Size: px
Start display at page:



1 CURRENT TRENDS INVOLVING ATTORNEY-CLIENT PRIVILEGE AND THE HIGHER EDUCATION ATTORNEY I. Introduction June 27 30, 2012 Phyleccia Reed Cole Senior Associate General Counsel Southern Illinois University Edwardsville As an in-house attorney on a college or university campus, we face a myriad of challenges from day to day. One of the many challenges relates to separating our roles as a business partner for the organization, and as an attorney whose primary duty is to provide sound legal advice and guidance to our clients. Another major challenge associated with this dynamic is determining and clearly articulating who our client is at any given time. Depending upon the size of our legal staffs and the organization of our offices, although many of us ultimately report to and represent the Board of Trustees or the Board of Governors of our institution, we may not actually interact with those bodies very often. Many of us provide day-to-day guidance to department chairs, deans, provosts, chancellors and/or presidents on issues ranging from contract disputes and negotiations, to student discipline decisions, to employee terminations, to faculty grievances to litigation related to all of these areas and more. Protecting our conversations, opinions and writings along the way is of the utmost importance in protecting the interests of our ultimate client, and the other agents working on behalf of that client throughout the process. Many of the individuals we work with as in-house counsel every day also serve in a multitude of roles, and when we are communicating with those individuals, we must be clear to outline the role we are playing and the nature of the advice or guidance that we are conveying. For example, we might be representing a faculty member one day in a suit brought against the institution, individual faculty members and administrators for a denial of tenure; whereas on the next day we might be interacting with that same faculty member in her capacity as the faculty union president. In this type of situation in-house counsel must be very careful to separate their communications and note those related to representation in litigation as privileged, as opposed to those where counsel is on the other side of the table discussing a union grievance. In one circumstance the faculty member is our client, while the next day, in her other capacity, she is not. Another situation that arises often for in-house counsel on the topic of privilege relates to circumstances where conflicts of interest arise between an administrator and the governing board. Although normally administrators such as the president, chancellor, vice chancellors and deans, seek legal advice from in-house counsel related to their various job duties and issues that arise, once their decisions present conflicts or potential liability for the institution who is our ultimate client then it is the duty of counsel to inform those individuals that our conversations with them will be shared with others in the institution or possibly the board. Hopefully, if inhouse counsel has been clear about his or her role all along, this information will not be of surprise to administrators.

2 II. Managing Client Perceptions It is imperative as in-house counsel that we manage the perceptions of our various clients, and that we clarify our roles to them, and immediately correct any misperceptions that they have. For example, despite being advised repeatedly to the contrary, many university clients still believe that as long as they copy legal counsel on their s or other communications, the communications are automatically privileged. However, only communications that are made for the purpose of obtaining legal advice are protected by the attorney-client privilege. Moore v. Board of Trustees of Illinois Community College District No. 508 d/b/a City Colleges of Chicago d/b/a WYCC-TV, et al., 2010 WL (N.D.Ill.) at *2 (citing Matter of Grand Jury Proceeding, Cherney, 898 F2d 565, 567 (7 th Cir. 1990)). Thus, constant education is required to inform and remind our clients that communications to in-house counsel are only privileged and protected if legal advice is being sought or provided. This concept becomes very difficult in practice, because many of us discuss and advise on business matters, and provide what courts sometimes see as business advice, rather than legal advice. III. Managing Multiple Roles as In-House Counsel In the circumstance where in-house counsel also holds another position within the organization, issues of attorney-client privilege become even more blurred than they normally are for other in-house counsel. In Moore v. Board of Trustees of Illinois Community College District No. 508, an employment case, the Defendants moved to file the deposition transcript of City College s then general counsel, Yolande Bourgeois, under seal, so that they could assert claims of attorney-client privilege and the work product doctrine for parts of Bourgeois testimony. The Defendants sought to withhold approximately ninety of the transcript s one-hundred-ninety-two pages, and nine exhibits used during the deposition, citing attorney-client privilege and the attorney work product doctrine. Ms. Bourgeois also served as the College s ethics officer, as required under the Illinois State Officials and Employees Ethics Act (Ethics Act), a position which requires among other things, reporting of employee ethical violations to the Illinois State Office of Executive Inspector General (OEIG). The Plaintiff had expressed concerns to Ms. Bourgeois regarding certain activities she felt to be unethical, and Ms. Bourgeois took steps to investigate the allegations, and subsequently made a report to the OEIG. First, the Moore court looked to determine the scope of the attorney-client privilege as it applied to Ms. Bourgeois, who as stated above, served in the dual roles of general counsel and ethics officer for City Colleges. It is well established that when an attorney provides both legal and non-legal services to a client, the legal aspect must predominate in the communication under review in order for it to be protected by the attorney-client privilege. The privilege will not apply where the legal advice is incidental to business advice. Moore, 2010 WL at *3 (citing Allendale Mut. Ins. Co. v. Bull Data Systems, Inc., 152 F.R.D. 132, 137 N.D.Ill. 1993)). The dual role as in-house counsel and ethics officer does not easily lend itself to the traditional analysis previously adopted by the Seventh Circuit, which consists of eight principles that define the existence and scope of the attorney-client privilege: 2

