any reasonable expectation that these emails would be privileged. They are:
- Does the corporation maintain a policy banning personal or other objectionable use?
- Does the company monitor the use of the employee’s computer or email?
- Do third parties have a right of access to the computer or emails? And
- Did the corporation notify the employee or was the employee aware of the use and monitoring policies?
Despite Chapman’s policies which stated, “Users should not expect privacy in the contents of University-owned computers or email messages” and that all university computing and network systems and services are a “University-owned resource and business tool to be used only by authorized persons for educational purposes or to carry out the legitimate business of the University” and that Chapman reserves “the right to retrieve the contents of University-owned computers and e-mail messages for legitimate reasons,” Carter found that Eastman (and his client, Donald Trump) had a reasonable expectation of privacy in the content of the communication through the university computer system. The court found that Chapman’s “outside legal work” with Trump was known to and permitted by the university, was “in the law school’s interest” and that the briefs filed on Trump’s behalf included Eastman’s law school affiliation. The computer policy created in Eastman (and therefore Trump) a reasonable expectation of privacy when it stated:
“Although Chapman University does not make a practice of monitoring e-mail, the University reserves the right to retrieve the contents of University-owned computers or email messages for legitimate reasons, such as to find lost messages, to comply with investigations of wrongful acts, to respond to subpoenas, or to recover from system failure.”
Chapman’s use of a personal password to access his email account—which was not known to the sysadmin—was further evidence that Eastman had a “subjective expectation of privacy.” Moreover, there was no evidence that Eastman knew of or read the Chapman policy that stated:
“Use of this computer system constitutes your consent that your activities on, or information you store in, any part of the system is subject to monitoring and recording by Chapman University or its agents, consistent with the Computer and Network Acceptable Use Policy without further notice. You are responsible for being familiar with the University policies related to the use of this computer system.”
The court was convinced that, despite what it called the ambiguity of the boundaries of Eastman’s expectation of privacy, it would not find that the privilege was waived since doing so would also place into jeopardy the privilege associated with the law school’s clinical work and other work done by law professors and students on behalf of clients. The court was also concerned that the clients never expected that there would be a waiver by the lawyer, noting that “clients of law school clinics should not be expected to research that particular university’s email policies before feeling secure in emailing their attorneys.”
The Takeaways
It is important that when lawyers communicate with clients—and vice versa—they do so under circumstances that protect confidentiality and privilege. For clients, this means understanding that using a corporate email system (or personal email over a corporate network, or personal email on a corporate-provided computer, or even a personal phone or computer where the employer reserves the “right” to monitor or inspect) may put you in the position of having waived the attorney-client privilege. This is particularly true where the interests of the client are adverse or potentially adverse to those of the employer who provides the network or email system. Thus, whistleblowers or qui tam plaintiffs should eschew using their employers’ email systems to communicate with private counsel.
It’s always a good idea to separate “personal” issues from “company” issues. From a company standpoint, counsel should examine email policies, computer use policies and other policies not only to ensure that the company has the appropriate “right to monitor” and right to control the use of computer networks and email, but also that the policies are not so broad as to constitute an inadvertent waiver of privileges that the company (or its employees) may responsibly wish to preserve at some later date. A broad, “no employee has any expectation of privacy” policy may be used by some to later assert that no privilege can ever be established. Conversely, a policy that does not allow for any monitoring of employee or agent activity can frustrate internal investigations and the ability of a company to know what its employees are doing.
It’s a good idea for companies to revisit their privacy policies (internal and external), their computer use policies and their actual practices at least on an annual basis, in light of changes in technology and the law. You may have created—or extinguished—privileges or privacy rights without even knowing it.