Picture this:   You’re travelling across U.S. borders, heading home from a client meeting abroad.  However, unlike other trips, this time a Customs and Border Protection agent requests that you unlock and hand over for inspection your computer and cell phone — full of client confidential information.  You’ve been concerned about this issue, and so you’ve had your IT department encrypt all of the sensitive data on your devices.  Will that protect you client’s information from disclosure?

Ethics duties at the border

We wrote here last year about the ethics issues with border searches of e-devices, including the New York City Bar Association’s July 2017 opinion on how to deal with the duty of confidentiality in that scenario.

The NYCBA ethics committee advised that you may of course ethically comply with lawful government orders, but also that you should not comply “unless and until” you “undertake reasonable efforts to dissuade border agents from reviewing clients’ confidential information or to persuade them to limit the extent of their review.”

The concern about this issue was heightened by a sharp uptick in border searches of e-devices.  Customs officers searched an estimated 30,200 cellphones, computers and other electronic devices of people entering and leaving the U.S. last year — an almost 60 percent increase from 2016, according to Homeland Security Department data.

Most recently, in January 2018, the CBP revised Directive No. 3340-049, which includes procedures for searching information subject to attorney-client privilege.  Section 5.2 calls for segregating privileged material to ensure that it is “handled appropriately.”

Encryption – it’s no panacea

What about encrypting the client information on your e-device to make sure it stays confidential and won’t be revealed during a potential border search? That approach may be of limited use.

Section 5.3.3 of the revised CBP directive provides that if border officers can’t inspect your device “because it is protected by a passcode or encryption,” they may detain it and convey it (or a copy of its contents) to third parties who can supply “technical assistance.”

This is an indirect reference to the various U.S. intelligence agencies that are authorized pursuant to Section 2.6 of Executive Order 12333 to provide technical support and assistance to the CBP.  This aid may be derived from the National Security Agency, which leads the federal government in cryptology, or from the National Media Exploitation Center which consists of representatives from multiple intelligence agencies that are  responsible for decrypting, translating and analyzing documents and electronic devices in the federal government’s possession.

If CBP officers seek to decrypt and access the confidential information on your device, they likely have the authority and the technical resources, through federal intelligence agencies, to do so.

The magnitude of the risk, and what to do

Even though the 5,000 devices searched in February last year sounds like a lot, it’s only a tiny percentage according to CBP’s Office of Public Affairs. The agency says that in FY 2017, only about .007 percent of arriving international travelers screened and processed by CBP officers were required to submit to an e-device search.  That possibly points to a low risk for any one lawyer who might be returning from international travel.

But given the breadth of your ethics duty, and the limits on the ability of encryption to protect confidential client information on your devices, it would be a best practice to heed the advice that the NYCBA gave last year:

  • Depending on the circumstances, including the sensitivity of the information, you should consider not carrying any client confidential information across the border.
  • Rather than exposing your client’s information to disclosure in a search, you should securely back up client information and cross the border only with a blank “burner” phone or laptop.
  • And before coming back across the border, you should also turn off syncing of cloud services, sign out of web-based services, and/or uninstall applications providing local or remote access to confidential information.

Lawyers and their firms should consider incorporating these measures into their data security policies and practices. It’s what the times, and your ethics duties, would seem to call for.

The former general counsel for clothing retail giant Zara USA, Inc. can’t claim privilege in his discrimination-wrongful discharge suit for e-mails he created on a company-issued computer, said New York’s First Department court of appeals in an opinion last month — but the same material might be protected by the work-product doctrine, the court held.

The discovery dispute and ruling arose from a now-common scenario:  an employee who uses a company computer for personal communications about litigation against the company — and apparently, even corporate GC’s do it.

GC suit alleges discrimination, harassment

The backstory starts in June 2015, when the former GC sued his employer for bias and harassment.  In his complaint, the GC alleged that, for instance, after learning that he is gay and Jewish, company personnel sent sexually-charged e-mails to him, used Yiddish expressions in speaking to him and sent his long-time partner an e-mail with an image of a tattooed penis.  The GC alleges that after he complained about his treatment, company leaders told him that his job was in jeopardy, and eventually terminated him.