3 (1) Where legal advice of any kind is sought (2) from a professional legal adviser in his capacity as such, (3) the communications relating to that purpose, (4) made in confidence, (5) by the client, (6) are at his instance permanently protected (7) from disclosure by himself or by the legal advisor (8) except the protection be waived. Moore, at *2 (citing United States v. White, 950 F , 430 (7 th Cir.1991)). In Moore, the Defendants argued that the attorney-client privilege applied to advice given by in-house counsel in her role as ethics officer; and alternatively, the Plaintiff argued that the ethics role was separate from her function as general counsel, because as ethics officer she merely served as a liaison between City Colleges and the OEIG, which is actually charged with investigating allegations of fraud. Contrary to the Plaintiff s argument, pursuant to the Ethics Act, ethics officers are required to do more than simply act as a liaison. Specifically, although the Act does not require ethics officers to be attorneys, it contemplates a quasi-legal function for the officer, who must: Provide guidance to officers and employees in the interpretation and implementation of this Act, which the officer or employee may in good faith rely upon. Such guidance shall be based, whenever possible, upon legal precedent in court decisions, opinions of the Attorney General, and the findings and opinions of the Executive Ethics Commission. ILCS 430/20-23(3). An ethics officer, therefore, is required to give advice on compliance with Illinois law based on the officer s interpretation of legal precedents. Moore, at *3. There would be no privilege issue if the ethics officer were a non-attorney, however where the ethics officer is also the general counsel, it can be very difficult to draw the line between non-legal advice and traditional legal counsel. Id. A college employee could reasonably expect that she was making confidential communications designed to seek legal advice on whether certain actions would be, or were, in compliance with the Ethics Act. Id. Thus, the Court in Moore held that communications between the City Colleges general counsel/ethics officer and the Plaintiff employee relating to potential violations of the Ethics Act were the types of communications that the attorney-client privilege is designed to protect, and therefore if the eight stated factors are met, the communications would be privileged. Id., at 4-5. Based upon this framework, the Court determined that notes from one conversation between the Plaintiff and counsel, and the deposition testimony related to that conversation were protected by the attorney-client privilege. Id. In contrast, a subsequent conversation between the Plaintiff employee and the general counsel, where other potential ethical violations were discussed, was found not to be protected by the attorney-client privilege, because of the setting of the conversation. The plaintiff and general counsel were personal friends as well as co-employees, and this subsequent conversation took place in that context. Based upon the setting and circumstances, even though similar topics were discussed among the same two people, the Court found the subsequent conversation not to be covered by the attorney-client privilege, and instead an expression of private frustrations and job concerns. Id. at 6. The 3

4 attorney-client privilege is limited to situations in which the attorney is acting in the capacity as a legal advisor, not merely as a friend who happens to be an attorney. Id. The Moore case highlights several important points for in-house college and university counsel that many of us encounter on a daily basis, whether or not we officially serve in dual roles on our campuses. First, in-house counsel must distinguish between advice and conversations that really are legal in nature, as opposed to those which relate to day-to-day business matters. Because many day-to-day business matters can have serious legal implications if handled inappropriately, this analysis can prove difficult. For example, on a college campus disciplining a student for misconduct is a regular occurrence, however many disciplinary actions can lead to legal claims being brought against the institution. In order to protect communications to the greatest extent possible, in-house counsel should instruct their clients to frame communications and questions directed to counsel around the specific legal implications that are of concern; and likewise in-house counsel should frame their responses as to specifically address legal aspects of the situation. Next, in-house counsel must be cognizant of the circumstances and settings surrounding conversations with their institutional clients. In-house counsel work closely with their co-employees on a daily basis, and thus it is not unusual that friendships may arise, and at times counsel may socialize with such friends, during which conversations regarding work related topics may arise. In-house counsel should be careful in these circumstances not to discuss topics that could or should be privileged, if such discussions were to occur in the office setting. IV. Public Document Requests Public colleges and universities, and other public institutions have experienced increases in the number of Freedom of Information Act (FOIA) or Sunshine Act requests for documents such as s and other internal communications, in efforts to obtain documents that otherwise might not be disclosed except through discovery in litigation. Because requestors or becoming more savvy, and are challenging denials of the release of requested public documents, in-house counsel must be even more vigilant with respect to appropriately characterizing documents as privileged. FOIA requests may be submitted at any time, and in many states, including Illinois, the time frame to respond to requests is short. In addition to the necessary vigilance in the review the responses to FOIA requests, this situation highlights another duty of in-house counsel to constantly monitor the communications being made by agents of the institution, to ensure that negative offhand comments or opinions are not being made in written communications that can be requested at any time by members of the public. This task is easier said than done, however it has become a necessary one required of many in-house counsel due to the magnitude of electronic communication, and the volatility of many ongoing disputes, which either have or could result in litigation or outside agency complaints. 4

5 On another note with respect to public records requests, in a very recent binding Illinois Attorney General Opinion, a claim by Central School District No. 104 of attorney-client privilege submitted for the purpose of withholding outside counsel legal bills was unsuccessful. Public Access Opinion (March 12, 2012). The Illinois Freedom of Information Act (FOIA) (5 ILCS 140/9.5(f)) authorizes the Office of the Illinois Attorney General to issue binding opinions when disputes arise related to FOIA requests in the State. Section 7(1)(m) of the Illinois FOIA statute exempts from disclosure communications between a public body and an attorney which would not be subject to discovery in litigation, including communications covered by the attorney-client privilege. It is well recognized that information regarding the amount of fees paid by a public institution for legal services is not considered to be a confidential communication, and therefore is not protected by the attorney-client privilege. The payment of fees is merely incidental to the attorney-client relationship, and typically does not involve the disclosure of confidential communications arising from the relationship. People ex rel. Ulrich v. Stukel, 294 Ill.App.3d 193, (1997). However courts have acknowledged that certain types of billing records may contain explanations of legal fees, and may indicate the type of work done or the matters discussed between the attorney and client. As such, they could reveal the substance of confidential attorney-client communications and be subject to valid claims of attorney-client privilege or exemption under FOIA. Id. at 201. In the instant opinion, the Attorney General held that the portions of the invoices that contained substantive descriptions of the work performed could be redacted from the documents disclosed, and withheld as exempt communications under FOIA. On the other hand, generic descriptions such as telephone conference or court appearance must be disclosed along with the amount of the fees. Illinois Attorney General Public Access Opinion (March 12, 2012). Thus, in our review of outside legal counsel bills requested for release, we must make sure that we protect the attorney-client privilege and redact any substantive descriptions which could waive an otherwise valid claim of privilege. V. Conclusion As in-house counsel we provide advice and counsel on a daily basis, in a wide variety of contexts and circumstances. We must be vigilant in the protection of such communications, where the attorney-client privilege is warranted, and we must also educate our many clients on how they should frame their communications to us in order to protect themselves, and the institutions that we all represent. Finally, although the various standards utilized in different jurisdictions are discussed in our attorney-client privilege overview materials, it is important to note that in-house counsel should consult the laws specific to their jurisdiction in order to ensure that appropriate steps are taken to meet the relevant standard. 5


