Red Flags Everywhere! – Ten Risks for Directors – Week 7

Each week for the next 10 weeks, we will publish an installment of our Red Flags Everywhere! series, highlighting key risk areas that public companies and their board of directors should keep top of mind.

This series will serve as a lead up to MoFo’s upcoming Red Flags and Red Wine Tabletop program taking place in our Palo Alto office on May 7. Members of our Securities Litigation, Employment and Labor, and Capital Markets Groups will guide attendees through a ripped-from-the-headlines fact pattern designed to spark interactive discussion and practical analysis that will be valuable to every board advisor.

This week, we focus on board communications. Directors should treat all business communications as potentially discoverable. Mitigate risk by keeping board matters in company-controlled, formal channels, rather than personal platforms and devices.

If you are interested in learning more about MoFo’s Red Flags Everywhere Tabletop event, please reach out to Deborah Argueta. See all the Red Flags client alerts.

Board Communications Can Become Evidence: Directors Should Treat Email, Text, and Messaging Hygiene as a Governance Issue

If you are a director of a company, there is a good chance that you or the company you serve will face litigation at some point. Litigation often involves the collection and production of documents and data, including, potentially, directors’ documents and data. If directors use personal email accounts, personal phones, or third-party messaging apps for company business, which is common, those sources may also be subject to collection. Not only is the collection of directors’ personal devices and emails highly invasive, but it may also raise attorney-client privilege concerns. This alert provides practical tips to mitigate risks around board communications, including risks arising from the platforms and devices the board uses to communicate, the storage of board communications, and board communication on sensitive topics.

Use only dedicated email for company business.

If you take away anything from this alert, remember this: outside directors should use dedicated email addresses for company business, preferably company email addresses. Unfortunately, it is common for directors to use personal email addresses for company business, or worse, other company email addresses. For example, a director who sits on the board of Company A while also serving as an executive at Company B may receive Company A board communications on the director’s Company B email address. This creates multiple problems.

First, because those communications are now on Company B’s servers, they are subject to Company B’s email policies, which may mean those communications are no longer deemed confidential or subject to Company A’s attorney-client privilege. Courts across numerous jurisdictions have held that board documents and communications that are sent to email accounts controlled by other companies may not carry an expectation of privacy and may not be protected by attorney-client privilege. Several courts have followed a four-part test to determine if an outside directors’ use of another company’s email account can waive attorney-client privilege:[1]

1. Does the company maintain a policy banning personal or other objectionable uses?
2. Does the company monitor the use of employees’ computer or email?
3. Can third parties access the computer or email?
4. Did the company notify the employee, or was the employee aware, of any such use and monitoring policies?

If the answer is “yes” to any of these questions, there is a risk that these communications will not be deemed confidential, and, therefore, will not be privileged.

There is also burden and expense associated with collecting emails from a third party. Litigants may subpoena Company B to retrieve the director’s communications, forcing Company B to isolate Company A materials, which again undermines any claim of confidentiality over those communications.

Similar issues arise when directors use personal email accounts or personal devices for company business. Texting about company business on personal phones may make those devices relevant in litigation. As a sign of the times, recent cases have involved executives using AI platforms for analysis and advice.[2] Again, litigants can and will subpoena the directors’ personal email accounts, AI chats, and text messages to obtain relevant communications. Spoiler: the AI chats were not privileged.[3] While this may feel like an invasion of privacy, if it concerns the business, there is an argument that the material may be discoverable.

These risks are mitigated when directors use company email exclusively for company communications. This practice makes collection narrower, preservation easier, and inadvertent privilege waiver less likely.

If that is not possible, the next-best alternative is for directors to use a dedicated personal email account, encrypt the communications, and segregate company communications from unrelated or personal communications. This approach still creates some collection burden, but it mitigates the risk of inadvertent waiver of attorney-client privilege.

Manage retention settings before there is a problem.

Directors should also understand where their company-related data lives and how long it stays there, including email, text messages, messaging apps, voicemail, cloud backups, and devices. When a dispute, investigation, or demand appears, routine deletion settings should be reviewed immediately and, where appropriate, suspended. Again, this task is much easier if all data is stored within the company’s systems. Regardless, directors face potential personal liability or court sanctions for spoliation, meaning the destruction of, or failure to preserve, evidence relevant to litigation.