During discovery, Zara sought documents from the former GC’s laptop, asserting that it and its contents were company property under a policy that the GC had helped draft.  The policy was in the company employment handbook, and like many such policies, it:

  • restricted use of company-owned devices to “business purposes”;
  • specified that content created/stored company resources belonged to Zara “exclusively”;
  • emphasized that employees lacked any expectation of privacy in information transmitted or stored on company computers; and
  • said that Zara could access such information without prior notice.

No privilege for documents on employer-issued computer

In the trial court, the GC won a motion for protective order.  The judge wrote that Zara seemed to be “merely trying to gain litigation advantage by accessing documents that may be privileged,” referring to 101 documents on his computer that the GC created after the litigation began.

But the First Department found no privilege, reasoning that given the employee handbook provisions (which he had at least constructive knowledge of), the GC had no reasonable expectation of privacy, and thus lacked “the reasonable assurance of confidentiality that is foundational to attorney client privilege.”

This ruling is consistent with the case law in most jurisdictions, holding that attorney-client privilege does not apply to communications between an employee and the employee’s personal lawyer if made using the employer’s computer network and if the employer has informed employees that they have no expectation of privacy with respect to communications using the employer’s e-mail system.

Will work-product work?  

However, the appeals court also said that even though Zara reserved the right to access company-issued computers, it never did so, and so there was never any actual disclosure to any third party of the material that the former GC sought to shield.

As a result, even though attorney-client privilege was unavailable, the work-product doctrine might be applicable if no one other than the former GC and his counsel had actually reviewed the materials.  Accordingly, said the court, the GC’s use of Zara’s computer “for personal purposes does not, standing alone, constitute a waiver of attorney work product protections.”

Now, on remand, it will be up to the trial court to review the documents in camera and determine the work-product question.

At the crossroads

This case is at the intersection of employment law and privilege law, with facts that have become more common recently.  In fact, the First Department cited its own privilege decision earlier this year in a similar dispute over access to e-mails that Marvel Entertainment’s CEO exchanged with his wife using the company e-mail system.  There too, the court found no privilege (spousal, this time), but possible work-product protection.

The twist in this latest case is that it was Zara’s former chief legal officer who used his company-issued computer to communicate with his private counsel — making this decision one that GC’s should take note of.

ContractWhether you are in-house or outside counsel, your clients want the attorney-client privilege and/or work-product shield to apply to materials created as part of an internal corporate investigation.  But the applicability of these doctrines is very fact-specific, and difficult facts can doom that desired outcome.  That was the conclusion of the Washington, D.C. district court in an opinion last month involving the D.C. transit authority  board.

Development dispute

The transit authority  was negotiating with a developer on a construction project.  After discussions broke down in March 2010, the developer sent a letter to the transit board detailing what it believed to be improper actions of the authority and its board, and indicting that it would seek its available “remedies at law or in equity” if negotiations did not resume.  The alleged “improper actions” (set out in an earlier decision), centered on a transit board member who was also a D.C. city council member and who favored a different developer — a major campaign contributor — for the project.  The situation generated a “public outcry.”

Over two years later, the transit authority hired Cadwalader, Wickersham & Taft to “provide investigative and legal services” regarding the board’s actions in connection with the failed project.

The investigation included interviews with current and former transit personnel as well as non-transit-personnel.  It generated 51 interview memos, each marked “Attorney Work Product.”

After Cadwalader submitted its report and recommendations, the board decided to release it to the public.  The report cited and referred to the interview memos prepared during the investigation.  The developer sued the board, and sought the memos, arguing that the work-product doctrine did not apply and that the board had waived any attorney-client privilege.

The district court agreed, denied the board’s motion for protective order, and ordered the transit authority to turn over all the memos, subject only to some limited redaction.

Timing is (nearly) everything

The work-product shield did not apply to the 21 memos of interviews with non-transit-board personnel, the court said, because too much time had elapsed between the letter threatening legal action and the preparation of the memos.  Even if litigation could reasonably have been anticipated at the time the board received the letter, it did not hire Cadwalader until two years later, and did nothing in the interim.  Although acknowledging that  “there is no standard or rule regarding how close in time potential litigation must be,” two years was too long, the court said.