7 By Stephen H. Pugh, President Pugh, Jones & Johnson, P.C. Attorney-Client Privilege Considerations for College and University In-House Counsel I. Introduction When asked, all attorneys can quickly define the phrase attorney-client privilege : A communication, between privileged persons, made in confidence, for the purpose of providing legal assistance to the client. On its face, the parameters of this privilege seem clear. In practice, however, deciding what is and is not privileged can be much more difficult. This is particularly so with college and university in-house counsel, who often are afforded a much narrower privilege between themselves and their employers than that typically provided to outside counsel. In short, the determination of college and university in-house counsel privilege is complicated by the fact that, on any given day, in-house counsel serve in many different capacities and not all of them are centered around providing legal advice. College and university counsel can have multiple roles within the same interaction with in-house employees. And when a dispute arises, it can often be difficult to determine, as the courts must, whether there was: a communication ; between privileged persons ; made in confidence ; for the purpose of providing legal assistance to the client. The goal of this paper is to provide guidance on the attorney-client privilege to college and university counsel, so that the privilege can be fully defended when appropriate and counsel can more readily understand its limits. Specifically, we provide an overview of the attorney-client privilege; key rules and decisions outlining the attorney-client privilege for college and university counsel; guidelines for counsel in the context of litigation, institutional transactions and investigations; and practical considerations for protecting the attorneyclient privilege. II. Overview of Attorney-Client Privilege One of the tenets of legal practice is the attorney-client privilege, which protects confidential communications between a client and his attorney from disclosure. However, the mere fact that a communication is made directly to an attorney, or an attorney is copied on a memorandum, does not mean the communication is necessarily privileged. U.S. Postal Service v. Phelps Dodge Refining Corporation, 852 F. Supp. 156, 160 (E.D. N.Y. 1994). 1/ Importantly, the attorney-client privilege does not apply when an attorney is acting in a non -legal capacity. See SR Int l Business Insurance Co. v. World Trade Center Properties LLC, No. 01 Civ (JSM), 2002 WL at *4 (S.D.N.Y. July 3, 2002). Further, the attorney-client privilege only protects legal information in a communication, and may not extend to the underlying facts incorporated in the communication. UpJohn Co. v. U.S., 449 U.S. 383, 389 (1981). 1/ See Rumain v. Baruch College of the City University of New York, No. 06 Civ. 8256, 2007 WL , *2 (S.D.N.Y. 2007) (in ruling on discovery dispute arising out of an employment discrimination claim, court ordered university to produce in-house counsel s e- mails, when the s [did] not address any legal issues or call upon [in-house counsel] for legal advice but instead were a purely administrative matter ). PUGH, JONES & JOHNSON, P.C. 180 North LaSalle Street, Suite 3400, Chicago, IL P: 312/ F: 312/ PJJLAW.COM

8 As a consequence, when in-house counsel's job responsibilities involve business-oriented duties, communications pertaining to those duties may amount to no more than business advice and may fall outside the privilege. Michael L. Turrill, Adam W. Bentley, Applying the Attorney-Client Privilege to In-House Counsel, Los Angeles Lawyer, February 2012, at 17. Thus, an attempt to cloak an entire conversation in a business meeting with the privilege by inviting in-house counsel to merely sit in the room is futile. Id. Courts often look to the primary purpose of the advice in-house counsel provide. Therefore, to be protected by the attorneyclient privilege, the advice must be predominantly legal advice, not solely, or even largely legal advice. See United States v. IBM Corp., 66 F.R.D. 206, (S.D.N.Y. 1974). Thus, while always keeping the primary purpose test in consideration, college and university counsel should evaluate advice in the context of the following questions to determine if that advice will be considered privileged: (1) do your communications reflect use of legal skill or the application of legal principles; (2) is the communication necessary for you to give legal advice; (3) did your client use the communication to make a legal decision; (4) do you have a duty and responsibility to provide legal advice on this subject; and (5) did your communications occur in a situation in which the client needed legal advice. 2/ Based on the principles of the primary purpose test, generally, pure business advice and pricing strategy are not privileged, whereas pure legal advice, as well as an analysis of the corporation s potential criminal exposure, are privileged. A closer call is whether mixed business-legal advice is privileged, and it depends on whether the legal advice is merely incidental, or is it instead the primary purpose of the communication. See Allendale Mut. Ins. Co. v. Bull Data System, Inc., 152 F.R.D. 132, 138 (N.D. Ill. 1993). III. Rules and Legal Precedent Governing Attorney-Client Privilege for In-House Counsel Although the line between privileged and non-privileged communications for in-house counsel may seem unclear, legal rules and case law provide some guidance. We discuss below the critical differences between the federal definition of attorney-client privilege, compared to the Illinois definition. A. Subject Matter vs. Control Group Standard. Attorney-Client Privilege Considerations for College and University In-House Counsel Page Two There are two leading standards that are used to evaluate whether a communication is protected by the attorney-client privilege. Under the Subject Matter Test utilized by the federal courts, there is no third-party right (i.e., discovery) to written or oral communications between an employee and in-house counsel that are made for the purpose of facilitating the attorney s legal advice to the company. UpJohn Co. v. United States, 499 U.S. 383, 389 (1991). Consistent with the UpJohn decision is Fed. R. Evid. 501, which states, the common law as interpreted by the United States Courts... governs a claim of privilege, unless the U.S. Constitution, federal statutes, or the Supreme Court provides otherwise. 3/ 2/ See Kobluk v. University of Minnesota, 574 N.W. 2d 436, 443 (Minn. 1998) (drafts of letters exchanged between university s provost and in-house counsel were privileged, as drafts came into existence by reason of the attorney-client relationship and they represent, respectively, a request for and the rendition of legal advice ). 3/ See State ex rel. Oregon Health Sciences University v. Hass, 325 Or. 492 (Or. 1997) (in Oregon, which applies Upjohn s subject matter test, comments by university department head regarding report by university s in-house counsel did not waive attorney-client privilege regarding contents of report, as university department head and members of department faculty were representatives of university, when it was clear that the underlying report was privileged). PUGH, JONES & JOHNSON, P.C. 180 North LaSalle Street, Suite 3400, Chicago, IL P: 312/ F: 312/ PJJLAW.COM

