Safeguarding confidential information, border searches, and your devices

In February, I will have the opportunity to be part of a panel discussion in Vancouver, Canada at the mid-year meeting of the Association of Professional Responsibility Lawyers focused on privacy and client confidentiality issues.

We will discuss quite a few interesting topics, including something that likely isn’t on the radar of as many U.S. lawyers as it should be — the EU’s General Data Protection Regulation which will become effective on May 25, 2018.  I plan to find some time on another day to write a bit more about that, but for today I just want to offer up a short-ish update on something talked about here before (and that we will also discuss in Vancouver) – concerns for lawyers when crossing the border back into the United States if Customs and Border Patrol demand access to electronic devices.

With a thankful tip of the hat to Wendy Chang with Hinshaw & Culbertson who alerted me to its existence, I can possibly alert you to the fact that CBP put out a new Directive on the topic of border searches of electronic devices on January 4, 2018.  You can go read the full document here.

The piece of it I want to spend just a moment or two elaborating on is the new guidance it provides in Section 5.2 “Review and Handling of Privileged or Other Sensitive Material.”

Before doing so though it makes sense to lay out for you what CBP’s prior directive on this topic indicated – which was dated August 20, 2009 and can be found here.  Section 5.2.1 of that directive provided as follows:

Officers may encounter materials that appear to be legal in nature, or an individual may assert that certain information is protected by attorney-client or attorney work product privilege.  Legal materials are not necessarily exempt from a border search, but they may be subject to the following special handling procedures:  If an Officer suspects that the content of such a material may constitute evidence of a crime or otherwise pertain to a determination within the jurisdiction of CBP, the Officer must seek advice from the CBP Associate/Assistant Chief Counsel before conducting a search of the material, and this consultation shall be noted in appropriate CBP systems of records.  CBP counsel will coordinate with the U.S. Attorney’s Office as appropriate.

Now, assuming that meant what it implied, that seems to paint the guidance as being in the nature of:  if an attorney tells you that something you want to look at is a problem because it is privileged information, then you don’t proceed further with trying to look at it unless you suspect that it might be evidence of a crime or otherwise something that impacts CBP’s jurisdiction (i.e. you really think that maybe the person shouldn’t be let into the country unless you can read what that is).  And, if so, you first have to start talking with a lawyer for the CBP about whether to do so.

Now compare that to the much more extensive language on this issue in the new directive.   (Spoiler alert:  it appears to me to be more extensive but less friendly to traveling lawyers.)

5.2.1  Officers encountering information they identify as, or that is asserted to be, protected by the attorney-client privilege or attorney work product doctrine shall adhere to the following procedures.

5.2.1.1  The Officer shall seek clarification, if practicable in writing, from the individual asserting this privilege as to specific files, file types, folders, categories of files, attorney or client names, email addresses, phone numbers, or other particulars that may assist CBP in identifying privileged information.

5.2.1.2  Prior to any border search of files or other materials over which a privilege has been asserted, the Officer will contact the CBP Associate/Assistant Chief Counsel office.  In coordination with the CBP Associate/Assistant Chief Counsel office, which will coordinate with the U.S. Attorney’s Office as needed, Officers will ensure the segregation of any privileged material from other information examined during a border search to ensure that any privileged material is handled appropriately while also ensuring that CBP accomplishes its critical border security mission.  This segregation process will occur through the establishment and employment of a Filter Team composed of legal and operational representatives, or through another appropriate measure with written concurrence of the CBP Associate/Assistant Chief Counsel office.

5.2.1.3  At the completion of the CBP review, unless any materials are identified that indicate an imminent threat to homeland security, copies of materials maintained by CBP and determined to be privileged will be destroyed, except for any copy maintained in coordination with the CBP Associate/Assistant Chief Counsel office solely for purposes of complying with a litigation hold or other requirement of law.

So, it does seem to me that this more extensive guidance is likely good for protecting privileged materials from improper use if actually reviewed and held and does seem to be clearer guidance about how CBP could go about, for example, reviewing some information on an electronic device but segregating items asserted to be privileged or work-product.  But it also seems to me that this guidance does not move the needle in a helpful direction for lawyers who want to attempt to protect review of their client’s information at all by asserting privilege as it both (1) imposes a more onerous process on the lawyer to do so (including the potential for demanding something in writing akin to a privilege log) and (2) appears to drop what was at least the implication of the prior directive that the assertion alone is likely enough to move the burden over to CBP to justify trying to do something further.

Which also makes me think that any attorney put in this situation is, at the very least, not going to be making any connecting flight if they seek to protect client materials from review.

Of course, neither the older directive nor this directive even mentions things that attorneys have to treat as confidential under their ethical obligations even though not privileged, which remains unfortunate.  But I am interested in hearing from anyone wanting to weigh in about whether you think I am misreading this guidance and that this directive is better for lawyers than the 2009 directive.

 

Traps for the Unwary – Employer email systems

I like to think I am “warier” than the average attorney.  But a recent attorney-client privilege opinion out of New York was a good reminder that being “wary” can be much like being “woke.”  Even if you think you are, you probably aren’t as much as you think you are, and you can always be a bit more.

I’ve spoken and written in the past about the risk for lawyers’ clients to using an email system provided by an employer to communicate with them but my focus in doing so has largely involved assumptions about ways in which the nature of the representation could be one in which the client wouldn’t actually want to the employer to be able to access the communications.  For example, where the client and the employer would actually have contrary interests.

