Trade Secrets Case Uses MD5 Hash and Keyword Search to Protect Defendants’ Rights – Magistrate’s Privilege Waiver Order Is Reversed

indiamichigan.jpgA District Court Judge in Philadelphia recently reversed a Magistrate’s order requiring a defendant in a trade secret case to produce a forensic image of two of its computers. Bro-Tech Corp. v. Thermax, Inc., 2008 WL 724627 (E.D. Pa. March 17, 2008). The computers in question were defendant’s servers located in Michigan and India. The order required production of full images to plaintiff’s counsel.

The defendant was willing to produce forensic images to plaintiff’s computer forensic expert, not its legal counsel. Defendant wanted to protect its confidential information on these servers by limiting the expert’s search to the trade secret documents, or files that might contain information about these secrets. Accordingly, defendant would only agree to allow the expert to search for files with matching MD5 hash values, matching file names, or files containing plaintiff’s keywords. Hash value searches are often used in trade secret cases. See Eg. Creative Science Systems, Inc. v. Forex Capital Markets, LLC, 2006 WL 870970, at *4 (N.D. Cal. 2006). As I explained at pages 17-20 of my article, HASH: The New Bates Stamp, 12 Journal of Technology Law & Policy 1 (June 2007), “the irreversibility quality of hashing makes it possible to perform a hash search of a computer for specific hash values without revealing the actual contents of the computer searched.”

Further, defendant was only willing to allow these searches of its servers if it could protect its attorney-client communications and work product. To do this, defendant proposed the standard procedure typically used for productions of this kind. See Playboy Enterprises v. Wells, 60 F. Supp.2d 1050 (S.D. Cal. 1999). After plaintiff’s expert performed the search of the forensic images, the files found would first be produced to defendant for a privilege review. Defendant would have a right to remove any privileged files, prepare a log of the files removed, and produce the rest to the plaintiff.

Judge Cynthia M. Rufe agreed with the defendant. She held that it was clear legal error for the magistrate to require production of the forensic images “without any limitation as to the scope of the disclosure or prior filtering for privileged or work-product materials that the images might hold.” In other words, she reversed because the order was too broad and did not protect defendant’s secrecy rights. Instead, the Magistrate erroneously assumed that the defendant had waived all of its confidentiality rights to all of the information on the servers by the mere act of having these servers examined by its forensic expert.

Case Background

Before I go into the intricacies of the waiver argument, it is helpful to review the case background. It is a trade secret action brought by Bro-Tech against one of its competitors, Thermax, and seven former employees who went to work for Thermax USA, Ltd.. The plaintiff, Bro-Tech Corporation, a/k/a “The Purolite Company,” designs and manufactures chemical solutions, namely ion exchange resins, used to remove impurities from water and air. The twenty eight page amended complaint alleges twelve causes of action:

Purolite asserts the following causes of action: (1) misappropriation of trade secrets; (2) misappropriation of trade secrets through inevitable disclosure; (3) common law unfair competition; (4) breach of contract; (5) breach of the duty of loyalty; (6) tortious interference with existing and prospective business relationships; (7) conversion; (8) violation of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030; (9) commercial disparagement; (10) unjust enrichment; (11) violation of the Racketeer Influenced and Corrupt Organizations Act, 18 U.S.C. §1962(c) and (d); and (12) civil conspiracy.

Defendants responded by denying all allegations, and the competitor corporation, Thermax, counter-sued. Thermax alleged that Bro-Tech was intentionally interfering with its relationships with its customers by making false accusations that Thermax stole Bro-Tech’s trade secrets. They also claimed that Bro-Tech itself stole trade secrets, in a kind of two wrongs cancel each other out defense, known as a “clean hands” affirmative defense (it seldom works). In other words, this is a typical trade secret case with competent counsel on both sides. In fact dozens of lawyers from Philadelphia and New York have appeared of record in this case, including Baker & McKenzie for the defendants.

