Sophisticated companies are well aware of the importance of maintaining the attorney-client privilege, and often take great pains to design protocols to make sure their counsel and employees protect that privilege. But during high-stakes litigation involving their most senior personnel, some find that privilege called into question due to their own personnel's use of another company's email account on those communications. This issue often surfaces when a company's director takes part in privileged communications using the email account of another company that director is also affiliated with. Last week, in Twitter v. Musk, the Delaware Court of Chancery grappled with the issue in deciding whether Elon Musk could claim privilege over communications related to his proposed purchase of Twitter that he sent and received from his email accounts associated with two entities of which he is the CEO but that had no role in the disputed merger: Tesla and SpaceX. In this instance, the court held that Musk successfully demonstrated an objectively reasonable expectation of personal confidentiality in the SpaceX and Tesla emails, and thus that the attorney-client privilege shielded the documents from production. But the court's discussion makes clear that under slightly different facts Musk could have been required to disclose to Twitter sensitive communications he made believing they were privileged, and provides a good reminder of the care that companies must take to make sure the privileged communications of their directors and other senior personnel are protected.

To be protected under the attorney-client privilege a communication must be confidential. But the fact that a party intends confidentiality, and subjectively believes the communication will remain confidential, is not enough. Under Delaware law, a party's "subjective expectation of confidentiality must be objectively reasonable under the circumstances." The question whether a party had an objectively reasonable expectation of privacy is highly fact-intensive and decided on a case-by-case basis, with the burden on the party asserting the privilege to prove it applies.

When a company seeks to assert the attorney-client privilege over a communication that one of its officers, directors, or employees sent or received over another company's email account, courts in Delaware and other jurisdictions apply the four-factor test first described by the Southern District of New York in In re Asia Global Crossing, Ltd. These four factors—which, as the court in Twitter v. Musk explained, primarily seek to ascertain "whether company policies and historical practices [make] it reasonable for employees to expect privacy in company-sponsored emails"—are:

  1. Whether the corporation maintains a policy banning personal or other objectionable use;
  2. Whether the company monitors the use of the employee's computer or email;
  3. Whether third parties have a right of access to the computer or emails; and
  4. Whether the company notified the employee, or whether the employee was aware, of the use and monitoring policies.

In this case, both Tesla and SpaceX had general policies concerning email monitoring that, on their own, may have prevented Musk from reasonably expecting privacy, thus preventing a claim of attorney-client privilege. SpaceX's written policy, for example, warned that users have "no expectation of privacy or confidentiality when using [SpaceX] resources" and also "reserve[d] the right to review all emails, text messages and other communications that are sent or received on SpaceX equipment, SpaceX accounts, or the SpaceX network." And while the use of company email for non-company purposes was not expressly banned, Tesla warned that "[e]mployees should not use Tesla owned communications systems and devices as a means of communicating or storing information about their personal lives."

Though the court acknowledged that it had previously "treated policies nearly identical to those . . . as weighing in favor of production and effectively dispositive of the Asia Global analysis," here these written policies were outweighed by the evidence Musk put forward on how these policies were carried out in practice, and in particular how they were applied to Musk himself.

Despite the broad language reserving the right to monitor employee emails, both companies also had policies limiting the instances in which they would exercise that right. Each would access employee emails only after securing approval from their Legal and Human Resources departments, and only where necessary to investigate an issue or conduct business (such as after an employee has left the company). According to the court, these policies suggested than an employee "might reasonably expect privacy over personal communications unless the employee is acting contrary to company guidelines."

Musk also provided affidavits attesting that, despite these written policies' stated application to all employees, each company had also adopted unwritten "Musk-specific rules" that exempted Musk himself from the company's default policies. According to those affidavits, no one at either company could access Musk's emails without Musk's own express consent, except "to the extent legally necessary." Further affidavit testimony from Tesla and SpaceX swore that no personnel at either company had ever accessed Musk's emails, except for purposes Musk had authorized or "as legally necessary."

The court found that these mitigating considerations "outweigh[ed] the generic policies that diminish employee privacy expectations." As a result, according to the court, all four Asia Global factors weighed in Musk's favor and against the production of documents.

Takeaways

While Musk was not required to produce his documents, the court's analysis demonstrates the real risk that privilege can be waived through an individual's use of one company's email account to discuss another company's confidential and privileged information. Key takeaways for companies and their officers and directors include:

  • Personal communications on employer email accounts are fraught with confidentiality and privilege concerns.
  • Directors and officers should avoid discussing company business using email addresses associated with other entities. Likewise, companies should take steps to encourage their directors and officers not to use email addresses associated with other entities when communicating about company business.
  • Companies should also encourage their directors and officers not to use that company's email system to conduct or discuss any other company's business. While it is only the "other company's" privilege that is at risk from such use, the company whose email system is used may also be dragged into privilege or discovery fights, resulting in expense, disturbance, and other burdens.
  • If use of another entity's email address is challenged in connection with a privilege dispute, courts may look past the veneer of corporate policies that purport to monitor work email accounts and to ban the personal use of those accounts. The party seeking the privilege protection should work with the email user and the company controlling that email account to seek and provide evidence supporting the user's reasonable expectation of confidentiality. The burden is on the party seeking the privilege protection, and in Twitter v. Musk it was Musk's documentary and affidavit evidence that carried the day.

Originally published 21 September 2022

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.