Further, the D.C. Circuit has adopted the “because of” standard to assess the motivation for creating materials later claimed to be attorney work product.  For instance, Cadwalader’s recommendation to the board said it had been retained “to provide general governance recommendations” and to evaluate the board’s code of ethics.  The court said the evidence showed that the board did not commission the investigation “because of” possible future litigation, and would have conducted an  investigation to evaluate its business and ethics practices even without any anticipated litigation.

Attorney-client privilege waived

Citing D.C.’s strict definition and narrow construction of privilege, the court also held that no privilege shielded the remainder of the memos, created after interviews of transit authority personnel.

Cadwalader’s report, with its legal and factual conclusions about the construction project negotiations, had originally been intended to  be disclosed only to the transit board.  Intentionally releasing the report to the public, with multiple references to at least 23 different witness interviews, was not consistent with “zealously protect[ing]” the privileged materials.  Rather, publication constituted a subject-matter waiver of the privilege as to the memos used to compile the report, and “fairness dictat[ed]” that the memos be considered together with the report, the court said.

Takeaways? 

In the investigation context, facts dictate the outcome of a privilege battle.  Here, the transit authority couldn’t get out from under some difficult facts that sank its work product and privilege arguments:  waiting so long after the threat of litigation to launch an investigation; and making the report public, which was likely a political necessity in any event.  The court’s strict holdings were the result.

.
.

Thinking of using a public relations firm to help manage a corporate crisis?  Divergent interpretations of the privilege rules have led to differing legal opinions on whether communications between a PR firm and the company or defense counsel are privileged.  A California state court of appeals decided last month that such communications were not privileged, illustrating the privilege risk that can arise in communications with PR firms.

No California exception available

Behunin v. Superior Court involved an unsuccessful real estate investment deal.  “As part of a plan to induce the Schwabs to settle” the resulting lawsuit, Behunin’s lawyers hired a public relations firm to create a website linking the Schwabs and their Indonesian investments to the family of former Indonesian dictator Suharto.

In Schwab’s suit against Behunin for libel and slander, he sought to discover communications among Behunin, his counsel and the PR firm about the creation of the website.

The court of appeals, denying a writ of mandamus, concluded that although California law may extend privilege to some communications with a PR consultant, privilege did not apply here:  Behunin failed to prove that communications with the PR firm were reasonably necessary for his lawyer to represent him in the underlying case.

Section 952 of California’s evidence code codifies exceptions to the usual rule that disclosing a lawyer-client communication to a third person destroys the privilege. But the Behunin court bluntly said in this case that “There is no ‘public relations privilege’ in California,” and that no exception to the general rule applied to the PR firm’s involvement in generating negative publicity that “would help get the Schwabs to the settlement table.”

  • Behunin did not provide evidence proving that the communications among the lawyer, the PR consultant and himself were reasonably necessary to assist the lawyer in representing him, the court ruled.  Rather than being able to show that the lawyer and consultant were involved together in “developing, discussing, or assisting in executing a legal strategy,” it appeared that the lawyer only acted as a liaison in hiring the PR firm.
  • Nor, said the court, was the PR consultant the functional equivalent of the client’s employee (a status which could potentially raise the privilege shield).  There was no detailed factual showing that the consultant was responsible for a key corporate job, had a close working relationship with the company’s principals on critical matters, and had information that no one else at the company possessed.

Differing opinions on PR firms

The application of privilege and work-product principles has generated opinions that have extended the privilege to communications among lawyers, clients and PR firms.  See King Drug Co. v. Cephalon, Inc. (E.D. Pa. 2013) (privilege applied; consultants preparing business and marketing plans were the client’s “functional equivalent”).  Other opinions are to the contrary.  See Kirby Pemberton v. Republic Services, Inc. (E.D. Mo. 2015) (no privilege; no Missouri authority extends privilege to public relations consultants, and privilege should be narrowly construed); McNamee v. Clemens (E.D.N.Y. 2013) (no privilege; PR firm only provided standard services not necessary in order to provide legal advice, and therefore disclosing documents to firm resulted in waiver).

