Overload: Protecting Attorney-Client Privilege With Today’s Communications Tools

Attorneys have an obligation to maintain records of all client communication (as well as many other communications with third parties).[1] We are further often tasked with obtaining communications as part of the discovery process. However, while technology has made communication faster and simpler, it has also created a morass of record keeping.[2] Clients also have needs, which vary by client and practice area, not to mention geography. Many of us have been forced to embrace apps like WhatsApp, not because we want to, but because our clients insist on them. Sometimes, it’s a matter of economics and convenience, like with clients who are in other countries and who rely on those apps to avoid costly long distance telephone calls, or those who simply demand to communicate with us through those apps because they regard them as easier, faster and more secure than emails. At other times, it is a matter of security, since those apps can offer a level of protection that email does not. But what do we do to make sure that the methods used both protect the attorney-client privilege and allow us to retain accurate records of all communications? The situation gets even worse when it becomes a question of obtaining client, opposing party and third-party communications during the discovery process. Which apps did they use? Do they have a copy of the entire communication? Will they still have that copy by the time the need arises in discovery or can they or someone else delete important bits after the fact?

This article is by no means an ethics opinion or a dissection of ethics opinions. This article is an overview of the various means of digital communications from a tech perspective. Ideally, if you understand the features, pitfalls and limitations of the technology you rely on, you will be able to avoid circumstances where ethics rules and opinions may be used against you.

As those of us who practiced before the internet took over our lives and we entered the world of today, record keeping used to be a simple concept. One would take notes of the in-person and telephonic conversations one had with a client or third party and store those in the client file. Written communications were all in paper form, even when faxed, and it was easy enough to make a copy for the client file. This is no longer the case. Today’s communications can take on countless forms, exist in digital-only formats and be timed to self-destruct. Various platforms allow for encryption, single-view messages, deletions by the sender after the fact and even the ability to wipe the entire record for both sides of the conversation with a couple of taps. Many of these communications become irretrievable. Even if one takes a screenshot or a photo of a vanishing message, establishing its authenticity becomes near impossible.[3] Depending on the app or platform one uses, the retention of information varies wildly. Some methods are more permanent than others, and few make it easy for an attorney to maintain a clear and complete record of all client communications.

So, what do we do? Should lawyers avoid all messaging apps? What do we do to discover client and third-party communications in litigation? How do we make sure we don’t run afoul of our professional responsibilities and maintain an adequate record? Over the next few paragraphs, we will look at the various app features and technological hurdles that lawyers should be aware of, to make sure we are using the best tools for our needs and avoid those that can cause harm to befall our clients and careers. First, we should discuss the broad stroke concepts. Below is an overview of the features and functions one must be aware of, so that technology can best be used for efficient communications, without causing us to fail to retain those necessary records of communications.

End-to-End Encryption

In the past, end-to-end encryption was achieved by placing a letter into an envelope, sealing it and entrusting the postal service to deliver it without fail. After all, tampering with the U.S. mail is a federal crime, and one could reasonably rely on a mailed letter not to be intercepted or read while in transit. Say what you might about the quality of the U.S. Postal Service; that remains true to this day. However, most clients and fellow counsel would frown at the idea of all communications going through the post. The deficiency in speed is obvious. In fact, most lawyers have turned to email to fill their daily communication needs. However, email is not sealed in an envelope and is not delivered by a federal agency with legal protections against third-party interference. In fact, email is not encrypted at all.[4] I still regularly see transactional counsel emailing out Social Security numbers and birth dates, as well as other extremely confidential and private information, no matter how often I point out that this should not be done. Email is not secure. Period. Email is great in terms of near instant delivery and the ability to run one’s practice on the go, but email should be regarded as the equivalent of speaking to your client in a crowded elevator. It is not, by any means, private. Emails regularly get hacked, and unencrypted attachments offer your client no protection whatsoever. If you must send something by email, at least put the sensitive content into a secure PDF, which you encrypt and protect with a complex password. This is by no means the “best” form of security, but it at least provides a fig leaf for your client’s information. While email is amazing for communications and record keeping, it should never be used for truly sensitive information. So, what does one use instead? Well, many products offer end-to-end encryption and are a better choice for sensitive communications. But each one comes with its own set of drawbacks, whether in terms of security or record keeping.