The amended complaint seeks, among other things, temporary and permanent injunctive relief requiring the return of any trade secrets that the individual defendants took with them or disclosed to their new employer, Thermax. Apparently to avoid a temporary injunction hearing early in the case, the defendants, in 2005, agreed to a Stipulation and Order (“the May 23 Order”) that “imposed an ongoing obligation on Defendants to return to Plaintiffs any Purolite files in their possession, and then to purge said files from their possession, custody and/or control.” Bro-Tech Corp. v. Thermax, Inc., supra at *1.

In late 2007, plaintiff deposed the defendant’s computer forensic expert, Stephen Wolfe, of the Huron Consulting Group. Wolfe testified that he had searched forensic images of defendant, Thermax’s Michigan and India servers, to see if they contained the hash values, file names, or keywords used by plaintiff’s expert, Lawrence Golden, to identify plaintiff’s trade secret files. Here is how the court described it:

Wolfe searched India and Michigan servers for (1) the unique electronic “fingerprints” (or MD5 hash values) of all Purolite documents identified as such in this litigation; (2) the file names of the identified Purolite documents; and (3) certain search terms drawn from the Golden Exhibits. FN 8.

Wolfe admitted in his deposition that his search uncovered a number of matching files. Wolfe then filtered out files that were obviously false hits, such as standard application files that happened to contain the keywords. He then submitted the rest of the files with hits to Thermax’s legal counsel for review. Wolfe did not actually review the contents of the India and Michigan files himself, but he did review the contents of files on other Thermax computers. The court explains that:

. . . hits in the India or Michigan servers apparently were not substantively evaluated by Wolfe, but were categorized and identified according to more superficial file characteristics, filtered for “false hits” by reference to external attributes, and submitted to Thermax’s counsel for review of the actual content of the files.


The plaintiff responded to this testimony by arguing that the hits Wolfe admitted finding on Thermax’s servers in India and Michigan showed that the May 23rd Order had not been followed. The order required Thermax to return and purge any trade secrets on all of its computers. Plaintiff argued that it was therefore entitled to production of the full images of these servers and moved to compel. Magistrate Judge Carol Wells agreed after an evidentiary hearing that production was required to permit a determination of whether Defendants had violated the May 23rd Order. Judge Wells ordered the production of the full images to “designated counsel only.” Bro-Tech v. Thermax, 2008 U.S. Dist. LEXIS 8970 (Feb. 7, 2008).

Defendant appealed the Magistrate Judge’s ruling to the District Court Judge arguing clear legal error on two grounds. First, they argued:

that before any disclosure of the contents of the India and Michigan servers to counsel for Purolite occurs, Thermax has the legal right to filter the information to be disclosed in order to remove any attorney-client communications or work product material therein.

Id. at *2.

Second, defendants argued that:

they should be required to disclose to Purolite (after a review for privileged materials) only files which yield hits during a targeted search of the India and Michigan servers for evidence of Purolite files, and not, as the February 7 Order requires, to disclose the entire content of the India and Michigan servers for Plaintiffs’ counsel’s review.


Plaintiff argued that the magistrate’s order should be upheld because only inspection of the entire India and Michigan servers by Plaintiff’s counsel could ensure that no violation of the order had occurred. Plaintiff also argued that defendant had waived privilege to any confidential content on these servers “by disclosing the servers to Stephen Wolfe, who authored an expert report for Defendants, albeit one which did not, in any way, concern the content of the India or Michigan servers.” Id.

Waiver Argument

The magistrate erroneously found waiver on the basis of Rule 26(a)(2)(B), FRCP. This is the expert witness rule that requires a party to disclose all material considered by its expert in formulating an expert report to an opposing party. Plaintiff argued that this disclosure applied to all otherwise privileged materials, regardless of whether the expert actually examined the materials or relied upon them in a report. For authority, plaintiff relied upon Synthes Spine Co., L.P. v. Walden, 232 F.R.D. 460, 463-464 (E.D. Pa. 2005) (disclosure requirements of Rule 26(a)(2)(B) override all claims of attorney-client privilege), and Vitalo v. Cabot Corp., 212 F.R.D. 478, 479 (E.D. Pa. 2002) (overrides work product privilege).