That type of scenario was the focus of the kind of warning ABA Formal Ethics Opinion 11-459 provided to lawyers who handle employment law matters:

This opinion addresses this question in the following hypothetical situation.
An employee has a computer assigned for her exclusive use in the course of her employment. The company’s written internal policy provides that the company has a right of access to all employees’ computers and e-mail files, including those relating to employees’ personal matters. Notwithstanding this policy, employees sometimes make personal use of their computers, including for the purpose of sending personal e-mail messages from their personal or office e-mail accounts. Recently, the employee retained a lawyer to give advice about a potential claim against her employer. When the lawyer knows or reasonably should know that the employee may use a workplace device or system to communicate with the lawyer, does the lawyer have an ethical duty to warn the employee about the risks this practice entails?

[snip]

The situation in the above hypothetical is a clear example of where failing to warn the client about the risks of e-mailing communications on the employer’s device can harm the client, because the employment dispute would give the employer a significant incentive to access the employee’s workplace e-mail and the employer’s internal policy would provide a justification for doing so. The obligation arises once the lawyer has reason to believe that there is a significant risk that the client will conduct e-mail communications with the lawyer using a workplace computer or other business device or via the employer’s e-mail account. This possibility ordinarily would be known, or reasonably should be known, at the outset of the representation. Given the nature of the representation–an employment dispute–the lawyer is on notice that the employer may search the client’s electronic correspondence. Therefore, the lawyer must ascertain, unless the answer is already obvious, whether there is a significant risk that the client will use a business e-mail address for personal communications or whether the employee’s position entails using an employer’s device.

With hindsight it certainly seems an obvious extension of the same point to be worried that the privilege is in jeopardy even when the underlying matter is not one in which client and the employer are adverse, yet I’ll admit that I was initially surprised to hear about through this (as always) quite good write up in the ABA/BNA Lawyers’ Manual on Professional Conduct and then dig in and read the Peerenboom v. Marvel Entertainment opinion itself (which is remarkable for its brevity) which found that Marvel’s CEO’s emails to his personal attorney on Marvel’s email system could not be shielded from discovery by a third party pursuing litigation against Marvel based on attorney-client privilege.  (Simultaneously also saying that no marital privilege existed either.)

The New York court explained that Marvel’s email policy provided that it “‘owned’ all emails on its system, and that the emails were ‘subject to all Company rules, policies, and conduct statements.’ Marvel ‘reserve[d] the right to audit networks and systems on a periodic basis to ensure [employees’] compliance’ with its email policies. It also ‘reserve[d] the right to access, review, copy and delete any messages or content,’ and ‘to disclose such messages to any party (inside or outside the Company).'”  Based on that, the court considered it easy to conclude that the CEO had no reasonable expectation of privacy in email communications to others using his Marvel email address.

Interestingly, but not surprisingly, the opinion does not reference or discuss in any fashion whether the CEO’s lawyer would still be obligated to treat all of the communications as confidential under the relevant ethics rules in New York(spoiler alert: he would).

Since I’ve got your webcam turned on remotely, show of hands if you’ve 100% of the time been making sure your clients’ email communications with you are only happening on a platform provided by someone other than their employer – like gmail, Yahoo, Bellsouth, or Comcast, or some other personal source of email access.

Yeah, me neither.

It certainly feels like a harsh result — particularly when you stop and think about how much email traffic takes place on email platforms that are company provided to all involved — but it can be a difficult outcome to argue against given the traditional strict construction of the privilege and how readily it can be waived as a result of exposure to anyone who is a stranger to the relationship.

The Peerenboom opinion also serves, however, as a good reminder of just how different the attorney-client privilege and the attorney work-product doctrine are and how differently they are waived.

Given the lack of evidence that Marvel viewed any of Perlmutter’s personal emails, and the lack of evidence of any other actual disclosure to a third party, Perlmutter’s use of Marvel’s email for personal purposes does not, standing alone, constitute a waiver of attorney work product protections (see People v Kozlowski . . .898 N.E.2d 891 . . . .

That point is one I’ve always found easiest to explain to lawyers with reference to another New York case (albeit one in federal court) involving a different very famous brand, Martha Stewart, United States v. Stewart, 287 F. Supp. 2d 461 (S.D.N.Y. 2003).  That was the case in which a New York federal court explained the different ramifications as to privilege waiver versus work product waiver flowing from Martha Stewart sharing her lawyer’s communications with her daughter.  While, because she was a stranger to the attorney-client relationship Stewart had with her lawyer and thus eviscerated the attorney-client privilege, as to work product:

By forwarding the e-mail to a family member, Stewart did not substantially increase the risk that the Government would gain access to materials prepared in anticipation of litigation. Martha Stewart stated in her affidavit that “Alexis is the closest person in the world to me. She is a valued confidante and counselor to me. In sharing the e-mail with her, I knew that she would keep its content strictly confidential.” Martha Stewart Aff. ¶ 6. Alexis Stewart stated that while she did not recall receiving the June 24 e-mail, she “never would have disclosed its contents.” Alexis Stewart Aff. ¶ 2. The disclosure affected neither side’s interests in this litigation: it did not evince an intent on Stewart’s part to relinquish work product immunity for the document, and it did not prejudice the Government by offering Stewart some litigation-based advantage. Accordingly, I hold that Stewart did not waive work product protection over the June 23 and 24 e-mails.

And, it seems fair to say that the more robust ability of the work-product doctrine to withstand waiver in a world in which people use their work email for a lot of things, allow me to echo Ms. Stewart to say.

That’s a good thing.