Exterro's E-Discovery & Privacy Breakdown

The world of E-Discovery & Privacy is constantly changing – let us break it down for you with a weekly dose of News, Resources, Case Law, and Humor, all written in a concise and easy to understand format.


Case Law Alert: Hacking of Servers Doesn’t Warrant Spoliation Sanctions

Created on May 20, 2022

Vice President, E-Discovery

What are reasonable steps to preserve potentially relevant data under the FRCP? In Masterobjects v. Amazon.com Inc. (N.D. Ca. March 13, 2022), the court ruled that a data breach didn’t warrant spoliation sanctions—even if data was lost—if reasonable data security measures were taken.

E-Discovery Case Overview

In this case, the defendant contended that a variety of discovery violations were committed by the plaintiff, including but not limited to (1) not obeying a court issued discovery order and (2) potential spoliation.

At the start of discovery, the magistrate judge ordered the plaintiff to produce data from related litigation in response to the defendant’s production requests. While the plaintiff did produce some requested data, the failed to meet the production deadline from the court.

Additionally, the defendant argued that the plaintiff still had not produced responsive documents in their control. At the court hearing, the plaintiff conceded that they “ had made no effort to produce documents” held by counsel from a related matter.

Regarding the alleged spoliation, the plaintiff’s database had been hacked and potentially relevant data may have been lost.

E-Discovery Case Ruling

  • Sanctions Granted and Dismissed. The court rejected the defendant’s motion for alleged spoliation but granted the defendant’s motion for violating the discovery order.
  • Violation of Discovery Order. Because the plaintiff didn’t meet the discovery order deadline and not all requested data within the order was produced, the court ordered the plaintiff to “perform a complete search of its own files AND all documents in its custody and control.”
  • Alleged Spoliation. The fact that the plaintiff’s database was hacked did not meet the standard to show that the plaintiff “did not take reasonable steps” to preserve relevant data. The court stated that the plaintiff “protected its servers to the best level achievable at the time and employed knowledgeable consultants to assist in that effort.” On top of that, the defendant did not prove that relevant evidence was spoliated by the hack.

Expert Opinion from Nancy Patton, Esq., CEDS, Senior Solutions Consultant, Exterro

Inevitably, the worlds of data breach and data preservation are bound to intersect. In this case, spoliation sanctions were not warranted when the data loss was due to data breach, based on how the party protected its systems (but read the fine print). Interesting, the court also states that the defendant did not prove that relevant evidence was spoliated by the hack. When a data breach occurs, what the court considers in spoliation analysis may be different than when spoliation occurs in more traditional ways.

Case Law Tip

Want to learn more about recent e-discovery sanctions? Download the Exterro whitepaper, Don't Get Sanctioned Like These Parties!