Defendant countered that Wolfe had not examined these two servers as a testifying expert, but rather as a consultative expert, and so Rule 26(a)(2)(B) did not apply. Wolfe had examined and prepared reports on other computers owned by defendants, and thus was a testifying expert for these other computers. But he had not prepared a report to be used as evidence on the Michigan and India servers. Instead, he had only examined these computers to help the corporate defendant, Thermax, evaluate its case. Thus, he was only a consultative expert, and not a testifying expert, as to these two servers.

Although not discussed in this opinion, Thermax probably also argued that even if Wolfe had been a testifying witness as to these servers, and thus Rule 26(a)(2)(B) did apply, its privilege could only be waived as to specific attorney-client communications actually disclosed to Wolfe and relied upon by him to form the expert opinion stated in the report. Since Wolfe testified that he never examined the contents of any files on these servers, there was no disclosure, and, of course, no reliance.

Judge Rufe rejected the Magistrate’s over-broad construction of privilege waiver and allowed defendant to protect its privileged communications. Here is the Judge’s discussion and analysis of the law.

When privileged communications or work product materials are voluntarily disclosed to a third party, the privilege is waived. [FN18] An exception to this rule exists for disclosures to third parties which are necessary for the client to obtain adequately informed legal advice. [FN19] Under this exception, Thermax has not waived its privilege or work product protections in the India and Michigan server files disclosed to Wolfe. When searching these files, Wolfe was functioning in his capacity as “a non-testifying expert, retained by the lawyer to assist the lawyer in preparing the clients’s case.” [FN20] Thermax did not waive any protections it might have in the India and Michigan servers by disclosing them to Wolfe for consultative expert assistance in this litigation. Accordingly, this Order must provide for a privilege and work product filter.

This was obviously the correct decision, not only for the reasons stated, but also because Wolfe had only looked at information about the files (names, hash, and whether they contained key words chosen by plaintiff), and had not actually examined the contents of the files themselves. Further, only a small percentage of the files on these servers had these matching characteristics.


Here is Judge Rufe’s actual holding reversing the Magistrate’s order:

*3 In this instance, the Court must overrule as contrary to law that portion of the February 7 Order which compels Thermax to produce to Plaintiffs the entire India and Michigan servers for Plaintiffs’ review, without regard for privilege, on Rule 26(a)(2)(B) grounds. Wolfe repeatedly stated under oath that the India and Michigan servers were outside the scope of his expert report, and that he did not consider them in his testifying expert role. [FN15] Instead, his expert report exclusively concerned the contents of other devices. Because the information on the India and Michigan servers was not disclosed to or considered by Wolfe for purposes of his expert report, Rule 26(a)(2)(B) does not apply to the materials on those servers, and does not provide a legal basis for requiring their disclosure to Purolite.

Although Judge Rufe agreed with defendants that they had a right to protect their privileges, she did want a search of these servers performed to determine whether defendants had retained any of plaintiff’s trade secret information in violation of the prior stipulated order:

Notwithstanding the foregoing ruling, the Court wholly agrees with the Magistrate Judge that, in present circumstances, a significant measure of disclosure of the contents of the India and Michigan servers is necessary to ensure that Thermax has not retained Purolite information in violation of the May 23 Order. The fact that Wolfe’s electronic search of the India and Michigan servers using search terms designed to find Purolite information yielded numerous hits suggests the strong possibility (if not providing conclusive proof) that Purolite information is improperly contained in those servers. Furthermore, the parties agree that some disclosure is now necessary, although they disagree on the proper scope of the disclosure. [FN16] Thus, disclosure of the images, to some extent, shall be required.

Id. at *3.

Judge Rufe suggests that if the limited disclosure does reveal any intentional violation of the prior court order to return and purge any trade secrets, then a full search of the imaged server hard drives might be permitted. Such an inspection would include deleted files and slack space, and this might provide further evidence of intentional violation of the order or spoliation:

*4 The Court finds that there is not, at present, evidence of an intentional violation of the May 23 Order by Defendants, as would warrant full disclosure. We know too little about the contents of the files that yielded hits during Wolfe’s search of the India and Michigan servers to reach such a conclusion at this time. Wolfe’s search may have yielded false hits, or may otherwise have signaled files that were properly in Thermax’s possession; conversely, the hits may indicate a Thermax violation. Lacking clear evidence of an intentional violation, the Court will not impose the type of disclosure ordered previously in materially different circumstances involving Defendant Sachdev. Instead, a more measured, yet still significant, disclosure will be required.

