Will A Crack In Data Breach Litigation Open Floodgates

Data loss and security breach incidents have become common. However, lawsuits related to these incidents are not so common or successful. The problems plaintiffs have encountered include not only figuring out the proper cause of action to seek recovery (many states lack laws permitting private lawsuits for damages related to data loss) but also how to establish provable damages. For example, if a large retail store suffers a security breach of 2 hours leaving your personal identifying information exposed to thieves or hackers, have you really suffered any damages if the information is never used or compromised? What about so called "mitigation" damages or out of pocket expenses for future protection such as credit card insurance, fraud protection, or getting a new credit card and incurring an annual fee?

The First Circuit Court of Appeals in Anderson v. Hannaford Bros. Co recently shed some light on the potential for recovery of mitigation damages in data breach litigation. In the Hannaford case, hackers stole up to 4.2 million credit and debit numbers, expiration dates, and security codes, but they did not steal customer names. Hannaford also had received notice that there were 1,800 cases of alleged misuse or fraud from the theft. In response, many financial institutions cancelled consumers’ cards and fees were incurred to reinstate new cards.  Additionally, several consumers purchased identity theft protection for fear of future misuse. 26 separate lawsuits followed that were consolidated into one action in Maine.
 

At the trial court level, nearly all of the plaintiffs’ claims (20 out of 21) were dismissed based on problems with the alleged theories of recovery or the damages claims. The court found that the damages were not recognized under Maine law for claims for lost time and effort or too speculative to prove for claims involving lost points on cards, fees for replacement cards, and insurance.

On appeal, the First Circuit upheld implied contract and negligence as proper theories of recovery. In regards to damages, the First Circuit reversed the trial court and found that "a plaintiff may recover for costs and harms incurred during a reasonable effort to mitigate." To recover, however, the plaintiffs needed to establish an actual injury such as money lost as opposed to only time and effort.
 

In finding that the plaintiffs stated a proper claim for damages in a data breach case, the First Circuit noted that the Hannaford breach was not inadvertent loss or simple breach with no misuse. Rather, the court emphasized that there was actual misuse of the information that may have been global in reach running up thousands of charges. This type of breach presented a "real risk of misuse." Thus, it was foreseeable that a customer might replace a card or purchase insurance to avoid or mitigate future misuse. The court specifically noted the many other cases finding no action for damages, but distinguished those cases based on the real threat and misuse that occurred with the Hannaford breach.

Although the Hannaford case appears to show a possible breach in the dam regarding damage claims in data breach cases, a closer look reveals that it may be more limited in scope. The Hannaford case involved actual misuse of the information with sophisticated thieves intent on doing harm for financial gain. It is unlikely that Hannaford will provide support for other mitigation cases unless those claims involve actual or legitimate threats of misuse.
 

Small Business Insurance For Data Loss and Security Breach

The Hartford has recently announced a new insurance product specially tailored to fit small business for data loss and security breach. It has been touted as more affordable for the smaller business owner.  More and more small businesses are experiencing the devastating effects of a security breach incident or data loss.  The statistics and stories are well reported from various sources.  Experts agree that costs can exceed $200 per lost page of data.  This can cripple a small business and leave it exposed to lawsuits and litigation.

The front line defense to data loss and security breach risks should always be a good security and privacy plan. A technology attorney working in conjunction with your IT support can develop and help implement an effective security and privacy plan. The process of developing and implementing such plans often reveal the problem areas for any business.  Nevertheless, at the end of the day, there is no 100% fail safe plan to secure data, whether the data is on the cloud or in a server in the office.  There are also unavoidable risks associated with paper documents.  Likewise, there is no plan to provide 100% protection to paper documents.  That is why insurance is a good choice to cover the unavoidable risks.

In addition to providing valuable financial protection in the event of a covered incident, the underwriting and application process for data loss insurance will often require best practices.  This process alone will substantially reduce the likelihood of a significant data loss incident. Accordingly, small businesses should consider a three step process for data loss and security breach:

1. Develop and implement a security and privacy plan

2. Implement best practices as part of insurance application process

3.  Purchase and maintain data loss insurance

Connecticut State Court Judges Adopt Electronic Discovery Rules

Connecticut state court judges recently adopted new electronic discovery rules.  The rules will become part of the Connecticut Practice Book for civil discovery and take effect on January 2, 2012.  

The judges present at the annual meeting unanimously adopted the new electronic discovery rules. You can read the new e-discovery rules here.  I removed the sections not relevant to civil cases.  The new rules or modifications are indicated by the underlined portions of the rule. 

