Technology has certainly been a game-changer for the attorney-client relationship. In particular, digital age innovations have facilitated communication between companies and their counsel. While messaging was previously limited to traditional options such as telephone calls, paper letters and facsimiles, lawyers and clients now enjoy an abundance of media to instantaneously exchange information. In addition, the methods for doing so have also expanded, with smartphones and tablet computers replacing desktop computers and other antiquated tools. And with the proliferation of cloud computing, both client and counsel essentially have an unlimited virtual warehouse in which to store their digital discussions.
Yet these same technological innovations also present a myriad of complications for the attorney-client privilege. As both a procedural rule and an evidentiary hurdle that exclude relevant information from legal proceedings, strong policy reasons have traditionally mandated that the privilege be narrowly construed. That limited scope of protection continues to shrink as technologies provide unexpected transparency into the zone of confidential exchanges between clients and lawyers. Unless appropriate safeguards are taken, the use of social networks, cloud computing and bring your own device (BYOD) policies could jeopardize enterprise privilege claims.
Technological challenges for the privilege
For example, third party access to discussions on social networking sites between in-house counsel and corporate employees could destroy the element of confidentiality required for a justiciable privilege claim. This is because information exchanged on social networks could be accessed and monitored by site representatives under the governing terms of service. While those terms typically provide privacy settings that would allow corporate employees to limit the extent to which information may be disseminated, they also notify those same users that site representatives may access their communications. Though the justification for such access varies from site to site, the terms generally delineate the lack of confidentiality associated with user communications. This includes ostensibly private communications sent through the direct messaging features available on social networks like LinkedIn, Twitter and Facebook.
In like manner, providers of cloud computing services often have access and monitoring rights to a company’s privileged communications that are stored in the provider’s cloud. Memorialized in service level agreements, those rights may allow provider representatives to access, review or even block transmissions of company data to and from the cloud. Just like social networking sites, provider access could destroy the confidentiality required to maintain the privileged status of communications with counsel.
BYOD also presents a difficult challenge for preserving the privileged character of communications with counsel. This is due to the lack of corporate control that BYOD has introduced into a company’s information ecosystem. Unless appropriate safeguards are deployed, employees may unwittingly disclose proprietary information to third parties by using personal cloud storage providers for storage or transmission of company data. In addition, family, friends or even strangers who have access to the employee device could retrieve such information. Indeed, it is not difficult to envision how a roommate, a teenage child or even a stranger could take, text or tweet company information. Such third party access could destroy the confidentiality of any privileged messages found on the device.
Best practices for preserving the privilege
Confronted with these factors, the question becomes what steps a company can take to preserve the confidentiality of its ostensibly privileged communications. On the social media front, a company could prohibit counsel from using social networks for business communications. While such a policy could theoretically address the issue, it would likely be difficult to enforce. In addition, it may prove unpopular given that many employees (including lawyers) prefer communicating over social networks.
Alternatively, the company could deploy an on-site social network environment that would provide a secure ecosystem for its employees to communicate with in-house counsel about internal corporate matters. Conceptually similar to private clouds that house data behind the company firewall, an on-site network could be jointly developed with a third party provider to ensure specific levels of confidentiality. For example, the company could create specific forums or groups with limited membership for addressing legal matters or alternatively permit direct messaging with counsel. Under either of these scenarios, employees would have the benefit of using a social network while the company could eliminate site representative access to those communications.
For the enterprise that is considering cloud computing for its ESI storage needs, it should require a cloud service provider to offer measures to preserve the confidentiality of privileged messages. That may include specific confidentiality terms or a separate confidentiality agreement. In addition, the provider should probably have certain encryption functionality to better preserve confidentiality. Such functionality – a secure sockets layer connection, password hashing, encryption key storage – are all designed to prevent unauthorized access by the provider’s employees (or other third parties) to company data that is transmitted to and hosted in the cloud.
To address the confidentiality problems associated with BYOD, a company should prepare a cogent policy and deploy technologies that facilitate employee compliance. Such a policy would discourage workers from using personal cloud storage providers to facilitate data transfers or for ESI storage. It would also delineate the parameters of access to employee devices by the employee’s family, friends, or others. To make such a policy more effective, employers would need to provide a secure portal to ensure that data transmissions between employee devices and employer databases remain confidential. To address the other third party access issue, software could be downloaded on to an employee’s personal device to segregate and encrypt employer information from personal data. Such a measure would undoubtedly help prevent employee family or friends from accessing privileged content.
By developing reasonable policies, training employees, and deploying effective, enabling technologies, organizations can better prevent unauthorized disclosures of privileged information. Only by taking such professionally recognized best practices can companies hope to shield their privileged information from the prying eyes of third parties in the digital age.