In June 2014, a senior litigation counsel at Unilever sent an educational email to 46 managers in her organization. Buried inside the email’s confidentiality disclaimer, she hid a message: respond with a specific phrase in the subject line, and you win a prize. She designed the experiment to prove a point about what her colleagues actually read. Six people claimed the prize. And that was after one recipient accidentally revealed the game by hitting reply-all. Forty managers, most of them experienced professionals who handle sensitive information daily, scrolled past the disclaimer without reading a single word. The senior counsel had made her case more effectively than any memorandum could: the legal profession’s most ubiquitous security measure is invisible to the people it supposedly protects. James Merklinger, vice president of the Association of Corporate Counsel, put the broader absurdity in perspective: when every email carries the same confidentiality notice, from your defense strategy memorandum to your Chipotle lunch order, no one takes you seriously. The notice has become the legal equivalent of a car alarm blaring in a parking garage. Everyone hears it. No one responds. Courts have started saying the same thing, in language far less forgiving. ## The Direct Answer Email disclaimers are generally not legally binding and provide far less protection than most attorneys assume. They cannot create a contract because the recipient never agreed to the terms. They cannot establish privilege where none exists. Their ubiquitous use on every message, privileged or not, actively undermines any claim that you treated specific communications as confidential. The question is not whether you have a disclaimer. The question is whether your actual practices demonstrate reasonable efforts to protect client information under Model Rule 1.6(c). *This is Part 4 in the “Technology Blind Spot” series on email security. In “The Email Privacy Illusion: Part 1,” I examined how free email providers systematically process every message attorneys send and receive. In Part 2, I documented the exposure that persists when your email is secure but your client’s is not. In Part 3, I presented the portal-based solution that healthcare adopted and law has not. This installment addresses the specific delusion that sits in every attorney’s signature block: the belief that boilerplate language creates legal protection.* ## Why Every-Email Disclaimers Undermine Their Own Purpose The fundamental problem with blanket disclaimers is dilution. When the same language appears on your defense strategy memorandum and your lunch meeting confirmation, you have demonstrated that the label “privileged and confidential” carries no actual meaning in your practice. Courts notice. In Scott v. Beth Israel Medical Center, the New York Supreme Court confronted exactly this scenario. Dr. W. Norman Scott, head of the orthopedics department, communicated with his attorney about litigation against his employer using the hospital’s email system. Every email from his counsel at Paul, Weiss included the standard disclaimer: “This message is intended only for the use of the Addressee and may contain information that is privileged and confidential.” The court was unimpressed. It held that the attorney’s “pro forma notice at the end of the e-mail is insufficient and not a reasonable precaution to protect its clients.” The disclaimer, the court found, “cannot create a right to confidentiality out of whole cloth.” The communications were not privileged, regardless of the disclaimer. Attorney-client privilege requires that the communication be made in confidence with the intent to maintain confidentiality. When you apply the same confidentiality marking to every message regardless of content, you have demonstrated no selective intent to maintain confidentiality for specific communications. The automated disclaimer becomes evidence that you did not, in fact, treat any particular communication as requiring special protection. As I detailed in “The Email Privacy Illusion: Part 2,” the court examined the hospital’s email policy and monitoring practices, not the footer boilerplate, when assessing privilege. ## The Contract Problem: No Agreement, No Obligation Email disclaimers attempt to create contractual obligations on the recipient to maintain confidentiality, delete if misdirected, and refrain from disclosure. This legal theory fails at the threshold: contract formation requires mutual assent, and receiving an email does not constitute agreement to its terms. Ryan Calo, then at Stanford Law School’s Center for Internet and Society, explained the mechanics plainly: disclaimers try to establish a nondisclosure duty between sender and recipient, functioning like any other contract. Both parties must agree to the terms. Nothing in the act of simply receiving a message gives rise to such an agreement. In practice, as courts have found, disclaimers merely put the recipient on notice rather than create an enforceable obligation. And that notice function collapses under the weight of its own ubiquity. The Unilever experiment demonstrated what every attorney already suspects: virtually no one reads the text below a signature block. As I documented in “Your AI Tool Doesn’t Keep Secrets,” platform terms of service function as disclosure agreements that most users never read. Email disclaimers operate on the same broken assumption: that including language creates the legal effect of reading language. ## When Your Client Clicks Forward: