NSA surveillance raises potential professional responsibility issues when working with international clients

By Peter Andres*

Photo: The National Security Agency at Fort Meade (courtesy of the Department of Defense)

Since May 2013, each month we have learned a little more about the trove of documents that Edward Snowden took from the National Security Agency (NSA). And with each revelation the scope of the U.S. spying program continues to grow. To date, public opinion appears to be split between those who casually brush off the spying with a “what do I have to hide?” attitude and those who find the revelations a much more insidious invasion of privacy.

For lawyers working on matters with international clients based outside of the United States, the Snowden revelations raise practical issues that impact their practice given the scrutiny international communications receive under NSA surveillance programs.   As a Washington Post article noted in October, “intercepting communications overseas has clear advantages for the NSA … [bulk] collection of Internet content would be illegal in the United States, but the operations take place overseas, where the NSA is allowed to presume that anyone using a foreign data link is a foreigner.”  The Snowden disclosure has particular resonance for attorney communication with non-U.S. citizen clients, who still may be subject to U.S. jurisdiction.  If a confidential communication is sent to a Gmail account or another U.S. e-mail service provider and sent to a data center in Asia, should it be assumed that the NSA has access to it?   

The issue raises professional responsibility concerns under Rule 1.6(c) of the Model Rules of Professional Responsibility, which states that “a lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Furthermore, comment 19 of Rule 1.6 notes that “when transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy...”

While some may find it personally unsettling that the U.S. government could be reading e-mail communications with a spouse or family member, it is far more troubling to learn that confidential communications with clients could be the subject of U.S. government review. For example, consider a hypothetical member of a corporate audit committee of a foreign company that trades ADRs on the NYSE. The audit committee member sets up an account with an e-mail service provider, such as Gmail or Hotmail, for communications related to their service on the Board. Suppose the audit committee member engaged outside counsel to carry out an internal investigation of a criminal matter. Can an attorney send a report that details preliminary findings of a criminal investigation through these e-mail channels and still presume that it will remain confidential and that no one will gain unauthorized access to the details of the representation? The Snowden revelations raise further questions about the privacy of e-mail communications, especially overseas, and the nature of attorney-client communications. In the post-Snowden environment, attorneys will be pressed to consider whether “special security measures” should be implemented for communications with non-U.S. clients and whether a “reasonable expectation of privacy” still exists, given the high likelihood the NSA collects these communications.



* Peter Andres is an associate at Baker & McKenzie.