In a perfect world, we would all use secure client portals, which most practice management systems already have built in, to communicate with our clients. However, I have yet to encounter a law firm, big or small, that has successfully implemented such a system The reasons are simple. It is cumbersome to use and requires the client to log into your firm’s portal to read and respond to each message. As someone who personally hates every secure message a financial institution sends me, with its two-factor authentication and a five-minute process just to read every silly notification, I have a hard time believing that we will ever be able to get our client or staff to embrace the idea that those portals should be the sole means for confidential communications.

If the only issue were the need for end-to-end encryption in communications, many excellent apps would be there to fill the gap left by email, without the need for me to write anything more than their names. But let’s start with a few concepts and names, and we’ll discuss the drawbacks of each one as we go.

Text and Multimedia Messaging (SMS and MMS)

Among the first messaging tools on the scene was SMS. While it has become more feature-rich over time, now allowing the sending of low-resolution images and video, SMS, at its core, was designed for fast delivery of short messages. It is fairly secure, since the delivery is handled by telecoms, and is fairly simple to retrieve during the discovery process. While one can generally delete a message one has sent from one’s own device, this deletion does nothing to remove the record from the recipient, so at least one party to the communication will generally have access to the message in question. However, the drawbacks to SMS/MMS are also quite severe. Since in most cases, SMS/MMS messages are delivered to one’s phone, it becomes difficult to maintain the record in one’s client file, making SMS messages difficult to log, and making it so that if a client sends a message to one member of a firm, it is likely that no other staff member in the firm will be aware of it. Surely, lawyers can log all their SMS messages in their client file, but few actually do anything of the sort. They rely on the fact that those messages exist in their smartphone and assume they can always reference them from there. This can result in disaster when one’s staff and co-counsel are not updated on developments that occurred via such private messaging. SMS is, of course, also very limiting, in that there is a character limit and no ability to attach documents (other than photos and short, low-quality videos). Many solutions have been introduced over the years, with some more useful than others, but none that truly solve all our problems.

Google Voice

A practical solution for a solo practitioner is Google Voice. It is basically a 21st-century answer to SMS/MMS, telephone calls and voicemails. It allows for large messages, maintains a log of all communications that can be accessed on the Google Voice web portal, transcribes and maintains recordings and transcriptions in an email inbox style view, allows for easy searching through all of one’s communications, just like email, and because it is available on a computer browser, allows for easy copying and/or pasting of communications into other destinations. This product also allows one to place and receive telephone calls, all through Google Voice’s own telephone number; allows for the recording of calls with an automated message that notifies all parties that the call is being recorded; allows for advances like call blocking and spam filtering; and provides good encryption of the data stored. It even offers extremely cheap long-distance calling. Most alluring, of course, is that it is free to sign up and use. For clients who insist on speaking with us through SMS, Google Voice is probably the best solution for a solo. Why only a solo? Well, because unless your entire firm shares one Google Voice account (which can be very dangerous and chaotic for its own reasons), you are left with the same problem as regular SMS, in that if you message me, how will my staff know about that communication? In theory, I could copy and paste all the communications I get on Google Voice into my practice management system, but let’s face it, will I? Unlikely.

SMS Built Into the Practice Management Systems

Seeing this problem in every law firm, many practice management systems have embedded a communication tool that emulates SMS directly into themselves. At first, this sounds like an excellent idea. However, it too has its drawbacks. The advantage is obvious. All SMS communications land in the client and matter records automatically and all staff members working on a matter have direct access to those communications. The drawbacks? Depending on the practice management system, those SMS communications may be limited to clients with U.S. telephone numbers, they have no spam filters that I know of and they are often difficult to use on the go, as the mobile apps of most practice management systems have added SMS as an afterthought and have not added many of the features a product like Google Voice or WhatsApp have natively. It can also result in message overload, as now all staff members are receiving notifications of all SMS messages to the firm. It is also important to note that this feature is often ridiculously and unjustifiably expensive. For example, some vendors charge extra for the plan that includes SMS service, versus the most expensive plan without it. Since most practice management systems charge for their plans on a per user basis, this can often scale up to hefty sums on a monthly basis. For me, that is inappropriate, considering the technology is simple and cheap to the point that Google is giving the equivalent away for free. Surely our practice management systems could do better and realize that this is a vital feature that they should include in every level of subscription, but alas, they are for-profit companies. But even if it were free, let’s face it: SMS is the technology of yesteryear. The clients of tomorrow expect something more feature-rich.