Here is a quick hit list, and my brief commentary, of the new e-discovery rules in Connecticut state courts:

  • Definitions of electronic and electronically stored information (ESI) added to the list of definitions.  The new definitions are intentionally broad to adapt to new technology changes.
  • Grounds to move for a protective order in discovery include the terms and conditions of discovery of ESI and the allocation of costs between the parties.  This rule permits the court to take into account a series of factors in fashioning a protective order and cost shifting for discovery of ESI.
  • Litigants should be disclosing ESI that is readily accessible and likely to lead to the discovery of admissible evidence.  This basically clarifies that reasonably accessible ESI is no different than other types of discovery. 
  • Whether a litigant needs to disclose ESI that is not reasonably accessible will depend on a variety of factors that the court may consider. 
  • Court can shift the costs of production for ESI.
  • ESI added to the list of information a party can demand to inspect.
  • Safe harbor from sanctions for not only ESI, but all information, that is lost if the information is lost as the result of routine, good faith operation of a system or process in the absence of showing of intentional actions designed to avoid known discovery obligations.  This rule is based on the federal rule 37(f) safe harbor and the commentary indicates that good faith may require a party to stop or intervene a routine destruction policy.
  • Claw back provisions permit a party to notify an opponent of inadvertently disclosed privileged information.  There is a procedure the party must follow upon receipt of the notice.  The rule does not address issues of waiver of privilege by the inadvertent disclosure. 

Until Connecticut courts interpret these provisions, a good resource for attorneys may be found in the commentary to the rules.  Additionally, the new rules are based on  the Uniform Rules Relating to the Discovery of ESI adopted by the National Conference of Commissioners on Uniform State Laws in 2007.  There are various courts in other states that have interpreted these rules. 

Social Media Continues To Impact Litigation and Trial

The impact of social media  (Facebook, Twitter, LinkedIn, etc) continues to grow in legal matters including litigation and trial.  The court decisions cut across numerous areas from employment law and personal injury to privacy rights and defamation.  Social media use has involved all the key players in lawsuits inclding judges, jurors, consultants, attorneys, reporters, and witnesses.  Lawyers are using Facebook to screen jurors; jurors are using Facebook to post about the case they are sitting on; judges are checking Facebook to make sure jurors are not using it; jury consultants are following Twitter to give advice on trial strategy to attorneys during the trial; and reporters are giving first hand accounts of trials 140 characters at a time. Bottom line: Social media is everywhere and lawyers and litigants should pay attention.

In keeping up to date on the topic, here are some new resources and  articles on social media and litigation and trial:

Vianei Lopez Robinson published an article for Texas Lawyer featured on Law Technology News that covers some recent decisions involving Facebook and the discovery of public and non-public information.  The article also discusses some of the ethical implications for attorney’s "friending" litigation opponents. 

Dan Schwartz’s Connecticut employment law blog continues to cover social media for employers. He recently posted a new update for employers on the newest social network site, Google +. 

Corey Dennis, who previously submitted to this blog a great summary on the basics of Connecticut civil procedure, has just published a comprehensive law review article on social media and the various laws implicated by its use. Here is a link to his article for the Massachusetts Law Review. 

 Leita Walker and Joel Schroeder published a thorough review of social media "crashing into the courtroom" in an article posted by Law.com.  The article describes several recent cases, juror misconduct with social media, attorney use of social media in discovery and cases ranging from employment to trademark matters.

A year or two ago it used to be relatively easy to track social media and the impacts on lawsuits and litigation. There were very few cases, and I posted about most of them.   Now, there are new reports and articles,  cases, and legal issues involving social media almost daily.   Just today,  a Google search of social media and trial brings up articles about the Roger Clemens perjury trial and the Casey Anthony murder trial. 

The bottom line is social media is here to stay and has clearly "crashed into the courtroom."  Attorneys, and especially trial lawyers and litigators, have to become familiar with all the legal implications as social media just might crash into one your cases.   

Some Guidance From Delaware On Seeking Corporate Books and Records in Connecticut

If you own shares of a corporation or an interest in a limited liability company, there are two basic sources in Connecticut concerning your rights to have access to company books and records.  The first source may be found in any agreements that concern governance of the company such as the by-laws of a corporation or the operating of a limited liability company.  The second source may be found in Connecticut’s General Statutes (limited liability company records; business corporation records). 