Takeaway – caution required

Managing the media can be an important part of managing a corporate crisis.  Creating and preserving privilege in this setting demands caution, and involves a nuanced analysis that can be both fact-specific and jurisdiction-specific.

  • Stephen Williger, of Thompson Hine’s Cleveland office,  will present the keynote address, “Legal Aspects of Corporate Crisis Management,” at the 2017 Continuity Insights Management Conference in Denver, April 24-26.  He will speak on the legal aspects of pre-crisis planning, mitigation, remediation, and recovery.  Conference program   Registration

Investigation and notesBoth in-house and outside counsel can learn valuable lessons from In re General Motors, a recently-issued federal opinion on the attorney-client privilege and work-product doctrine. While some recent decisions have chipped away at the protections for attorney notes and internal memos, this opinion reaffirms that documents a lawyer creates during a corporate investigation will be protected if kept confidential.

Notes and memos from ignition switch investigation

In connection with GM’s investigation of ignition switch problems, the company’s outside counsel conducted more than 350 interviews of over 200 current and former employees. The interview notes were used to generate a report that was later publicly disclosed, referred to in the opinion as the “Valukas Report.”

Plaintiffs moved to compel production of the notes and memos. But Judge Furman, of the Southern District of New York, held that both the attorney-client privilege and the attorney work-product doctrine protected: (1) attorney notes taken during interviews; (2) summaries generated after the interviews; and (3) formal memos created after the interviews.

According to the court, Upjohn Co. v. United States – the seminal case on the attorney-client privilege and work-product doctrine in the corporate context – squarely applied.

  • First, the interviews were conducted in connection with GM’s request for legal advice in light of possible misconduct, accompanying government investigations and anticipated litigation.
  • Second, outside counsel began each interview by stating that its purpose was to collect information to assist with providing legal advice, and therefore, the matters discussed would be confidential.
  • Third, the interview materials were shared only with GM’s other outside counsel, and with GM itself.

A promise to disclose facts – not lawyer communications

Plaintiffs argued that the attorney-client privilege did not apply because GM’s CEO testified before Congress that everything related to safety would be shared. That testimony, according to the plaintiffs, demonstrated there was no intent to keep confidential the materials generated in preparing the Valukas Report. The plaintiffs also argued that interview materials were generated to provide business advice, not legal advice. Judge Furman rejected both arguments.

The court distinguished between facts and communications, reasoning that GM’s promise to disclose facts failed to show any lack of intent to keep the communications confidential. A contrary rule, according to the court, would mean attorney-client communications connected to any publicly-filed document or court pleading would be subject to disclosure.

And while GM’s CEO promised transparency with regard to the underlying facts, she did not pledge to disclose attorney-client communications. Moreover, outside counsel informed each interviewee that the interview was to gather information to help provide legal advice and was confidential. That, according to the court, further demonstrated GM’s intent to maintain confidentiality.

Advice “not exclusively legal”

The court recognized that the reason for the ignition switch investigation was “not exclusively legal.” But citing the D.C. Circuit Court’s decision last year in In re Kellogg Brown & Root (which we previously blogged about here), the court recognized that if legal advice is “one of the significant purposes” of the investigation, the privilege applies.

In GM’s case, the company hired lawyers in the face of criminal investigations by the Department of Justice and an inevitable storm of civil litigation. In that context, GM’s outside counsel was retained to provide legal advice on a “wide variety of matters relating to the recalls.” Accordingly, providing legal advice was a significant purpose of the investigation, thus raising the privilege.

Factors supporting confidentiality and privilege

This case points to some key factors that establish a company’s intent to maintain the confidentiality of an internal investigation:

  • Expressly advising the employee that the interview’s purpose is to assist in providing legal counsel and should be kept confidential – before generating work product such as notes and memos;
  • Making clear that the lawyer is providing legal advice, if that is the case.

Business advice may sometimes naturally accompany a corporate investigation. Under the reasoning of the GM decision, mixed business and legal advice may be privileged if a significant purpose is to give legal advice.  Check the law in the applicable jurisdiction, however, on the extent to which mixed business and legal advice can be deemed privileged, and the tests used to analyze that issue.