The Delaware Chancery Court held that the attorney–client privilege did not cover a corporate executive’s emails with his personal lawyer because he sent the emails through the company’s email account. The company maintained a policy that it may monitor employee emails, and the court found this policy nullified the executive’s reasonable expectation of privacy. In re Information Management Services, Inc., 2013 WL 5426157 (Del. Sept. 5, 2013).
In this shareholder’s derivative action, a shareholder sued two company executives for breach of fiduciary duties. The executives sent 362 emails to their personal lawyers about the alleged mismanagement using their work email accounts. The company moved to compel these emails claiming that the attorney–client privilege did not apply because the company reserved the right to monitor all email communications and therefore the executives had no reasonable expectation of privacy.
The company policy manual notified employees that it had unrestricted access to communications sent using the company’s computers and email servers. The policy stated: “You should assume files and Internet messages are open to access by [company] staff.”
One of the signature elements of the attorney–client privilege is that putatively privileged communications must be “confidential when made.” The court noted that, in the ordinary course of business, employees who send communications within the company over the employer’s email system can reasonably expect that outsiders will not have access to the system. But an employer’s policies and procedures may alter the employee’s reasonable expectation of privacy. The question for the court, therefore, was whether these executives had a reasonable expectation of privacy for the 362 emails sent to their personal attorneys using the company’s email system.
The court applied the four factors originally enunciated in In re Asia Global Crossing, Ltd, 322 B.R. 247 (Bankr. S.D.N.Y. 2005) to determine the executives’ reasonable expectation of privacy. These include:
- Whether the corporation maintains a policy banning or restricting personal use, or informs employees that they have no right of personal privacy in workplace emails, or advises employees that it monitors or reserves the right to monitor emails;
- Whether the company monitors the use of employees’ computer or email and the extent to which the employer adheres to or enforces its policies and employees’ knowledge of or reliance on deviations from the policy;
- Whether third parties have a right of access to the computer or emails; and
- Whether the corporation notified the employee, or was the employee aware, of the use and monitoring policies.
No one factor is dispositive; nor are all four factors required. The court, rather, balanced these factors to determine “whether the employee’s intent to communication in confidence was objectively reasonable.”
Applying these factors, the court decided that the executives did not have a reasonable expectation of privacy. The company maintained a policy notifying employees that it monitored emails, the executives knew it, and took no actions to secure privacy other than putting “subject to attorney client privilege” in the emails’ subject lines. In short, the confidentiality element was missing, and the attorney–client privilege consequently did not apply.
Webmail and Work Email Distinguished
The court noted a difference between an employee using the company’s email account and the employee accessing a webmail account, such as Gmail or Hotmail, through the company’s Internet. It noted that courts generally afford greater privacy protection to webmail but have reached divergent conclusions when analyzing whether an employee had a reasonable expectation of privacy in privileged emails sent through a webmail account using the company’s Internet.
The court also noted that a different result may occur when it is a third party seeking access to the employee’s workplace communications to a personal lawyer rather than the company. In litigation between a company and employee, an employee has little expectation of privacy if the company maintains a monitoring policy as described in this case. But the expectation of privacy is likely greater when a third party seeks access to these emails.