The statutes permit an owner to make written demand for access to company books and records and to bring a lawsuit in court if the demand is refused.  Although the process seems straight foward enough, many times it is not.  Management may deny the request and claim the request is overly broad, not sufficiently detailed under the statute,  or sought for an improper purpose.  In Connecticut, the results of "books and records" cases are not consistent and a proper demand for books and records in not always clear. If the demand is not proper, a court will not grant the request.

As in many instances when matters are not clear in Connecticut, Delaware law is always a good resource.  Here is an informative article by Jeff Mordock of the Delaware Business Court Insider (you have to subscribe for free to get the full article) that discusses some of the details in drafting a proper, or more likely to be enforced, books and records demand.   

Connecticut Supreme Court and Appellate Court Cases and Briefs Online

There are three good online resources to get information on appellate court cases in Connecticut.  

The first resource is a new addition to the state judicial branch website.  The public now has access to the case and docket information regarding Supreme Court and Appellate cases.  Here is the link.   Previously, you could only access trial level cases.  This is a great addition to the website and will cut down on trips to the clerk’s office to check on the status of a case.

You can get download advanced release opinions from the Supreme Court and Appellate Court.  Here is the link.

You can also download copies of some briefs for cases assigned for argument before the Supreme Court.  Here is the link.  This website is maintained by the Appellate Advocacy Committee of the Connecticut Bar Association. Briefs are typically posted several months after being filed with the court.

Forensic Accounting in Connecticut Business Litigation

Forensic accountants are frequently necessary in business litigation.  This is my next installment of the "ask the experts" series.   Stephen Pedneault is an expert in forensic accounting.  He is the principal of Forsenic Accounting Services.  Here is my interview with Stephen.

Disclaimer:  I am not endorsing any experts that I feature on this blog or the opinions expressed.  I am posting these interviews to offer insights from the various professionals that get involved with business litigation cases.

What are the biggest issues you see now with respect to forensic accounting and business litigation?  Probably the biggest issue we face in every case regardless of the venue it’s in is the availability of records. We can pretty much figure out anything if we have records available, computerized records or paper records. The biggest challenge for us is getting access to them and actually getting the opposing side to produce them. That’s our biggest stumbling block in pretty much every engagement we do. 

If a business owner suspects fraud, how soon should they come to you or an attorney to deal with that issue? 

Well as soon as possible. We get a lot of calls from exactly the audience you described and one of the first things we have to ask them is you know do you have counsel, do you have an attorney that’s either representing you as a shareholder or a partner or a member, or does the LLC or the entity have counsel because before I hear too much of the story there’s no privilege between an accountant and a client. So I don’t want to hear too much, what I want to make sure is as early as possible, I want to be involved early, but I got to make sure that before I’m involved early on there’s an attorney involved so we can establish some attorney/client privilege and then we can get retained directly by counsel to be part of that privilege and then we can start talking about what are the issues and concerns. 

What can business owners do to stop or detect or prevent fraud amongst it’s employees?   When we’re talking employee embezzlement, there’s really only three things that are available. You can prevent certain things, you can detect certain things, and then you can insure against the things you didn’t prevent and detect. Certainly setting up the controls to prevent as much as possible, so employees not signing checks, having business owners involved in the signing of checks, not issuing credit cards and bank cards to employees, limiting what they have access and opportunity. That’s on the prevention side but you can’t prevent everything from occurring so on the detection side, starting with the basics, the owners looking at the bank statements every month, looking at the cancelled check images, looking online at the banking activity, looking at accounts receivable, knowing who owes what balances and are we getting paid, managing the cash flows. These are all important basic controls that over time probably start out as the owners are doing but then people get busy and they hire key people and they delegate the responsibilities and once again you know down the road that key employee, and it’s almost always the key employee that we depend on, has taken advantage of the situation and started either stealing the checks or paying themselves extra payroll or stealing the deposits.  

 What kinds of problems have you come across that have been created in terms of your investigations of fraud brought about by smartphones and portable devices?

Well there is two clear trends. One is that our evidence which was already computerized is now becoming wireless. The evidence meaning the transactions and also where the records are maintained. This whole concept of cloud computing, businesses are putting all their business records no longer on their servers, their putting it out on a server somewhere in the world. So they can access it anywhere on the internet. The problem is gaining access to that evidence is going to be a challenge because nobody really knows where it’s hosted. It could be hosted next door, it could be hosted in Nigeria. So getting access to the ultimate records of where the company’s accounting system is maintained is a challenge. Using cellular devices to do the banking there is no history on any laptop servers or computers, it’s all wireless. So the whole nature of gaining evidence is changing and becoming a huge challenge for us just to get access to it. 

