Over at Attorney at Work, Carol Gerber blogs about steps that lawyers should take when choosing to use Cloud services. She notes that lawyers are finding that cloud transfer and storage services (like Box, Dropbox, Google Drive and iCloud) are a great way to access client materials on their smartphones, tablets or off-site computers when working away from the office. Carol notes that state bars that have addressed the topic say lawyers may use Cloud services provided they use reasonable care. I blogged about this topic on the ZixCorp blog.
These bar opinions distinguish Cloud file storage and transfer services from Cloud email services in ways that are not defensible. The state bars impose restrictions on lawyers’ use of Cloud file storage and transfer services, but they do not apply similar restrictions to Cloud email services. The state bar opinions from the 1990s say lawyers are simply entitled to rely on an expectation of privacy in email.
There is no logical basis for this ethics rules distinction. Email is a Cloud service that is used to transmit and store content. It makes no sense to differentiate the transmission and storage of documents using Cloud email services versus the transmission and storage of documents using other types of Cloud services. The key functions of Cloud document transmission and storage solutions are essentially the same as transmitting and storing documents via Cloud email. From an ethics perspective, it should not matter whether the server on which a confidential document is stored belongs to a document storage provider (such as Dropbox) or a webmail provider (such as Yahoo!).
Unencrypted email actually raises more security concerns than those other Cloud services. Once email leaves their firms’ networks, lawyers cannot know or control the locations of the multiple servers through which the data might be routed, whether and for how long the data is stored on those servers, how the data is secured by the various service providers, the ability of third parties to access the data, or the terms and conditions of all of the relevant email service participants.
Pundits often claim that we should rely on an expectation of privacy in email because of laws that criminalize intercepting email or accessing email without authorization. The South Carolina Supreme Court recently ruled (Jennings v. Jennings, et al.) that accessing online e-mail without permission does not violate the 1986-era Stored Communications Act (SCA). The Court reasoned that an opened email on a webmail provider’s servers is not stored for “backup” and is therefore not protected by the SCA. Thus, at least in South Carolina, it is unreasonable to point to the SCA as creating any expectation of privacy in stored webmail.
More fundamentally, the assertion that email should be deemed confidential because the law criminalizes its interception or unauthorized access is like saying that because burglaries are illegal we should pretend they never occur so there’s no need to lock client files or law offices. Lawyers should take the same reasonable, proactive steps to protect the content of email that they take to protect other content that is stored or transmitted via the Cloud.