9 Attorney-Client Privilege Considerations for College and University In-House Counsel Page Three The Control Group Test, used in Illinois state courts, provides for a narrower privilege and specifically, a much narrower definition of privileged persons than the Subject Matter Test. Under the Control Group Test, courts will focus on the status of an employee that counsel communicates with, and only communications with employees in the control group are privileged. The control group is defined as an employee whose advisory role to top management in a particular area is such that a decision would not normally be made without his advice or opinion, and whose opinion in fact forms the basis of any final decision by those with actual authority. See Consolidation Coal v. Bucyrus-Erie, 89 Ill. 2d 103, 120 (Ill. 1982). 4/ And as with the federal system, there is a corresponding Illinois Rule of Evidence. Illinois R. Evid. 501 provides that [e]xcept as otherwise required by the Constitution of the United States, the Constitution of Illinois, or provided by applicable statute or rule prescribed by the Supreme Court, the privilege of a witness shall be governed by principles of common law as they may be interpreted by Illinois courts in light of reason and experience. Hence, the varying scope of privilege, depending on the applicable standard, underscores the need for being prepared to ensure that your communications are protected, even under the narrowest standard. For instance, suppose you are in-house counsel for a nationwide company, and there is the threat of litigation that arises from events that occurred in Illinois. If there are communications that you want to ensure are protected by the attorney-client privilege, you must make sure those communications stay within the control group, particularly if there is any chance that state claims can arise in the threatened litigation. B. Case Law Analyzing the Attorney-Client Privilege for In-House Counsel. Due to the rise of electronic discovery, the number of documents that need to be reviewed in any given privilege analysis have grown exponentially. This growth has led to decisions that seek to establish the rules with respect to electronic discovery. One such case is In re Vioxx Prods. Liability Litig., 501 F. Supp. 2d 789 (E.D. La. 2007), and it shows just how strict the rules can be. In the Vioxx litigation, Defendant Merck produced over two million documents, and asserted attorney-client privilege as to approximately 30,000 of them, seeking protection under a number of theories, the most notable of which are the pervasive regulation theory and the collaborative effort theory. Id. Specifically, in seeking to establish the pervasive regulation theory, Merck argued that virtually every communication sent to its legal department (or in which the legal department was involved) was privileged by virtue of the pervasive nature of governmental regulation of the drug industry. Id. A court-appointed special master noted that accepting such a theory would effectively immunize most of the industry s internal communications because most drug companies are structured such that virtually every communication leaving the company must first go through the legal department for review, comment and approval. Id. at / See Osborne v. Johnson, 954 S.W. 2d 180 (Tx. App. Ct. 1997) (during an investigation conducted by Baylor University s Associate General Counsel, investigation documents and reports were distributed to individuals outside of the control group. Due to that disclosure, court held that documents were no longer protected by the attorney-client privilege, and thus court ordered production to opposing counsel). PUGH, JONES & JOHNSON, P.C. 180 North LaSalle Street, Suite 3400, Chicago, IL P: 312/ F: 312/ PJJLAW.COM

10 Attorney-Client Privilege Considerations for College and University In-House Counsel Page Four The special master also considered Merck s attempt to invoke the collaborative effort theory, i.e., the argument that internal s distributing drafts to multiple legal and non-legal departments within the company were privileged because they were part of a collaborative effort to accomplish a legal sufficient draft. Id. at 803. While the special master agreed that privilege protection should be afforded to in-house counsel s internal comments on legal instruments, such as patent applications or contracts, and to internal drafts and communications of in-house counsel regarding preparation of the company s response to warning letters issued to the Food and Drug Administration ( FDA ), the special master did not agree that the theory applied to nonlegal instruments such as scientific reports, articles and study proposals. Id. at 802. Merck also attempted to convert non-privileged documents into privileged ones under a reverse engineering theory. In re Vioxx, 501 F. Supp. 2d at 804. Under this theory, Merck argued that opponents could become apprised of privileged information: (1) if initial drafts are discoverable from the files of non-lawyers; (2) adversaries isolate the recommendations made by the non-lawyers on those drafts; and (3) then compare those changes to the final version approved for publication. Id. Merck argued that the remaining changes would be the substance of the advice their legal department offered (and hence an opponent could reverse engineer their way to the comments provided by in-house counsel). The special master rejected this theory, because in his view: (1) the fact that legal departments recommend that certain actions be taken by their corporations does not mean that the corporations must follow that advice; (2) alterations can be made in the absence of recommendations from the legal department; (3) all recommendations prompting revisions are not necessarily proposed in writing; and (4) corporations do not have the power to change in-house counsel s role from that of a legal advisor to a corporate decision-maker. (emphasis in original). Id. at 805. The district court adopted the special master s report. Id. at 815. With the evolution of the roles of in-house college and university counsel and their close working relationships with their fellow employees, the question of who in-house counsel represents has become blurred. Recent cases seek to correct that course. For example, United States v. Ruehle, 583 F.3d 600 (9 th Cir. 2009) illustrated the rule that counsel must make clear that he represents the company, and not its employees. In Ruehle, Broadcom s CFO disclosed the results of an internal investigation to Broadcom s outside auditors and the government, which subsequently began an official investigation. Id. at 602. The CFO then sought to apply the attorney-client privilege to extend to statements he made during the internal investigation. Id. at 605. The trial court held that the CFO s communications were privileged, but that counsel had breached ethical duties for inadequately informing the officer as to exactly who was the attorney s client. Id. at 606. The Ninth Circuit reversed the trial court s finding that the attorney-client privilege applied, and held that the CFO could not assert the privilege because he knew at the time of the communication that the company would disclose the results of the investigation to the government. Id. at 609, 613. As a result, the CFO failed to demonstrate that his communications were made in confidence. Id. The Ninth Circuit also emphasized the need for corporate counsel to provide UpJohn warnings. Id. at 604, n.3. IV. Considerations for Corporate Transactions and Investigations Although much of the case law involving attorney-client privilege ultimately arises in the context of litigation disputes, it is important to remember that questions regarding the scope of attorney-client privilege also can arise in corporate transactions and internal investigations. Below are some considerations for college and university counsel in those contexts. PUGH, JONES & JOHNSON, P.C. 180 North LaSalle Street, Suite 3400, Chicago, IL P: 312/ F: 312/ PJJLAW.COM