In a recent case involving breach of fiduciary duty claims against the directors of a social media company, the Delaware Court of Chancery considered sanctions against two directors for failing to preserve data. During discovery, it was revealed that the directors had discussed company business on personal email accounts and had failed to preserve those materials after litigation was filed. One director had a practice of regularly deleting emails more than 30 days old, while the other had a six-month auto-delete rule. The court found both practices problematic, explaining that individuals must disable auto-delete functions and otherwise preserve relevant emails and texts.

Importantly, preservation obligations arise only when directors reasonably anticipate litigation, or in connection with specific regulatory requirements. For most outside directors, the trigger will be a litigation hold notice issued by the company. Absent preservation obligations, auto-delete settings are perfectly acceptable, and often helpful. But the moment you anticipate litigation, such as when you receive a litigation hold notice, you should review your deletion settings and suspend them as needed.

Discuss the most sensitive subjects live—by phone or in person—then document the actual decision through formal channels.

There is a difference between thoughtful discussion and the unnecessary creation of discoverable rhetoric. For especially sensitive topics, such as CEO issues, crisis response, or accusations of executive misconduct, directors should consider live conversations rather than sprawling email chains or text exchanges. That is not about hiding the ball. Final decisions, directions, and materials still belong in proper board records. It is about reducing the creation of casual written commentary that can later be stripped of context and treated as the “real story.” In other words, preserve what exists, but avoid creating unnecessary, ad-hoc recorded chatter in the first place.

Instead, build the record through formal board materials that reflect thoughtful consideration and final decision-making. Directors should push management and counsel to use board decks, memoranda, minutes, and board-portal materials to capture the important facts, alternatives, risks, and decisions.

A recent ruling from Delaware shows the value of robust board materials. In In re Zendesk, Inc. Section 220 Litig., C.A. No. 2023-0454-BWD (Del. Ch. Aug. 25, 2023), stockholder plaintiffs sought documents under Section 220 of the Delaware General Corporation Law related to a merger. The company voluntarily produced “Formal Board Materials,” including board minutes, presentations, and other board-level documents. The plaintiffs, however, claimed there were “gaps” and “inconsistencies” that necessitated searches for and production of emails. The court rejected that argument, finding that the plaintiffs “have not met their burden to prove that [the requested] electronic communications . . . are essential to accomplishing the proper purposes stated in their [d]emands.” The case shows that when the formal record is strong, courts are more likely to stop there. When the formal record is thin, incomplete, or obviously missing key events, discovery pressure tends to move outward into emails, texts, and other informal communications.

Key Takeaways:

1. Use company systems. Directors should use company email and approved company platforms for company business. Avoid using another company’s platform for board business because it can undermine confidentiality and jeopardize attorney-client privilege.
2. Assume board communications may become evidence. Emails, texts, AI chats, and messaging-app communications about company business may be discoverable—even if the communications take place on “personal” devices or third-party platforms.
3. Check retention settings early. Know where company data resides and be ready to suspend auto-delete settings when litigation is reasonably anticipated.
4. Build the formal record. Handle sensitive discussions carefully, but document key facts, deliberations, and decisions through formal board materials and minutes.

The prior Red Flags alerts are available here:

• Week 1: Director Oversight of AI Requires Strong Processes and Good-Faith Engagement
• Week 2: Board Engagement with Political and Social Issues Should Be Tied to Stockholder Value
• Week 3: Board Refreshment and Director Risk: Navigating Investor Demands and Delaware Constraints
• Week 4: Board Oversight of the CEO Should Be Active and Independent
• Week 5: Rule 10b5-1 Plans and Insider Trading Policies Should Be Real, Current, and Enforced
• Week 6: Board Oversight of Internal Investigations: Serious Allegations Merit Serious Oversight

[1] In re Asia Glob. Crossing, Ltd., 322 B.R. 247 (Bankr. S.D.N.Y. 2005).

[2] USA v. Heppner, Case No. 25-cr-00503-JSR (S.D.N.Y. Feb. 10, 2026) (granting motion to access documents that a CEO created using the AI tool Claude before he was charged with securities fraud).

[3] Id.