The Waiver Risk Disclaimers Cannot Address No limitation of email disclaimers is more consequential than their complete inability to prevent privilege waiver when communications are forwarded. Voluntary disclosure of privileged communications to third parties waives the privilege. No footer language changes this. In Semsysco GmbH v. GlobalFoundries Inc., the New York Supreme Court found that privilege was waived when a company’s CEO forwarded an email chain containing attorney-client communications to the opposing side. The CEO claimed he intended to forward only the “top email” of the chain, inadvertently including the privileged communications below. The court was unsympathetic: the plaintiff had failed to show the disclosure was inadvertent or that they acted promptly after discovery. The forwarded email chain, disclaimer and all, constituted waiver. Modern email systems compound this risk. Smartphone apps combine email chains in ways web-based clients do not, making it disturbingly easy to inadvertently include privileged content when forwarding a seemingly innocuous top message. The ubiquitous cc and forward buttons make sharing privileged content so easy that clients often do not think twice before pressing send. As I discussed in “The Conversation That Saves Privilege,” a five-minute briefing at engagement about forwarding risks prevents more privilege waiver than any disclaimer ever drafted. Federal Rule of Evidence 502(b) provides some protection for inadvertent disclosures during discovery, but only where the holder took “reasonable steps to prevent disclosure” and “promptly took reasonable steps to rectify the error.” A disclaimer that appears on every email, read by virtually no one, is unlikely to satisfy the “reasonable steps” requirement. ## What the Ethics Rules Actually Require ABA Model Rule 1.6(c) requires attorneys to make “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Comment 18 clarifies that the reasonableness of efforts depends on factors including the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of additional safeguards, and the difficulty of implementing them. ABA Formal Opinion 477R addressed electronic communications specifically, noting that attorneys should “label client confidential information” and that this “can also consist of something as simple as appending a message or ‘disclaimer’ to client emails, where such a disclaimer is accurate and appropriate for the communication.” That qualifier is critical: the Opinion does not endorse blanket disclaimers on every message. It contemplates targeted use where the disclaimer actually applies to a communication that is, in fact, privileged and confidential. Opinion 477R further emphasizes that attorneys must “discuss with the client the level of security that is appropriate when communicating electronically.” This is an affirmative obligation to have conversations about communication security, not to rely on boilerplate that clients neither read nor understand. New York State Bar Association Ethics Opinion 782 reinforced this principle, requiring lawyers who use technology to communicate with clients to “use reasonable care with respect to such communication” and to “assess the risks attendant to the use of that technology.” ## The Strongest Case for Keeping Disclaimers Credit where due: the most credible defense of email disclaimers comes not from attorneys who believe they create privilege, but from those who correctly note that Opinion 477R includes disclaimers among its recommended practices, and that some courts have weighed disclaimers favorably as one factor in privilege determinations. This argument has legitimate support. In Diodato v. Wells Fargo Insurance Services, a federal court in Pennsylvania found that emails carrying confidentiality disclaimers were protected by privilege. The disclaimers contributed to the court’s conclusion that the communications were intended as confidential. ABA Formal Opinion 11-459, issued in 2011, recognized that disclaimers can serve as one component of a reasonable confidentiality regime. Removing all disclaimers from genuinely privileged communications would eliminate even that marginal protective signal. The proportionality logic is also valid. Model Rule 1.6 requires “reasonable efforts,” not maximum security. Comment 18 explicitly states that the reasonableness standard does not require “special security measures if the method of communication affords a reasonable expectation of privacy.” For routine, low-sensitivity communications, a disclaimer may be the only practical measure. Where this argument becomes indefensible is in the gap between targeted use and blanket application. The Diodato court weighed disclaimers because the underlying communications genuinely involved privileged legal advice. Scott v. Beth Israel reached the opposite result because the disclaimer appeared pro forma, without regard to actual content. The distinction is everything. A disclaimer on a genuinely privileged communication may contribute to a privilege claim. The same disclaimer on every message, including lunch confirmations and office announcements, transforms from a protective measure into evidence of indiscriminate, unreflective practice. The recommendation from the Association of Corporate Counsel is precise: mark specific privileged communications as such, preferably in the subject line. Do not mark everything. ## What Healthcare Figured Out That Law Has Not Healthcare providers face analogous confidentiality obligations under HIPAA. When