Skip to content


Hacking of Servers Doesn’t Warrant Spoliation Sanctions

Masterobjects v. Inc.

N.D. Ca. 3/13/22 8:00


Why This Case Is Important

What are reasonable steps to preserve potentially relevant data under the FRCP? In this case, the court ruled that a data breach didn’t warrant spoliation sanctions—even if data was lost—if reasonable data security measures were taken.


In this case, the defendant contended that a variety of discovery violations were committed by the plaintiff, including but not limited to (1) not obeying a court issued discovery order and (2) potential spoliation.

At the start of discovery, the magistrate judge ordered the plaintiff to produce data from related litigation in response to the defendant’s production requests. While the plaintiff did produce some requested data, the failed to meet the production deadline from the court.

Additionally, the defendant argued that the plaintiff still had not produced responsive documents in their control. At the court hearing, the plaintiff conceded that they “ had made no effort to produce documents” held by counsel from a related matter.

Regarding the alleged spoliation, the plaintiff’s database had been hacked and potentially relevant data may have been lost. 


  • Sanctions Granted and Dismissed. The court rejected the defendant’s motion for alleged spoliation but granted the defendant’s motion for violating the discovery order.
  • Violation of Discovery Order. Because the plaintiff didn’t meet the discovery order deadline and not all requested data within the order was produced, the court ordered the plaintiff to “perform a complete search of its own files AND all documents in its custody and control.”
  • Alleged Spoliation. The fact that the plaintiff’s database was hacked did not meet the standard to show that the plaintiff “did not take reasonable steps” to preserve relevant data. The court stated that the plaintiff “protected its servers to the best level achievable at the time and employed knowledgeable consultants to assist in that effort.” On top of that, the defendant did not prove that relevant evidence was spoliated by the hack.

Legal Analysis

by, Nancy Patton, Esq., CEDS Senior Director, Solution Consulting, Exterro

Inevitably, the worlds of data breach and data preservation are bound to intersect. In this case, spoliation sanctions were not warranted when the data loss was due to data breach, based on how the party protected its systems (but read the fine print). Interesting, the court also states that the defendant did not prove that relevant evidence was spoliated by the hack. When a data breach occurs, what the court considers in spoliation analysis may be different than when spoliation occurs in more traditional ways.

Ready to Get Started?

Get an Exterro data risk management platform demo today.

Get a Demo