In a recent blog post on Quon v. Arch Wireless, I talked about how poor policy and process cost the Ontario Police Department the right to search and review messages. There is another ongoing federal request for declaratory judgment in Washington, D.C. by a law firm, Newman, MacIntosh & Hennessy LLP. The matter at issue is whether transmittal of Electronically Stored Information (ESI) outside of the United States of America waives 4th Amendment Protection (Privilege) in light of the ongoing governmental foreign surveillance. Without diving too far into the case, the law firm wants the court to declare that it is safe to send client data to an India-based litigation support services company, Acumen Legal Services. They have also opened ethics inquiries with the D.C. and Maryland Bar Associations for guidance.
In our growing outsourced, SaaS-based economy, corporations are increasingly turning to providers outside of the United States to process, host, review and even store ESI. The consequences of this worldwide economy are slowly, and at times inconsistently, being litigated in various jurisdictions. These cases raise serious questions about corporate ownership, foreign privacy conflicts, privilege waiver and Intellectual Property waiver whenever corporate ESI is transmitted to foreign countries. Few countries have the same patent, IP and other protections for corporate ESI that have been enacted within the US.
So what about all the multinational public corporations? The ones with Exchange servers in Europe, Japan, India, China, Korea, etc.? Their internal email is crossing that same border and is subject to the foreign surveillance that has Newman, MacIntosh & Hennessy concerned about their client’s privileged email. Is corporate counsel effectively waiving privilege when they give legal advice to an overseas director? Given some European countries’ stance on employee privacy, US corporations may already be in violation of Belgian, German or French laws simply by searching and reviewing foreign employee email to comply with US regulations or discovery requests. All of this is a complicated maze of unintended consequences that most companies deal with by turning a blind eye to the foreign communication stream.
Looking beyond the obvious communication channels, some companies are starting to ask hard questions about foreign-based communication services. Because RIM’s BlackBerry servers are located in Canada, does that mean that all email sent to or from a BlackBerry has had its privilege waived? RIM’s technical documentation makes it clear that the messages are encrypted at the corporate server level, but the message headers are still exposed, and those can include more than just the address information.
Whether we are talking about email, IM, text, VoIP or any other communication stream, recent cases have challenged the presumption of corporate privacy, privilege and ownership. Proper policy and training seem to be the answer for domestic corporations that use a SaaS email provider or other US-based text/SMS provider. When dealing with worldwide infrastructure, a corporation must engage specialized counsel and actively monitor cases and publications like those of The Sedona Conference Working Group 6: International Electronic Information Management, Discovery and Disclosure. Although the rules seem to be changing, companies can make informed risk vs. cost decisions to minimize their potential exposure if they are cognizant of the issues and do not just pretend that they do not exist.