The Email Privacy Illusion: Part 2 of 3 — You Encrypted Everything. It Doesn’t Matter.

Tags: Attorney-Client Privilege, Corporate Governance, Cybersecurity, Data Privacy, eDiscovery, Email Security, Legal Ethics

Your Encryption Ends Where Your Client’s Inbox Begins

In 2014, three weeks into a wrongful termination production at EMC/Kazeon, a paralegal flagged an anomaly in the plaintiff’s email collection. The plaintiff’s attorney had used a properly configured Microsoft Exchange server with Transport Layer Security encryption. Outbound messages left the firm encrypted. The attorney’s own system was clean.

The plaintiff’s inbox was not.

Her employer’s IT department had retained every message in a litigation hold archive. When the production order arrived, opposing counsel received fourteen months of attorney-client strategy discussions, settlement valuations, and assessments of the employer’s own liability. The attorney’s encryption had protected the messages in transit. It had done nothing to protect them at the destination. Every privileged communication sat in plaintext on the defendant’s own servers, cataloged by date and sender.

She called our team that afternoon. I remember the silence on the line before she asked the question: “How did they get my emails?”

It was not a technical mistake. It was an architectural one. She secured her half of the channel and assumed the other half would take care of itself.

When you send email to a client using a free email service or corporate email system, your encryption protects the message only during transit. Once the email arrives at the recipient’s mail server, it falls under that provider’s scanning, storage, and access policies. Google can process their Gmail. Their employer can read their corporate email. And in litigation, opposing counsel can obtain it all.

This is Part 2 of a three-part series on email privacy. Part 1 addressed attorneys who use free email for legal practice and the forty-minute eDiscovery collection that exposed a solo practitioner’s entire client history. This installment examines the subtler problem: what happens when you have done everything right on your end, but your client has not. Part 3 will examine what healthcare figured out about secure communication years before the legal profession started asking the question.

The Armored Car to an Unlocked House

Transport Layer Security (TLS) is an armored car. It protects your message while it travels between servers. But TLS secures the journey, not the destination. When your encrypted email arrives at your client’s Gmail inbox, the armored car drops the package at an unlocked house where the landlord has a key.

Most business email systems use TLS to encrypt messages in transit. This prevents interception during transmission, which addresses one threat vector. TLS does nothing to protect the message once it reaches the recipient’s server. At that point, the recipient’s email provider has full access to the plaintext content. As I documented in “Your AI Tool Doesn’t Keep Secrets,” platform terms of service function as disclosure agreements that most users never read. Google’s Terms of Service state explicitly that automated systems analyze your content, including emails. Your client accepted those terms. You sent the privileged communication anyway.

True end-to-end encryption works differently. It encrypts the message content itself, not the transmission channel, so only the intended recipient can decrypt and read the message. But end-to-end encryption requires both parties to use compatible encryption systems. If your client uses Gmail’s standard interface, they cannot receive end-to-end encrypted email without additional steps that most clients will not take. The ABA’s 2023 Legal Technology Survey found that only 42% of attorneys even have email encryption available. Among solo practitioners, that number drops to 33.1%. If the attorneys cannot get this right, expecting clients to configure encryption on their end is a fantasy.

What remains is a communication architecture with a structural weakness. You control one endpoint. Your client’s endpoint belongs to someone else.
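To make the armored-car point concrete, here is an added example (not code from the original post) that models which parties can read a message at each hop of its path. Every link is "TLS-protected", meaning each receiving server decrypts what came over the wire, and the body is either sent as-is (transport encryption only) or pre-encrypted to a key only the client's mail client holds (end-to-end). The cipher is a deliberately simple keystream XOR derived with hashlib; it stands in for real TLS and end-to-end ciphers only so the visibility model runs offline, and it is not secure. The hop names, owners, sample message and the `provider` argument (which lets you swap the email provider for the client's employer, as in the opening scenario) are all constructed for illustration.

```python
"""Toy model: who can read an email at each hop under transport-only vs end-to-end encryption.
Added illustration, not from the original post; the cipher is NOT secure."""
import hashlib


def _keystream(key: bytes, length: int) -> bytes:
    # Expand a key into a pseudorandom byte stream (SHA-256 in counter mode).
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    # XOR with the keystream; the same call decrypts, since XOR is its own inverse.
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


toy_decrypt = toy_encrypt

# Constructed hop list: servers the message touches after leaving the sender's client.
# Each entry is (hop name, owner of that hop). "{provider}" is filled in per call.
HOPS = [
    ("firm mail server", "law firm"),
    ("provider inbound MTA", "{provider}"),
    ("recipient mailbox store", "{provider}"),
    ("recipient mail client", "client"),
]

SAMPLE_MESSAGE = b"settlement floor: $2.4M; employer liability assessment attached"  # constructed


def deliver(plaintext: bytes, end_to_end: bool, provider: str = "email provider",
            recipient_key: bytes = b"client-only-key") -> dict:
    """Return {hop: (owner, bytes that hop holds after terminating its TLS link)}."""
    # End-to-end: the body is encrypted to the client's key before it enters the channel.
    payload = toy_encrypt(recipient_key, plaintext) if end_to_end else plaintext
    seen = {}
    for i, (hop, owner) in enumerate(HOPS):
        # Transport protection: each link uses a key shared only by its two endpoints...
        link_key = f"tls-link-{i}".encode()
        on_the_wire = toy_encrypt(link_key, payload)
        # ...and the receiving hop terminates TLS, recovering whatever entered the link.
        payload = toy_decrypt(link_key, on_the_wire)
        seen[hop] = (owner.format(provider=provider), payload)
    if end_to_end:
        # Only the client's own mail client holds the end-to-end key.
        seen["recipient mail client"] = ("client", toy_decrypt(recipient_key, payload))
    return seen


def who_can_read(plaintext: bytes, end_to_end: bool, provider: str = "email provider") -> list:
    """Owners of hops where the message sits in the clear, sorted for stable comparison."""
    hops = deliver(plaintext, end_to_end, provider)
    return sorted({owner for owner, data in hops.values() if data == plaintext})


if __name__ == "__main__":
    print("TLS only, Gmail-style provider:", who_can_read(SAMPLE_MESSAGE, False))
    print("TLS only, employer-run mailbox:", who_can_read(SAMPLE_MESSAGE, False, "client's employer"))
    print("End-to-end:                    ", who_can_read(SAMPLE_MESSAGE, True))
```

With transport encryption alone, the firm, the provider (or the employer, when the mailbox is corporate) and the client all hold the plaintext; with end-to-end encryption only the client does. The model ignores the sender's own client, which of course sees the plaintext it composed, and it says nothing about key distribution, which is exactly the "additional steps that most clients will not take".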

The Corporate Email Problem: Three Cases That Draw the Line

Free email services are not the only concern. When your client asks you to send communications to their work email address, you introduce their employer into the attorney-client relationship. Corporate email systems belong to the employer. IT administrators can access any employee’s mailbox. Many organizations actively monitor email for policy compliance, data loss prevention, and security threats. When litigation arises, the corporate email archive becomes a primary discovery target.

Three cases define where courts draw the line.

In 2005, the bankruptcy court in In re Asia Global Crossing established the four-factor test that courts now use to evaluate whether an employee has a reasonable expectation of privacy in communications sent through an employer’s email system: (1) Does the company maintain a policy banning personal use? (2) Does the company monitor employee email? (3) Do third parties have a right of access to the system? (4) Did the company notify the employee of these policies? No single factor controls. Courts balance all four. But the pattern is clear: when an employer has a monitoring policy and the employee knows about it, privilege claims collapse.

Two years later, Scott v. Beth Israel Medical Center demonstrated how the Asia Global framework plays out in practice. Dr. Norman Scott, head of orthopedics at Beth Israel, used his employer’s email system to send communications to his personal attorney about a potential $14 million breach-of-contract claim. Beth Israel’s policy prohibited personal use and expressly reserved the right to access and disclose any material on the system. The court denied Dr. Scott’s motion to compel the return of the emails. It ruled that the employer’s monitoring policy was “to have the employer looking over your shoulder each time you send an e-mail.” The otherwise privileged communication between Dr. Scott and his attorney was not made in confidence because the policy eliminated any reasonable expectation of privacy. The email disclaimer Dr. Scott placed on every message made no difference. As I detailed in “The Email Disclaimer Delusion,” disclaimers appear after the content has already traversed the monitored channel.

Then in 2010, the New Jersey Supreme Court in Stengart v. Loving Care Agency drew a critical distinction. Marina Stengart had used her employer-issued laptop to access her personal, password-protected Yahoo email account and communicate with her attorney about an employment discrimination claim. Loving Care’s forensic consultants recovered the communications from the laptop’s temporary internet files. In a 7-0 decision, the court held that Stengart retained a reasonable expectation of privacy because she used a personal, password-protected webmail account, not the employer’s email system. The employer’s monitoring policy was ambiguous, and the strong public policy protecting attorney-client communications outweighed the company’s interests.

Read those two cases together and the distinction becomes precise. Dr. Scott used the employer’s email system. Privilege destroyed. Marina Stengart used her own personal webmail account on the employer’s hardware. Privilege preserved. The controlling variable is not whose computer carries the message. It is whose email system carries it.

Now apply that distinction to the scenario that opens this piece. Your client’s employer owns the email system. The Asia Global factors point in one direction. The privilege analysis points the same way. Every strategy discussion, every settlement valuation, every assessment of the employer’s liability is stored on servers the prospective defendant controls. When litigation commences, opposing counsel does not need to look far. They already have the archive.

Your Ethical Obligations Extend to the Recipient

ABA Model Rule 1.6(c) does not limit your duty to protect confidential information based on whose email system carries the message. The rule requires “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation.” Knowingly sending privileged information to an email account you know is monitored is difficult to reconcile with “reasonable efforts.”

Formal Opinion 477R addressed this directly. The opinion reversed the profession’s prior assumption that unencrypted email was acceptable for all communications and established a fact-specific framework requiring attorneys to evaluate “the sensitivity of the information” and “the likelihood of disclosure if additional safeguards are not employed.” For highly sensitive matters, the opinion concluded, standard email may be insufficient. As I explored in “The Backdoor to Your Client’s Inbox,” the opinion’s framework transforms the encryption decision into a privilege decision.

Opinion 477R also established an affirmative obligation: attorneys must “discuss with the client the level of security that is appropriate when communicating electronically.” This is not optional guidance. It is an ethical requirement. You cannot simply accept whatever email address the client provides without discussing the security implications of that choice. Comment 18 to Model Rule 1.6 reinforces this, listing factors for determining reasonable efforts that include the sensitivity of the information and the client’s instructions and circumstances. A client’s preference for convenience does not override your independent obligation to protect their confidences. As I outlined in “The Conversation That Saves Privilege,” the five-minute briefing at engagement that covers communication security satisfies both the Rule 1.6(c) confidentiality obligation and the Rule 1.4 duty to communicate.

The Strongest Case for Doing Nothing

Here is the best version of the counterargument, stated as fairly as I can manage: TLS encryption handles the interception risk that actually matters in practice. No published disciplinary opinion has sanctioned an attorney for sending encrypted email to a client’s Gmail account. The Stored Communications Act provides statutory protection against third-party disclosure. Clients have a right to choose their own communication preferences, and second-guessing those choices paternalizes the relationship. If the client wants to use their personal email, that is the client’s informed choice.

Parts of this argument hold. TLS does address interception during transit. The Stored Communications Act provides some protection against voluntary disclosure by providers. No disciplinary board has published a sanction solely on this theory. Client autonomy is a real value.

Here is where it breaks down.

Interception is the wrong threat to optimize against. TLS protects against eavesdropping during transmission. It does nothing to prevent the recipient’s email provider from processing the message after delivery. Google’s automated systems scan every Gmail message for spam filtering, malware detection, categorization, Smart Reply suggestions, and Gemini-powered AI features. Your threat model for privileged communications must include the recipient’s provider. TLS alone is insufficient for that threat.

Statutory protection addresses the wrong vector. The Stored Communications Act restricts providers from voluntarily disclosing email content to third parties, subject to significant exceptions for government legal process. But your client can be compelled to produce their own emails in litigation. The fact that Google cannot voluntarily hand emails to opposing counsel does not prevent opposing counsel from obtaining them through your client’s own discovery obligations. In employment cases, the employer already has the corporate email archive.

Client choice is not the same as informed consent. When a client asks you to send communications to their work email, they may not understand that their employer has full access. It is your obligation to explain this, not to defer to a preference the client formed without understanding the consequences. ABA Formal Opinion 477R specifically requires the conversation. An employee contemplating litigation against their employer who receives strategy discussions on the employer’s email system has not made an informed choice. They have made an uninformed one that you had an obligation to correct.

And the absence of a published sanction is not evidence of safety. It is evidence that no opposing counsel has yet assembled the argument in the right case. The doctrinal foundation is established. The Asia Global factors are settled. Scott v. Beth Israel supplies the result. Someone will eventually connect these authorities in a disciplinary complaint. The question is whether the attorney named in that complaint will be surprised.

When the Gap Becomes a Chasm

Donald Rumsfeld once observed that there are known unknowns and unknown unknowns. In email security, the encryption gap is neither. It is a known known that attorneys treat as someone else’s problem.

In my eDiscovery work at EMC/Kazeon, the most damaging productions consistently came from the client’s side of the communication, not the attorney’s. Law firms maintain privilege review processes and retention policies. Clients do not. A client’s Gmail account swept up in a broad discovery request yields every communication the attorney sent, stored in plaintext, often with forwarded chains that include attachments the attorney assumed would remain on the firm’s own servers.

Corporate defendants gain tactical advantages when opposing plaintiffs use work email for attorney communications. Settlement negotiations collapse when one party’s email provider retains messages the party believed were deleted. Privilege logs become nightmares when a client’s free email account commingles personal, professional, and attorney communications in a single undifferentiated archive. As I documented in “The Email Privacy Illusion: Part 1,” free email providers designed these accounts for advertising, not for confidentiality. They function accordingly.

Every case followed the same sequence. Attorneys secured their own systems and assumed the recipient’s environment would hold. When discovery requests arrived, the weakest link failed first. That link was almost always the client’s inbox.

Where the Exposure Concentrates

Employment law clients face the sharpest version of this problem. The employer who may become the defendant already controls the email system that carries the privileged communications. An employee contemplating a wrongful termination or discrimination claim who receives attorney strategy discussions at their work address has handed opposing counsel the case file before the complaint is even filed. Advise these clients explicitly: use personal email from personal devices on personal networks. Do not contact counsel from a work computer, work phone, or employer Wi-Fi. I built this guidance into the client briefing framework in “Protecting Your Attorney-Client Privilege.”

M&A and corporate transaction attorneys face a different calculus. Deal updates contain information that could move markets. If your client’s CFO receives those updates at a personal Gmail address, Google’s systems are processing messages about material nonpublic information. If they receive them at their corporate address, the company’s IT department has access to pre-announcement deal terms. For transactions where confidentiality is the consideration, not just a preference, standard email may be insufficient for either endpoint.

Criminal defense strategy ranks among the most sensitive content in legal practice. Clients facing criminal charges may have adversaries with significant investigative resources and motivation to access their communications. As I explored in “The Privilege Paradox,” the intersection of surveillance authority and attorney-client communication creates risks that standard email cannot address. Standard email, even from a secure firm, provides inadequate protection when received at a free email account the government can compel the provider to produce.

Intellectual property attorneys face a self-defeating irony. Trade secret protection requires “reasonable efforts” to maintain secrecy. If you advise a client on trade secret matters through communications that land on Google’s servers, you may undermine the very protection you are trying to establish. The communication channel becomes relevant to the substantive legal question. A court evaluating whether the client took reasonable efforts to protect the secret will examine how the client communicated about the secret. An email trail on a free provider’s servers is not a strong exhibit.

Before Friday

This afternoon: Review your active client list. Identify every client communicating with you through a free email account or corporate email address. For each one, categorize the matter by sensitivity. Criminal defense, contested employment, M&A transactions, and trade secret matters rank highest. Routine contract reviews rank lower. This triage takes thirty minutes and determines where your risk concentrates.

Tomorrow: Draft a standard communication-security paragraph for your engagement letters. The language should identify approved communication channels, explain why free email and corporate email create exposure for sensitive matters, and document the client’s informed choice if they prefer a channel you have identified as potentially insecure. As I outlined in “The Conversation That Saves Privilege,” this conversation belongs at intake, not after a discovery dispute.

This week: For your highest-sensitivity matters, contact clients individually and discuss secure alternatives. Client portals, encrypted messaging applications, and password-protected document delivery provide additional layers of protection. Part 3 of this series will address these solutions in detail, borrowed from an industry that solved this problem years ago.

For employment clients specifically: Put the work-email prohibition in writing at the outset of every representation. Do not use work email, work devices, or work networks for attorney communications. If the client has already been using corporate email, assess whether any existing communications require remediation. The privilege may already be compromised.
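The "this afternoon" triage above is mechanical enough to script. The following is an added example, not a tool from the original post, that takes a client list, classifies each client's address (free webmail, corporate email, a firm-controlled portal, or, worst of all, an email system run by the adverse party), weights it by the matter sensitivity ranking the post gives, and orders the list so the highest exposure surfaces first. The domain sets, the sensitivity weights, the hypothetical portal domain `portal.example-law.test` and the client records are all constructed; adjust them to your own list.

```python
"""Client communication-channel triage. Added illustration, not from the original post."""
from dataclasses import dataclass

# Constructed set of consumer webmail domains whose providers scan message content.
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com", "icloud.com"}
# Hypothetical firm-controlled channel (a client portal), outside any third party's mail system.
FIRM_CHANNELS = {"portal.example-law.test"}

# Sensitivity ranking from the post: criminal defense, contested employment,
# M&A and trade secret matters rank highest; routine contract review ranks lower.
SENSITIVITY = {
    "criminal defense": 3,
    "employment": 3,
    "m&a": 3,
    "trade secret": 3,
    "contract review": 1,
}
DEFAULT_SENSITIVITY = 2

# How much each channel class multiplies exposure. An address on the adverse party's own
# system is the Scott v. Beth Israel situation and is weighted far above the rest.
CHANNEL_WEIGHT = {
    "firm portal": 0,
    "free webmail": 2,
    "corporate email": 2,
    "adverse party's system": 5,
}


@dataclass
class Client:
    name: str
    email: str
    matter_type: str
    adverse_party_domain: str = ""  # e.g. the employer's domain in an employment matter


def channel_class(email: str, adverse_party_domain: str = "") -> str:
    """Classify where the client's mailbox lives."""
    domain = email.rsplit("@", 1)[-1].lower()
    if domain in FIRM_CHANNELS:
        return "firm portal"
    if domain in FREE_WEBMAIL:
        return "free webmail"
    if adverse_party_domain and domain == adverse_party_domain.lower():
        return "adverse party's system"
    return "corporate email"


def risk_score(client: Client) -> int:
    channel = channel_class(client.email, client.adverse_party_domain)
    sensitivity = SENSITIVITY.get(client.matter_type.lower(), DEFAULT_SENSITIVITY)
    return sensitivity * CHANNEL_WEIGHT[channel]


def triage(clients: list) -> list:
    """Return (name, channel, score) tuples, highest exposure first."""
    rows = [(c.name, channel_class(c.email, c.adverse_party_domain), risk_score(c)) for c in clients]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def needs_remediation_review(clients: list) -> list:
    """Clients already corresponding through the adverse party's system: existing
    communications may be compromised and should be assessed, per the post."""
    return [c.name for c in clients
            if channel_class(c.email, c.adverse_party_domain) == "adverse party's system"]


# Constructed sample client list.
SAMPLE_CLIENTS = [
    Client("Client A", "a.client@acme-corp.test", "employment", adverse_party_domain="acme-corp.test"),
    Client("Client B", "b.client@gmail.com", "criminal defense"),
    Client("Client C", "c.client@portal.example-law.test", "trade secret"),
    Client("Client D", "d.client@widgets.test", "contract review"),
]

if __name__ == "__main__":
    for name, channel, score in triage(SAMPLE_CLIENTS):
        print(f"{score:>3}  {name:<10} {channel}")
    print("remediation review:", needs_remediation_review(SAMPLE_CLIENTS))
```

The output puts the employment client writing from the prospective defendant's own mail system at the top, the criminal-defense client on free webmail next, and the portal user last; the remediation list flags only the first. Scores are a triage aid for where to start the conversations, not a privilege analysis.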

The Other Half of the Channel

She secured her firm’s email server, encrypted outbound messages, and trained her staff on phishing awareness. She did everything the security consultants recommended. She controlled her half of the channel with precision.

Not once did she ask about the other half.

Fourteen months of privileged strategy discussions sat in plaintext on the defendant’s own email servers. They were cataloged, searchable, and already subject to a litigation hold by the time her client mentioned that she’d been using her work address all along.

The encryption gap is not a technology problem. Encryption exists. Secure portals exist. End-to-end encrypted messaging exists. The gap is a conversation problem. It exists because attorneys treat the client’s email choice as the client’s business rather than the attorney’s obligation. The cases are clear. The ethics rules are clear. The only thing missing is the conversation that connects them. Five minutes at intake. One paragraph in the engagement letter. That is the distance between the attorney who controlled her half of the channel and the attorney who controls all of it.

[The opening eDiscovery scenario is based on the author’s professional experience at EMC/Kazeon. Identifying details have been altered to protect confidentiality. The collection process and technical details are representative of standard eDiscovery procedures during the relevant period.]

This blog provides general information for educational purposes only and does not constitute legal advice. Consult qualified counsel for advice on specific situations.

About the Author

JD Morris is Co-Founder and COO of LexAxiom. With over 20 years of enterprise technology experience and credentials including an MLS from Texas A&M, MEng from George Washington University, and dual MBAs from Columbia Business School and Berkeley Haas, JD focuses on the intersection of legal technology, cybersecurity, and professional responsibility.

Connect: LinkedIn (http://www.linkedin.com/in/jdavidmorris) | X (@JDMorris_LTech) | Bluesky (@JDMorris-ltech.bsky.social)

References

1. ABA Model Rules of Professional Conduct, Rule 1.1, Comment 8 (Technology Competence, 2012 amendments).

2. ABA Model Rules of Professional Conduct, Rule 1.6(c) and Comment 18 (Reasonable Efforts to Prevent Unauthorized Disclosure).

3. ABA Standing Committee on Ethics and Professional Responsibility, Formal Opinion 477R, “Securing Communication of Protected Client Information” (May 22, 2017).

4. American Bar Association, 2023 Legal Technology Survey Report, Technology Basics & Security Volume (42% email encryption availability; 33.1% solo practitioners).

5. In re Asia Global Crossing, Ltd., 322 B.R. 247 (Bankr. S.D.N.Y. 2005) (establishing four-factor test for employee email privacy expectations: personal use policy, monitoring, third-party access, employee notice).

6. Scott v. Beth Israel Medical Center, 17 Misc.3d 934, 847 N.Y.S.2d 436 (N.Y. Sup. Ct. 2007) (privilege denied; employer monitoring policy defeated expectation of privacy in attorney-client emails sent through corporate system).

7. Stengart v. Loving Care Agency, Inc., 990 A.2d 650 (N.J. 2010) (7-0; privilege preserved for personal password-protected webmail accessed on employer laptop; ambiguous policy did not defeat reasonable expectation of privacy).

8. Stored Communications Act, 18 U.S.C. § 2702.

9. Google, Terms of Service (effective January 5, 2022; updated December 18, 2025), policies.google.com/terms (“automated systems analyze your content (including emails)”).

10. Google, Official Blog, “Gmail is entering the Gemini era” (January 8, 2026) (AI Overviews, Help Me Write, Suggested Replies for all free Gmail users).

11. Morris, JD. “The Email Privacy Illusion: Part 1 of 3,” Morris Legal Technology Blog (free email scanning; Kazeon eDiscovery collection; Google ToS analysis).

12. Morris, JD. “The Email Privacy Illusion: Part 3 of 3,” Morris Legal Technology Blog (forthcoming) (secure portals; HIPAA communication model).

13. Morris, JD. “Your AI Tool Doesn’t Keep Secrets: What Platform Terms of Service Mean for Attorney-Client Privilege,” Morris Legal Technology Blog.

14. Morris, JD. “The Email Disclaimer Delusion: Why Your Signature Block Won’t Save Your Privilege,” Morris Legal Technology Blog.

15. Morris, JD. “The Conversation That Saves Privilege: A Client Briefing Framework,” Morris Legal Technology Blog.

16. Morris, JD. “The Backdoor to Your Client’s Inbox: Section 702, Salt Typhoon, and the Privilege You’ve Already Lost,” Morris Legal Technology Blog.

17. Morris, JD. “The Privilege Paradox: When Government Surveillance Destroys What Courts Claim to Protect,” Morris Legal Technology Blog.

18. Morris, JD. “Protecting Your Attorney-Client Privilege: Seven Rules for Every Client,” Morris Legal Technology Blog (client briefing template).

19. Morris, JD. “Your Password Is the Weakest Link in Your Security Chain,” Morris Legal Technology Blog.
