A board of directors is privy to a corporation’s most sensitive information. As a result, directors’ communications present one of the most significant data-security and electronic-discovery risks.

Wise general counsels are thinking critically not only about how to prevent security breaches but also about preparedness for litigation involving information in directors’ custody.

Data Control vs. 
Ease of Access

The demands on today’s corporate directors are greater than ever. A recent Thomson Reuters survey of corporate secretaries and general counsels found that directors received an average of 10,672 pages of confidential board packet material in 2012 — a more than 50 percent increase from 2011.

In this environment, ease of access to information is crucial. Many directors must communicate about company business while at their own places of work, when traveling, while on vacation, and via multiple computing devices. Balancing the need to accommodate a busy director’s desire for timely access to information against security and discovery concerns is difficult.

Most respondents in the Thomson Reuters survey said they do not issue corporate email addresses to outside directors. As a result, some directors send and receive data from personal gmail or hotmail accounts, and other directors use email addresses hosted by their own places of work.

A significant number of respondents in the Thompson Reuters survey said they send board packets to directors via email. Some have attempted to address the risks inherent in transmitting confidential board information to personal or day-job email addresses through the use of board portals. These portals, such as Directors Desk and BoardVantage, purport to provide a secure method for data transmittal, but they only solve part of the problem.

Directors often communicate with each other, company executives, and third-parties outside the context of board portals. Over 70 percent of respondents in the Thompson Reuters survey indicated that directors communicate about company business via personal devices not owned or controlled by the corporation. In other words, highly sensitive (and potentially discoverable) corporate communications reside in locations over which the director, not the corporation, has control.

Risks of Litigation Involving Director Communications

Directors’ communications are at the heart of highly litigated matters such as mergers and acquisitions, corporate governance issues, and executive compensation.

It is difficult to imagine an e-discovery nightmare more harrowing than sanctions for spoliation or mishandling of directors’ documents. But the data shows that corporations may not be as prepared as they could be for litigation in which director communications become relevant.

For example, just over 60 percent of respondents in the Thompson Reuters survey have document-retention policies that address directors’ emails. In other words, although a company may have elaborate policies covering employees, these policies may not address email stored in directors’ personal accounts or at the directors’ own places of work. In addition, when litigation hits, corporations routinely issue preservation notices to employees. However, legal departments may not typically distribute such notices to relevant outside directors.

An unprepared corporation is on a collision course with increasingly tough e-discovery standards. Cautionary tales from the Zubulake cases and the Qualcomm v. Broadcom litigation abound. Recently, the Delaware Court of Chancery (which often sets the standard for corporate governance) has opined on e-discovery obligations in cases involving directors’ electronic data.

In a June 2009 case, Grace Brothers, Ltd. v. Siena Holdings, the Court of Chancery granted a motion to compel directors to produce company-related emails from their personal email accounts. The court rejected the argument that searching directors’ personal emails would be cumulative and duplicative. Instead, the court took the company to task for “fail[ing] to even ask that the directors look for any relevant emails in their accounts.”

More recently in April 2010, the Court of Chancery ruled in a telephonic hearing in Roffe v. Eagle Rock Energy, G.P., C.A. that directors (who were defendants in the case) could not be the ones who reviewed and collected their own email. The court stated: “We don’t rely on people who are defendants to decide what documents are responsive.” The directors at issue had been using personal email accounts to conduct committee business. The court rejected arguments about the burden of sifting through personal and other confidential, non-responsive information to find emails that would be largely duplicative. Referring to one director, the court commented: “If he chose to use his personal computer, well, that was his bad choice . . . And if he has it mixed in with other stuff that he gets . . . that was his bad choice. That makes it all the more essential that a lawyer . . . go through his email and make sure that . . . what is responsive is appropriately produced.”

Questions GCs Should be Asking About Directors’ E-discovery Preparedness

To avoid difficult conversations with a director about searching personal or other non-relevant confidential files after litigation hits, counsel should be asking the following questions:

Do the corporation’s document retention, collection, and preservation policies apply to corporate data controlled by its outside directors at their own places of business?

Does the corporate secretary transmit board books through a secure portal over which the corporation has control?

For communications that do not occur over secure board portals, is it practical to issue corporate email addresses to outside directors and ask those directors to exclusively use these email addresses for board business?

If not, have outside directors acknowledged that their email accounts and computing devices used for board business may be subject to discovery in litigation?

Once litigation hits, should certain directors receive a litigation hold notice?

Is counsel sufficiently involved, or is the corporation relying solely on the directors to preserve and collect relevant data?

Addressing these issues before litigation strikes is key to managing expectations and risks when discoverable data resides in an outside director’s control.