Transmitting legal documents over the Internet: how to protect your client and yourself



[E]lectronic mail has proved itself so useful to the legal profession that it is a question of when, not whether, e-mail will become universal among all lawyers, their clients, and judges…. [C]lients demand it from their outside law firms [however, e-mail] has a Dark Side — insecurity from hackers — but encryption technology is expected to solve this problem….(1)

Suppose that Pat is an attorney working in a large, Chicago-based law firm that has a New York branch. One of Pat’s clients is a medium-sized manufacturing company that is negotiating a merger deal with a New York-based shipping company. Some complications have arisen and, if the merger is to succeed, the deal must be completed quickly. Pat drafts one of the necessary documents and, rather than sending it by mail or facsimile, he attaches it to an e-mail and sends it to an attorney representing the New York company. A few seconds later, Chris, an attorney in New York, opens the e-mail, reviews the document, and incorporates some proposed changes. Chris makes these changes directly to the electronic document, redlines them, and returns the document to Pat. The entire process is completed in minutes.

As this hypothetical illustrates, e-mail provides numerous benefits over more traditional methods of communication. E-mail is inexpensive and virtually instantaneous, while traditional “snail mail” can take days to reach its destination and overnight shipping services are expensive. E-mail is less costly and troublesome than sending a fax, particularly when one sends a document to multiple recipients. Perhaps e-mail’s most advantageous characteristic is that electronic documents can be easily altered without unnecessary retyping.

Law firms have taken notice of e-mail’s benefits. The use of email and Internet technology in law firms has exploded over the last ten years, and this trend shows no sign of slowing.(2) In addition to the efficiency e-mail provides, technology-savvy clients look favorably upon firms with electronic mailing capabilities.(3) For example, the president of a consulting firm recently noted that “clients are instructing their law firms that they no longer wish to be billed for delivery services or fax charges and that all communications with the firm should be via … e-mail.”(4)

Similarly, the judiciary has recognized the benefits of Internet technology. For example, in 1997, the U.S. District Court for New Mexico initiated an electronic filing system that allows attorneys to file pleadings, access court dockets and case files, and receive notice of judicial action via the Internet.(5) Attorneys simply access the court’s Web page and use a password to log into the court’s filing system.(6) The program has enjoyed great success, with attorneys filing over 2800 civil documents in two years.(7) A court official recently announced plans to expand the program and broaden its available services.(8)

Studies indicate that small businesses using the Internet commonly enjoy average revenues of over a million dollars more than those businesses without Internet access.(9) While such studies typically focus on businesses in general, one can safely assume that law firms can similarly increase their revenue potential by taking advantage of Internet technology. Additionally, Internet technology helps many attorneys satisfy their professional responsibilities. For example, attorneys can use computers to manage their calendars, thereby avoiding the liability problems associated with passing statutes of limitation and missed deadlines and court appearances.(10) Further, attorneys can use computer databases to track clients and opposing parties so as to avoid conflicts of interest.(11)

Internet technology is changing the practice of law. Fifteen years ago, the facsimile had a similar impact. The question evolved from “Do you have a fax machine?” to “What is your fax number?”(12) Similarly, today the question is evolving from “Do you have e-mail?” to “What is your e-mail address?”(13) Unfortunately, each technological advancement opens a Pandora’s box of legal and ethical issues. Just as the telegraph,(14) teletype,(15) telegram,(16) fax machine,(17) and cellular telephone(18) spawned considerable confusion and litigation, e-mail and Internet technology have raised ethical and evidentiary issues that have yet to be fully settled. This Article addresses those issues. First, Part I of this Article examines email security and reviews numerous instances of e-mail interception and monitoring by employers, private citizens, and governments. Part I also discusses the difficulty in identifying an e-mail sender and notes several examples of e-mail forgery. Next, Part II identifies corresponding ethical and evidentiary concerns that arise from inadequate e-mail security. Then, Part III reviews methods to ensure Internet security, including encryption and digital signatures. This Article concludes that encryption and digital signature technology are simple, inexpensive, and effective measures that can protect attorneys and their clients when communicating via e-mail.


Unfortunately, cyberspace, like the real world, is not perfect. With every benefit there is a cost. Among these is the necessity for adequate security. Two security risks are particularly troublesome to attorneys. First, documents sent over the Internet may be intercepted or altered.(19) Because e-mail is transmitted over an “open network,” electronic documents travel through countless interconnected computers on their Internet voyage,(20) and the likelihood that their contents may be intercepted is rather high.(21) Second, the actual sender may be an imposter. Attorneys must be able to verify a document sender’s identity.(22) If an imposter sends an attorney email requesting a document or information, the unsuspecting attorney might release such information and, in the process, destroy its privileged nature and breach his or her duty of confidentiality.(23) Part I reviews the technology behind e-mail and uses examples of breached security to illustrate the seriousness of these two risks and also discusses law firms’ and clients’ vulnerability to such attacks.

A. How E-mail Works

The Internet is known as the “information superhighway.” As the nickname implies, it is an extraordinary tool for accessing information

At several points along the packets’ path, “hackers” or “crackers” can use “packet sniffing” programs to search, intercept, read, alter or prevent them from reaching the recipient.(37) Packet sniffing programs cost pennies and can use key words to search and infiltrate approximately ten billion words of computer-generated messages and files.(38) Typically, hackers place sniffers on electronic commerce sites.(39) Such sites often have valuable or sensitive information such as credit card numbers.(40) After the sniffer intercepts a packet, it copies the information and then sends it along to the intended recipient.(41) Often, the intended parties to the transaction never discover the security breach until the information is used for malicious purposes.(42) Sniffing software is commonly available(43) and capable of capturing information as it passes through a network.(44) Sniffers do not need a password to access computer files containing clients’ secrets.(45)

Additionally, hackers can steal documents not only off the Internet, but off the sender’s and recipient’s computers as well.(46) By monitoring network traffic, packet sniffers allow hackers to observe people’s online activities.(47) Hackers can thereby see the user’s logon ID and password as the user logs on to the Internet.(48) Hackers have intercepted hundreds of thousands of usernames and passwords over the last few years.(49) If that user is a system administrator or employee, the hacker may be able to access the confidential information of other users as well.(50)

B. E-mail Interception and Monitoring

Countless experts have voiced wildly varying opinions about email security. Texas attorney David Hricik authored one of the more frequently cited articles on this topic.(51) Hricik opines that attorneys “worry too much” about Internet security.(52) He explains the technological process by which e-mail works and concludes that “[n]o one, without both my screen name and password, can read mail sent to my electronic mailbox.”(53) Hricik’s position, now accepted by some state bar association ethics committees,(54) rests on the assumption that e-mail is virtually impossible to intercept.(55) This assumption is simply incorrect. E-mail not only can be, but is intercepted with surprising frequency. One need only examine documented instances of such interception to conclude that e-mail is not secure.

Perhaps the most common example of e-mail monitoring occurs in the workplace.(56) While commentators often characterize such monitoring as an invasion of privacy,(57) courts often find that employees have no reasonable expectation of privacy with regard to e-mail messages sent over their employers’ networks.(58) For example, in Smyth v. Pillsbury Co.,(59) Pillsbury maintained an e-mail system to facilitate internal communication.(60) Pillsbury “repeatedly assured its employees … that all e-mail communications would remain confidential and privileged[,]” and that it would not intercept or use e-mails as grounds for discipline or termination.(61) Nevertheless, Pillsbury intercepted Smyth’s e-mail and terminated him for making inappropriate and unprofessional comments.(62) Smyth brought suit, arguing that Pillsbury violated his right to privacy.(63) The court rejected Smyth’s claims, finding that no reasonable expectation exists with regard to e-mail sent over an employer’s e-mail system, notwithstanding the employer’s confidentiality assurances.(64) The court further found that no “reasonable person would consider the defendant’s interception of these communications to be a substantial and highly offensive invasion of privacy.”(65) The court also noted that even if such an invasion occurred, “the company’s interest in preventing inappropriate and unprofessional comments … outweighs any privacy interest the employee may have in those comments.”(66)

Similarly, hacking by private individuals is on the rise. In August 1996, police charged a University of Iowa student with electronic eavesdropping after he copied approximately 2,400 university e-mail files.(67) In October 1998, hackers used a sniffing program to steal e-mail passwords belonging to 4,500 students and staff members at Stanford University.(68) A University of San Diego official reacted to the Stanford attack by commenting that “[w]e… need to have more security safeguards, and one of the biggest holes in security is in e-mail.”(69) In April 1999, authorities arrested David Smith for spreading the Melissa virus, which wreaked havoc on email systems around the world and caused $80 million in damage.(70) Smith used a stolen AOL account to distribute the virus.(71) In February 1999, New York police charged Cheryl Snyder with computer trespass after she intercepted e-mail intended for her former employer.(72) One of the college students that produced the “I Love You” e-mail virus submitted a Master’s Degree thesis proposal in which he envisioned a password-stealing program.(73) In August 1999, Microsoft temporarily took its Hotmail e-mail service offline after it discovered that any Internet user could access Hotmail e-mail accounts as long as they had a registered user’s name.(74) Microsoft repaired the glitch in a few hours but nevertheless hired an outside firm to conduct additional security checks.(75)

Governments are quite possibly the most notorious eavesdroppers.(76) American law enforcement agencies have successfully tapped e-mail accounts on a number of occasions. In 1996, Julio Cesar Ardita stole several computer passwords and used them to break into Harvard’s computer system.(77) From there, he was able to access computers at other universities as well as computers at military research laboratories.(78) Federal agents tapped the computer line and tracked Ardita to Buenos Aires.(79) The federal prosecutor supervising the investigation admitted that agents “inadvertently read the mail of innocent users ‘a couple of times.’”(80) In another case, Secret Service Agent Brian Gimlet noted that a trio of suspects in a Seattle case erroneously “believ[ed] that Internet communications were immune from interception, [and therefore] spoke relatively openly in [their] e-mail communications.”(81)

The FBI recently admitted that it regularly uses a packet-sniffing system known as “Carnivore” to capture e-mail, file downloads, and chat-room conversations.(82) The Carnivore system is reportedly capable of scanning millions of e-mail messages per second and has been used in approximately 100 criminal cases since its inception.(83) Critics note the numerous possibilities for abuse of Carnivore. Mark Rasch, a former federal computer-crimes prosecutor, opines that ‘“[i]t’s the electronic equivalent of listening to everybody’s phone calls to see if it’s the phone call you should be monitoring…. You develop a tremendous amount of information.”’(84)

Government eavesdropping is becoming a worldwide concern. Consumer groups reacted angrily to legislation proposed in Great Britain that would allow police to intercept e-mail for crime-prevention activities.(85) The British plan to build a forty million dollar spy center capable of tracking every e-mail and Internet hit in the country.(86) Similarly, the Chinese Ministry of Public Security regularly monitors e-mail sent by suspected members of the spiritual group Falun Gong, and hackers.(87) A U.S. State Department report confirmed that the Chinese authorities “often monitor … electronic mail and Internet communications” and have “created special Internet police units to increase control over Internet content and access.”(88) Further, the Chinese are attempting to develop software that will filter and block antigovernment messages.(89)

Indeed, governments have provided the most disturbing example of e-mail’s vulnerability. According to the ACLU, credible reports have begun to surface around the world that the United States National Security Agency (NSA) has developed a global electronic surveillance system named Echelon that can eavesdrop on satellite, microwave, cellular, and fiber-optic communications.(90) Purportedly used to identify drug traffickers and terrorists, Echelon monitors faxes, e-mails and telephone conversations by looking for key words.(91) Echelon reportedly monitors “billions of messages per hour”(92) and then sends the recorded material to the NSA.(93) The NSA supposedly operates Echelon through cooperation with Canada, Australia, New Zealand, and Great Britain.(94) While Australia has publicly acknowledged Echelon’s existence,(95) American officials have declined to do so.(96)

In response to Congressional concerns over privacy, the NSA sent a letter to each member of Congress assuring them that “the NSA’s activities are conducted in accordance with the highest constitutional, legal and ethical standards, and in compliance with statutes and regulations designed to protect the privacy rights of U.S. persons.”(97) However, some members of Congress are not so sure. Representative Bob Barr, a former United States Attorney and CIA official, recognized the “sheer power and potential for abuse created by Project Echelon,” and demanded a Congressional investigation.(98) To combat possible abuses of the Carnivore and Echelon systems, Barr has announced his intention to introduce the “Digital Privacy Act of 2000.”(99)

The international community has also expressed its displeasure with the Echelon project. For example, the European Parliament is conducting an investigation of the Echelon eavesdropping system.(100) Belgian Foreign Minister Louis Michel fears that “[i]n effect, democratic states and a member of the European Union could … organize[] large-scale espionage operations in order to reinforce their economic interest to the detriment of Belgium and other European countries.”(101) Rene Galy-Dejean, a member of the French parliament, agrees, noting that “[t]he Anglo-Saxon Echelon eavesdropping network constitutes a serious infringement on national security and on the freedoms of all French people.”(102)

Such concerns may be well founded. Echelon reportedly eavesdropped on one woman’s telephone conversation when she confided in her friend that her son “bombed” in the school play.(103) London’s Sunday Times reported that Echelon monitored Princess Diana’s phone calls in 1997.(104) British agents also monitored conversations from the Vatican and Mother Teresa.(105) Ironically, a Wall Street Journal survey indicated that Americans’ greatest fear in the new millennium is a loss of personal privacy.(106) Privacy concerns topped fears of crime and terrorism,(107) which are the very concerns that Echelon is supposed to protect against.(108) One should also consider that, even though the government controls Echelon technology, it may not be long before related technology falls into private hands. After all, the Internet itself was initially used as a Department of Defense research tool.(109) Frequently, such technology trickles down to the private market.(110)

C. Falsified Return E-mail Addresses

Attorneys utilizing Internet technology must face a second threat — the use of forged e-mail. E-mail with falsified return addresses may be used to trick an e-mail recipient into releasing confidential information. For example, an attorney could receive an e-mail purportedly from a client. The e-mail might instruct the attorney to send a copy of a confidential document, sell property, or take some unusual course of action. If the unknowing attorney were to do so, he or she could destroy the privileged nature of such communications and could incur ethical problems.

The practice of sending forged e-mails, called “spoofing,” is most commonly used in conjunction with junk e-mail or “spam.”(111) Spammers send mass e-mailings with falsified return addresses to increase the likelihood that the recipient will open and read the message.(112) Further, by falsifying the return address, spammers can avoid a bombardment of angry return e-mails from such recipients.(113) While generally not impossible, the spoofer’s true identity (or at least his or her own e-mail address) is difficult to ascertain.(114) Such a task generally requires an expert to follow an e-mail’s transmissions.(115) However, in most instances, a person “can send harassing email that says the author is anyone he or she chooses, such as `,'” without ever disclosing his or her true identity.(116)

Although one might think spoofing requires a significant degree of technical knowledge, changing the mail settings on one’s computer is a fairly simple process and can be completed in about ten seconds.(117) The Internet mail protocol provides virtually anyone the opportunity to connect to the SMTP port on the Internet service provider’s site.(118) From there, a spoofer can “issue commands to send e-mail that appears to be from the address of the transgressor’s choice — either an actual user’s address or a fictitious address formatted correctly.”(119) Additionally, spoofers can send forged emails by modifying the Web-browser interface.(120) Still another method of sending anonymous e-mail is through a “remailer.”(121) With a remailer, the sender can send a message to a computer programmed for remailing.(122) After receiving the message, the computer removes the sender’s return address and replaces it with the sender’s assigned identification number.(123) The remailer then forwards the e-mail to the intended recipient.(124)
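Because the return address is simply whatever the sender supplied, a recipient can at least check whether the visible From address agrees with the other sender fields and with the checks recorded by the receiving mail server. The Python code below is an added example, not part of the original article, and it goes beyond the article by reading the Authentication-Results header that receiving servers performing SPF, DKIM and DMARC checks add. The two messages, every host name, and the trusted server name mx.lawfirm.example are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the name the firm's own receiving server writes into the headers.
TRUSTED_SERVER = "mx.lawfirm.example"

# Constructed message: From claims a client, while the envelope sender
# (Return-Path) and Reply-To point elsewhere and the sender checks failed.
FORGED = """\
Return-Path: <bulk@mailer.invalid>
Authentication-Results: mx.lawfirm.example; spf=fail smtp.mailfrom=mailer.invalid; dkim=none; dmarc=fail header.from=client.example
From: "Pat Client" <pat@client.example>
Reply-To: pat.client@webmail.invalid
To: attorney@lawfirm.example
Subject: Please send the merger draft today

Send the latest draft to my personal address.
"""

# Constructed message in which every sender field agrees.
GENUINE = """\
Return-Path: <pat@client.example>
Authentication-Results: mx.lawfirm.example; spf=pass smtp.mailfrom=client.example; dkim=pass header.d=client.example; dmarc=pass header.from=client.example
From: "Pat Client" <pat@client.example>
To: attorney@lawfirm.example
Subject: Merger draft

Comments attached.
"""


def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or None."""
    if not header_value:
        return None
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def auth_verdicts(msg, trusted=TRUSTED_SERVER):
    """Collect spf/dkim/dmarc results, but only from headers stamped by our
    own server: a forger can paste in an Authentication-Results line too."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        server = value.split(";", 1)[0].split()
        if not server or server[0].lower() != trusted:
            continue
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts


def check_sender(raw, trusted=TRUSTED_SERVER):
    """Return a list of reasons to distrust the message's claimed sender."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From"))
    if from_dom is None:
        return ["no parsable From address"]
    for field in ("Return-Path", "Reply-To"):
        other = domain_of(msg.get(field))
        if other and other != from_dom:
            findings.append(f"{field} domain {other} differs from From domain {from_dom}")
    verdicts = auth_verdicts(msg, trusted)
    for method in ("spf", "dkim", "dmarc"):
        result = verdicts.get(method)
        if result is None:
            findings.append(f"{method}: no result from {trusted}")
        elif result != "pass":
            findings.append(f"{method}={result}")
    return findings


if __name__ == "__main__":
    for label, raw in (("forged", FORGED), ("genuine", GENUINE)):
        print(label, check_sender(raw) or "no findings")
```

A finding is a reason to confirm the request through another channel rather than proof of forgery, since mailing services legitimately use a Return-Path that differs from the From address.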

Another scam hackers commonly run is “web spoofing.”(125) Web spoofers could set up a fake website that appears to belong to a legitimate company.(126) For example, spoofers could send an e-mail directing the recipient to visit a website purportedly belonging to the Chicago law firm McBride, Baker & Coles. McBride, Baker & Coles’ web address is However, if the e-mail instructed the recipient to visit, the unknowing recipient could reasonably believe that this site belongs to McBride, Baker & Coles. Alternatively, the web spoofer could accomplish the same deception by taking an otherwise legitimate domain name, such as and altering the extension to In either case, once the recipient visits these sites, he or she may run the risk of contracting a computer virus that could compromise confidential information stored on his or her computer. The website could also direct the unknowing recipient to send confidential information to an address contained on the spoofed website, again creating a security risk.(127)
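Both deceptions described above, a near-identical name and a changed extension, can be screened for before anyone clicks a link. The Python code below is an added example, not part of the original article: it extracts the links from a message body and compares each host with the firm's known domain, and it also flags the related case where the genuine name is buried in a longer host name. The domain smithlaw.example, the sample message and the threshold of two character edits are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

LEGIT = "smithlaw.example"  # constructed placeholder for the firm's real domain

# Constructed e-mail body with one genuine link and several others.
BODY = """\
Please review the revised agreement on our client portal:
http://www.smith-law.example/portal/merger.html
A mirror is available at https://smithlaw.test/docs and our main site
remains https://www.smithlaw.example/ as always.
Unsubscribe: http://lists.mailer.invalid/u?id=1
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def edit_distance(a, b):
    """Levenshtein distance: fewest single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(host):
    """Split 'www.smithlaw.example' into ('smithlaw', 'example').

    Simplification: treats the last label as the extension, so it does not
    understand two-part extensions such as 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else (labels[0], "")


def classify(host, legit=LEGIT):
    """Compare a host name with the legitimate domain and name the difference."""
    name, tld = split_domain(host)
    legit_name, legit_tld = split_domain(legit)
    if (name, tld) == (legit_name, legit_tld):
        return "match"
    if name == legit_name:
        return "tld-swap"  # same name, altered extension
    if legit_name in host.lower().split(".")[:-2]:
        return "embedded-name"  # genuine name used as a subdomain of another site
    squashed = name.replace("-", "").translate(str.maketrans("01", "ol"))
    if squashed == legit_name or edit_distance(name, legit_name) <= 2:
        return "lookalike"  # added hyphen, digit for letter, or a typo away
    return "unrelated"


def links_to_review(body, legit=LEGIT):
    """Return (host, verdict) for every link that imitates the legitimate domain."""
    flagged = []
    for url in URL_RE.findall(body):
        host = urlsplit(url.rstrip(".,;:)")).hostname or ""
        verdict = classify(host, legit)
        if verdict not in ("match", "unrelated"):
            flagged.append((host, verdict))
    return flagged


if __name__ == "__main__":
    for host, verdict in links_to_review(BODY):
        print(f"{verdict:14} {host}")
```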

As with eavesdropped and intercepted mail, e-mail with falsified return addresses is also a common and serious problem. For example, in October 1998, an imposter wreaked havoc on AOL systems after he sent a forged e-mail to the company that maintains AOL’s electronic address book and instructed it to change AOL’s Internet address.(128) Officials noted that AOL apparently failed to employ a security system sufficient to thwart such an attack.(129) The disruption lasted over six hours and affected approximately five million e-mail messages.(130) The Wall Street Journal observed that this attack “served as a dramatic new reminder of security risks online.”(131) This problem has also affected the legal community. The same month that AOL experienced its problems, LEXIS-NEXIS sent law schools an “Urgent Security Notice” warning of an e-mail scam in which imposters purporting to act for LEXIS-NEXIS requested customers to provide their LEXIS-NEXIS passwords.(132)

In Parker v. C.N. Enterprises,(133) plaintiff Tracy Parker filed an action alleging that defendant, C.N. Enterprises, mailed spam email messages with the false return address “”(134) Parker used the domain name “” in conjunction with her business and configured the mail server to forward all “” e-mail to her.(135) Because many of the addresses to which the messages were sent were invalid, computers rerouted those messages to the false return address.(136) Additionally, many of the people who received the message assumed that it originated from and sent angry protests to that address.(137) Thus, she received the rerouted messages as well as the angry protests.(138) This avalanche of e-mails forced Parker to suspend her mail system, possibly losing business.(139) Parker alleged in her suit that the defendant’s intentional use of false return address information constituted a common law nuisance, trespass and conversion.(140)

Falsified e-mail is such a serious problem that it has spawned considerable litigation.(141) For example, in Juno Online Services, L.P. v. Scott Allen Export Sales, internet service provider Juno filed an action alleging that, inter alia, defendant sent spam e-mails with a falsified Juno return address.(142) Juno further alleged that the forged e-mails interfered with its business, infringed on its trademark, and damaged its business.(143) The parties settled following a consent decree enjoining defendants from such activities.(144) Similarly, in Earthlink Network, Inc., v. Cyber Promotions, Inc.,(145) CompuServe, Inc., v. Cyber Promotions,(146) America Online, Inc., v. LCGM, Inc.,(147) and Hotmail Corp., v. Vans Money Pie, Inc.,(148) Internet service providers sought and received injunctive relief from spammers’ use of forged e-mail addresses.(149) Specifically, in America Online, Inc., v. IMS, AOL sought damages for unauthorized e-mail advertising.(150) There, the court found that defendant violated the Lanham Trademark Act by sending over sixty million e-mails with a forged AOL return address.(151)

D. Law Firms and their Clients are Particularly at Risk to Security Breaches

Law firms typically have sensitive client information on their computer systems and are particularly prone to security problems.(152) For example, in 1994, a Kentucky firm sued a former paralegal to prevent him from distributing confidential client documents.(153) In 1996, a California firm brought suit against a former associate for breaking into the firm’s network to steal sensitive materials.(154) In 1991, a movie theater chain hired corporate spies to break into a New York firm’s office and photocopy a client’s files.(155) Today, the information age has substantially increased the necessity for security. Computer theft is “quicker, safer, cheaper and more effective than the traditional ways of stealing corporate secrets, such as bribing janitors and ‘dumpster diving.’”(156) While a conventional thief might leave a telltale broken window, firms may never know that their computer systems were compromised.

Law firms have traditionally been easy targets for criminals looking for sensitive documents.(157) Corporate espionage is on the rise, and unless firms have sufficient computer security systems in place, “it’s quite possible that [they] have already experienced undetected break-ins.”(158) Carol L. Schlein, president of Law Office Systems, a computer consulting firm specializing in law firm technology, comments that “[i]t always amazes me how lax law firms can be regarding computer security. Many firms never change the original passwords their vendors used when installing their network … [and] they become vulnerable to hackers.”(159) Another computer consultant opines that when it comes to security, “[l]awyers for the most part are sticking their heads in the sand and hoping nothing happens to them.”(160) While attorneys continue to increase their reliance on computers and Internet technology, computer-related theft will almost certainly increase too.(161)

Because hacking attempts often involve large corporations, attorneys representing such corporations should be particularly wary of computer risks. For example, in November 1999, authorities charged online bookseller Alibris with unlawful interception of e-mail messages and possession of passwords with intent to defraud.(162) Alibris’ corporate predecessor, Interloc, owned an online book-selling business and operated an Internet service provider called Valinet.(163) According to prosecutors, Interloc attempted to gain a competitive edge by programming its e-mail service to automatically intercept and copy messages mailed from competitor Prosecutors alleged that “in a matter of weeks INTERLOC intercepted and copied thousands of e-mail communications to which [it] was not a party and was not entitled.”(165) Prosecutors further alleged that Interloc “obtained and retained unauthorized copies of the confidential and proprietary password files and customer lists of its competitor Internet service providers.”(166)

A few companies even assist hackers in their quest to intercept e-mail and confidential information.(167) In February 1998, L0pht Heavy Industries released a password-cracking program called “L0phtcrack.”(168) L0pht boasted that “It’s big. It’s bad. It cuts through … passwords like a diamond-tipped steel blade. It ferrets them out from the registry, from repair disks, and by sniffing the Net like an anteater on Dexedrine.”(169) While L0pht intended its software to help system administrators identify weaknesses in their systems, it can be used maliciously.(170) Nonetheless, such software is necessary. As one L0pht employee notes, “[f]rom our experience in the computer security world, the only way to get people to shore up [their] vulnerabilities is to prove they exist and are a threat to the people who have to pay for the fixes.”(171)

Despite increased security risks, many corporations have demonstrated a lack of interest in safeguarding their computer systems.(172) For example, in February 2000, Richard Fromm discovered that the eBay website transmits passwords without encryption, or “in the clear.”(173) According to Fromm, this glitch allows hackers to use sniffing programs to steal an eBay user’s password and conduct business on eBay.(174) After repeated efforts to persuade eBay to fix the problem, Fromm took matters into his own hands.(175) He wrote a sniffing program that allowed users to examine information directed to eBay’s site, scan for usernames and passwords, and then capture such information.(176) He then posted his program on the Internet, making it available to anyone who wanted to download it.(177) Fromm commented that “[t]his isn’t rocket science. I don’t pretend to have discovered anything fundamental or new here. It’s a simple little [program]. The pitfalls of sending passwords in the clear have been recognized for many years. The only surprising thing is that too many people still don’t take security seriously….”(178)


As this Article has illustrated, attorneys using the Internet face significant security risks. These security risks raise corresponding ethical and confidentiality issues. This Part examines those issues and discusses them in the context of a technology-driven law firm.

Among the ethical issues surrounding attorneys and Internet technology, perhaps the most important is an attorney’s duty to preserve a client’s confidence, as dictated by agency law and professional responsibility codes.(179) The American Bar Association (ABA) Model Rules of Professional Conduct state that “[a] lawyer shall not reveal information relating to representation of a client unless the client consents after consultation, except for disclosures that are impliedly authorized in order to carry out the representation….”(180) Further, attorneys must make every practicable effort to avoid unnecessary disclosure of information related to their representation of a client.(181) Similarly, the ABA Model Code of Professional Responsibility states that “[a] lawyer should preserve the confidences and secrets of a client.”(182) Moreover, lawyers are obligated to protect the client’s confidences even after the attorney-client relationship ends.(183) Failure to satisfy such obligations may result in disciplinary action as well as civil liability.(184) Given an attorney’s ethical duties and the insecure nature of Internet communications,(185) attorneys wishing to send documents electronically should think twice before doing so. Failure to take adequate precautions, such as securing the document’s contents and verifying the identity of the person with whom you are communicating, may lead to drastic consequences for attorneys and their clients.(186)

In addition to protecting a client’s confidences, an attorney has a fiduciary duty to safeguard the client’s property and funds.(187) Client property left in a lawyer’s possession must be labeled(188) or identified(189) as such and adequately safeguarded. While “property” typically refers to stock certificates, deeds, jewels, and other valuables, the term is general and includes documents.(190) Given the increasing use of e-mail in law firms and in attorney-client communications, it is possible that email might contain intellectual property or trade secrets.(191) If such an email was intercepted, the failure to adequately protect its contents could result in the loss of legal protection afforded to the trade secrets, which would be detrimental to a client’s interests.(192) The fiduciary rule requiring attorneys to safeguard a client’s property is “applied without regard to [attorney’s] good or bad faith.”(193) Therefore, defenses such as an attorney’s “ignorance of the rules, poor bookkeeping methods, the carelessness or ignorance of non-lawyer employees, or because an [attorney] had left the matter to be handled by others such as accountants, are not usually successful.”(194)

Attorneys must also keep a client reasonably informed about matters relating to the representation.(195) The integration of computers into the law firm and the ease of e-mail make this duty easier to satisfy. However, unless the attorney’s computers are secure, attorneys may not be able to fulfill this requirement in a timely, professional manner.(196) Lawyers are also required to “make reasonable efforts to expedite litigation consistent with the interests of the client.”(197) At a minimum, this rule requires that law firms protect their computer systems from hackers.(198) A breached computer system leads to unnecessary expenses and delays in document drafting and filing, and may jeopardize clients’ interests.(199)

In addition to ethical considerations, attorneys must be cautious to preserve the privileged nature of attorney-client communications.(200) As more clients insist that their attorneys communicate with them via e-mail,(201) the importance of the attorney-client privilege becomes more critical.(202) The attorney-client privilege is technically not an ethical rule, but rather an evidentiary rule that protects clients from mandatory disclosure of confidential information.(203) The purpose of the privilege is to encourage open communication between clients and their lawyers.(204) It generally applies to both communications made by the client to the attorney as well as advice by the attorney to the client when such advice relates to confidential information conveyed by the client.(205) Wigmore’s classic rendition of the rule states that:

(1) Where legal advice of any kind is sought (2) from a professional legal advisor in his capacity as such, (3) the communications relating to that purpose, (4) made in confidence (5) by the client, (6) are at his instance permanently protected (7) from disclosure by himself or by the legal advisor, (8) except the protection be waived.(206)

Courts construe the privilege narrowly,(207) and attorneys and clients must make reasonable efforts to preserve it.(208) Such steps should include securing the document’s contents and verifying the identity of the person with whom the attorney is communicating.(209) As one court noted, “[i]t is not asking too much to insist that if a client wishes to preserve the privilege … he must take some affirmative action” to do so.(210) Failure to take such precautions could result in waiver.(211) To determine whether precautions are adequate, courts primarily consider two factors:(212) first, the effect waiver would impose under the circumstances,(213) and second, the parties’ ability to protect against disclosure.(214)

Commonly, waiver occurs through a party’s carelessness. Courts have held that storing documents in a place accessible to third parties without taking adequate security measures destroys the privilege.(215) Clients have waived the attorney-client privilege by leaving papers in a public hallway for delivery to their attorney(216) or on a table in a hotel room occupied by others.(217) Courts have also held that clients waived the privilege by placing confidential documents in files routinely accessed by third parties.(218) Waiver can exist even when clients disposed of privileged communications and third parties retrieved them from a dumpster.(219) Most of these cases involved situations where parties simply failed to take adequate precautions to preserve the privilege of attorney-client communications. In order not to waive the attorney-client privilege when communicating with clients via the Internet, attorneys must take special precautions to adequately protect electronic documents that are particularly vulnerable to theft, alteration, copying, and transmission.

Some commentators argue that, because e-mail interception is a crime, attorneys need not worry about the security implications of e-mail.(220) Indeed, in 1986, Congress enacted the Electronic Communications Privacy Act (ECPA).(221) Under the ECPA, anyone who intentionally intercepts or attempts to intercept an electronic communication is subject to substantial penalties under federal law.(222) Further, “[n]o otherwise privileged wire, oral, or electronic communication intercepted in accordance with, or in violation of, the provisions of this chapter shall lose its privileged character.”(223)

However, complete reliance on the ECPA may be misplaced. The ECPA contains a key exception, allowing:

[E]lectronic communication service [providers] whose facilities are used in the transmission of a wire or electronic communication, to intercept, disclose, or use that communication in the normal course of [their] employment while engaged in any activity which is a necessary incident to the rendition of [their] service or to the protection of [their] rights or property of the provider of that service.(224)

Further, such providers may “utilize service observing or random monitoring … for mechanical or service quality control checks.”(225) Also, the ECPA does not prohibit employers from intercepting, monitoring, and reading employees’ “intra-company electronic communications.”(226) Therefore, the ECPA does not preserve the attorney-client privilege when communications are intercepted lawfully.(227) In addition, the ECPA does not apply if a reasonable connection exists between the monitoring and the service provider’s legitimate operational or security concerns.(228) Under such circumstances, e-mail users should assume that their communications are unprotected and should behave accordingly.(229) As one commentator opined, one ECPA provision, in particular, “should terrify us as lawyers.”(230) “[This] provision says that the system[s] administration, for systems administration purposes, can essentially do anything. It is perfectly legitimate for a systems administrator to read all e-mail messages for those purposes.”(231)

Another concern is that the ECPA’s effect on attorney-client privilege remains largely untested by courts. Further, as one commentator noted, the ECPA “incorporates into [the Wiretap Act] the relevant state law of privileged communications”(232) and “does not, by itself, guarantee the preservation of the attorney-client privilege where e-mail communications are intercepted by a third party.”(233) Such a conclusion would ignore the word “otherwise.”(234) Thus, “the common law attorney-client privilege must still be applied.”(235) As previously noted, for a communication to fall within the ambit of the attorney-client privilege in the first instance, there must be a reasonable expectation of privacy.(236) The few courts that have addressed whether e-mail is sent with a reasonable expectation of privacy have reached varying conclusions.(237) Further, the examples discussed in Part I indicate that a reasonable expectation of privacy may not exist.

Further, illegality is not necessarily dispositive because illegally intercepted evidence is not always inadmissible.(238) Under early common law, the attorney-client privilege did not extend to stolen documents or conversations overheard by eavesdropping

Similarly, with regard to communications that are not stolen but merely overheard or inadvertently disclosed, Wigmore notes that:

[s]ince the privilege is a derogation from the general testimonial duty and should be strictly construed, it would be improper to extend its prohibition to third persons who obtain knowledge of the communications. One who overhears the communication, whether with or without the client’s knowledge, is not within the protection of the privilege. The same rule ought to apply to one who surreptitiously reads or obtains possession of a document in original or copy.(245)

Thus, e-mail that inadvertently discloses privileged communications to a third party may similarly lack privileged status.(246) As with stolen communications, many courts have asserted that the appropriate test in considering inadvertent disclosures is whether “the privilege holder” uses reasonable efforts to protect the communication.(247)


The legitimate security problems associated with e-mail raise several ethical and evidentiary problems. However, that is not to say that attorneys should not use Internet technology. To the contrary, we may be approaching a point where attorneys must use Internet technology. Fortunately, there are simple and inexpensive measures that allow attorneys to use the Internet safely. This Part discusses two such measures and their effect on the ethical and evidentiary considerations raised in Part II.

A. Protecting Confidentiality Through Encryption

E-mail can be intercepted, and therefore the confidentiality of its contents may be compromised. However, there are several measures that can help attorneys avoid this problem. The most effective method of safeguarding e-mail confidentiality is through cryptography.(248) Cryptography is “the art and science of keeping messages secure … [, and] the process of disguising a message in such a way as to hide its substance is called ‘encryption.’”(249) Through encryption, one can convert standard text, or “plaintext,” into unreadable gibberish, or “ciphertext.”(250) Encrypted documents are unreadable until they are “decrypted.”(251)

The necessity for securing sensitive documents is not novel. “From the Spartans to Julius Caesar, from the Old Testament ciphers to the Papal plotters of the Fourteenth Century, from Mary, Queen of Scots to Abraham Lincoln’s Civil War ciphers, cryptography has been part of war, diplomacy, and politics.”(252) Cryptographers played a key role in World War II by “breaking the Enigma machine” and “cracking … the German ‘Ultra’ codes and the Japanese ‘Purple’ codes.”(253) Today, cryptography is commonly used to protect the confidentiality of e-mail.

Two different types of cryptography commonly exist. The more basic form is called “private-key” encryption.(254) Private-key encryption uses the same key to encrypt messages from plaintext to ciphertext and then to decrypt the message back into plaintext.(255) Historians credit Julius Caesar for developing one of the first private-key cryptosystems.(256) Ancient Roman military commanders communicated through correspondence encrypted by using “Caesar’s Cipher.” This simple algorithm offset one alphabetic sequence against another. The key to decrypt messages was the number of characters by which it had been offset in the encryption.(257) For example, if the phrase “attack from the north” were to be encrypted with a key value of 6, the letters of the alphabet would shift by 6 characters. Thus, an “A” would become “G,” “N” would become “T,” “Z” would become “F” and so on. Therefore, the phrase “attack from the north” would be expressed as “gzzgiq lxus znk tuxzn.”
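The Caesar's Cipher example above in runnable form, as an added illustration that is not part of the original article: the same key both encrypts and decrypts, and the sketch goes one step beyond the text by showing that only 25 usable keys exist, so every one of them can be tried. The function names and the short word list are assumptions made for this example.

```python
def caesar_shift(text, key):
    """Shift every letter `key` places through the alphabet, wrapping past 'z'."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("a") if ch.islower() else ord("A")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)  # spaces, digits and punctuation pass through unchanged
    return "".join(out)


def encrypt(plaintext, key):
    return caesar_shift(plaintext, key)


def decrypt(ciphertext, key):
    # Private-key (symmetric) property: the encryption key also decrypts.
    return caesar_shift(ciphertext, -key)


# A few very common English words, used only to rate candidate plaintexts.
COMMON_WORDS = {"the", "and", "of", "to", "in", "from", "is", "that", "for", "with"}


def recover_key(ciphertext):
    """Try all 25 non-trivial keys and return the one whose output looks
    most like English. Shows why this cipher protects nothing today."""
    def score(key):
        words = decrypt(ciphertext, key).lower().split()
        return sum(word in COMMON_WORDS for word in words)
    return max(range(1, 26), key=score)


if __name__ == "__main__":
    secret = encrypt("attack from the north", 6)
    print(secret)                         # the article's ciphertext
    print(decrypt(secret, 6))             # same key restores the plaintext
    print(decrypt(secret, 7))             # a wrong key yields gibberish
    print("recovered key:", recover_key(secret))
```
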

Private-key encryption has two inherent weaknesses.(258) First, the parties must find a secure method of distributing the keys.(259) Second, both the sender and recipient must trust one another to safeguard the key while it is in their possession.(260)

In 1976, Stanford scientists Whitfield Diffie and Martin Hellman addressed the problems related to private-key encryption by introducing “public-key encryption.”(261) This system of encryption uses a pair of mathematically related keys: a public key that encrypts data, and a corresponding private key that decrypts data.(262) The public key is published, often on a website or through a trusted third-party known as a certification authority, while the private key is available only to the sender.(263) Even though the keys are mathematically related, it is “computationally infeasible” to ascertain the private key from the public key.(264) A user can draft a message, encrypt it by accessing the recipient’s public key, and then send it.(265) Only the recipient can decrypt the message by using a corresponding private key.(266) This system eliminates the need for the two users to transmit and share a key and therefore eliminates the two major security concerns of private-key encryption.

Historically, governments showed the most interest in cryptography.(267) However, as the Internet continues to affect the way we communicate and conduct business, encryption technology is quickly becoming a valuable tool for protecting personal and proprietary information. For example, e-commerce sites typically offer “secure connections” and “encrypted data transmission” options for credit-card transactions. Similarly, attorneys can protect the confidentiality of client information by encrypting e-mail and attached documents before transmitting them over the Internet.

B. Verifying an E-mail Sender’s Identity through Digital Signatures

The second problem attorneys face when using e-mail is not being able to identify whom they are communicating with.(268) Without the ability to adequately identify an e-mail sender, attorneys could unknowingly release confidential information and possibly violate their ethical obligations. Digital signatures provide an answer to this dilemma. A digital signature is not a computerized image of a handwritten signature.(269) Instead, a digital signature is a term of art describing a systematic scrambling of characters to guarantee security and authenticity.(270) More specifically, digital signatures are created and verified through the use of cryptography, which ensures the authenticity of an electronic document’s content and the sender’s identity.(271)

Digital signatures serve the same functions as hand-written signatures. Like hand-written signatures, digital signatures offer authenticating evidence by identifying the signer with the signed document.(272) Also, the ceremonial act of signing a document calls the signer’s attention to the legal significance of his or her act.(273) Further, both types of signatures express the signer’s approval or authorization of the writing.(274) Finally, both handwritten and digital signatures signify “a sense of clarity and finality to the transaction” and may lessen the necessity to examine the agreement beyond the document’s four corners.(275)

Digital signatures offer additional advantages over handwritten signatures.(276) Most importantly, digital signatures give e-mail recipients the ability to verify the identity of an e-mail sender.(277) Digital signatures are also far more difficult to forge or reproduce than handwritten signatures.(278) Additionally, digital signatures give e-mail recipients the ability to verify that a document has not been altered.(279) While handwritten signatures generally authenticate only the page containing the signature, digital signatures authenticate the entire document down to the last punctuation mark.(280) Therefore, the documents’ contents are practically impossible to alter without detection.(281) Further, electronic documents can be encoded with digital time stamps, which allow the transmission time to be ascertained.(282) Finally, digital signatures eliminate the possibility that the sender will successfully repudiate or deny having sent the document.(283)

Digital signatures will change the way attorneys practice law. For example, in California, judges can now issue arrest warrants via e-mail from their home computers using digital signatures.(284) Previously, judges issued warrants via fax.(285) However, officials mandated the switch to e-mail with digital signatures because they feared that unencrypted fax transmissions could be easily intercepted.(286) As another example, lawyers traditionally will draft contracts or settlement agreements, present them to their clients for signatures, and then send them to other law firms for their clients’ signatures. Through the conventional process, this could take days. With the aid of digital signatures, parties can enter into binding agreements without the necessity of costly overnight shipping and postal delays. Many commentators similarly opine that “a secure digital signature is … the key to allowing technology to further revolutionize electronic commerce.”(287)

To digitally sign an electronic document, our hypothetical attorney Pat must send the document through a mathematical algorithm called a “one-way hash function.”(288) The one-way hash function scrambles the document into an unintelligible form to create a “message digest.”(289) Every time Pat sends the same message through the same one-way hash function, the same message digest will always result.(290) Conversely, two different messages always produce different message digests.(291) Next, Pat must encrypt the message digest with his private key (known only to Pat),(292) and attach the original unencrypted message.(293) Pat then transmits both documents to Chris.(294)

After receiving the documents, Chris obtains Pat’s public key and uses it to decrypt the message digest.(295) Chris also sends the original unencrypted message through the same one-way hash function that Pat used, which creates a second message digest.(296) Chris compares the message digest produced by Pat to the one she created from the original, unencrypted message.(297) If the message digests match, Chris is assured that the document’s integrity has not been compromised.(298) Through this process, Chris verifies that Pat sent the message and that the message was not altered in transit.

As an additional security measure, electronic documents may be sent through an intermediary known as a certification authority.(299) A certification authority acts as a trusted third party by assigning key pairs and digital certificates that verify the sender’s identity.(300) Digital certificates identify the public key as the “subject of the certificate” and verify that the sender controls the matching private key.(301) The certification authority typically publishes the certificate in a repository or on a website.(302) Chris can access the certification authority’s website, access Pat’s certificate and obtain a copy of Pat’s public key.(303) Thus, Chris is assured that Pat is indeed the sender and that the document has not been altered.(304)
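The signing and verification steps described above, together with the certification authority's role, as an added example that is not part of the original article. It assumes SHA-256 as the one-way hash function and textbook RSA with constructed toy keys; the key values, the certificate layout and all function names are illustrative, and production systems rely on vetted libraries with padded signature schemes.

```python
import hashlib

E = 65537  # public exponent shared by every toy key in this example


def make_keypair(p, q):
    """Build a textbook-RSA key pair from two primes: (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, E), (n, d)


# Constructed toy keys built from well-known Mersenne primes. Illustrative
# only: primes of this form are public knowledge and give no security.
PAT_PUB, PAT_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
CA_PUB, CA_PRIV = make_keypair(2**1279 - 1, 2**2203 - 1)
IMPOSTER_PUB, IMPOSTER_PRIV = make_keypair(2**2281 - 1, 2**3217 - 1)


def message_digest(data):
    """One-way hash function (SHA-256 assumed), returned as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data, private_key):
    """Pat's step: transform the message digest with the private key."""
    n, d = private_key
    return pow(message_digest(data), d, n)


def verify(data, signature, public_key):
    """Chris's step: recover the signed digest with the public key and
    compare it with a digest computed independently from the data."""
    n, e = public_key
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == message_digest(data)


def certificate_body(subject, public_key):
    """The bytes a certification authority signs: a name bound to a key."""
    n, e = public_key
    return f"subject={subject};n={n:x};e={e}".encode()


def issue_certificate(subject, public_key, issuer_private_key):
    body = certificate_body(subject, public_key)
    return {"subject": subject, "public_key": public_key,
            "issuer_signature": sign(body, issuer_private_key)}


def check_message(document, signature, cert, expected_sender, ca_public=CA_PUB):
    """Everything Chris checks before relying on a signed document."""
    body = certificate_body(cert["subject"], cert["public_key"])
    if not verify(body, cert["issuer_signature"], ca_public):
        return "rejected: certificate not issued by the trusted CA"
    if cert["subject"] != expected_sender:
        return "rejected: certificate names a different subject"
    if not verify(document, signature, cert["public_key"]):
        return "rejected: document altered or not signed by the subject"
    return "accepted"


def run_scenarios():
    document = b"Merger agreement, draft 3 (constructed sample text)"
    signature = sign(document, PAT_PRIV)
    pat_cert = issue_certificate("Pat", PAT_PUB, CA_PRIV)
    # A certificate claiming to be Pat's that the CA never signed.
    fake_cert = issue_certificate("Pat", IMPOSTER_PUB, IMPOSTER_PRIV)
    fake_sig = sign(document, IMPOSTER_PRIV)
    return {
        "genuine": check_message(document, signature, pat_cert, "Pat"),
        "altered": check_message(document + b" ", signature, pat_cert, "Pat"),
        "imposter": check_message(document, fake_sig, fake_cert, "Pat"),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:9s} {outcome}")
```

A single added space in the document is enough to change the digest, which is why the second scenario is rejected even though the signature itself is untouched.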

In many respects, a certification authority’s duty is similar to that of an attorney. As one commentator notes, certification authorities will need to have extensive training and will occupy “a high-level legal position … requiring a good understanding of contract law, international law, technology in general, and … [will] very likely need to have a substantial legal infrastructure around them.”(305) Moreover, just as an attorney is limited in the manner in which he can terminate services,(306) so is a certification authority.(307) Before terminating services, a certification authority must (1) notify the subscribers listed in any outstanding certificates

The duty of a certification authority is so interrelated with a lawyer’s duty that the ABA has opined that only attorneys should be qualified to act as certification authorities.(309) The ABA has embraced the use of digital signatures by establishing the “Digital Signature Guidelines.”(310) The Digital Signature Guidelines seek to “(1) minimize … electronic forgery, (2) enable and foster the reliable authentication of [electronic] documents, (3) facilitate [electronic] commerce … and (4) give legal effect to the general import of the technical standards for authenticating [electronic communication.]”(311) The Digital Signature Guidelines also explain the digital signature process, propose technological standards, and define the obligations of certification authorities and relying parties.(312)

In addition to the Digital Signature Guidelines, numerous digital signature and electronic commerce statutes have appeared in the last few years. In June 2000, President Clinton signed the Electronic Signatures in Global and National Commerce Act, which states, inter alia, that:

(a) no one is obligated to agree to use or accept electronic records or signatures

(b) if a notice must be provided to a consumer in writing, an electronic version will fulfill that requirement only if the consumer [consents] to accepting an electronic version and [demonstrates] that he can access the information in electronic form

(c) a state may preempt the Act only by adopting the Uniform Electronic Transactions Act (approved and recommended for enactment by the National Conference of Commissioners on Uniform State Laws in July 1999) or by passing a law that is technologically neutral

(d) [the Act] does not apply to the creation and execution of wills, codicils and testamentary trusts

Congress passed the Act, in part, to reconcile the varying array of state statutes that have appeared over the last few years.(314) Such statutes typically fall into one of three categories: (1) those that deem any type of electronic signature to be valid

One recent state statute is the Illinois Electronic Commerce Security Act.(316) Several statutes require that documents must be “a Writing” and must be “signed” to have a legal effect.(317) The Illinois statute attempts to clarify whether electronic data and documents satisfy these requirements.(318) R.J. Robertson and Thomas J. Smedinghoff served on the commission that developed the Illinois Act and explained that:

The Act introduces an important new concept to Illinois law–a “record.” It defines a “record” as “information that is inscribed, stored or otherwise fixed on a tangible medium or that is stored in an electronic or other medium and is retrievable in perceivable form.” The term “record” is intended to encompass both traditional paper documents and newer, electronic forms of information. The Act defines an “electronic record” as “a record generated, communicated, received, or stored by electronic means for use in an information system or for transmission from one information system to another.”

The Act provides that “[w]here a rule of law requires information to be ‘written’ or ‘in writing’ or provides for certain consequences if it is not, an electronic record satisfies that rule of law. “This provision” is intended to remove any doubt regarding the enforceability of electronic records where a writing is required.(319)

Specifically, the Illinois statute provides that no signature shall be deemed ineffective simply because it appears in electronic form.(320) Further, the effect of the Statute is that digitally signed documents generally satisfy the Statute of Frauds(321) and the Best Evidence Rule.(322)

In order to fall within the purview of the Illinois statute, parties must use a “qualified security procedure.”(323) If the parties used such a procedure, and the procedure was (1) commercially reasonable under the circumstances

Attorneys should familiarize themselves with digital signature technology. While digital signatures do not generally provide a strong defense against interception (unlike encryption), they help attorneys identify the parties with whom they are communicating. Just as a stolen communication could destroy the attorney-client privilege, so could a confidential message sent to an imposter. Digital signatures identify the parties to a transaction and provide numerous benefits that extend beyond those of hand-written signatures. Further, the Digital Signature Guidelines state that reliance on a digital signature is presumptively reasonable.(326)

Additionally, attorneys should utilize e-mail encryption. As noted, the ABA has embraced attorneys’ use of digital signatures. However, attorneys cannot seem to agree upon the necessity of encryption.(327) Indeed, varying bar associations that have examined whether e-mail encryption is necessary have reached different conclusions.(328) For example, the American Bar Association (ABA) Standing Committee on Ethics and Professional Responsibility concluded that:

A lawyer may transmit information relating to the representation of a client by unencrypted e-mail sent over the Internet without violating the Model Rules of Professional Conduct (1998) because the mode of transportation affords a reasonable expectation of privacy from a technological and legal standpoint. The same privacy accorded U.S. and commercial mail, land-line telephonic transmissions, and facsimiles applies to Internet e-mail.(329)

The ABA opinion has met with significant criticism. With regard to its effect on the attorney-client privilege, one commentator noted that the opinion ignored the well-settled principle that the privilege should be treated as the exception rather than the rule.(330)

In 1996, the Iowa Supreme Court Board of Professional Ethics and Conduct opined that attorneys must encrypt confidential e-mail communications.(331) A few months later, the board reversed itself, concluding that attorneys need not encrypt e-mail, provided that the client acknowledges the corresponding loss of confidentiality, or alternatively, if the e-mail is protected by a password, firewall, or equivalent safety measure.(332) In 1997, the Board further modified its position by requiring attorneys to obtain clients’ written acknowledgement of the risk of confidentiality loss regardless of whether the communication is encrypted.(333) Further, the acknowledgement must include an agreement as to the manner in which emails shall be secured.(334) Upon the client’s written agreement, the attorney and client may communicate without additional security measures.(335) Similarly, the Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility determined that attorneys can communicate with clients via unencrypted e-mail after warning the client of the risks associated with such communication.(336)

The North Carolina Bar Association’s Ethics Committee analogized e-mail security concerns to those related to cellular and cordless telephones and concluded that attorneys must therefore use similar precautions.(337) For example, attorneys must consider the surrounding circumstances when selecting a reasonable form of communication and select one that best protects the communication’s confidentiality.(338)

In 1997, the South Carolina Bar Ethics Advisory Committee opined that e-mail is subject to a reasonable expectation of privacy, but nevertheless noted that a finding of confidentiality and privileged communication is not necessarily dispositive.(339) Attorneys owe a duty of reasonable care in keeping information confidential.(340) As a result, attorneys should consider encryption to safeguard against even inadvertent disclosure of confidential information.

In 1997, the Illinois State Bar Association concluded that e-mail is entitled to a reasonable expectation of privacy and attorneys need not encrypt e-mail.(341) Furthermore, attorneys need not obtain client consent before communicating via e-mail.(342) However, the Illinois State Bar Association recognized that extraordinarily sensitive matters might nevertheless require enhanced security measures such as encryption.(343) Such unique circumstances would be of the type for which telephone and other forms of communication would be similarly inappropriate.(344) Similarly, the District of Columbia Bar’s Legal Ethics Committee opined that “in most instances [e-mail] is an acceptable form of conveying client confidences even where the lawyer does not obtain specific client consent.”(345) However, certain circumstances may require that attorneys use additional security measures to protect such communications.(346) The Kentucky, Vermont, New York, and North Dakota Bar Associations have adopted similar approaches.(347)

As the foregoing indicates, an attorney’s ethical and professional obligations with respect to e-mail vary from state to state. Unfortunately, as e-mail makes communication faster and easier, we often fail to consider whether our message is sent to a recipient in another state.(348) Further, some ethics opinions rest on the mistaken belief that e-mail is secure since it has become so common.(349) To the contrary, e-mail theft frequently occurs as evidenced by the countless examples previously noted.(350) Additionally, e-mail theft may be even more common when one considers that e-mail theft can generally go undetected for an extended amount of time. One should also remember that ethical opinions issued by the Bar Associations of each state are strictly advisory.(351) They are not legally binding and do not necessarily insulate attorneys from liability.(352)

Although many attorneys use the Internet, they are still hesitant when using e-mail. For example, a 1998 survey conducted by the ABA Legal Technology Resource Center indicated that attorneys in solo practice or small law firms (constituting almost 75% of American lawyers in private practice) utilize technology extensively.(353) Over 53% of survey respondents reported using the Internet to communicate with clients and 21.5% of those surveyed use the Internet to collaborate with clients on documents.(354) However, approximately 75% of those firms surveyed indicated that they choose not to transmit sensitive information by e-mail.(355) In a similar ABA survey of the 500 largest private law firms, 60% of the respondents stated that they do not transmit sensitive information across the Internet.(356)

Unfettered reliance on these advisory opinions ignores other problems as well. Attorneys following the Illinois approach must make a judgment call as to whether a particular message requires enhanced security measures. Also, many such opinions focus on the ethical side of e-mail but ignore the evidentiary issue of the attorney-client privilege.(357) Additionally, many opinions rely on the assumption that e-mail is secure.(358) As previously noted, this assumption is simply incorrect.(359) Finally, attorneys should try to go beyond the “minimal security standard” advocated by the advisory opinions. Careful attorneys generally go beyond the “minimal security standard” and are not comfortable with simply avoiding a potential ethical problem. Rather, these attorneys are more likely to take necessary steps to ensure that communications between attorneys and clients are secure. The old adage about an ounce of prevention is appropriate here. Encryption software is fairly inexpensive, easy to use, and practically eliminates the possibility of unauthorized access to sensitive information.(360) Thus, it satisfies the “reasonable precautions” test that is used to determine whether a stolen document should remain privileged.(361) In contrast, total reliance on advisory opinions, which vary from state to state, simply creates a hope that one will be insulated from an ethical violation. They offer no guarantee and cannot make a client whole when his or her confidential information is compromised. “Neither polite conduct nor federal law can be an effective bar for the ungentle or unscrupulous, particularly as the information gained can often be used in such a way that you’ll never know [if,] how or where you were blindsided.”(362) Attorneys sending documents over the Internet would be wise to utilize significant security measures, particularly when they are available at such a minimal expense. After all, “[e]ven if the lawyer wasn’t [legally] at fault, [if a] disaster occur[s], the (former) client is unhappy, and who needs that?”(363)

Finally, these ethics opinions fail to recognize that the recurring test in professional responsibility and attorney-client privilege analyses is whether the parties took reasonable steps to protect the information.(364) This test generally applies even when the communication is overheard or stolen.(365) One need not have a doctorate in computer science or a vast fortune to use both encryption and digital signature technology. For example, the CertifiedMail program provides users with both encryption and digital signature measures.(366) Further, it costs less than $100 per year per user and works seamlessly with e-mail programs like Microsoft Outlook, Exchange, and Outlook Express.(367) Similarly, ZixMail works with the click of a mouse and costs only a few dollars per user.(368) The significant benefit of such software should constitute a reasonable precaution against theft and inadvertent disclosure, particularly in light of its low cost. These technologies offer significant benefits with minimal cost and effort and can be licensed in one package for a nominal fee.(369) Finally, because only a handful of states and few cases have addressed this issue, with varying results, the best course of action at this time is to take the utmost care to ensure that client communications are secure. Therefore, attorneys should use both digital signature and e-mail encryption technology to help ensure that they are satisfying their ethical obligation as attorneys.


The Internet has radically changed the way attorneys practice law by making them more efficient and effective. Unfortunately, increased efficiency in the information age comes at a price. Legal professionals should take steps to minimize security concerns. Some pundits opine that such fears are exaggerated. However, numerous well-documented examples exist wherein e-mails are stolen, eavesdropped, and forged. Some commentators view federal eavesdropping statutes and advisory opinions as creating safe harbors. However, such statutes are riddled with exceptions and are largely untested in this context. Bar Association advisory opinions addressing this issue rely on incorrect assumptions and do not fully address the security issues posed by e-mail.

This is not to say that attorneys should not use e-mail. In fact, despite these risks, attorneys should embrace technology. Indeed, as Internet usage among lawyers increases, we may be reaching a point where professional responsibility requires the use of Internet technology.(370) When doing so, attorneys can ensure e-mail security and avoid any corresponding ethical and evidentiary problems by utilizing encryption and digital signature technology. Such technology is simple, inexpensive, and can protect both attorneys from malpractice and their clients from theft and inadvertent disclosure of confidential information.

(1.) Charles R. Merrill, E-mail for Attorneys from A to Z, N.Y. ST. B.J., May-June 1996, at 20.

(2.) The vast majority of law professors, law students, judges, and corporate in-house counsel have Internet access. Id.

(3.) Colleen L. Rest, Note, Electronic Mail and Confidential Client-Attorney Communications: Risk Management, 48 CASE W. RES. L. REV. 309, 318-19 (1998).

(4.) Id. (quoting Michael J. DiCorpo, Technology–What Clients Demand, 68 CLEVELAND B.J. 8 (1996)).

(5.) Tod Newcombe, Justice Online: Uniting Our Fractured Judicial System with Technology, GOV’T TECH., Feb. 1999, at 58, 59.

(6.) Id.

(7.) Id.

(8.) Id.

(9.) Key Facts on the Internet, THE PATRIOT LEDGER, Aug. 1, 1998, at 22, available at 1998 WL 8096129.

(10.) Duane A. Daiker, Computer-Related Malpractice: An Overview of the Practitioner’s Potential Liability, FLA. B.J., Apr. 1995, at 12, 14.

(11.) Id.

(12.) David Hricik, Lawyers Worry Too Much About Transmitting Client Confidences by Internet E-Mail, 11 GEO. J. LEGAL ETHICS 459, 460 (1998).

(13.) Id.

(14.) See, e.g., Anheuser-Busch Brewing Co. v. Hutmacher, 21 N.E. 626, 628 (Ill. 1889) (deeming the written telegraph message that is delivered to the recipient to be the “original,” and thus, the primary evidence where the sender initiates the telegraph and there is no evidence of any error in the message’s transmission).

(15.) See, e.g., Joseph Denunzio Fruit Co. v. Crane, 79 F. Supp. 117 (S.D. Cal. 1948) (addressing whether a teletype constitutes a writing).

(16.) See, e.g., Matteson v. Noyes, 25 Ill. 481 (1861) (applying the best evidence rule to telegrams).

(17.) See, e.g., Parma Tile Mosaic & Marble Co., Inc. v. Estate of Short, 663 N.E.2d 633 (N.Y. 1996) (rejecting the contention that a fax machine that automatically imprints the sender’s name on each page satisfied the Statute of Frauds’ signature requirement).

(18.) See, e.g., 1 Ill. State Bar Ass’n Op. (1990) (addressing the use of cellular telephones), available at; see also McKamey v. Roach, 55 F.3d 1236, 1238-39 (6th Cir. 1995) (holding that conversations on a cordless telephone are not subject to Fourth Amendment protection).

(19.) Merrill, supra note 1, at 23.

(20.) ACLU v. Reno, 929 F. Supp. 824, 830-49 (E.D. Pa. 1996) (discussing the Internet).

(21.) Daniel J. Greenwood & Ray A. Campbell, Electronic Commerce Legislation: From Written on Paper and Signed in Ink to Electronic Records and Online Authentication, 53 Bus. LAW. 307, 310-11 (1997).

(22.) The New Yorker printed a cartoon wherein two dogs chatted over the Internet. The caption quipped, “On the Internet, nobody knows you’re a dog.” Peter Steiner, NEW YORKER, July 5, 1993, at 61 (cartoon).

(23.) Rest, supra note 3, at 319-20.

(24.) ACLU v. Reno, 929 F. Supp. at 830-49.


(26.) Id. at 88.

(27.) Id. at 85.

(28.) Id. at 88, 100.

(29.) Id. at 88.

(30.) Id. at 93.


(32.) Id.


(34.) Id.

(35.) Id. The store-and-forward process raises yet another security problem because deleted files may remain on a computer’s hard drive indefinitely. Susan E. Davis, Elementary Discovery, My Dear Watson, 16 CAL. LAW, Mar. 1996, at 53. Computers simply alter the deleted file to indicate that the file is no longer in use and that the corresponding disk space can be overwritten if necessary. Id. “Data can be restored unless it has been overwritten.” Marianne Lavalle, Digital Information Boom Worries Corporate Counsel, NAT’L L.J., May 30, 1994, at B1, B3. This is sometimes called the “data remnants phenomenon.” Id. For further discussion, see MICHEL E. KABAY, THE NCSA GUIDE TO ENTERPRISE SECURITY: PROTECTING INFORMATION ASSETS 44-45 (1996). Even when the computer overwrites the disk space with another program or file, computer experts can sometimes retrieve the document. Id.

(36.) GRALLA, supra note 25.

(37.) Id.

(38.) Martin E. Hellman, Implications of Encryption Policy on the National Information Infrastructure, 11 COMPUTER LAW., Feb. 1994, at 28.

(39.) WANG, supra note 37.

(40.) Id.

(41.) Id.

(42.) Id.

(43.) E.g., Bella Cooler Corp., Bella Cooler Sniffer Series, at (last visited Nov. 12, 2000).

(44.) Robert L. Jones, Client Confidentiality: A Lawyer’s Duties with Regard to Internet E-mail, at (Aug. 16, 1995).

(45.) Id.

(46.) AMRIT TIWANA, WEB SECURITY 328 (1999).

(47.) Id.

(48.) Id.

(49.) See id. at 54.

(50.) See id.

(51.) Hricik, supra note 12, at 459.

(52.) Id.

(53.) Id. at 465.

(54.) See ABA Comm. on Ethics and Prof’l Responsibility, Formal Op. 413 (1999) (concluding that a lawyer sending confidential information by unencrypted email does not violate an Ethics rule “because [this] type of transaction affords a reasonable expectation of privacy from a legal standpoint.”)

(55.) See Hricik, supra note 12, at 465.

(56.) One 1999 survey indicated that 67% of American employers monitored their employees’ use of electronic forms of communication, including 27% of employers that monitored employee e-mail. Anna Wilde Mathews, For Truckers, Electronic Monitors Rev Up Fears of Privacy Invasion, WALL ST. J., Feb. 25, 2000, at B1, available at 2000 WL-WSJ 3019413. Employers abroad also regularly monitor employee e-mail. For example, 75% of Australian companies admit that they monitor their employees’ email, often without notifying their employees that they do so. You’ve Got Mail. Who Else Knows?, THE AGE, Feb. 28, 2000, available at 2000 WL 2315176.

(57.) See, e.g., Larry O. Natt Gantt, II, An Affront to Human Dignity: Electronic Mail Monitoring in the Private Sector Workplace, 8 HARV. J.L. & TECH. 345, 346-49 (1995).

(58.) See GEORGE B. DELTA & JEFFREY H. MATSUURA, LAW OF THE INTERNET, 6.02, at 6-15 (Supp. 1999).

(59.) 914 F. Supp. 97 (E.D. Pa. 1996).

(60.) Id. at 98.

(61.) Id.

(62.) Id. Smyth was an at-will employee. Id. at 99.

(63.) Id. at 100.

(64.) See id. at 101.

(65.) Id.

(66.) Id.

(67.) Ex-Student Charged With Harassment, DES MOINES REG., Sept. 3, 1998, available at 1998 WL 3223784.

(68.) See Rodel Divina, Lt. San Diego: Stanford Deals with E-mail Hackers, UWIRE, Nov. 18, 1998, available at 1998 WL 22129591.

(69.) Id.

(70.) See Ira Sager et al., Cyber Crime, Bus. WK., Feb. 21, 2000, at 37, 38

(72.) Teri Weaver, Woman Charged with Cybercrime: Cazenovia Woman is Accused of Intercepting E-Mail Intended for Her Employer, POST-STANDARD (Syracuse, N.Y.), Apr. 22, 1999, at 23, available at 1999 WL 4678695.

(73.) Dirk Beveridge, Student May Have Accidentally Released `Love Bug’ Virus, CHI. SUN-TIMES, May 11, 2000, at 38.

(74.) Courtney Macavinta, Microsoft Orders Security Audit After Hotmail Breach, CNET, at (Sept. 9, 1999).

(75.) Id.

(76.) For example, in 1997 and 1998, the total number of court-authorized intercepts rose 12%. See Charles Arthur, et al., Cyber Snoops: Who’s Looking over Your Shoulder?, INDEPENDENT (London), Sept. 26, 1999, at 17, available at 1999 WL 27991337. Of those intercepts, 46% were related to electronic wiretaps of email and pager messages. Id. The American Civil Liberties Union (ACLU) has released a white paper discussing government wiretaps of e-mail. ACLU, Big Brother in the Wires: Wiretapping in the Digital Age, Mar. 1998, at (last visited Nov. 12, 2000).

(77.) Linnet Myers, Cybersleuthing vs. Civil Rights: Hacker Identified After Network is Wiretapped, CHI. TRIB., Mar. 30, 1996, at 1, available at 1996 WL 2657346.

(78.) Id.

(79.) Id.

(80.) Id.

(81.) Julie Robotham, American Secret Service Turns on E-mail Taps, SYDNEY MORNING HERALD, Jan. 16, 1996, at 29, available at 1996 WL 16868568.

(82.) Neil King Jr. & Ted Bridis, FBI Lobbies to Show Carnivore Doesn’t Eat Privacy, WALL ST. J. EUR., July 21, 2000, at A3, available at 2000 WL-WSJE 21066796.

(83.) Neil King Jr. & Ted Bridis, FBI’s Wiretaps to Scan E-mail Spark Concern, WALL ST. J., July 11, 2000, at A1, available at 2000 WL-WSJ 3035880.

(84.) Id.

(85.) Angry Reaction to UK Net Tapping Legislation, COMPUTERGRAM INT’L, July 1, 1999, available at 1999 WL 21236866.

(86.) British to Spy on E-mail, CHI. SUN-TIMES, May 11, 2000, at 38

(87.) Kevin Platt, China’s `Cybercops’ Clamp Down, CHRISTIAN SCI. MONITOR, Nov. 17, 1999, at 6, available at 1999 WL 5383704.

(88.) Id.

(89.) Id.

(90.) ACLU, Super-Secret Global Surveillance System Eavesdrops on Conversations Worldwide, at (modified Feb. 25, 2000).

(91.) Robyn E. Blumner, The Words that Can Get You Spied On, ST. PETERSBURG TIMES, Oct. 17, 1999, at 1D, available at 1999 WL 27322865

(92.) Charles Trueheart, Eavesdropping System Raises Ire

(93.) See supra sources cited at note 91.

(94.) Id.

(95.) Barr Reacts to Australian Confirmation of “Echelon” Spy Network, GOV’T PRESS RELEASE, Nov. 3, 1999, at 1999 WL 28846330.

(96.) Trueheart, supra note 92.

(97.) Top-Secret Agency Denies Abuses in Letter to Congress, supra note 91

(98.) Barr Reacts to Australian Confirmation of “Echelon” Spy Network, supra note 95. Congress held such hearings in April 2000. U.S. Spy Fears Rock Europe, CHI. SUN-TIMES, July 6, 2000, at 22. The American Civil Liberties Union similarly urged Congress to scrutinize the Echelon Project. Love, supra note 91. According to the ACLU, the NSA operates Echelon “without the oversight of either Congress or the courts. Shockingly, the NSA has failed to adequately disclose … the legal guidelines for the project … [therefore,] there is no way of knowing if the NSA is using Echelon to spy on Americans in violation of federal law.” ACLU, supra note 90.

(99.) Barr Bill Updates Wiretap Laws, GOV’T PRESS RELEASE, July 28, 2000, at 2000 WL 7980250. The measure would block the use of illegally obtained evidence, extend statutes requiring law-enforcement officials to report the interception of communications, would ban unchecked government access to computer users’ identities, and would require a court order to track cellular telephone calls. Id.

(100.) U.S. Spy Fears Rock Europe, supra note 98.

(101.) Trueheart, supra note 92.

(102.) Id.

(103.) Top-Secret Agency Denies Abuses in Letter to Congress, supra note 91.

(104.) Id.

(105.) Id.

(106.) Blumner, supra note 91.

(107.) Christy Harvey, American Opinion (Special Report), WALL ST. J., Sept. 16, 1999, at A10, available at 1999 WL-WSJ 24914077.

(108.) Id.

(109.) David L. Chandler, If Not Al Gore, Who Invented the Internet?, BOSTON GLOBE, Oct. 17, 2000, at F1.

(110.) See e.g., Clayton Collins, Latest Invasion of Military Technology, CHRISTIAN SCI. MONITOR, May 25, 2000, at 15, available at 2000 WL 4428315.

(111.) Lawrence M. Hertz, Advertising on the Web: Understanding and Managing the Risks, 571, 581 (PLI Pat., Copyrights, Trademarks & Literary Prop. Course Handbook Series No. G0-00A2, 2000).

(112.) Hertz, supra note 111.

(113.) Id.

(114.) James Garrity & Eoghan Casey, Internet Misuse in the Workplace: A Lawyer’s Primer, 72 FLA. B.J. 22, 24 (Nov. 1998). Sending truly anonymous e-mail is technically possible but requires substantial effort. Id.

(115.) Id.

(116.) Id.

(117.) Tim Richardson, Electronic Signatures and Internet Security, an Explanation and Practical How-To Notes, at (Aug. 16, 2000). The ease of altering one’s email settings depends heavily upon the e-mail program one uses. Id.

(118.) GELMAN, supra note 37, at 129.

(119.) Id. Spoofing is often used in conjunction with junk e-mail, or “spam.” Id.

(120.) Id.

(121.) For further discussion of remailers, see John Schwartz, With E-mail Privacy in Jeopardy, “Remailer” Closes Up Shop, WASH. POST, Sept. 16, 1996, at F19.

(122.) DELTA & MATSUURA, supra note 58, § 6.02, at 6-18.

(123.) Id.

(124.) Id. One company with involvement in remailers is ApolloMedia. Its website address is

(125.) WANG, supra note 37, at 193.

(126.) Id.

(127.) Id.

(128.) Thomas E. Weber, E-mail Sent to AOL Users Falls Victim to Attack on Internet’s Address Book, WALL ST. J., Oct. 19, 1998, at B10.

(129.) Sara Nathan, AOL Computer Service Fixes Problem After Forged Message Tangles E-mail, USA TODAY, Oct. 19, 1998, at 7A.

(130.) Id.

(131.) Weber, supra note 128.

(132.) See John C. Anderson & Michael L. Closen, Document Authentication in Electronic Commerce: The Misleading Notary Public Analog for the Digital Signature Certification Authority, 17 J. MARSHALL J. COMPUTER & INFO. L. 833, 869-70 n.262 (citing letter from LEXIS-NEXIS, to Law School Faculty & Staff (Oct. 29, 1998) (stating that a “scam is currently being perpetrated upon a few LEXIS-NEXIS customers by both e-mail and telephone. This scam asks the customer to provide their LEXIS-NEXIS ID (code) to a generic e-mail box….”)).

(133.) No. 97-06273 (Travis County D. Ct., Texas 1997) available at (last visited Nov. 12, 2000).

(134.) Id.

(135.) Id.

(136.) Id.

(137.) Id.

(138.) Id.

(139.) Id.

(140.) Id.

(141.) Despite the efforts of many state legislatures, the practice continues. For example, Section 16-9-93 of the Georgia Code makes it illegal to transmit data via a computer with a false or unauthorized name. The statute has criminal and civil penalties. GA. CODE ANN. § 16-9-93 (1999).

(142.) Juno Online Servs., L.P. v. Scott Allen Exp. Sales, No. 97CV08694 (S.D.N.Y. filed Nov. 21, 1997).

(143.) Id.

(144.) John F. Delaney & William I. Schwartz, The Law of the Internet: A Summary of U.S. Internet Caselaw and Legal Developments, 29, 177 (PLI Pat., Copyrights, Trademarks & Literary Prop. Course Handbook Series No. G0-00FS, 2000).

(145.) No. BC 167502 (Los Angeles Cty. Sup. Ct., filed Mar. 13, 1997).

(146.) 962 F. Supp. 1015 (S.D. Ohio 1997).

(147.) 46 F. Supp. 2d 444 (E.D. Va. 1998).

(148.) 47 U.S.P.Q.2d 1020 (N.D. Cal. 1998).

(149.) For further discussion of these cases, see Delaney & Schwartz, supra note 144, at 181

(150.) Am. Online, Inc. v. IMS, 24 F. Supp. 2d 548, 549 (E.D. Va. 1998).

(151.) Id. at 551-52.

(152.) See generally Mike France, Increasing Threat: Law Firm Data a Juicy Target for Hack Attack, NAT’L L.J., Apr. 3, 1995, at A1.

(153.) Id. (citing Wyatt v. Williams, 892 S.W.2d 584 (Ky. 1995)).

(154.) Arnold Ceballos, Law Firms May Not Be Immune from Computer Security Snags, WALL ST. J., Aug. 15, 1996, at B2, available at 1996 WL-WSJ 3114580.

(155.) France, supra note 152.

(156.) Id.

(157.) Id.

(158.) Dave James, Barbarians at the Gate: Internet Security in the Law Firm/Corporate Environment, 277, 284 (PLI Pat., Copyrights, Trademarks & Literary Prop. Course Handbook Series No. G4-3944, 1995).

(159.) Carol L. Schlein, Keeping Tabs on Your Computers, N.J. LAW., Aug. 2, 1999, at 23.

(160.) Ceballos, supra note 154.

(161.) Computer crime is likely higher than statistics suggest. A 1995 Michigan State University Cyber Crime study indicated that unauthorized access to computer files is one of the most commonly reported forms of computer theft. COMPUTER LAW GUIDE, (CCH) ¶ 15,230, at 26,008 (Oct. 1996). The same survey indicated dramatic increases in reported incidents of trade secret and client information theft. Id.

(162.) Steven Wilmsen, Internet Merchant Accused of Intercepting Rival’s Email, BOSTON GLOBE, Nov. 23, 1999, at A1, available at 1999 WL 6091746.

(163.) Wilmsen, supra note 162.

(164.) Id.

(165.) ISP Charged with Intercepting Customer E-mail, Possessing Unauthorized Password Files, EDP WEEKLY’S IT MONITOR, Nov. 29, 1999, at 7, available at 1999 WL 9504340.

(166.) Id.

(167.) See Ben Heskett, A New Windows Password Cracker, CNET, at (Feb. 13, 1998).

(168.) Id.

(169.) Id.

(170.) Id.

(171.) Id.

(172.) See Timothy C. Barmann, eBay Passes on Bid to Fix Password Security Lapse, PROVIDENCE J., Feb. 22, 2000, at E1, available at 2000 WL 5094625.

(173.) Id.

(174.) Id.

(175.) Id.

(176.) Id.

(177.) See Richard Fromm, The eBay Password Daemon, PROVIDENCE J., Feb. 22, 2000, available at 2000 WL 5094625.

(178.) Id.

(179.) See generally CHARLES W. WOLFRAM, MODERN LEGAL ETHICS 242 (1986) (discussing attorney-client confidentiality).

(180.) MODEL RULES OF PROF’L CONDUCT R. 1.6(a) (1983) [hereinafter MODEL RULES].

(181.) MODEL RULES, supra note 180, at R. 1.6 cmt.

(182.) MODEL CODE OF PROF’L RESPONSIBILITY Canon 4 (1977) [hereinafter MODEL CODE].

(183.) MODEL CODE, supra note 182, at EC 4-6 (“The obligation of a lawyer to preserve the confidences and secrets of his client continues after the termination of his employment.”).

(184.) For example, in American Motors Corp. v. Huffstutler, 575 N.E.2d 116, 119 (Ohio 1991) and Maritrans GP, Inc. v. Pepper, Hamilton & Sheetz, 602 A.2d 1277, 1288 (Pa. 1992), courts granted injunctive relief to protect clients from abuses by their former attorneys.

(185.) Some of the security risks associated with e-mail are due to “weak links” and “community vulnerability,” which are inherent in network systems. Rest, supra note 3, at 314-16. Other security risks are due to “store-and-forward” technology, which saves email on computer systems that may be vulnerable to hackers and other user errors, such as misaddressing an email. Id.

(186.) Id. at 325 (“The consequences of [a confidentiality breach via insecure email] are disciplinary sanctions, attorney malpractice claims, and waiver of the attorney-client privilege.”).

(187.) MODEL RULES, supra note 180, at R. 1.15 cmt.

(188.) MODEL CODE, supra note 182, at DR 9-102(B)(2).

(189.) MODEL RULES, supra note 180, at R. 1.15(a).

(190.) See, e.g., In re Kaleidoscope, Inc., 15 B.R. 232, 246-47 (Bankr. N.D. Ga. 1981) (holding that legal files created during representation of a client were property of the client).

(191.) Corporations may typically keep over 80% of their intellectual property in digital form. Sager, supra note 70, at 70.

(192.) See Rest, supra note 3, at 325 (stating that an intercepted or misaddressed email may result in “danger … that, if not controlled, may lead to … consequence[s] unintended by and actually or potentially harmful to a law firm or practitioner.”) (quoting ANTHONY E. Davis, RISK MANAGEMENT 15 (1995)).

(193.) WOLFRAM, supra note 179, at 176.

(194.) Id. (citations omitted).

(195.) MODEL RULES, supra note 180, at R. 1.4(a) (“A lawyer shall keep a client reasonably informed about the status of a matter and promptly comply with reasonable requests for information.”)

(196.) Should hackers compromise a firm’s security system, such e-mails could be lost or redirected. Further, the attorney or firm may be too preoccupied with the task of restoring the system to devote proper time to client responsibilities.

(197.) MODEL RULES, supra note 180, at R. 3.2

(198.) MODEL RULES, supra note 180, at R. 3.2. A lawyer must “take steps reasonable under the circumstances to protect confidential client information … against use or disclosure by others.” RESTATEMENT OF THE LAW GOVERNING LAWYERS § 111 (Tentative Draft No. 3, 1990).

(199.) See Rest, supra note 3.

(200.) See id.

(201.) Id. (quoting Michael J. DiCorpo, Technology–What Clients Demand, 68 CLEV. B.J. 8 (1996)).

(202.) Id. at 325.

(203.) An attorney’s duty of confidentiality is broader than the attorney-client privilege rule. See generally Geoffrey C. Hazard, Ethics, NAT’L L.J., Jan. 25, 1993, at 17-18. The client confidentiality rule encompasses all information with regard to the representation. Id. In contrast, the attorney-client privilege relates more narrowly to communications. Id. Moreover, attorneys’ confidentiality obligation restricts disclosure to third parties in general, while the attorney-client privilege prevents the government from compelling disclosure. Id. Therefore, it is possible that the failure to adequately safeguard an electronic document may not result in waiver of the attorney-client privilege but may nevertheless constitute a breach of the confidentiality duty.


(205.) See, e.g., Bank Brussels Lambert v. Credit Lyonnais, 160 F.R.D. 437, 441-42 (S.D.N.Y. 1995).

(206.) 8 JOHN HENRY WIGMORE, EVIDENCE § 2292, at 554 (McNaughton rev. ed. 1961) (citation and emphasis omitted). The rule differs somewhat when the client is a corporation. In such cases, the attorney-client privilege applies in a situation where:

[C]ommunications … were made by … employees … to counsel … at the direction of corporate superiors in order to secure legal advice…. [Such] [i]nformation, [which was] not available from upper-echelon management, was needed to supply a basis for [such] legal advice…. The communications … concerned matters within the scope of the employees’ corporate duties, and the employees themselves were sufficiently aware that they were being questioned in order that the corporation could obtain legal advice.

Upjohn Co. v. United States, 449 U.S. 383, 394 (1980) (footnote omitted).

(207.) United States v. Goldberger & Dubin, P.C., 935 F.2d 501, 504 (2d Cir. 1991) (stating that the attorney-client privilege “cannot stand in the face of countervailing law or strong public policy, and should be strictly confined within the narrowest possible limits underlying its purpose”).

(208.) PAUL RICE, ATTORNEY-CLIENT PRIVILEGE IN THE UNITED STATES §§ 9:23, 9:26 (1993) (citing WIGMORE, supra note 206, § 2325).

(209.) See supra text accompanying note 22.

(210.) In re Horowitz, 482 F.2d 72, 82 (2d Cir. 1973).

(211.) See id. (holding that a client’s failure to take affirmative actions toward preserving privilege brought confidentiality relationship to an end).

(212.) Suburban Sew `N Sweep, Inc., v. Swiss-Berina, Inc., 91 F.R.D. 254, 260 (N.D. Ill. 1981) (“[T]he relevant consideration is the intent of the defendants to maintain the confidentiality of the documents as manifested in the precautions they took.”).

(213.) Id.

(214.) Id. As this Article discusses later, there are reasonable security measures that parties can utilize when sending documents electronically to protect against waiver. See infra, Part III.

(215.) RICE, supra note 208, § 9:23 (citing In re Horowitz, 482 F.2d 72, 82 (2d Cir. 1973)).

(216.) Id. (citing In re Victor, 422 F. Supp. 475, 476 (S.D.N.Y. 1976)).

(217.) Id. (citing Bower v. Weisman, 669 F. Supp. 602, 605-06 (S.D.N.Y. 1987)).

(218.) Id. (citing Jarvis, Inc. v. Am. Tel. & Tel. Co., 84 F.R.D. 286, 292 (D. Colo. 1979)).

(219.) Id. (citing United States v. McMahon, 151 F.3d 1031 (4th Cir. 1998)).

(220.) See, e.g., Todd H. Flaming, Internet E-Mail and the Attorney Client Privilege, 85 ILL. B.J. 183, 184 (1997).

(221.) 18 U.S.C. §§ 2510-2520 (1994). Several states have enacted statutes similar to the ECPA. Hricik, supra note 12, at 473 n.75 (citing multiple state statutes).

(222.) Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, 100 Stat. 1848 (codified as amended at 18 U.S.C. §§ 2510-2520 (1986)).

(223.) 18 U.S.C. § 2517(4) (Supp. 1999).

(224.) 18 U.S.C. § 2511(2)(a)(i) (Supp. 1999).

(225.) Id.

(226.) Lois R. Witt, Comment, Terminally Nosy: Are Employers Free to Access Our Electronic Mail?, 96 DICK. L. REV. 545, 550-51 (1992).

(227.) While few cases that address e-mail exist, several cases exist in other contexts. See, e.g., United States v. Turner, 528 F.2d 143, 155 (9th Cir. 1975) (“Title III [of the Omnibus Crime Control and Safe Streets Act of 1968, 18 U.S.C. §§ 2510-20], in providing for judicially authorized telephone interceptions, contradicts any claim of privilege attaching generally to all conversations so intercepted.”)

(228.) DELTA & MATSUURA, supra note 58, § 6.02, at 6-17. While few cases dealing with the ECPA vis-a-vis e-mail exist, there have been several cases in which courts have admitted into evidence damaging statements overheard by telephone operators and others working in the ordinary course of business. See, e.g., Williams v. State, 507 P.2d 1339 (Okla. Crim. App. 1973).

(229.) DELTA & MATSUURA, supra note 58, § 6.02, at 6-17.

(230.) Symposium, The Privacy Debate: To What Extent Should Traditionally “Private” Communications Remain Private on the Internet?, 5 FORDHAM INTELL. PROP. MEDIA & ENT. L.J. 329, 382 (1995).

(231.) Id.

(232.) Jonathan Rose, Note, E-mail Security Risks: Taking Hacks at the Attorney-Client Privilege, 23 RUTGERS COMPUTER & TECH. L.J. 179, 212 (1997) (citing United States v. Hall, 543 F.2d 1229, 1241 (9th Cir. 1976)). “The word `otherwise,’ and the legislative history relating to § 2517(4), see S. REP. NO. 1097, reprinted in 1968 U.S. CODE CONG. & ADMIN. NEWS, at 2189, indicate that the subsection’s assurance of protection still depends on whether adequate precautions were taken under common-law standards,” Rose, supra, at 212 n.229.

(233.) Rose, supra note 232, at 212.

(234.) Id. at 212 n.229.

(235.) See id. at 212.

(236.) See supra Part II.

(237.) See, e.g., United States v. Maxwell, 42 M.J. 568, 575 (A.F.C.M.R. 1995), rev’d on other grounds, 45 M.J. 406 (C.A.A.F. 1996) (finding that a reasonable expectation of privacy exists in e-mail sent via America Online). But see Bohach v. Reno, 932 F. Supp. 1232 (D. Nev. 1996) (finding no reasonable expectation of privacy in a city-operated e-mail paging system)

(238.) See Kevin J. Connolly, Cryptography Can Ensure E-mail Confidentiality, 19 NAT’L L.J., June 9, 1997, at B13

(239.) RICE, supra note 208, § 9:26, at 68 & n.66 (citing In re Grand Jury Proceedings Involving Berkley & Co., 466 F. Supp. 863, 869-70 (D. Minn. 1979), aff’d as modified, 629 F.2d 548 (8th Cir. 1980) (“The protection afforded by the privilege … does not apply to the documents obtained from Berkley’s former employee, for the privilege does not apply to stolen or lost documents.”)). Wigmore similarly notes that:

All involuntary disclosures, in particular, through loss or theft of documents from the attorney’s possession, are not protected by the privilege, on the principle that, since the law has granted secrecy so far as its own process goes, it leaves to the client and attorney to take the measures of caution sufficient to prevent being overheard by third parties. The risk of insufficient precautions is upon the client. This principle applies equally to documents.

WIGMORE, supra note 206, § 2325.

(240.) See RICE, supra note 208, § 9:26 at 68-69 & n.68 (citing United States v. Cable News Network, Inc. 865 F. Supp. 1549 (S.D. Fla. 1994) (“It is a fundamental principle of law that only the client, not the attorney, may waive the attorney-client privilege.”)).

(241.) See Connolly, supra note 238. Connolly advocates the use of cryptography as a reasonable precaution to preserve the confidentiality of communications between attorneys and their clients over e-mail. Id.

(242.) RICE, supra note 208, § 9:26, at 68-69 n.68 (citing U.S. ex rel. Mayman v. Martin Marietta Corp., 886 F. Supp. 1243, 1245 (D. Md. 1995)).

(243.) Connolly, supra note 238.

(244.) RICE, supra note 208, § 9:26, at 69-70.

(245.) WIGMORE, supra note 206, § 2326.

(246.) See generally Amy M. Fulmer Stevenson, Comment, Making a Wrong Turn on the Information Superhighway: Electronic Mail, the Attorney-Client Privilege, and Inadvertent Disclosure, 26 CAP. U.L. REV. 347 (1997). An attorney who reads an inadvertently disclosed document has not committed an ethical violation. Ill. St. Bar Ass’n. Comm. on Prof’l Conduct, Op. 98-4 (Jan. 1999).

(247.) RICE, supra note 208, § 9:70, at 303-06.

(248.) Connolly, supra note 238.

(249.) Karn v. United States Dep’t of State, 925 F. Supp. 1, 3 n.1 (D.C. 1996) (quoting BRUCE SCHNEIER, APPLIED CRYPTOGRAPHY 1 (1994)). In contrast, “cryptoanalysis” is the science of analyzing and breaching secured data. NATIONAL RESEARCH COUNCIL, CRYPTOGRAPHY’S ROLE IN SECURING THE INFORMATION SOCIETY 62 (Kenneth W. Dam & Herb S. Lin eds., 1996). Collectively, these two related sciences are known as cryptology.

(250.) David L. Gripman, Electronic Document Certification: The Technology Behind Digital Signatures, 17 J. MARSHALL J. COMPUTER. & INFO. L. 769, 774 (1999).

(251.) Id.

(252.) J. Terrence Stender, Too Many Secrets: Challenges to the Control of Strong Crypto and the National Security Perspective, 30 CASE W. RES. J. INT’L L. 287, 299 (1998) (quoting DEBORAH RUSSELL & G.T. GANGEMI, ENCRYPTION, in COMPUTER SECURITY BASICS 11 (1991)).

(253.) Id. at 300.

(254.) See Phillip E. Reiman, Cryptography and the First Amendment: The Right to Be Unheard, 14 J. MARSHALL J. COMPUTER & INFO L. 325, 328 (1996). Private encryption is also called conventional, secret-key, or symmetric-key encryption. Gripman, supra note 250, at 774-75.

(255.) Gripman, supra note 250, at 774 n.45. (citing Bernstein v. United States Dep’t of State, 922 F. Supp. 1426, 1429 (N.D. Cal. 1996)). “A `key’ is a stream of bits of a specified length randomly created by a computer to encrypt or decrypt a message.” Id. Longer keys create more secure messages. Id. For example, “a 64-bit key is more secure than a 40-bit key.” Id.

(256.) Stender, supra note 252.

(257.) Id.

(258.) See Gripman, supra note 250, at 775.

(259.) Id.

(260.) Id.

(261.) Elizabeth Lauzon, The Philip Zimmermann Investigation: The Start of the Fall of Export Restrictions on Encryption Software Under First Amendment Free Speech Issues, 48 SYRACUSE L. REV. 1307, 1318 (1998). Public-key encryption is also called an “asymmetric cryptosystem.” Kaveh Ghaemian, An Internet Security Primer, GOV’T TECH., Mar. 1999, at 76.

(262.) Ghaemian, supra note 261.

(263.) See DIGITAL SIGNATURE GUIDELINES: LEGAL INFRASTRUCTURE FOR CERTIFICATION AUTHORITIES AND SECURE ELECTRONIC COMMERCE, 1996 A.B.A. SEC. SCI. & TECH., at 8 [hereinafter GUIDELINES]. There are several methods in which the signer can safeguard the private key. A particularly safe method is the use of a “cryptographic token” (a “smart card,” for example). Id. at n.20.

(264.) Id. at 9.

(265.) Ghaemian, supra note 261.

(266.) Id.

(267.) Dam & Lin, supra note 249, at 53.

(268.) Taking measures to assure the validity of documents is not a new practice. Historically, the possibility of fraud has encouraged parties to transactions to memorialize their agreements in writing, dating back at least hundreds of years. For instance, in medieval England, illiteracy was so common that documents were often authenticated with seals rather than signatures. RESTATEMENT (SECOND) OF CONTRACTS [sections] 94, Topic 3 (1981).

(269.) Greenwood & Campbell, supra note 21, at 310.


(271.) GUIDELINES, supra note 263, at 8. Cryptography is a mathematical process that scrambles documents into an unintelligible form (known as encryption) and then converts them back to original form (known as decryption). Id.

(272.) Id. at 4 n.3 (citing Joseph M. Perillo, The Statute of Frauds in the Light of Functions and Dysfunctions of Form, 43 FORDHAM L. REV. 39, 48-64 (1974)) (stating that handwritten signatures constitute probative evidence in part because of the signer’s handwriting style).

(273.) Id. at 4 n.5 (citing JOHN AUSTIN, LECTURES ON JURISPRUDENCE 939-44 (4th ed. 1873)).

(274.) Id. at 4 n.6 (citing Model Law on Electronic Commerce, United Nations Commission on International Trade Law (UNCITRAL) 29th Sess., Art. 7(1), at 3, U.N. Doc. A/CN.9/XXIX/CRP. 1/Add. 13 (1996)) (“Where a law requires a signature of a person, that requirement is met in relation to a data message if: (a) a method is used to identify that person and to indicate that person’s approval of the information contained in the data message….”).

(275.) Id. at 4.

(276.) For further discussion, see Anthony Martin Singer, Note, Electronic Commerce: Digital Signatures and the Role of the Kansas Digital Signature Act, 37 WASHBURN L.J. 725 (1998). A digital signature provides a higher degree of security and authenticity than its handwritten counterpart because of the binding between a sender and the signed message. Randy V. Sabett, International Harmonization in Electronic Commerce and Electronic Data Interchange: A Proposed First Step Toward Signing On the Digital Dotted Line, 46 AM. U. L. REV. 511, 521 (1996).

(277.) GUIDELINES, supra note 263, at 13.

(278.) A. Michael Froomkin, The Essential Role of Trusted Third Parties in Electronic Commerce, 75 OR. L. REV. 49, 54 (1996).

(279.) Id. Because a digital signature uses the actual text of the message as input to the formulation of the encryption algorithm, the slightest alteration will prevent the message from decrypting properly. Id.

(280.) C. Edward Good, An E-mail Education. What You Don’t Know About Email Can, and Will, Hurt You, TRIAL, Feb. 1999, at 28, 35.

(281.) See Froomkin, supra note 278. Alternatively, cases do exist where parties have altered signed documents.

(282.) DAVE BAYER ET AL., IMPROVING THE EFFICIENCY AND RELIABILITY OF DIGITAL TIME-STAMPING, in SEQUENCES II: METHODS IN COMMUNICATION, SECURITY, AND COMPUTER SCIENCE 329, 331-33 (Renato Capocelli et al. eds., 1993). A digital time stamp also provides an extra measure of security should a private key become compromised. Id.

(283.) Sabett, supra note 276, at 522. For example, imagine that two parties enter into a contract based on an offer communicated electronically. Later, the offeror attempts to repudiate by denying that an offer was made. The offeree can prove the existence of the offer by using the offeror’s public key to decrypt the document. This would eliminate the possibility of repudiation, since only the offeror and his private key could have created the original encrypted message. Id.

(284.) Peter Blumberg, Judges May Soon Issue Arrest, Search Warrants Using E-Mail, L.A. DAILY J., Apr. 17, 1998, at 1.

(285.) Id.

(286.) Id.

(287.) Elizabeth Wasserman, Signing on with Digital Signatures: New Laws May Allow Computer Validation, PHOENIX GAZ., Aug. 29, 1995, at A1.

(288.) Greenwood & Campbell, supra note 21, at 314.

(289.) Id. The resulting message digest, also called a “hash result” or “hash value,” is unique to each digitally signed message. GUIDELINES, supra note 263, at 9.

(290.) Greenwood & Campbell, supra note 269, at 314.

(291.) GUIDELINES, supra note 263, at 9 n.25. See also Greenwood & Campbell, supra note 21, at 314 (stating that if anyone alters a message while it is in transit over the Internet, a different message digest will result).

(292.) “Private key” describes the mathematical algorithm which creates the actual digital signature. Greenwood & Campbell, supra note 21, at 314. Situations may arise where a private key is compromised and forgery becomes possible. GUIDELINES, supra note 263, at 81 n.20. The ABA seeks to resolve this threat by establishing safeguards. Id. First, subscribers with private keys must conform to a duty of care with respect to the key’s safekeeping to ensure that the key remains confidential. Id. Second, if a key is compromised, subscribers must distinguish themselves from the keys by suspending or revoking the certificates and then informing others of the compromise by disclosing the revocation in a “certificate revocation list,” or CRL. Id. Other methods that will help to ensure a document’s integrity include dating certificates when issued and limiting periods of validity. Froomkin, supra note 278, at 61. The certificate should give explicit reference to the CRL, insisting that it be checked regularly. Id. Individual receivers might decide to accept certificates issued in the last few days, or will have to determine which certification authorities are the most reputable and trustworthy. Id. Certification authorities are required to use trustworthy systems to perform their services. GUIDELINES, supra note 263, § 3.1.

(293.) See Greenwood & Campbell, supra note 21, at 314.

(294.) Id.

(295.) Id. “Public key” describes the mathematical algorithm which verifies the sender’s signature. GUIDELINES, supra note 263. The public key can be stored in some type of repository or even on a web site where it can be easily accessed by the party wishing to verify the signature. Id.

(296.) Greenwood & Campbell, supra note 21, at 314.

(297.) Id.

(298.) Id.

(299.) Froomkin, supra note 278, at 58. One such service provider is a company called VeriSign, Inc. VeriSign provides digital certificates of varying types, from the “Class 1” certificate for casual web and e-mail use to the ultra-secure “Class 4,” issued only after a thorough investigation. Id.

(300.) ABA, 38 JURIMETRICS J. 243, 253 (1998).

(301.) “A certificate is a digitally signed statement by a certification authority that provides independent confirmation of an attribute claimed by a person proffering a digital signature.” Froomkin, supra note 278, at 58. A certificate must (1) include the identification and digital signature of the certification authority, (2) include the identity of the subscriber, (3) identify the certificate’s valid operational period, and (4) provide the subscriber’s public key. GUIDELINES, supra note 263, § 1.5.

(302.) Jane Kaufman Winn, Open Systems, Free Markets, and Regulation of Internet Commerce, 72 TUL. L. REV. 1177, 1202 (1998).

(303.) Id.

(304.) R.J. Robertson, Jr., Electronic Commerce on the Internet and the Statute of Frauds, 49 S.C. L. REV. 787 (1998).

(305.) Victoria Sling-Flor, Legal Locksmith: Moving into Cyberspace As Notaries, The Need to Authenticate Electronic Documents Is a New Frontier for Attorneys, NAT’L L.J., Dec. 18, 1995, at A1. The author predicts that certification authorities “will play an essential role in the digital communications process … [since] the cryptographic system relies upon an impartial third party to verify the authenticity of electronic transactions.” Michael L. Closen & R. Jason Richards, Notaries Public–Lost In Cyberspace, or Key Business Professionals of the Future?, 15 J. MARSHALL J. COMPUTER & INFO. L. 703, 739 (1997).

(306.) See MODEL RULES, supra note 180, R. 1.16 (1981) (restricting attorney withdrawal in circumstances where it could have a “material adverse effect on the interests of the client”).

(307.) GUIDELINES, supra note 263, § 3.13.

(308.) Id.

(309.) Michael L. Closen & Thomas W. Mulcahy, Conflicts of Interest In Document Authentication by Attorney-Notaries In Illinois, 87 ILL. B.J., June 1999, at 320, 324-25. Note, however, that the authors, Mr. Closen and Mr. Mulcahy, contend that because the ABA’s rules do not prohibit attorneys from notarizing documents they themselves have created, the ABA’s position allows for serious conflicts of interest. Id.

(310.) See generally GUIDELINES, supra note 263.

(311.) Id. at 18 (Introduction).

(312.) See generally id.

(313.) McBride Baker & Cole, The Federal E-Sign Law: Why It Was Passed–What Does It Mean, at 143381052000 (July 15, 2000) [hereinafter McBride Baker & Cole] (discussing the Electronic Signatures in Global and National Commerce Act (E-Sign), Pub. L. No. 106-229 (codified at 15 U.S.C. §§ 7001-7031 (Supp. 2000))).

(314.) Id.

(315.) McBride Baker & Cole, supra note 313.

(316.) 5 ILL. COMP. STAT. ANN. 175/1-101 (West 1998).

(317.) R.J. Robertson, Jr., & Thomas J. Smedinghoff, Illinois Law Enters Cyberspace: The Electronic Commerce Security Act, ILL. B.J. 308, 309 (June 1999).

(318.) Id.

(319.) Id. at 309-10 (footnotes omitted).

(320.) 5 ILL. COMP. STAT. ANN. 175/5-120(a).

(321.) Id. at 175/5-115 (“Where a rule of law requires information to be ‘written’ or ‘in writing,’ or provides for certain consequences if it is not, an electronic record satisfies that rule or law.”).

(322.) 5 ILL. COMP. STAT. ANN. 175/5-125 (“Where a rule of law requires information to be presented or retained in its original form, or provides consequences for the information not being presented or retained in its original form, that rule is satisfied by an electronic record if there exists reliable assurance as to [its] integrity ….”).

(323.) 5 ILL. COMP. STAT. ANN. 175/10-105 (b)(1)(2) (defining a “qualified security procedure” as one that has been “previously agreed to by the parties,” or alternatively, one that is certified by the state).

(324.) Id. at 175/10-110 (a)(1)(2)(3).

(325.) Id. at 175/10-120 (a)(b).

(326.) GUIDELINES, supra note 263, at 856.

(327.) Id.

(328.) For further discussion, see Michael Trittipo, E-mail, Evidence, Ethics, & Encryption, ABA TECHNOLOGY & PRACTICE GUIDE, at 36-40 (1998).

(329.) ABA Comm. on Ethics and Prof’l Responsibility, Formal Op. 99-413 (1999), available at http://www,

(330.) In re Horowitz, 482 F.2d 72, 81 (2d Cir. 1973) (stating that the attorney-client privilege “is to be strictly confined with the narrowest possible limits consistent with the logic of its principle”).

(331.) Iowa Sup. Ct. Bd. of Prof’l Ethics and Conduct, Formal Op. 95-30 (1996), available at http://www,

(332.) Iowa Sup. Ct. Bd. of Prof’l Ethics and Conduct, Formal Op. 96-1 (1996).

(333.) Iowa Sup. Ct. Bd. of Prof’l Ethics and Conduct, Formal Op. 97-1 (1997).

(334.) Id.

(335.) Id.

(336.) Pennsylvania Bar Ass’n Comm. on Legal Ethics and Prof’l Responsibility, Informal Op. 97-130 (1997).

(337.) North Carolina State Bar Ethics, Op. RPC 215 (1995).

(338.) Id.

(339.) South Carolina Bar Ethics Advisory Comm., Op. 97-08 (1997), available at

(340.) Id.

(341.) Illinois State Bar Ass’n Advisory Op. on Prof’l Conduct No. 96-10 (1997).

(342.) Id.

(343.) Id.

(344.) Id.

(345.) District of Columbia Bar’s Legal Ethics Comm. Op. No. 281 (1997).

(346.) Id.

(347.) See, e.g., Kentucky Bar Ass’n Comm. on Ethics, Op. E-403 (1998), available at http://uky.edu/Law/Kyethics/opinions/kba403.htm (last visited Nov. 12, 2000).

(348.) Unlike conventional communications forms, e-mail addresses do not contain a city, state, zip code or area code indicating the recipient’s location.

(349.) S.C. Bar Ethics Advisory Op., supra note 339.

(350.) See supra notes 51-110 and accompanying text.

(351.) See, e.g., First Nat’l Bank v. Malpractice Research, Inc., 688 N.E.2d 1179, 1185 (Ill. 1997).

(352.) See id.

(353.) Small Law Firm Technology Survey: 1998 Survey Report, ABA LEGAL TECHNOLOGY RESOURCE CENTER (1998).

(354.) Id.

(355.) Id.

(356.) Large Law Firm Technology Survey: 1998 Survey Report, ABA LEGAL TECHNOLOGY RESOURCE CENTER 54, 55 (1998).

(357.) See Protecting the Confidentiality of Unencrypted E-mail, ABA Comm. on Ethics and Prof’l Responsibility, Formal Op. 99-413 (1999) (“The committee believes that e-mail communications, including those sent unencrypted over the Internet, pose no greater risk of interception or disclosure than other modes of communication commonly relied upon as having a reasonable expectation of privacy.”).

(358.) See, e.g., id. (opining that e-mail is a technologically secure form of communication).

(359.) See supra notes 51-110 and accompanying text.

(360.) Barry D. Bayer & Benjamin H. Cohen, Inexpensive, Easy Routes to Encrypted E-mail, CHI. DAILY L. BULL., May 10, 2000, at 2.

(361.) See supra notes 238-247 and accompanying text.

(362.) Bayer, supra note 360, at 2.

(363.) Id.

(364.) ABA Comm. on Ethics and Prof’l Responsibility, supra note 345, at 2.

(365.) See supra notes 238-247 and accompanying text.

(366.), Secure One-Click Email, at (last visited Nov. 12, 2000).

(367.) Id.

(368.) What is ZixMail, at http://www.zixmail.com/whatis.html (last visited Nov. 12, 2000).

(369.) See id.

(370.) At one point, not so long ago, lawyers and support staff commonly typed documents on typewriters. Often, the desire to make corrections or additions meant that the entire document would need to be retyped. Today, any attorney or law firm using a typewriter in such a way would arguably be violating the rule that attorneys must expedite litigation. Conceivably, in twenty years, a lawyer filing documents through the mail when he or she could file them electronically may face ethical problems.


(*) The author received his J.D. from The John Marshall School of Law where he was a Law Review Editor. Currently, he is a clerk in the Illinois Appellate Court. He has lectured law students and attorneys on the use of digital signatures. The views expressed in this Article are his own. His previous publications include: John Anderson, Human Rights: Multinational Corporations Strike Out, 2 U. PA. J. LABOR & EMP. L. 463 (2000).