Recently a legal administrator asked me about the protocol for copying clients on e-mails sent to opposing counsel. Turns out the lawyers in the firm were split – some believed it was okay to cc: clients; others used bcc: exclusively.
What at first seemed like a no-brainer question turned into something more intriguing. Stick with me.
To: and cc: recipients in an e-mail message are visible to each other – no doubt about that. If you want to protect client confidentiality, do not include the client as cc: recipient on an e-mail sent to opposing counsel. This is especially true in practice areas where your client’s privacy is paramount. Family and criminal law come to mind.
Therefore, you should copy the client as a bcc: recipient, correct?
Whether bcc: recipients can be easily discovered is a subject of debate in some circles. Most blogs and forums insist that bcc: recipients can never be disclosed. This is the position of Ask Leo. On the other side of the coin, an e-How article suggests that if you suspect bcc: recipients are included in an e-mail, use “Reply All” to force disclosure. (This doesn’t work, by the way. Chalk it up to an urban myth.)
So what’s the skinny? When an e-mail containing bcc: recipients is sent, the mail server strips the bcc: recipients from the e-mail header you and I receive. Back on the outgoing mail server, the bcc: recipients remain in metadata which can be discovered in server journals. (This is how Microsoft Exchange and Outlook work.) The person who sent the e-mail can also see bcc: recipients by viewing message options or changing the default settings for sent items. If you’re an Outlook user, see the directions posted here.
Does this mean bcc: is safe to use? Ninety-nine percent of the time: yes. But bugs and SMTP settings can cause bcc: recipient exposure. Do you use Outlook Express 6.0? Have you installed product updates and service packs? If not, you may be in trouble. Outlook Express 6.0 has a bug that can expose bcc: addresses. Read more here. Thunderbird users have also complained about exposure of bcc: addresses which Mozilla attributed to a Time Warner SMTP mail server bug.
But assuming you are not using a buggy mail server or an outdated e-mail program, you should be fine with bcc: addresses. If you want to be 100% sure , then avoid sending blind carbon copies. Instead, send your e-mail to the other side then forward your e-mail to the client. Granted, this creates an extra copy of the same message, but it also ensures client confidentiality. It may also avoid the confusion that can result from being a bcc: recipient since the bcc: field is often not visible by default.
Lastly, remember that e-mail may not always be an appropriate means of communication. Information that is particularly sensitive or subject to a confidentiality agreement may deserve special protection. Communicating by e-mail can also be subject to client approval and consent.
Copyright 2011 Beverly Michaelis