WhatsApp, Telegram and Other Apps

This brings us to the apps of today. Many if not most of those reading this article have heard of WhatsApp. Fewer have heard of Telegram, WeChat and other apps that have appeared over the years. These apps have eliminated the concept of long-distance phone charges, SMS fees while roaming, character limits, attachment size and type limits and, depending on the app, virtually all bottlenecks in communications. However, they come at a heavy price, at least for us lawyers. Depending on the specific features of a given app, as attorneys, we must be aware of their risks and limitations.[5] Implemented correctly, these apps allow us to communicate with clients on their terms, making for happier clients who know they can contact their attorneys at any time, using apps that they are comfortable with.

Let’s discuss the features and limitations of each app and what we as lawyers must do to make them compatible with our professional responsibilities. WhatsApp allows for almost all forms of file transfer and, unlike email, offers true end-to-end encryption. If you need to share confidential or privileged information, this is probably among the most secure tools to do it.[6] However, be warned that for record keeping and discovery purposes, WhatsApp can pose a serious problem in that it allows you to not only delete a message after it has been sent (and received and read), but it allows you to delete the message not just on your device but also on those of all recipients. This can make keeping communications records a problem. The “best” solution, since WhatsApp has a web browser and desktop client app, is to copy and/or paste each communication into your practice management system as it occurs. Of course, this is a hassle, and I have yet to meet a lawyer that religiously does this. In general, this should not be an issue in your communications with your clients, unless you expect your client to suddenly delete his or her communications with you.

However, when reviewing WhatsApp messages for discovery purposes, I would suggest asking your client to download and save all communications they may have had with the opposing parties and/or third parties. In fact, you may want to have this export done by a third-party service, to avoid the possibility of not being able to authenticate the messages. After all, at any given point after you commence litigation, it is possible that someone might delete that smoking gun you were hoping to later rely on.

Another thing to note about WhatsApp is that it is quite simple to create a WhatsApp group chat. This can be excellent for many different purposes, but please be sure to note that if you ever leave the group and then later rejoin the group, you will not see any of the group messages that occurred while you were away, much like walking out of a conference room in real life.

For a practical example, I have regularly represented condominium and cooperative boards, many of which handle their day-to-day communications as a group chat. When a board member resigns or does not get reelected, they regularly leave the board’s group chat. Then, later, when litigation occurs over some issue that the board member was involved in, he or she suddenly discovers that they only have partial records of board communications. This could theoretically be remedied by subpoenaing one of the other members to the chat, but that is an unnecessary hassle that can be avoided. This becomes a bigger problem when, as it did in a case I consulted on, the entire board fails to win reelection. All five board members, having been defeated at an annual meeting, disbanded and left their board chat group, deleting their own local copies. What none of them realized was that all of them ended up losing their transcripts of years of chats. When did they realize it? Well, when they got sued for a breach of fiduciary duty by the new board and suddenly discovered that not one of them was able to produce records of their deliberations and positions. It became a lot more difficult to establish facts in discovery when all board communications were missing. As you might imagine, given that they effectively deleted the evidence, however unintentionally that might have been, the plaintiffs sought a negative inference when the former board members were forced to admit that they deleted those records.[7] Before you think that you could possibly subpoena WhatsApp for those records, think again. The whole point of end-to-end encryption is that WhatsApp does not maintain a record of any of those communications, making them lost forever.

Moving on to Telegram, you will face similar but even more dangerous problems. Telegram prides itself of being among the most secure methods of communication[8] but, again, faces similar problems to WhatsApp. In fact, Telegram’s problems in this respect are even more pronounced since any party to a chat can delete the entire chat for all parties to the conversation. This makes for very secure messaging but is terrible for record keeping. In addition, in Telegram one can delete the entire chat or any given message sent at any time. One can even delete a message that was sent more than a year ago. (WhatsApp has a limit of 60 hours for deleting messages.) As such, whenever you’re worried that a communication might disappear or be edited after the fact, make sure to save it upon receipt. Since Telegram supports all forms of files and audio/video messages, it is important to download those upon receipt as well.

