I recently read NY Bar Association opinion 945 (link below), dealing with most of the relevant issues that arise when a lawyer learns a client is reading and retrieving e-mail from an opponent, often a spouse in a divorce proceeding though sometiems an employer or former employer in termination-related litigation.
Assume the client deduces the password to an e-mail account the client has no permission to access. The client reads e-mails, copies them, provides copies to the lawyer, and demands that the lawyer use them to impeach the author at a deposition. More concretely, assume the client is a wife who accesses an e-mail account, downloads evidence showing that husband has been having an affair, prints the evidence, gives it to the lawyer, and demands that the lawyer use it.
The opinion deals with all issues but use. My own take on the relevant issues, which largely tracks the opinion, is:
(1) May or must the lawyer tell the husband or the husband's lawyer that the client is accessing the account and reading e-mail? No. The information is confidential and the lawyer's services are not being used, even assuming it is a crime, which it may not be. (This conclusion is even easier under the CA rules, which have no exceptions for this case.) The text of 4.4(b) does not extend to this case because the documents were not inadvertently provided.
Opinion 945 gives lawyers some manuevering room to deal with uncertainty, and grounds that room in Rule 1.6(b)(6). If a case in a jurisdiction actually considered the issue and held that such a duty exists then I would agree. I am not sure the issue has been confronted squarely or resolved in these terms, however, and certainly not in all jurisdictions. The cases cited in the opinion either pertain to communications with lawyers or work product, which I think raise distinct issues, or appear to reflect passing comments rather than considered holdings.
(2) Assuming a proceeding is pending, may or must the lawyer inform the tribunal? It depends on whether the underlying conduct is criminal, which requires interpretation of the Stored Communications Act or, if applicable, a similar state law. If so, there is a plausible argument that Rule 3.3(b) applies and compels disclosure. If not, 3.3(b) does not apply and we default to the answer above. Note that courts differ on how to read the SCA in this circumstance. Orin Kerr ably surveys the terrain here. One might argue that this is fraudulent rather than criminal conduct, but that is a debatable point. Deduction is not deceit. Presumably one could argue that the e-mail system itself has been deceived because it treats a password as equivalent to authorization, and one could imagine CFAA arguments being brought to bear here, but I have not yet seen a case deciding such a claim and the answer does not strike me as obvoius. The client's conduct is sneaky, yes. Fraudulent within the meaning of Rule 3.3, I'm less sure.
(3) May the lawyer read these e-mails? E-mails between the husband and his paramour are not privileged; if the messages were between the husband and counsel then the lawyer should not read them simply to avoid disqualification, regardless whether one is willing to stretch "methods" in Rule 4.4(a) to cover this situation. (4.4(b) does not apply for the reason stated above.) 8.4(d) might fill this gap to the extent one thinks it needs filling.
(4) May the lawyer use the e-mail in the deposition (suppose the husband denies infidelity)? Assuming the statements made in the messages are true there is no issue under Rule 3.3(a). If we've gotten past the 3.3(b) issues then I see no reason the rules themselves preclude such use, though my intuition is that courts would be receptive to motions to exclude such evidence or possibly sanction lawyers trading on it.
(5) One also might argue that the lawyer has a duty to discourage, or at least not encourage, the client's conduct, to the extent it is continuing. I suspect the 1.2(d) analysis tracks the 3.3 analysis above.
I'd be interested in readers' thoughts or reactions. These are interesting issues, I think, that appear not to have been resolved definitively but which are likely to arise with increasing frequency as more of our lives are stored in the cloud.
ABA opinion 11-460 is relevant as well. It is here: Download 11_460_nm_formal_opinion.authcheckdam
And COPRAC has a relevant opinion circulating as well (though not one interpreting the CA rules, interestingly). It is here: Download 06-0004_ConfidentialInformation_10-15-12-1