was the last time your doctor emailed you test results? If your provider follows the law, the answer is never. You will receive a letter, a phone call, or a notification to log into a secure portal. They understand that email is not a secure medium for sensitive information. They also understand that a disclaimer at the bottom of an email does not change that fact. ## The Email Disclaimer Delusion Email disclaimers are the legal equivalent of a car alarm blaring in a parking garage. Everyone hears it. No one responds. The senior counsel at Unilever who hid the prize in her disclaimer demonstrated in five minutes what Scott v. Beth Israel confirmed in a published opinion: the words at the bottom of your emails create no protection because no one reads them, no court enforces them, and their blanket application signals the opposite of what you intend. Your clients trust you with their most sensitive matters. That trust assumes you have taken basic precautions to protect their information. In 2026, basic precautions do not include boilerplate language that courts dismiss, clients ignore, and opposing counsel actively exploits. They include actual security measures: portals, encryption, informed consent, and documented policies. The tools exist. The cost is minimal. The only missing element is the willingness to abandon comfortable delusions for uncomfortable competence. The question is not whether your disclaimer is well-drafted. The question is whether your practices will survive scrutiny when the privilege you thought you had becomes the waiver you cannot explain. This blog provides general information for educational purposes only and does not constitute legal advice. Consult qualified counsel for advice on specific situations. About the Author JD Morris is Co-Founder and COO of LexAxiom, an AI platform for the business of law, with over 20 years of enterprise technology experience at companies including VMware, Dell, Huawei, and EMC. He holds an MLS from Texas A&M, MEng from George Washington University, and dual MBAs from Columbia Business School and Berkeley Haas. His work focuses on legal technology, cybersecurity, and professional responsibility. LinkedIn: http://www.linkedin.com/in/jdavidmorris | X: @JDMorris_LTech | Bluesky: @JDMorris-ltech.bsky.social References 1. ABA Model Rules of Professional Conduct, Rule 1.1, Comment 8 (Technology Competence, 2012 amendments). 2. ABA Model Rules of Professional Conduct, Rule 1.6(c) and Comments 18-19 (Reasonable Efforts to Prevent Unauthorized Disclosure). 3. ABA Standing Committee on Ethics and Professional Responsibility, Formal Opinion 477R, “Securing Communication of Protected Client Information” (May 22, 2017). 4. ABA Standing Committee on Ethics and Professional Responsibility, Formal Opinion 99-413, “Protecting the Confidentiality of Unencrypted E-Mail” (1999) (superseded by Opinion 477R). 5. ABA Formal Opinion 11-459, “Duty to Protect the Confidentiality of E-mail Communications with One’s Client” (August 4, 2011). 6. Scott v. Beth Israel Medical Center, Inc., 17 Misc.3d 934, 847 N.Y.S.2d 436 (N.Y. Sup. Ct. 2007). 7. Semsysco GmbH v. GlobalFoundries Inc., No. 652719/2016, 2019 NY Slip Op. 30664(U) (N.Y. Sup. Ct. Mar. 15, 2019). 8. Diodato v. Wells Fargo Insurance Services USA, Inc., 2013 WL 3524829 (M.D. Pa. July 11, 2013). 9. Federal Rules of Evidence, Rule 502 (Attorney-Client Privilege and Work Product; Limitations on Waiver). 10. CPLR 4548 (New York Civil Practice Law and Rules: Electronic Communications and Privilege). 11. New York State Bar Association Committee on Professional Ethics, Opinion No. 782 (December 8, 2004). 12. Association of Corporate Counsel, “Privilege and Confidentiality Disclaimer: Wisdom of the Crowd” (April 2015, republished November 2025) (James Merklinger quoted; Courtney Ozer, Senior Counsel – Litigation, Unilever, disclaimer experiment described). 13. Ryan Calo, Center for Internet and Society at Stanford Law School (quoted in Chicago Tribune, August 2011). 14. James Sinclair, “Alright, Fine, I’ll Add a Disclaimer to My Emails,” McSweeney’s Internet Tendency. 15. Buffett, Warren E., Berkshire Hathaway Annual Letter to Shareholders (2001) (“swimming naked” observation on risk exposure). 16. Morris, JD. “The Email Privacy Illusion: Part 1 of 3: Why Your Free Email Account Is the Biggest Risk to Your Bar License,” Morris Legal Technology Blog. 17. Morris, JD. “The Email Privacy Illusion: Part 2 of 3,” Morris Legal Technology Blog. 18. Morris, JD. “The Email Privacy Illusion: Part 3 of 3: What Healthcare Figured Out About Confidential Communication That Law Has Not,” Morris Legal Technology Blog. 19. Morris, JD. “Your AI Tool Doesn’t Keep Secrets: What Platform Terms of Service Mean for Attorney-Client Privilege,” Morris Legal Technology Blog. 20. Morris, JD. “The Conversation That Saves Privilege: A Client Briefing Framework,” Morris Legal Technology Blog. 21. Morris, JD. “Your Password Is the Weakest Link in Your Security Chain,” Morris Legal Technology Blog. 22. Morris, JD. “The Backdoor to Your Client’s Inbox: Section 702, Salt Typhoon, and the Privilege You’ve Already Lost,” Morris Legal Technology Blog. 23. Morris, JD. “Why Hackers Target Law Firms: Where All the Secrets Are Buried,” Morris Legal Technology Blog. 24. Morris, JD. “The FBI Says Stop Texting: The Privilege Problem Nobody’s Discussing,” Morris Legal Technology Blog. 25. Morris, JD. “17 Subprocessors Deep,” Morris Legal Technology Blog.

Originally published on LinkedIn Newsletter: The Technology Blind Spot