What records do you look to get access to from an audit perspective and also what form of the records do you like to receive it in?

That answer depends on what the context is for the forensic accounting. Ultimately we want to see the underlying reliable records: bank statements, cancelled check images, deposit details, credit card statements. We like the general ledgers, we like the computerized records but they can all be manipulated so we like to get, we’d like to get the records but we’d like to be able to corroborate them to underlying source third party records that are ultimately reliable and whether we get them in computerized form, we get them in images, we get them in paper, it doesn’t really matter to us, we’re used to dealing with boxes and boxes of records.

No Contract, No Problem – Charter Oak Gets A Chance To Prove Its Case

 In a decision that will be officially release tomorrow (download)the Connecticut appellate court ordered a new trial in favor of Charter Oak Lending for the claims it brought against employees who defected to a competitor.   Unless there is a successful appeal to the Connecticut Supreme Court, this means Charter Oak will get a second chance to prove its claims against the key employees despite the lack of a written contract in place covering non-competition.   I originally posted about this case in November of 1999 when Charter Oak lost at the trial level.  The case result had generated media interest surrounding the claims because the damages and the lack of a contract governing the employment relationship. 

As I noted at the time, it is always better to have a written contract in place with employees to govern post termination conduct involving competition, solicitation, confidential information, and trade secrets. However, the lack of contract does not by itself leave a business without a remedy especially if the situation involves use of trade secrets or confidential information or the employees actively competing before departure.  

In Charter Oak, the trial court dismissed the claims finding that Charter Oak failed to make out a threshold case during the trial.  In other words, the case never reached the level of a final decision on the merits because the judge found that the basic elements of the claims were not met.  The basic claims were breach of fiduciary duty, misappropriation of trade secrets and unfair trade practices. 

The appellate court reversed the decision and found that facts existed to make out threshold claims for these causes of action.  Therefore, the trial court judge should have permitted the case to proceed to a final decision on the merits.  Significantly,  the appellate court deemed as sufficient Charter Oak’s claim that its client list was a trade secret entitled to protection under General Statutes 35-51 known as the Connecticut Uniform Trade Secrets Act (CUTSA).  The court stated:

to make out a prima facie case for a violation of CUTSA, the plaintiff was required to present sufficient evidence that, if believed, would prove that the information in its customer list had independent economic value and that the plaintiff made reasonable efforts to maintain its secrecy.

Here were some of the facts that the court found sufficient to afford trade secret protection to the client list:

  • access was limited
  • the computers were encrypted
  • the building was secured where the computers were stored
  • employees were not permitted to share the list
  • employees understood the list was private
  • the lists were not sold or disclosed to third parties
  • the list could not be obtained from any other single source
  • the list gave Charter a competitive advantage

In addition to the ruling on CUTSA, the appellate court reaffirmed some aspects of the law with respect to fiduciary obligations of agents or employees.  The court affirmed the duty of loyalty owed by an agent to his or her principal.  This duty applies regardless of a whether a contract exists.  In the business context, this duty forbids an employee from actively competing against an employer concerning the subject matter of the agency or from using confidential information against the employer in competition.

Whether Charter Oak prevails in the new trial remains unclear.  However, the lack of a contract or written agreement should not prevent Charter Oak from getting a final decision on the merits.

Navigating FINRA’s Mandatory Arbitration Requirement – An Overview

 

 Raymond & Bennett attorney Joseph Blyskal contributed the following post to this Blog.

 I recently read an article indicating that arbitration was the preferred forum for member companies of the Financial Industry Regulatory Authority, but with a caveat–that the only real reason it was preferred was as damage control for the industry. With only some exceptions, the Financial Industry Regulatory Authority (FINRA) requires arbitration of industry disputes, which simply means disputes amongst or between its members and associated persons. In addition, while nonmembers can compel members to arbitrate, nonmembers of FINRA cannot be compelled to arbitrate. Regardless of whether the motive is fiscal, public relations, or other, the mandatory arbitration requirement may be hard to get around. However, the presence of a good faith claim against nonmembers can create the option to litigate an industry dispute outside of arbitration.   