11 Attorney-Client Privilege Considerations for College and University In-House Counsel Page Five A. Corporate Transactions. Protecting the attorney-client privilege in corporate transactions can be difficult because many of the legal decisions in transactions heavily rely upon business judgments. What also can complicate matters in transactional work is that third-party professionals (i.e., investment bankers, auditors) may become involved early on in business transactions, and questions can arise regarding whether their involvement waives the attorney-client privilege. 5/ The privilege can be easily determined when in-house counsel perform legal tasks, and business decisions are left to non-lawyers. If, through the course of performing legal work, concerns arise that appear to fall on the business rather than legal line, the company should have a dedicated non-legal professional available to quickly address those concerns, so that in-house counsel can continue to sufficiently address the legal questions. B. Internal Investigations. Internal investigations are a common reality for many legal departments, as they often are the first response to government investigations, allegations of employee wrongdoing, or a threat of litigation against the company. However, it is important to ensure that certain safeguards and procedures are implemented, so that the attorney-client privilege is maintained throughout the course of the investigation. Here, it is all too easy to mix legal advice (i.e., did the employee break the law) with business decisions (i.e., whether someone should be disciplined, terminated, etc.). If it appears that in-house counsel will serve in both a legal and business capacity, but the employer wants to maintain the privilege, then the employer should consider engaging outside counsel to conduct the investigation. Moreover, if it appears that in-house counsel had a role in the underlying activity which led to the investigation (i.e., recommended firing the employee who now is suing the company), the employer should require other in-house counsel to conduct the investigation, or engage outside counsel. V. Best Practices for Maintaining the Attorney-Client Privilege In light of the above discussion, below are several practice pointers that we recommend: Consider the organization s structure and, if possible, place college and university counsel (and their staff) within the organization s legal department. Use the title of legal counsel when communicating about legal matters. Whenever possible, separate legal and business communications. 5/ See U.S. v. Massachusetts Institute of Technology, 129 F.3d 681 (1 st Cir. 1997) (during IRS investigation concerning whether MIT still qualified for 501(c)(3) status, First Circuit held that MIT could not assert the attorney-client privilege or work product doctrine to documents that previously had been disclosed to the Defense Contract Audit Agency). PUGH, JONES & JOHNSON, P.C. 180 North LaSalle Street, Suite 3400, Chicago, IL P: 312/ F: 312/ PJJLAW.COM

12 Attorney-Client Privilege Considerations for College and University In-House Counsel Page Six Review written corporate policies for any committees with legal counsel representation. Emphasize in written policies the role of legal counsel to provide legal advice to such committees and the purpose of such committees to act on such legal advice. Where appropriate, advise employees in writing that communication/cooperation with in-house counsel is required to assist in providing legal advice to the company. Don t mark everything circulated by in-house counsel as privileged. Marking everything privileged could end up sending a red flag to a court and/or government investigator. Counsel should ensure that any communications (i.e., s) only go to those employees that absolutely need to receive them. Try to avoid s with department-wide cc s. Likewise, consider a college/university practice where employees are given instructions on whom to (and perhaps whom not to ) if they have questions or concerns of a legal nature. Consider retaining outside counsel to handle particularly sensitive matters. Confidential communications with outside counsel are more likely to be characterized as legal advice. About Pugh, Jones & Johnson, P.C. Pugh, Jones & Johnson, P.C. (PJJ) provides legal services in civil and white collar criminal trials and appeals, public finance, commercial real estate transactions and other transactional expertise to educational institutions, corporations, governmental entities, financial institutions, not-for-profit entities and entrepreneurs. Our lawyers are former federal prosecutors, former general counsel and in-house counsel, experienced public finance and tax attorneys, and experienced trial counsel. About the Author STEPHEN H. PUGH, President and co-founder of PJJ and a former federal prosecutor with the Department of Justice, has over 30 years of experience in complex commercial litigation, civil rights, directors and officers liability cases, internal and external corporate investigations, and in representing major governmental and educational entities in a variety of areas ) Mr. Pugh was assisted in the preparation of this article by PRESTON L. PUGH, Partner ), and SHAUNA L. FULBRIGHT-PAXTON, Associate ). Legal Notice: The information provided herein is for general information purposes only and does not claim to be comprehensive or provide legal or other advice. ing an attorney at Pugh, Jones & Johnson, P.C. shall not and does not create an attorney client relationship between you and the attorney. If you do not have an existing attorney client relationship, your will not be privileged or confidential. PUGH, JONES & JOHNSON, P.C. 180 North LaSalle Street, Suite 3400, Chicago, IL P: 312/ F: 312/ PJJLAW.COM

13 WHO STOLE MY IPHONE... AND WAS THE PASSCODE ACTIVIATED? TECHNOLOGY RISK AND RISK MANAGEMENT FOR CLIENT INFORMATION June 27 30, 2012 Michael Downey Armstrong Teasdale LLP Saint Louis, MO To avoid waiving the attorney-client privilege, lawyers and clients generally must take reasonable precautions to protect the confidentiality of the communication. Thus, it is perhaps not surprising that the American Bar Association s Ethics 20/20 Commission recently proposed adding a section to ABA Model Rule 1.6 that would specifically require lawyers to take reasonable efforts to protect client information. As proposed in the Commission on Ethics 20/20 s February 2012 draft, the new provision, Rule 1.6(c), would state: A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. ABA Commission on Ethics 20/20, Revised Draft Resolutions for Comment Technology and Confidentiality at 8 (Feb. 21, 2012)available at (proposal for Rule 1.6(c)). Many of the threats to client information now are linked to technology, either due to malicious acts or careless use of technology. Thus, it may also not be surprising that the Commission on Ethics 20/20 is proposing adding language to the comment to Rule 1.1, the rule stating the duty of competency, that says a lawyer s obligation [t]o maintain the requisite knowledge and skill includes that the lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with technology.... Id. Proposal for Rule 1.1 cmt [6], available id. at (emphasis added). (The new language is the italicized portion.) For many lawyers, making such a commitment to protect client information, particularly in this wireless, Web 2.0 world, will require a change in habits and mindset. This article provides some basic guidance for lawyers and firms on protecting their client information. In doing so, I draw freely from and without re-citing attribution to an earlier article that I wrote with Anthony Davis, which was published as Protecting and Securing Confidential Client Data, New York Law Journal (November 5, 2010), available at In particular, the section Protecting Information is drawn copied from this earlier article. Threats to Information. In order to protect client information, the first step often involves identifying the threats to such information. Threats to client information particularly electronically stored information come from many quarters, and involve very basic and very advanced technologies. Some criminals seek direct access to information that lawyers maintain, for example by paying someone to provide financially sensitive information. Others may attack the container that holds the information. For instance, a criminal may steal a briefcase, a smart phone, or computer, thereby gaining access to important information stored there. Criminals may also seek to gain access by breaking into an office or hacking into a firm s computer system. 1

