Encryption Doesn’t Make Data “Inaccessible,” Especially When You Know Someone Who Can Decrypt It

Estate of Daher, by and through Daher v. LSH Co.

E.D. Pa. 7/17/23 7:00

Why This Case Is Important

This case shows the truth, in the realm of e-discovery, of a variant of George Washington’s apocryphal quote, “It is better to offer no excuse than a bad one.” Attempting to avoid one’s obligation to produce data for litigation rarely works when it is accessible, and parties who do so run the risk of falling out of the court’s good graces .

Overview

In this action seeking to recover the proceeds of a life insurance policy, the Plaintiff subpoenaed data related to the deceased from a non-party and related entities, Coventry. Coventry had received data from a company, AVS, charged with preparing life expectancy reports for insured parties, after AVS went out of business.

Citing multiple reasons why it could not produce the data in question, Coventry opposed the motion to compel production of AVS data:

• The AVS database contained confidential information relating to tens of thousands of people.
• The data was not within Coventry’s “possession, custody, or control,” but rather belonged to a sister company.
• The data was encrypted and therefore inaccessible.
• It did not have to provide contact information for a consultant who could decrypt the data, because it would “require the creation of documents that do not already exist.

After analyzing the reasons, the Court issued an opinion compelling Coventry to produce the data relating to the deceased and to identify the consultant capable of decrypting it.

Ruling

• Confidentiality Claim Rejected. While the AVS database did contain confidential data regarding thousands of individuals unrelated to the case, the scope of the request was only for data concerning the deceased holding this particular life insurance policy. Compliance with the order would not disclose any others’ confidential information; therefore the need to maintain confidentiality was not a valid reason for noncompliance with the subpoena.
• Ability to Obtain upon Demand. Coventry argued that the requested data was owned by a sister company, and therefore not in its “possession, custody, or control.” The court rejected the argument on the grounds that Coventry had the “ability to obtain upon demand,” since some of its sister company’s personnel may have access to the AVS server, including to “search for life expectancy reports”—the type of data requested by Plaintiff.
• Encryption Doesn’t Render Data Inaccessible. Finally, Coventry said that the data was encrypted and therefore inaccessible, and that hiring an external IT consultant to decrypt the data would pose an “undue burden.” However, Coventry failed to demonstrate what the undue burden or cost would be “beyond its bald assertion,” an argument that the Court found insufficient to overcome Coventry’s obligation to produce the relevant data. Coventry argued it should not have to produce the contact information for a consultant because \"courts generally do not enforce subpoenas that ’require the creation of documents that do not already exist,’” but the Court found the argument unconvincing as Coventry had already told Plaintiff that it possessed the information in question.

Expert Perspective

by: Patricia E. Antezana, Counsel, Reed Smith

Parties must attempt to quantify the burden and\/or costs of responding to discovery requests if they are going to argue that the requests are unduly burdensome. Without concrete evidence of costs and expenses to collect information or support to show how a collection would be unduly burdensome, courts may be unwilling to find undue burden.