                                        

                                                           

FINRA members are defined as any entity: “who is registered or has applied for registration under the Rules of FINRA” or  “[a] sole proprietor, partner, officer, director, or branch manager of a member, or other natural person occupying a similar status or performing similar functions, or a natural person engaged in the investment banking or securities business who is directly or indirectly controlling or controlled by a member, whether or not any such person is registered or exempt from registration with FINRA.”FINRA Manual Rule 13100(r). Some examples include: Metlife Securities, Inc., Bernad L. Madoff (now obviously inactive), and ING Financial Markets, LLC.

There are only a few enumerated exceptions to the mandatory arbitration rule. Disputes arising out of the insurance business activities of a member that is also an insurance company, claims alleging employment discrimination in violation of a statute, class actions, shareholder derivative actions, and matters that are inappropriate for the forum in light of the “purposes of FINRA and the intent of the Code” are excluded. FINRA Manual Rule 13200-13205. Depending on the circumstances, these are easily applied.

Less easily applied are the two threshold requirements that trigger mandatory arbitration for a dispute–that the dispute arises from the (1) business activities of (2) members or associated persons.  These must be addressed before considering the application of the exceptions.

Whether a dispute arises from business activities is a factual inquiry. It is liberally construed, however. It includes claims for commissions earned, discharge from employment, and non-statutory discrimination claims. Generally, this is a threshold element.  

The more litigation-friendly element is the second—that the dispute is between members, a member and an associated persons, or associated persons. Whether an entity is a FINRA member is not usually debatable (there are formal registration requirements). However, whether an entity is an “associated person” is often subject to debate.  Courts often deny motions to compel arbitration where a factual showing is not made to support a finding of “associated person” as defined in the Code.

Cases where there are parent companies and subsidiaries involved in the dispute, or where there are employees or registered representatives as parties that are not FINRA members, or not employed by FINRA members, are breeding grounds for litigation over this second threshold provision.

Of course, in any case—whether the threshold elements are present or an exception applies—the general rule that those not party to an agreement to arbitrate cannot be compelled to do so applies to the FINRA arbitration provision. Thus, litigation is clearly a viable option where there is at least one entity involved that is not a FINRA member.

While difficult to get around the arbitration provisions of FINRA, it may be possible to do so. Litigants, both those prosecuting and defending claims, should identify and categorize all the disputants before making a determination that arbitration is indeed “mandatory”.

 

Computer Forensics In Business Litigation – Ask The Expert

Many business litigation cases require experts in various fields.  I am going to feature experts on this blog in an "ask the expert" series of interviews.  Disclaimer:  I am not endorsing any experts that I feature on this blog or the opinions expressed.  I am posting these interviews to offer my readers some insights from the various professionals that get involved with business litigation cases.

Monique Ferraro is an expert in computer forensics and the principal of Technology Forensics, LLC.  She is also an attorney. The following is my recent interview with Monique. 

Q: What issues do you see in business disputes involving computer forensics:

 

A: Mostly, we see parties seeking email and deleted email. Increasingly, lawyers are asking for email and all electronically stored information containing metadata in their discovery requests. When they don’t get what they asked for initially, or if the party is not able to produce the information on their own, they call us. We figure out the best way to obtain the information requested without disrupting the business process while maintaining the integrity of the potential evidence and providing a solid chain of custody.

As far as the types of cases, we see computer forensics being requested in every type of litigation, from contract disputes to debt collection, employment litigation and even motor vehicle accidents.

 

 

Q: Many people think that when they delete computers docs and emails, its deleted.  In laymans terms, what really happens to it?  Can it be recovered?

 

A: It’s important to remember that computers were designed by engineers, not lawyers. Lawyers are concerned with precision of language. If you say you deleted something, then you deleted something. It’s gone. Unrecoverable. Engineers think in terms of efficiency.

 

When computer systems were designed, the engineers who developed them figured it would be more efficient to simply mark the space where information is held as available for reuse rather than truly deleting the file. The process uses less energy and is more efficient than truly deleting the file.

So, when we hit the ‘delete’ key, information isn’t deleted.

 

What happens is that the computer software goes to the table that keeps track of all the files and where they’re located and makes a check mark indicating that the space where that file is kept can be used for something else. Next time the computer goes to save a file, it can save it to this newly open space. However, because the size of computer storage is so large now, the space left open by the ‘deleted’ file is rarely reused. The original file stays there, lying in storage but with the space marked as available until it is either overwritten or ‘wiped.’

 

‘Wiping’ refers to really deleting a computer file. To really delete a computer file by wiping, a process is used that both marks the space as available and overwrites the space. Usually, the space is overwritten several times in order to obliterate any data remaining.