14 Criminals are not the only source of threats to law firm information. Disgruntled employees may disclose information in order to harm clients or their law firms, or take information to establish an independent practice, or to help an adversary. And not all threats to the security of information are grounded in malice. An employee may lose information, or simply leave it on a desk, so that an opportunist (perhaps a custodian or office visitor) may take advantage of information inadvertently left in plain sight. Lawyers may also be targets for government or corporate spies. Whether an unscrupulous person or business seeks information for insider trading, to gain a competitive business or strategic advantage, or to undermine an adversary s case, law firms may be prime targets for espionage efforts. Just as the sources of risk are numerous, so are the means for obtaining information held by law firms. The principle threats to information may be divided into three categories. First is access through electronic means. Traditionally this meant wire taps and bugs, but the computer and ease in transporting data have given rise to an entire vocabulary for the ways in which criminal hackers sometimes called crackers can obtain information. A criminal hacker may use an ipod to podslurp information, or a thumb or flash drive to thumbsuck it. Or a criminal hacker may send an to phish for data or passwords, or tap a Bluetooth device and listen to calls or access applications by bluesnarfing. Criminal hackers may even pose as a friend or acquaintance, or at least use a friendly or other electronic communication, in the hopes of gaining access to a computer network. Perhaps their aim is to review information, or perhaps they hope to plant spyware such as a Trojan horse or bot that can provide access and information in the future. The second type of threat, physical access, is often forgotten, but presents no less danger. Such threats range peaceful and harmless conduct like listening to telephone calls and viewing documents left on a desk to violent actions such as breaking into offices or stealing computers or data devices. Physical access attacks also include such time-honored tricks as inducing disgruntled employees to provide information, or engaging in dumpster diving. The third type of threat involves social engineering or persuasion. A standard tool of con men, white collar criminals, and corporate spies, social engineering often involves befriending people who have information, or can get information, and inducing them to provide that information. Lawyers and staff are often quite willing to share information about their work with virtually anyone who will listen. Law firms often pay little attention to whether (new) employees may be seeking employment in the hopes of obtaining confidential information. Corporate and government spies often thrive on information they can obtain through well-placed people. Perhaps the most spectacular recent story concerns the intimate relationship that Russian spy Anna Chapman with a leading New York transactional lawyer shortly before Ms. Chapman was deported in 2010, and the information that she may have sought through that relationship. See Anna, the Spy Who Loved Me, New York Post (April 8, 2012). Protecting Information. In light of the wide variety of threats, and serious consequences that can result from both inadvertent disclosure and unauthorized access, lawyers are at last beginning to take seriously the need to impose proper protocols in order to protect information in their charge. At the highest level, some law firms have sought to become ISO/IEC27002 compliant and even certified. ISO/IEC27002 is an information security standard developed by the International Standards Organization (ISO) and the International Electrotechnical Commission (IEC). ISO/IEC27002 contains twelve main sections: 2

15 1. Risk assessment 2. Security policies 3. Organization of information security 4. Asset management 5. Human resources security 6. Physical and environmental security 7. Communications and operations management 8. Access controls 9. Information systems acquisition, development, and maintenance 10. Information security incident management 11. Business continuity management 12. Compliance Most law firms are not ready to undertake the expenditures of time and money that the full ISO/IEC certification process requires. Only a handful of U.S.-based firms can now claim ISO certification. Yet the ISO/IEC guidelines provide a useful outline for what they may do protect information. Specific protocols for improving data protection include: Assess where information is located. Conduct an audit to determine what information a law firm holds, where that information resides, and who can obtain access to the information. This assessment should include an audit of the firm s use of the Internet and remote systems, as well as how paper and electronically stored information is handled throughout its lifecycle (from creation or receipt through disposal). This assessment should not stop at the function or application level. For example, if lawyers use virtual storage or operating in the cloud, the firm should obtain information to determine the location and protections that exist for such operations. Once completed, the assessment should guide the remaining work to improve the protection of confidential information. For example, if a firm determines that it keeps too much information for too long, or that inappropriate people have access to information, the firm should use that knowledge as it determines what it will keep, where it will store information, and who should have access to that information. Educate on confidentiality. Lawyers should ensure that they educate everyone who has access to information about the value and need for confidentiality, as well as what the firm and individuals can (and are expected to) do to protect information. The goal is to create a culture of confidentiality : constituents need to understand that information should not remain unnecessarily vulnerable, and should only be shared when necessary or appropriate. This education should reach to all levels of the firm, not just to the lawyers. Firms should consider establishing and promoting (including through its education program) codes of conduct that include rules on handling client-related and other confidential information. Firms should also use reminders, including on computer log-in screens and the like, to ensure that constituents receive repeated reminders of their need to protect confidentiality. 3

16 Education on confidentiality should be reinforced through reminders and further education. Lawyers and staff also need to know how to raise concerns when they believe data may have been released or data security compromised, and whom to alert when a disclosure is discovered. Formalize confidentiality. Consider obtaining confidentiality agreements for everyone who has access to information, including employees, non-employees such as custodians, security guards and temporary employees, and providers. Firms should also consider adopting policies and procedures that restrict how information is handled, for example that client documents must be kept on a firm network or in a firm document-management system. Policies establishing confidentiality obligations should express clear penalties for non-compliance, and these should be invoked whenever appropriate. Adopt physical protections for information. Firms should adopt the physical safeguards necessary to protect confidential information. This will likely include the use of locked or restrictedaccess areas. It will also include ensuring that adequate facilities are available for the shredding of documents, as well as provisions to ensure that confidential waste is destroyed each day. Manage electronic information. Many firms have adopted rudimentary policies to protect information, but these may require review and, where appropriate, further enhancement. Most firms do, and all firms need to take steps to ensure that their software in particular firewalls and anti-virus programs is current. These protections, as well as systems to ensure the use and updating of adequate passwords, are the minimum in connection with protecting sensitive information. Increasingly, clients themselves are requesting law firms to adopt and use encryption, and firms should not wait for such requests before considering whether, and to what extent to use encryption on some or all of the information they hold. Firms should also review settings on computers, smart phones, and other devices to ensure that these devices do not become the weakest link in a firm s data protection system. For example, if passcodes are easily activated, firms should generally require their activation, unless there is a good reason for not doing so. Firms should consider who has access to and who accesses confidential information. Enterprise rights controls can limit access to those people who actually require access. Does every lawyer and secretary, for example, need access to non-public information relating to a public company s merger or settlement of a major claim? Firms should also consider monitoring the access to and flow of information, including to determine when unusual amounts of information are moved off the network, so that problems can be detected and promptly addressed. Finally, firms should seriously consider taking the most important confidential information off the network altogether. Electronic protections often cross-over to include physical protections. Firms may want to adopt a policy that restricts the use of portable electronic data storage and communications systems, particularly around the most sensitive confidential information in their care. Lawyers may consider it odd that a firm would tell them not to bring ipods or cell phones into their offices or into certain work areas, although such rules are quite common at defense contractors or other companies where information security is at a premium. At minimum, firms should seriously consider permitting the use only of firm authorized smart phones that they can wipe clean if lost, and firm-issued, encrypted flash or thumb drives. In addition, if information is saved on individual computers, firms should consider at least requiring the use of encrypted or clean laptops for travel, particularly international travel. Manage human resources to protecting confidentiality. When hiring, a law firm should appropriately screen employees who will have access to confidential information, including 4

