HL Chronicle of Data Protection : Privacy Lawyers & Attorneys : Hogan Lovells Law Firm : Data Security, E-Commerce & Technology

Employers have a right, and in some cases a duty, to monitor the e-mail communications of their employees that are sent from the employer's e-mail system. As a general matter, employees have no expectation of privacy in e-mails sent through their workplace system. Since employees who communicate with their personal lawyers through their employer's e-mail are subject to employer monitoring, the American Bar Association has issued a formal ethics opinion stating that lawyers have a duty to warn such employees that their e-mails may not be confidential. 

The Opinion expressly reserves on the question of whether the breach of confidentiality  would vitiate the attorney-client privilege, declaring "the law appears to be evolving." But the cases cited in the ethics opinion on when employee communications with counsel through workplace e-mail will remain privileged show that the circumstances are limited when the privilege is likely to survive, leading to this observation:

Nevertheless, we consider the ethical implications posed by the risks that these communications will be reviewed by others and held admissible in legal proceedings.

Thus, the ABA concluded that a lawyer has an ethical obligation to advise a client of the risks of sending attorney-client communications via workplace e-mail.

The ABA ethics opinion raises the question of whether lawyers who know that their clients are using modes of communication that may not be secure, and may be subject to interception and review by others (thus jeopardizing the privilege) have an ethical duty to warn their clients beyond the context of workplace e-mail. 

In 2008, the New York State Bar opined that the use of Gmail for attorney-client communications, even though e-mails sent through Gmail are subject to scanning by Google computers for the delivery of contextual advertising, retained the attorney-client privilege. But with the advent of many new means of electronic communication, from Facebook to Twitter and beyond, and with smart mobile devices becoming a dominant method of communication, and with varying individual privacy and data security practices on the part of clients, quaere whether a lawyer has an ethical duty to evaluate a client's communications practices and to advise on the risks that confidentiality may be lost. The ABA Opinion opens the door to such an inquiry. 

• Email This
• Print

The U.S. Court of Appeals for the Ninth Circuit held on August 6, 2009 that standing for private plaintiffs under the CAN-SPAM Act is limited.  Judge Richard Tallman, who authored the court's opinion in Gordon v. Virtumundo, Inc., No. 07-35487 (Aug. 6, 2009, 9th Cir.), noted that this was the first case in which the Ninth Circuit had attempted to comprehensively address the standing requirements under CAN-SPAM. 

The plaintiff, James S. Gordon, operated a website through which he provided email addresses for himself and friends and family members.  He intentionally registered these email addresses with 100-150 email mailing lists.  After the addresses began receiving commercial email, Gordon filed suit against many of the companies, including Virtumundo, Inc., that had sent such email.

The CAN-SPAM Act is primarily enforced by the Federal Trade Commission and state Attorneys General.  However, the Act does provide a private right of action for a "provider of Internet access service adversely affected by a violation."  The Ninth Circuit held that Gordon failed to satisfy either prong of this standing requirement. 

In addressing the service provider prong of the standing requirement, the court noted that the CAN-SPAM Act does not limit standing to traditional Internet service providers and cited to two lower court decisions that held that the social networking services MySpace and Facebook qualified as "access services."  While explicitly declining the opportunity to set forth a general test as to what it means to be "a provider of Internet access service ," the court found that Gordon's service was limited to setting up email accounts and passwords and executing other administrative tasks, which was not enough to raise him to the level of Internet access service provider within the meaning of CAN-SPAM.  Gordon's online access was provide by Verizon, and GoDaddy provided the service that enabled Gordon to create the email addresses and the personalized web site; according to the court, both of these entities could have a compelling argument that they are Internet access service providers.

As for the second prong of the standing requirement, CAN-SPAM itself does not define "adversely affected."  The Ninth Circuit noted that "the harm must be both real and of the type experienced by ISPs."  Where there is suspicion that "a plaintiff is not operating a bona fide Internet access service," courts should take an especially close look at the cited harms.  The court found that Gordon had failed to argue that he had suffered any real harm as contemplated by the CAN-SPAM Act.  He did not have to hire additional personnel, nor did he experience the technical concerns or costs that may be attributed to commercial email.  Rather, the court found that Gordon intentionally sought out and benefited financially from the burdens of which he later complained and could not be considered "adversely affected."

Finally, the court also held that Gordon's state law claims regarding allegedly misrepresented email header information were preempted by CAN-SPAM.  The court held that Gordon's claim that the "from lines" of the emails failed to clearly identify Virtumundo as the sender, did not rise to the level of "falsity or deception," the only type of state law commercial email claim excepted from CAN-SPAM preemption.

Gordon's claims were therefore denied on three counts:  (1) he was not an Internet access service provider; (2) he was not adversely affected; and (3) his state law claims were preempted by CAN-SPAM.  Three strikes and this plaintiff is out.

• Email This
• Print