 

Because deleted data isn’t really deleted in the true sense unless it is wiped, most of the time deleted files can be retrieved and fully restored. That is true for files that have been consciously saved as well as data that has not been saved is held in temporary storage, as with Internet data.

 

Q: What are you seeing in the courts in terms of road blocks to getting access to servers and hard drives?

 

A: Most of the time, courts have been quite willing to grant discovery of electronically stored information. It gets tricky when litigants ask for a specific file or folder on a network or a targeted hard drive. Parties resist requests that involve having the opposing party’s expert on site, which is what litigants often request when seeking a specific storage device, folder or file. Of course, few businesses welcome the opposing party coming in and accessing their systems and data.

 

The objections are usually based upon keeping their business and client data secure and confidential and preventing disruption of their business. If there haven’t been discovery abuses and the party is trustworthy, the court usually allows the business to hire its own expert. To validate the acquisition of potential evidence, there are several methods that can be used, from documenting the process in writing to videotaping it, that can minimize the intrusion into business information and keep business disruption to a minimum.

 

Q: How do attorneys get access to emails that are on ISP accounts like Comcast, or third party servers like Gmail?

 

Most ISPs require a subpoena or court order to release information. It depends on the service provider, the information you’re looking for and who you’re requesting the information about. It’s best practice to contact the legal department of the ISP and ask them what they need and how they want it in order to get the results you seek. It may be that you’re legally entitled to the information, but if you don’t request if in the form that the ISP wants you to ask it in and from the person they designate, you won’t get what you’re looking for. It’s important to bear in mind that quite a lot of Internet service provider information is held in storage for a limited amount of time and that by the time there’s a lawsuit pending, the information is long gone.

 

Q: What issues have you seen with forensics and social media sites like Facebook, MySpace and Twitter?

A: Usually, we’re asked to mine data from social media sites as part of the whole process of investigating a specific person or case. It’s often an adjunct to the larger inquiry that helps to establish that we have the right information or to identify someone a target is communicating with. Of course, in some cases, the use of the social media is an issue in a case, and gaining the posting history is the challenge for the forensic examiner.

 

Q: Is it a good idea to work with an attorney early in an investigation?

 

A: We prefer to contract with the attorney representing the business because that’s the best way to protect our work product from being discovered by the opposing party. Attorney-client privilege extends to us if the attorney contracts with us. That provides the business with the same sort of protection of confidential information that they enjoy in their relationship with their attorney.

Q: What can someone in a business dispute do to preserve critical ESI (electronically storied information) when they know they are going to be in a lawsuit

 

A: Every business will be involved in litigation at some point. As with all things, planning saves a lot of labor and expense. Every business today holds at least some electronically stored information- email, accounting information, transaction information. Businesses need to know what electronic data they have, who accesses it and where it’s stored. A big issue we see is that electronic data is being held on business-owned as well as personally owned resources such as smart phones and laptops. It’s essential for the business owners to know where their data are stored so that they can ensure its preservation and production in the event of litigation.

  

 

Q: What mistakes do people make before business disputes that end up hurting them after the case is in court?

 

A: By far the biggest mistake people make is deleting electronic records. The fundamentals of litigation have changed. Whereas it was once possible to shred documents (which was spoliation, but was harder to prove), electronic storage of data makes it very difficult to destroy information without leaving behind a trail of evidence documenting the destruction. 

 

Q: What if you do not control the servers, infrastructure, how can you save critical ESI for later use in a lawsuit:

 

A: If you don’t control the storage media, you need to have your attorney issue a letter that informs the other party of your intent to sue and tells them of their duty to preserve relevant data. It’s best if the party who doesn’t have access has a good understanding of where the data are maintained so that discovery requests can be crafted intelligently. Without knowing how the data are stored and where, it’s more difficult to know whether you’re getting all the information when the other party produces it.

 

The good news (sort of) is that if a party knowingly or intentionally destroys electronically stored information, there are pretty harsh sanctions and a separate cause of action available to the person harmed by the loss of data. The intentional destruction of potential evidence is called spoliation. It’s a fairly easy proposition for a digital forensics examiner to determine if spoliation of electronically stored information has occurred and document it. Armed with the proof that spoliation occurred, courts have ordered pretty severe sanctions that range from ordering an adverse inference about the evidence (meaning that the jury should assume that the evidence was damaging) to default judgments. Money damages have also been awarded, some going into millions of dollars. In Connecticut, spoliation of evidence is a separate civil cause of action for which damages can be awarded.