Does an employee who communicates with his lawyer from a company email account waive the attorney-client privilege with respect to those communications? The answer is not terribly well settled—not in Delaware and not in most jurisdictions. But a recent decision by the Delaware Court of Chancery gives Delaware employers and litigants a pretty good idea of the analysis to be applied.
The case, In re Information Management Services, is an unusual type of derivative litigation in that it involves two families, each suing the other for breaches of fiduciary duty. Two of the company’s senior executives, who were alleged to have mismanaged the company in violation of their fiduciary duties, sent emails to their personal lawyers from their company-issued email accounts. During discovery, the executives refused to produce the emails, claiming them to be protected by the attorney-client privilege. The plaintiffs sought to compel production of the emails.
The court adopted the four-factor test first enumerated in In re Asia Global Crossing, Ltd. (Bankr. S.D.N.Y. 2005), and applied it to determine whether the executives had a reasonable expectation of privacy in the contents of the emails that they sought to protect. The court determined that the executives did not have a reasonable expectation of privacy in the contents of the emails because the company’s policy expressly warned that employee emails were “open to access” the company’s staff. The policy permitted personal use of the company’s computers “after hours” but warned that, if an employee wanted to keep files private, the files should be saved offline. Thus, the policy was key in ensuring the company can now access emails between the executives and their counsel.
There are a few particularly notable points in the decision that are worth mention.
First, Delaware law generally provides great deference to the attorney-client privilege. Usually, the privilege is considered very difficult to waive. By contrast, this case suggests that a company policy is sufficient to overcome that otherwise difficult hurdle. The court goes so far as to say that a policy that prohibits all personal use would likely be sufficient to waive the privilege without any further analysis.
Second, the court seemed to place a high burden on the executives. Vice Chancellor Laster recognized that the executives wrote in the subject lines of the emails, “Subject to Attorney Client Privilege” but concluded that the failure to use webmail (such as G-Mail or Yahoo!) or encryption rendered the communications not confidential. The court wrote that there could be no reasonable expectation of privacy because:
a third party to the communication had the right to access [the] emails when [the executives] communicated using their work accounts.
The “third party” in this case was the company and its IT staff. But the holding raises questions of whether use of a service such as Dropbox, which, by its terms of service, expressly notifies users of its right to access the contents of any account, would also waive the privilege. In that case, a third party has the right to access contents so, in accordance with the court’s decision, there could be no reasonable expectation of privacy and, therefore, no privilege.
The decision is very well researched and contains a stockpile of case citations and references for those who may be interested in the subject matter. And even for those who may not be interested in the macro view of this area of the law, there is one key lesson to take away—Delaware employers should carefully review their policies to ensure that the language clearly warns employees that the company reserves the right to monitor, access, and/or review all emails sent or received from a company email account. Now, the question of whether a personal, web-based email account, accessed via the company’s servers, would be subject to the same analysis is an even trickier one and one that we’ll save for a later date.
In re Info. Mgmt. Servs., Inc., No. 8168-VCL (Del. Ch. Sept. 5, 2013).