Scenario

A company is a party to long-running complex commercial litigation. The case’s fact discovery deadline is a month away when opposing counsel alerts the company’s outside counsel to a series of recently produced emails. The emails show that several of the company’s custodians used personal Gmail email accounts for business purposes. Citing discovery obligations, opposing counsel demands the Gmail accounts be collected and reviewed for relevant materials. The company’s general counsel asks outside counsel what are the risks of refusing to collect and review the Gmail accounts and why the accounts were not previously identified as potential sources.

The Pitfalls of “Bringing Your Own Email” to Work

In some companies, employees engage in “Bring Your Own Email” (“BYOE”), using personal email accounts to conduct business. BYOE poses different risks, costs and discovery consequences than “Bring Your Own Device” (“BYOD”)—using, with the employer’s permission, a personal mobile device to access the employer’s information systems and applications for work purposes.

The business and practical reasons for distinguishing between BYOE and BYOD are clear. BYOD can increase employee productivity, enhance IT functionality by catering to user preferences and cut costs. BYOD decentralizes a company’s information governance regime but through a secure, controlled electronic platform that is engineered to protect and preserve the company’s data. Companies can—and do—live with that cost-benefit tradeoff.

Often done without the employer’s knowledge, BYOE, on the other hand, can result in potentially relevant electronically stored information (“ESI”) sources and discoverable information being inadvertently overlooked. Such a scenario exposes companies to increased eDiscovery and litigation risks and costs and may create information governance risks implicated by BYOE concerning the security, control and privacy of company and client data.

Employee’s Personal Email Files Can Be Discoverable in Certain Cases

Courts have held that a party’s employees’ personal email accounts may be discoverable when used for work purposes—and not just where employees are a named party alongside their employer.

Competing Legal Standards Create a Risk of Discoverability

Courts are split on what test applies when determining whether an employer has sufficient possession, custody or control of an employee’s personal email account under Rule 34(a). Some courts apply the liberal “practical ability test” while others apply the more restrictive “legal right test.”

Under the “practical ability test,” courts conduct a fact-intensive balance inquiry to determine if a party can realistically obtain the discovery sought from its employees, directors, agents or affiliated non-parties. The factors courts consider under this analysis include whether the individual is subject to firing from the employer.

Courts conducting a “legal right test” take a narrower view of possession, custody or control under Rule 34(a). For example, courts consider factors such as whether a contract or other legal right exists entitling the party to access its employees’ personal email files.

The Impact of Employees Being Named Parties

Not surprisingly, where the employee is also a party, courts have held that neither the company nor the employee can shield a personal email account from discovery simply by contending that their business emails and documents were searched for relevant materials. Rather, the employee bears the obligations of a party under Rules 26 and 34, and personal email accounts are not protected from discovery simply because they are personal email accounts.

Strategies and Best Practices for Addressing BYOE

The practice of employees conducting business on personal email accounts can present challenges in the litigation discovery context that in-house and outside counsel should be aware of. Companies and their counsel should consider taking appropriate steps to minimize the cost and risk associated with BYOE, including:

  • Understanding their employees’ BYOE practices and considering rules prohibiting employees from using personal email accounts for work purposes.
  • Considering requiring that employees obtain BYOE approval from company compliance personnel or in-house counsel and/or agree to make personal email accounts available to the company for business or litigation purposes.
  • Addressing BYOE in litigation holds by directing employees to identify to in-house or outside counsel whether the employees use BYOE for any purpose and requiring employees to preserve business-related data in their personal email files.
  • Addressing BYOE practices during pre-collection, custodial interviews.

Conclusion

Whether a court will observe and respect the thin cyber line dividing our work and personal lives depends on how well we ourselves observe that line. When we use our personal email for work, opposing counsel and courts are less likely to be swayed by a privacy argument. BYOE is an extension of our BYOD business culture. But it comes with much different risks, costs and discovery consequences—and also implicates other paramount corporate information governance concerns (e.g., data security, control and privacy). Companies and their lawyers are well-advised to be aware of BYOE.