Not long ago, WhatsApp adopted one of the features of Telegram – the ability to edit messages (in this case, the message will be marked as edited, but you will never be able to see or recover the original text). Thus, this opens the possibility of a wide range of ex post facto manipulations. For example, a fraudster can ask “How are you?” and after you answer “okay,” change his question to “Can I take $50k from your safe?” When asked why the message was edited, the fraudster can simply say that he misspelled one of the words in the question and had “corrected” the spelling. A fraudster can even make a spelling error in the original message on purpose and correct it before you even answer, so that the recipient will see the message as edited before responding and think nothing of it. Then, when the fraudster later changes the message again, there will be an indicator showing that the message was edited a second time, as it will simply show “edited.” The message can effectively be edited countless times, making it impossible to be sure who said what and when. By comparison, WhatsApp has a limit of only 15 minutes for editing messages, while Telegram gives you as much as 48 hours, which makes it much easier to commit fraud and manipulate the conversation records after the fact.

Both WhatsApp and Telegram also allow single view messages, which will disappear after they have been viewed once. It makes record-keeping nearly impossible unless you photograph your phone screen with another device when opening the message.

Another very popular app is WeChat. WeChat is a product that very few in the United States have used or even heard of. One of the main reasons for that is that it is a Chinese app, which, by that fact alone, scares most Americans. In fact, WeChat is an app that allows for much more than messaging and is a universal app that provides means for online payments, ordering food and other products to be delivered, allows for lots of person-to-person interaction and is generally a very impressive product. However, as attorneys, we probably want to stay away from it, as it is entirely possible that the Chinese government has some back-end access to all communications. WeChat will of course deny this, but be it paranoia or an abundance of caution, I have yet to meet an American lawyer that feels comfortable using WeChat.

It would be wrong not to mention the various messaging apps built into the various social media platforms, like Facebook Messenger or LinkedIn messenger. However, while it might be wrong to leave them out of this article, you should most certainly leave them out of any communications toolbox that involves confidential or privileged information. The long and short of is that these are not truly private messages, nor are they end-to-end encrypted. In fact, the terms of service of these products are rather explicit about the communications being available to their publisher, for advertising and business development purposes. In other words, anything you say using Facebook or LinkedIn will be parsed by them and used to market to you.[9] This is akin to using a consumer grade Gmail address to run your practice. If you don’t own your data, how can you protect it from falling into the wrong hands?

In the end, there are basic questions you must ask about each communication method you use, and you must establish firm protocols for data retention and security for all such communications.

Key Takeaways

1. Read the terms of service of each platform you intend to use and confirm that you own your communications and that they are encrypted-end-to-end, and, if that is not the case, do not use the platform for any communication that you would not want accessed by third parties. For example, Facebook Messenger is usually fine for planning a night out with friends. It is not fine for confidential and privileged communications.
2. Whenever you get a notification from any such platform that they updated their terms of service, don’t just click OK. Read the changes and make sure that the provider hasn’t changed its policy on data ownership, access, use or encryption.
3. If using a platform that does not guarantee you the ability to retain and archive your communications, make sure you export those communications and archive them yourself, at least those communications that you are required to maintain records of or ones that you may need to rely on later (e.g., Google Voice will keep every SMS, MMS, voicemail and file transfer in your Google Voice inbox, so you can always access them there, whereas products like WhatsApp or Telegram may result in messages disappearing later if one of the parties deletes them).
4. When you take on a matter, before sending out a demand letter, commencing litigation or even contacting the opposing party, sit down with your client and identify what platforms were used to communicate between the parties to the dispute and/or third parties related to it. Have an IT company export and store all those communications, so that you can establish a chain of evidence later and so that no one deletes the important data to avoid discovery.
5. Consider issuing pre-litigation subpoenas or at least sending out litigation hold letters to all parties you expect to need communications records from. That way, if messages are deleted after the fact, you can make a motion for a negative inference.
6. Update your engagement letters to make clients opt in and affirmatively acknowledge that (a) you have a client portal built into your practice management system and that the most secure way to communicate with your office electronically is via that portal; (b) if they wish to communicate by email, they understand that it is not encrypted and understand and accept the inherent risks and direct you to use it for confidential communications anyway; (c) if they wish to use a communications app of any sort, that they have read and understood the terms of service, accept those terms and understand that they must not delete any messages after sending them to you; and (d) that they understand that if they have used any such apps to communicate with the opposing parties or third parties, that they shall immediately coordinate to have all such communications retrieved and stored by an IT company.
7. Log all communications you receive by SMS or through any app into your practice management system as soon as they occur, so that your client is complete and those communications are contemporaneously and diligently logged and maintained by your firm, providing a business records exception to the hearsay rule.[10]

If you follow these basic rules, you should not have too many problems with any of these tools, and your clients will greatly appreciate your ability and willingness to communicate with them on their own terms and with the tools they feel comfortable using.