Based on these findings, the court followed defendant’s suggested protocol for limited production and required the following:

*5 (1) Within three (3) days of the date of this Order, Defendants’ counsel shall produce to Plaintiffs’ computer forensic expert forensically sound copies of the images of all electronic data storage devices in Michigan and India of which Huron Consulting Group (“Huron”) made copies in May and June 2007. These forensically sound copies are to be marked “CONFIDENTIAL–DESIGNATED COUNSEL ONLY”;

(2) Review of these forensically sound copies shall be limited to:
(a) MD5 hash value searches for Purolite documents identified as such in this litigation;
(b) File name searches for the Purolite documents; and
(c) Searches for documents containing any term identified by Stephen C. Wolfe in his November 28, 2007 expert report;

(3) All documents identified in these searches by Plaintiffs’ computer forensic expert will be provided to Defendants’ counsel in electronic format, who will review these documents for privilege;

(4) Within seven (7) days of receiving these documents from Plaintiffs’ computer forensic expert, Defendants’ counsel will provide all such documents which are not privileged, and a privilege log for any withheld or redacted documents, to Plaintiffs’ counsel. Plaintiffs’ counsel shall not have access to any other documents on these images;


Judge Rufe has, I think, done the right thing under these circumstances. A waiver of attorney-client privilege should never be implied from a forensic expert’s mere review of a party’s computer. Otherwise, parties would be chilled from employing experts and other skillful persons to help them to evaluate a case. Would justice really be served by uneducated guesses, or blind ignorance? Do we really want to discourage clients from telling their lawyer the full story for fear that their secrets will not be safe?

It was obviously not defendant’s intent to waive its privileges in this case. The Magistrate Judge’s finding of waiver appears to have been a kind of improper punishment of defendant for its assumed violation of the prior court order. But, as Judge Rufe implies, that is taking the cart before the horse. The violation of the order has not yet been proven. The hits Wolfe testified to may all be false positives resulting from overly broad keywords by plaintiff’s expert.

In any event, even if a violation is later proven by, for instance, multiple hash value matches (which is a common way to prove trade secret theft), this would still not justify stripping defendants of their attorney client privilege. It might justify sanctions and further search of the computers. It might even result in defendant’s loss of the case on all twelve counts. But even a losing defendant has a right to communicate with their lawyer in private. It is unfair to deprive a litigant of this fundamental right as a punishment for perceived misconduct.

Justice Story (1779-1845) Apointed Supreme Court Justice at age 32The United States Supreme Court has repeatedly recognized, since at least 1826, that the attorney-client privilege is a fundamental right. Public interest demands maintenance of the privilege so that a client may communicate freely and confidentially with his attorney. In Chirac v. Reinicker, 11 Wheat. (24 U.S.) 280, 294 (1826), the Supreme Court, through Justice Joseph Story, declared that “it is indispensable for the purposes of private justice” that our legal system preserve the confidentiality of facts “communicated by client to counsel” in confidence. Later, in Blackburn v. Crawfords, 3 Wall. (70 U.S.) 175, 192-193 (1865), the Supreme Court quoted with approval the following statement from an earlier English case: “If the [attorney-client] privilege did not exist at all, everyone would be thrown upon his own legal resources. Deprived of all professional assistance, a man would not venture to consult any skilful person, or would only dare to tell his counsel half his case.”

The judiciary should be wary of unwarranted intrusions upon this essential right. Judge Cynthia Rufe, like Justice Story before her, was correct to reverse the Magistrate Judge and uphold the attorney-client privilege.

2 Responses to Trade Secrets Case Uses MD5 Hash and Keyword Search to Protect Defendants’ Rights – Magistrate’s Privilege Waiver Order Is Reversed

  1. […] of the opinion. The defendants were being stripped of their attorney-client privilege, which is a fundamental right recognized by the Supreme Court since 1826. Here are the Judge’s Grimm […]

Leave a Reply