17 conducting credit and background checks. Having conducted such reviews, firms should make sure that they take adequate steps to address any problems the screening identifies, and to renew such evaluations on a periodic basis or when circumstances indicate further due diligence is appropriate. Managing human resources should extend to establishing adequate support systems for employees. These support systems should ensure that people who need help turn to the firm or its support system (such as employee assistance systems), instead of turning against the firm and taking action that may harm the firm or its clients. Disposal. Particular dangers arise from disposal of law firm-related information. Firms need to ensure they have convenient, adequate receptacles to receive information to be discarded, and that those receptacles are emptied and shredded on a regular basis. Further, firms should make sure that they dispose properly of all electronically stored information, including that they offer secure destruction for home computers or personal equipment that may contain firm-related information. Finally, having assessed what important information they have, firms should clean out (using secure disposal) sensitive information that is no longer needed. Evaluate insurance coverage. As noted at the outset, problems that may arise from inappropriate disclosure of confidential information may fall outside standard lawyers professional liability (LPL) policies. While some policies may exclude loss of client information as and other losses of client property from coverage, larger law firms LPL policies usually provide coverage related to the loss of client information. Yet even the best LPL policy generally does not cover other costs a firm may incur from a damage breach, such as from reputational injuries or crisis management costs. Insurance can provide an important tool for managing the risks of such costs. Insurers now offer a diverse portfolio of policies that protect firms from a much broader range of costs they may incur from a release of client information. These so-called cyber policies typically provide indemnification for the cost of notice and coverage for fines and damages that may follow a breach of client information security. Prepare for an unauthorized release. Finally, even if firms undertake broad, vigorous efforts to improve their information protection systems, the possibility of an unauthorized or improper release always remains. Firms should prepare for a breach, and how they will respond to a breach, before any breach occurs. The response plan will need to have several components: first, it will likely include a remedial response, for example identifying and closing the system breach. Second, firms may need to provide notice, including to insurers, affected clients, employees, and particularly under applicable state data protection laws to regulators. Third, the response plan will also likely include a public relations response to ensure the affected firm s reputation remains secure with clients and the larger community. Finally, fourth, firms may want to evaluate in advance what action they will take against the breaching party, including possible civil action, such as seeking temporary restraining orders, and, in appropriate circumstances, even criminal prosecution. Conclusion. The duty to protect client information is central to a lawyer s role. The proposed rules related to technology and confidentiality therefore should be seen as a good reminder that lawyers need to take steps to protect client-related information, and to respond if there is a disclosure or unauthorized access, before such situations occur. We owe such a proactive response not only to our clients, but to ourselves, to help avoid situations that may cause much lost sleep and many frayed nerves if not worse later. 5



More information

Drafting and Enforcing Fee Agreements

Drafting and Enforcing Fee Agreements Drafting and Enforcing Fee Agreements Prepared by Steven M. Richman, Esq. 2008 Duane Morris LLP. All Rights Reserved. Duane Morris is a registered service mark of Duane Morris

More information

ediscovery Advantage Florida Amends Rule of Civil Procedure to Address ESI Introduction Table of Contents

ediscovery Advantage Florida Amends Rule of Civil Procedure to Address ESI Introduction Table of Contents July-August 2012 Volume 2, Number 3 Introduction Over the course of this summer, two states Florida and Illinois have amended existing rules to address electronically stored information ( ESI ) and/or

More information

ETHICAL CONSIDERATIONS IN WORKERS COMPENSATION CASES. Leto Copeley Patterson, Harkavy & Lawrence, L.L.P. Raleigh, North Carolina

ETHICAL CONSIDERATIONS IN WORKERS COMPENSATION CASES. Leto Copeley Patterson, Harkavy & Lawrence, L.L.P. Raleigh, North Carolina ETHICAL CONSIDERATIONS IN WORKERS COMPENSATION CASES Leto Copeley Patterson, Harkavy & Lawrence, L.L.P. Raleigh, North Carolina I. INTRODUCTION The source of guidance for ethical conduct by attorneys in

More information


ICC CYBER SECURITY GUIDE FOR BUSINESS ICC CYBER SECURITY GUIDE FOR BUSINESS ICC CYBER SECURITY GUIDE FOR BUSINESS Acknowledgements The ICC Cyber security guide for business was inspired by the Belgian Cyber security guide, an initiative of

More information

Standards for Internal Control

Standards for Internal Control Standards for Internal Control in New York State Government October 2007 Thomas P. DiNapoli State Comptroller A MESSAGE FROM STATE COMPTROLLER THOMAS P. DINAPOLI My Fellow Public Servants: For over twenty

More information

Eliminating Negligence in. Physician Credentialing

Eliminating Negligence in. Physician Credentialing Eliminating Negligence in Physician Credentialing Illinois Hospital Association White Paper Legal Department February 2009 Copyright 2009 Illinois Hospital Association. Every hospital strives to select

More information

Information Technology Governance

Information Technology Governance New York State Office of the State Comptroller Division of Local Government and School Accountability LOCAL GOVERNMENT MANAGEMENT GUIDE Information Technology Governance Thomas P. DiNapoli State Comptroller

More information

CODE OF CONDUCT. Our reputation and integrity depend upon each of us assuming a personal responsibility for our business conduct.

