In connection with the 'cash for peerages' scandal, there were a number of mentions in the press about secondary email systems, following rumours about the existence of such a system within Downing Street. Do secondary email systems exist? How do they work and why are they used? And what should lawyers and regulators know about disclosure of evidence from them?

It is not uncommon for financial services, insurance, healthcare and government departments to operate two email systems. One email system is 'open' and used for general corporate communications; the other is a 'private' system and is for the so-called trusted few.

These private systems are usually seen as a safe and secure way of communication between members who have access to the system. Depending upon the level of security required, they can operate over secure, isolated networks, they may not be connected to the internet and they often employ sophisticated levels of encryption.

Organisations frequently operate multiple systems and separate locations exist to maintain and manage the complex infrastructure. Due to the complexity of these systems and information security concerns, knowledge of all these operating systems is not always easy or obvious.

But while such systems and the communication on them may be generally safe from the eyes of the outside world, the information contained on them is ultimately within the organisation or company's possession and control and thus may be relevant and disclosable in any litigation or regulatory context.

How do secondary email systems work?

As people become more sophisticated in their knowledge and understanding of the use and risk of email – and as technology becomes more utilitarian – private systems have evolved between private individuals and often those holding public offices of government or corporate positions. They are intended to serve personal or professional limited-use needs, but their use is still governed and subject to regulatory and statutory obligations.

There are many different kinds of email systems but they can generally be classed as either primary or secondary. Primary email systems are those that are used for purposes such as public business. Secondary systems are those that may be used as back-up systems or for private or personal communications.

These primary or secondary systems can also be configured to be 'open' or 'closed'. An open system is one that essentially connects to the internet so that users from different domains or businesses can communicate with each other. A closed system is one that is confined within the physical bounds of a company's network, or possibly even so that only people with specific access to certain computer resources or specific terminals have the ability to use that type of messaging system.

Open systems have evolved as the primary email communication medium between public domains and accounts. With limits set on acceptable use and technical filters to manage issues such as computer viruses, open systems can generally send and receive electronic messages between non-affiliated individuals. Closed systems have similarly evolved as secure or isolated private communication applications and networks, where unique access accounts and complex controls and protection methods (such as authentication or encryption) are employed. More specifically, if an email system allows sending and receiving from internet domains, it can be considered 'open'. But if it restricts to a limited set (or single) domain configuration and is isolated from other domains, physically and logically, it is 'closed'.

Closed systems often employ complex security protocols and encryption throughout the network, including sender and receiver identity. Open systems may do the same, though with certain restrictions on addresses and acceptable formats according to standards that allow messages to transfer between exchanges. In any case, whether open or closed systems, encryption and secure two-way messaging can be employed to provide additional protection to email communications.

Encryption does not by itself provide an open or closed system. That is defined by the accessibility of the system to general public domain use. This, and a general lack of understanding of the fundamental construct of (open) email systems as public utilities by design, can lead to interesting issues and embarrassing problems for individuals and companies. Even if a message is encrypted or if the session is believed to be secure between sender and receiver, if it passes via a public address over a public service (such as the internet) it is susceptible to interception – and even if it takes time and extensive computer resources, it is possible to read the content. Open systems are open to the public. Closed systems provide some protection but that protection is only as good as the physical protection from limited users and means of use.

Public and private email communications are concepts that have come about because of the relative capabilities of a company or individuals to actually protect their communications. These designations are results of policy, whether legal statutes or general public practices.

It is common practice for employees at all levels within an organisation to turn to public email systems such as Yahoo! or Hotmail to communicate privately. What they may not know, and what lawyers may not always realise, is that these so-called 'private' communications on these public email systems may be discoverable simply because company resources have been utilised and that use has been documented in web and router logs of internet traffic. These communications may in the end not be relevant to the legal proceedings, but without discovery and analysis, lawyers will not be able to exclude them.

Lessons for lawyers

Lawyers, regulators and investigators should consider whether their own client or the other side is the sort of organisation that might operate a secondary email system (for example, financial services institutions or government departments). In terms of seeking disclosure from another party, consideration should be given to notifying the other party that the search for evidence should include a review of any such secondary or private email systems.

In litigation in the US, this notification can be given from one party to the other in the form of the pre or early action 'preservation letter' and then as part of the parties' ongoing 'meet and confer' obligations.

In England and Wales, the October 2005 amendments to the Civil Procedure Rules (CPR) require or expect a climate of openness between the parties in terms of the extent of the search that each party will undertake, especially in preparation for and at the case management conference stage. The fallback position under the CPR is the ability to commence specific disclosure proceedings against the other party for non-disclosure should it try to hide these secondary systems.