Client-CPA-Attorney Privilege and Information Technology Risk
Reinstein, Alan, Seward, Jack, The CPA Journal
In the past few years, the public has seen more than 150 million records compromised: data breaches that included AICPA membership lists, losses of crucial university databases, and Big Four firms losing laptops containing confidential information (see www.privacyrights.org and Tom Zeller, Jr., "An Ominous Milestone: 100 Million Data Leaks," New York Times, December 18, 2006). The Department of Veterans Affairs reported the theft of 26.5 million Social Security numbers in May 2006 from an employee whose home was burglarized. Perhaps the best-known incident was the 2005-2006 hacking of more than 45 million files of TJX Companies, Inc. (Joseph Pereira, "Breaking the Code: How Credit Card Data Went Out Wireless Door," Wall Street Journal, May 4, 2007). None of the victims used readily available encryption technologies to protect their electronic data.
While data stored and transmitted using such conventional means as postal service, FedEx, and courier face loss and theft, using information technology (IT) creates additional risks, such as unauthorized access or damage to information arising from Trojan horses, viruses, worms, and rootkits. Portable storage devices, such as flash drives and laptops, make theft much easier. CPAs should understand the threat of malicious software and recognize the dangers of ineffective, unprotected, or improperly configured wireless networks that allow the unauthorized harvesting of electronic information.
When CPAs are entrusted with financial information by an individual or business, it is expected that those communications will be kept confidential, especially privileged information that is part of a legal action. The AICPA and the Canadian Institute of Chartered Accountants (CICA) have set up a task force to design and implement sound privacy practices and policies, including the disclosure of personal information to third parties only with a client's implicit or explicit consent.
Understanding Attorney-Client Privilege
Attorney-client privilege, a well-established principle that seeks to ensure open and candid discussions between these parties [Upjohn Co. v. United States, 449 U.S. 383, 389 (1981)], applies to "(1) communications (2) made in confidence (3) by the client (4) in the course of seeking legal advice (5) from a lawyer in his capacity as such, and [it] applies only (6) when invoked by the client and (7) not waived" [Meoli v. American Medical Service of San Diego, 287 B.R. 808, 813 (2003)]. This privilege is especially important for accountants operating in an IT environment because of the concentration of data in accessible repositories.
In ascertaining whether a communication is confidential, courts apply both a subjective and an objective test [In re Asia Global Crossing, Ltd, 322 B.R. 247, 255 (Bankr. S.D.N.Y. 2005)]. The parties must have intended and expected the communication to be confidential, and, given the facts and circumstances, the expectation of confidentiality must be reasonable.
The parties' conduct can either expressly or implicitly waive the attorney-client privilege [In re Keeper of the Records, 348 F.3d 16, 22 (1st Cir. 2003)]. An implied waiver "occurs when a party claiming the privilege voluntarily disclosed confidential information on a given subject matter to a party not covered by the privilege" [Hanson v. United States Agency for Int'l Development, 372 F.3d 286, 293-94 (4th Cir. 2004)]. Herein lies the danger to CPAs. In Asia Global Crossing, the bankruptcy court held that e-mails forwarded to third parties waived privilege. It identified four factors that can increase the risk of disclosure and could destroy the attorney-client privilege. Privilege is endangered if: 1) the company does not maintain a policy banning personal or objectionable use of its e-mail system; 2) the company does not monitor its employees' use of their computers or e-mail accounts; 3) third parties have a right of access to employees' computer or e-mail accounts; and 4) the employee was not notified of or was otherwise unaware of the policies regarding the use and monitoring of their computers and e-mail. …