CODE OF CONDUCT. Our reputation and integrity depend upon each of us assuming a personal responsibility for our business conduct. responsibility CODE OF CONDUCT Our reputation and integrity depend upon each of us assuming a personal responsibility for our business conduct. 02 Letter from Our CEO Dear ConocoPhillips Employees, Our

More information

The Growing Importance of E-Discovery on Your Business

The Growing Importance of E-Discovery on Your Business The Growing Importance of E-Discovery on Your Business! An Osterman Research White Paper Published June 2008 SPONSORED BY!! Osterman Research, Inc. P.O. Box 1058 Black Diamond, Washington 98010-1058 Phone:

More information

Ethical Considerations in Personal Injury Settlements and Lien Resolution. understanding PeriodiC JudgMent value

Ethical Considerations in Personal Injury Settlements and Lien Resolution. understanding PeriodiC JudgMent value Ethical Considerations in Personal Injury Settlements and Lien Resolution by Martin Jacobson, Esq. & Robert Schweers, Esq. This article discusses what every personal injury trial lawyer in New York State

More information



More information

The Impact of Electronic Discovery on Corporations. Michael J. Powell L. Clint Crosby

The Impact of Electronic Discovery on Corporations. Michael J. Powell L. Clint Crosby The Impact of Electronic Discovery on Corporations? Michael J. Powell L. Clint Crosby Look How Far We ve Come ESI ESI = Electronically Stored Information Any information that is stored in a medium from

More information



More information

Navigating A Case Through E-discovery Jill Griset and Melissa Laws McGuireWoods LLP Charlotte

Navigating A Case Through E-discovery Jill Griset and Melissa Laws McGuireWoods LLP Charlotte Navigating A Case Through E-discovery Jill Griset and Melissa Laws McGuireWoods LLP Charlotte I. SCOPE NOTE Since the amendments to the Federal Rules of Civil Procedure were enacted on December 1, 2006,

More information

Proliferation of Electronically Stored Information (ESI) and Reimbursable Private Cloud Computing Costs

Proliferation of Electronically Stored Information (ESI) and Reimbursable Private Cloud Computing Costs Proliferation of Electronically Stored Information (ESI) and Reimbursable Private Cloud Computing Costs Michael R. Arkfeld Attorney, speaker and author of Arkfeld on Electronic Discovery and Evidence (3rd

More information

Electronic Discovery. In This Issue

Electronic Discovery. In This Issue Electronic Discovery In This Issue May 2008 Volume 56 Number3 United States Department of Justice Executive Office for United States Attorneys Washington, DC 20530 Kenneth E. Melson Director Contributors'

More information

Network Security and Privacy:

Network Security and Privacy: Network Security and Privacy: Risk Management and Insurance to address Legal Exposures and Financial Statement Protection 2013 Update by Kevin P. Kalinich Gobal Practice Leader, Cyber Insurance Aon Risk

More information

Bankruptcy, Electronically Stored Information, and an Attorney s Ethical Obligations: Practical Pointers for your Practice.

Bankruptcy, Electronically Stored Information, and an Attorney s Ethical Obligations: Practical Pointers for your Practice. Bankruptcy, Electronically Stored Information, and an Attorney s Ethical Obligations: Practical Pointers for your Practice. Michael D. Fielding 1 Husch Blackwell Sanders LLP 2 4801 Main Street, Suite 1000

More information

Western Global Learning Program

Western Global Learning Program Quick Link: Responding to an Accident or Illness Western Global Learning Program Faculty Director s Emergency Guide Note: This guide is for use by Western Washington University only. Neither WWU, nor any

More information


DISCOVERY IN AN INSURANCE CASE. ERIKA L. BRIGHT Wick Phillips Dallas, Texas DISCOVERY IN AN INSURANCE CASE ERIKA L. BRIGHT Wick Phillips Dallas, Texas CHRISTOPHER KIPPER BURKE Great American Insurance Company Cincinnati, Ohio REBECCA DIMASI Buchanan DiMasi Dancy & Grabouski, LLP

More information

Navigating in the Brave New World of E-Discovery: Ethics, Sanctions and Spoliation

Navigating in the Brave New World of E-Discovery: Ethics, Sanctions and Spoliation NAVIGATING THE NEW WORLD OF E-DISCOVERY Navigating in the Brave New World of E-Discovery: Ethics, Sanctions and Spoliation Allison O. Van Laningham I. INTRODUCTION E-discovery is a fact of life in nearly

More information

Fighting over smoking gun emails: The nightmare begins

Fighting over smoking gun emails: The nightmare begins E - DISCOVERY Fighting over smoking gun emails: The nightmare begins Part I E-Discovery under the New Federal Rules The federal discovery landscape has changed. The United States Supreme Court on April

More information

Public Report on the Independent Assessment Process for Google, Microsoft, and Yahoo

Public Report on the Independent Assessment Process for Google, Microsoft, and Yahoo Global Network Initiative Public Report on the Independent Assessment Process for Google, Microsoft, and Yahoo Global Network Initiative Protecting and Advancing Freedom of Expresssion and Protecting and

More information

School Board Meetings

School Board Meetings I A S B School Board Meetings Requirements of the Illinois Open Meetings Act James P. Bartley and Julie E. Lewis With special recognition to Terrence M. Barnicle, Scott F. Uhler, Michael J. Duggan and

More information



More information

Data Breach Response Guide

Data Breach Response Guide Data Breach Response Guide By Experian Data Breach Resolution 2013-2014 Edition Trust the Power of Experience. 2013, Inc. Table of Contents Introduction 3... Data Breach Preparedness 4...

More information



More information

Whistleblower Investigation Manual

Whistleblower Investigation Manual Alaska Occupational Safety & Health-AKOSH Whistleblower Investigation Manual PROCEDURES FOR HANDLING RETALIATION COMPLAINTS UNDER ALASKA STATUTE 18.60.089 ALASKA DEPARTMENT OF LABOR & WORKFORCE DEVELOPMENT

More information

E-Issues in Construction Disputes. Karen Groulx Fraser Milner Casgrain LLP

E-Issues in Construction Disputes. Karen Groulx Fraser Milner Casgrain LLP Red Hot Topics in Construction Law E-Issues in Construction Disputes Karen Groulx Fraser Milner Casgrain LLP Friday, March 2, 2012 Ontario Bar Association Continuing Legal Education E-Issues in Construction

More information