BCLP – US Securities and Corporate Governance – Bryan Cave Leighton Paisner

US Securities and Corporate Governance

Data Privacy and Security

Main Content

Court ruling highlights confidentiality risks for non-employee directors who use outside email addresses

A recent decision by the Delaware Court of Chancery highlights risks for outside directors in using third-party email systems when communicating about confidential company matters.  In that case, the court ruled that attorney-client privilege was lost because of the lack of a reasonable privacy expectation.

The case arose out of a tender offer by Softbank for shares of WeWork that was oversubscribed but terminated prior to closing. During discovery, the plaintiffs sought documents from Softbank in the custody of “dual hat” employees of Softbank and its majority-owned subsidiary, Sprint.  The documents – which related to Softbank and not Sprint – were sent to or from Sprint email accounts but withheld by Softbank on the basis of its attorney-client privilege. 

The court explained that the privilege issue turned on whether the employees had a reasonable expectation of privacy in their work email accounts, which must be decided on a case-by-case basis, and applied the four-factor test established in In re Asia Global Crossing, Ltd.:

(1) does the corporation maintain a policy banning personal or other objectionable use, (2) does the company monitor the use of the employee’s computer or e-mail, (3) do third parties have a right of access to the computer or e-mails, and (4) did the corporation notify the employee, or was the employee aware, of the use and monitoring policies? [322 B.R. 247, 257 (Bankr. S.D.N.Y. 2005)]

In this case, the court found that a number of factors supported production of the documents:

  • Although

SEC alerts public companies of increase in sophisticated ransomware attacks

The SEC’s Office of Compliance and Examinations (OCIE) issued a risk alert on July 10 about its observation of an apparent increase in sophistication of ransomware attacks on SEC registrants, including broker-dealers, investment advisers,  investment companies, and impacting service providers to public financial institutions.

Recognizing the SEC’s alert and other recent cyber incidents, we encourage all public companies, financial institutions and their service providers to consider their cybersecurity preparedness and operational resiliency to address hacking and, in particular ransomware attacks, consistent with the advice of the OCIE and the Department of Homeland Security.  This is particularly important given that OCIE once again advised financial institutions, in its 2020 Examination Priorities release, that Information Security was one of its top priorities.

In its risk alert, OCIE cited recent reports of one or more threat actors orchestrating phishing and other campaigns designed to penetrate financial institution networks, primarily to access internal resources and deploy ransomware, a type of malware designed to provide unauthorized access to institutions’ systems and deny the institution use of its system until a ransom is paid.  OCIE also noted ransomware attacks impacting service providers to public companies.

OCIE encouraged public companies and their service providers to monitor cybersecurity alerts published by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA), including the alert published on June 30, 2020, relating to a particular malware focused on financial institutions and their customers.

The OCIE alert noted that information security is a key risk area on

The attorneys of Bryan Cave Leighton Paisner make this site available to you only for the educational purposes of imparting general information and a general understanding of the law. This site does not offer specific legal advice. Your use of this site does not create an attorney-client relationship between you and Bryan Cave LLP or any of its attorneys. Do not use this site as a substitute for specific legal advice from a licensed attorney. Much of the information on this site is based upon preliminary discussions in the absence of definitive advice or policy statements and therefore may change as soon as more definitive advice is available. Please review our full disclaimer.