Not So Fast: Risk Managers Who Are Also Attorneys Are Not Always Protected by the Attorney-Client Privilege

Not So Fast: Risk Managers Who Are Also Attorneys Are Not Always Protected by the Attorney-Client Privilege

Risk managers who also happen to be attorneys are not always protected by the attorney-client privilege, according to a recent decision by the U.S. District Court for the Eastern District of Pennsylvania.  In Casey v. Unitek Global Services, Inc. (, the court held that communications from a company’s risk manager were not protected by the attorney-client privilege simply because the risk manager also happened to be an attorney.  Casey provides a good reminder for colleges and universities that have risk managers or similar professionals not to assume that communications from lawyers who may be acting in a non-legal capacity will be protected by the attorney-client privilege.

The plaintiff in Casey – the defendant company’s former director of risk management – sued the company for sex discrimination (and related claims).  Though the plaintiff was a lawyer, her job duties for the company involved leading the company’s risk-management and safety efforts.   Yet in litigation, the company claimed that it did not have to produce any internal communications involving the plaintiff because the plaintiff’s status as a lawyer meant that her communications were protected by the attorney-client privilege.  In other words, the company elevated the plaintiff’s status as a lawyer over her role as a risk manager.  The court did not buy the company’s argument.
The court instead held that the plaintiff did not act as an attorney for the company and therefore her communications could not be protected under the attorney-client privilege.  A number of factors led the court to this holding.  First, the company did not hire the plaintiff to be an attorney, nor did her job require “any legal knowledge, much less a” law degree.  Second, the plaintiff’s department (risk management) was separate from the company’s legal department, where the company’s general counsel resided.  Third, although the plaintiff attended litigation meetings hosted by outside counsel, she did so as a client – specifically, as a representative of the company – not as an attorney.  Plaintiff’s participation in these meetings, the court found, was to assist the company’s executives in making “strategic business decisions” related to the litigation.
Further, the court stressed that communications can be protected under the attorney-client privilege only if they are made for the purpose of seeking or providing legal advice.  To that end, communications are not protected by the attorney-client privilege just because they are sent or received by a lawyer.  Protected communications are only those confidentially made for the purpose of seeking or providing legal advice.  The court held that none of the relevant communications from or to plaintiff could meet this standard because plaintiff’s role did not involve providing legal advice.
Colleges and universities that employ risk managers or similar professionals should pause to evaluate whether potentially sensitive communications would be protected by the attorney-client privilege.  Otherwise, there is a real risk that a college or university could be forced to produce harmful communications to an adversary or third party.  Ensuring that confidential, sensitive communications are protected by the attorney-client privilege requires foresight and planning.  Although there is no precise panacea for protecting a risk manager’s communications, the following few strategies will help bring those communications under the attorney-client privilege’s shield:

  • Before initiating potentially sensitive or confidential communications, risk managers should seek and receive express authorization from counsel (in-house or outside counsel) to engage in those communications.  Doing so will help make the case that the risk manager was working at the direction of counsel.
  • If the college or university has a general counsel, incorporate the risk manager as part of counsel’s staff or have the risk manager report directly to counsel.  This will help colleges and universities show that their risk manager works hand-in-hand with general counsel.  To enhance this strategy, colleges and universities should amend the risk manager’s job description to indicate that the duties include working with and reporting to general counsel.  Organizational charts should also be updated accordingly.
  • When communicating with general counsel, risk managers should expressly state that they are seeking the advice of counsel.  Similarly, when communicating with other professionals, risk managers should explain, if true, that they are collecting information on behalf of counsel.  Applying this advice will help define the line between “business” communications and “legal” communications.  Colleges and universities that fail to recognize or blur this line do so at their own peril and risk the loss of the protection the attorney-client privilege provides.

A strategy that is guaranteed to fail is copying counsel on all e-mail communications or having counsel present for all meetings or phone calls.  Unfortunately, this practice is  common – and courts are not tolerating it.  Indeed, the Casey court noted, “To prevent corporate attorneys from abusing the privilege by using it as a shield to thwart discovery, the claimant must demonstrate that the communication would not have been made but for the client’s need for legal advice or services.”  (emphases added.)  Counsel’s presence on an e-mail chain, on the phone, or in a meeting does not always transform those attendant communications into privileged ones.  
With claims against colleges and universities on the rise, there is no better time than the present for schools to re-evaluate communications involving risk managers and related professionals.  The attorney-client privilege can be taken for granted until it is needed to protect a confidential – and 
sometimes embarrassing – communication.  But with proper forethought and action, colleges and universities can take steps to ensure that the communications of risk managers and similar employees are protected by the attorney-client privilege.  Indeed, taking that action now will avoid the potentially devastating effects of producing documents in litigation later.

If you have any questions about this article or about best practices for protecting your risk manager’s communications, please contact the author, Cory S. Winter, at 717.257.7562 or

This article appears in the Fall 2015 edition of Saul Ewing’s Higher Education Highlights newsletter. Click here to see the complete newsletter.

View Document(s):