Alexander Paykin is the owner of The Law Office of Alexander, a boutique commercial and real estate litigation and complex transaction firm. He is also a consultant to other law firms on the use of technology in the practice of law, ranging on topics from hardware and practice management systems, to billing, payment, bookkeeping and accounting technologies. He is the chair of NYSBA’s Committee on Technology and the Legal Profession and is a member of NYSBA’s Committee on Law Practice and Court Rules, Committee on Civil Practice Law and Rules (CPLR), the Law Practice Management Committee and the Committee on Law, Youth and Citizenship.

[1] Pursuant to Guideline No. 3.C of NYSBA Social Media Ethics Guidelines, 2019, “If an attorney utilizes social media to communicate with a client relating to legal representation, the attorney should retain records of those communications, just as he would if the communications were memorialized on paper.”

[2] The Pennsylvania Bar Association has opined that, under the Pennsylvania Rules of Professional Conduct, which are different from the NYRPC, an attorney “should retain records of those communications containing legal advice.” See Pa. Bar Association, Ethics Comm., Formal Op. 2014-300.

[3] In detail, the authenticity of a screenshot, namely that it is an accurate copy of text messages sent, can be established by a witness testifying that (1) he or she observed the incriminating messages on the cell phone, (2) the screenshot, although he or she did not personally take it, was an accurate representation of the messages seen on the cell phone, (3) the cell phone belonged to the owner based on his or her familiarity with the make, model and color of the cell phone, (4) he or she had seen the owner use the cell phone many times, (5) the witness personally handled the phone, and (6) the cellphone was password-protected, making it unlikely that someone, other than the owner, was able to send the messages sought to be introduced. See Matter of RD (CL), 58 Misc. 3d 780, 787–88 (2017).

[4] I get a lot of questions and confusion on this point, as people often refer to encrypted emails as if they were an actual thing. They are not. You can have an encrypted message sent to you, but not via email. When you get what is commonly referred to as an encrypted email, you are actually just getting a link with a token that then lets you log into an encrypted webpage, where you then get to see the contents of your message. If you are clicking on a link to leave your email client and to land on a different server, you are viewing an encrypted message, but it was not an “encrypted email.”

[5] In addition to presenting some risks and limitations, social network apps have great potentialities. In Baidoo v. Blood-Dzraku, 48 Misc. 3d 309 (2015), the court granted permission to serve defendant with the divorce summons using a private message through Facebook.

[6] Regarding WeChat messages and the attorney-client privilege, see Hansen Realty Dev. Corp. v. Sapphire Realty Group LLC, 2020 N.Y. Slip Op 33166(U) (Sup. Ct., N.Y. Co. Sept. 25, 2020).

[7] Regarding the spoliation of WhatsApp chats and the grant of an adverse inference, see RCSUS Inc. v. SGM Socher, Inc., 2022 N.Y. Slip Op 30926(U) (Sup. Ct., N.Y. Co. Mar. 20, 2022). Regarding the unintentional spoliation of WeChat chats in the event of phone lost or damaged, see Siras Partners LLC v. Activity Kuafu Hudson Yards LLC, 171 A.D.3d 680 (1st Dep’t 2019).

[8][8] Though I have heard many argue that Telegram’s privacy is highly questionable, since all communication records are stored in their cloud, yet it is a free app with no ads, leading many to suspect that some financial backer – possibly the Russian government – is financing the costs of operation and has access to all contents. This is, of course, rumor and inuendo, but given that the app appears to have no revenue generation and has large operating costs, one must wonder how the company stays afloat.

[9] As recently set forth by commentators regarding privacy and social networking sites, given the millions of users, “[i]n this environment, privacy is no longer grounded in reasonable expectations, but rather in some theoretical protocol better known as wishful thinking.” Romano v. Steelcase Inc., 30 Misc. 3d 426, 434 (Sup. Ct., Suffolk Co. 2010), citing Dana L. Fleming and Joseph M. Herlihy, What Happens When the College Rumor Mill Goes Online? Privacy, Defamation and Online Social Networking Sites, 53 Boston B.J. 1:16 (Jan./Feb. 2009).

[10] Pursuant to Guideline No. 3.C of NYSBA Social Media Ethics Guidelines, 2019, “A lawyer shall not deactivate a social media account, which contains communications with clients, unless those communications have been appropriately preserved.”