Court ruling highlights confidentiality risks for non-employee directors who use outside email addresses

A recent decision by the Delaware Court of Chancery highlights risks for outside directors in using third-party email systems when communicating about confidential company matters.  In that case, the court ruled that attorney-client privilege was lost because of the lack of a reasonable privacy expectation.

The case arose out of a tender offer by Softbank for shares of WeWork that was oversubscribed but terminated prior to closing. During discovery, the plaintiffs sought documents from Softbank in the custody of “dual hat” employees of Softbank and its majority-owned subsidiary, Sprint.  The documents – which related to Softbank and not Sprint – were sent to or from Sprint email accounts but withheld by Softbank on the basis of its attorney-client privilege. 

The court explained that the privilege issue turned on whether the employees had a reasonable expectation of privacy in their work email accounts, which must be decided on a case-by-case basis, and applied the four-factor test established in In re Asia Global Crossing, Ltd.:

(1) does the corporation maintain a policy banning personal or other objectionable use, (2) does the company monitor the use of the employee’s computer or e-mail, (3) do third parties have a right of access to the computer or e-mails, and (4) did the corporation notify the employee, or was the employee aware, of the use and monitoring policies? [322 B.R. 247, 257 (Bankr. S.D.N.Y. 2005)]

In this case, the court found that a number of factors supported production of the documents:

• Although Sprint does not have a clear policy banning personal use of email, its code of conduct made clear that employees have no right of personal privacy in work emails and that it reserved the right to monitor those emails
• Although no evidence was produced showing Sprint’s monitoring practice, Sprint explicitly reserved the right to do so
• The individuals took no significant or meaningful steps to defeat access by Sprint, such as shifting to a webmail account or encrypting their communications
• Circumstances indicated that the individuals were aware of Sprint’s email policies and could not have had a reasonable expectation of privacy when using Sprint email accounts

The court rejected Softbank’s argument that the four-factor test did not apply simply because Sprint was not the party seeking to overcome privilege.  The court likewise rejected the observation that Sprint’s code of conduct acknowledged that Sprint would protect the privacy of its employees’ email accounts.  Finally, the court rejected Softbank’s argument that the individuals’ duties of confidentiality to Softbank overrode Sprint’s rights under its code of conduct – due to the absence of any agreements with Sprint authorizing use of its email accounts for Softbank-related purposes. 

In light of this decision, companies may want to review the email practices of its directors and others with which it shares confidential communications, including seconded employees or “dual hat” employees who work for subsidiaries.  With respect to directors in particular, companies may wish to alert their directors to only utilize the company’s email accounts, board portal or, if confidentiality can be assured, personal email accounts.  The court did allude to the possibility of arrangements with an outside director’s employer to protect the confidentiality of email communications; however, this was not definitively addressed and may be difficult to implement.  The court also suggested that it may not have found a waiver of privilege for communications sent to or from employees of a wholly-owned subsidiary, but it should be observed that the court found a waiver even though Softbank’s ownership of Sprint was not a bare majority, but rather an 84% supermajority.  The court also did not address how the considerations might impact other business confidentiality concerns beyond the attorney-client privilege.