Deduplication Defense Dodges Sanctions

This is a summer rerun and redo of one of my favorite sanctions opinions by one of the country’s most powerful judges. The scenario is an e-discovery injunction case in Houston involving an employee’s illegal use of a “thumb drive” to misappropriate an employer’s trade secrets. Anadarko Petroleum Corp. v. Davis, 2006 WL 3837518 (S.D. Tex., Dec. 28, 2006). The defendant employee talked his way out of harsh sanctions by the first and only successful use of a “deduplication” defense. Call me a cynic, but I wonder if maybe there wasn’t some wool-pulling going on here? Word of warning to all techie-types caught misappropriating, don’t try to duplicate this defense on on a well-trained e-discovery lawyer with a good forensic expert at his or her side. Your flashy fast-talk could be exposed and your thumb might end up in the wrong place.

The case was heard and decided by Judge Lee H. Rosenthal. She is the long sitting chair of the powerful Committee on Rules of Practice and Procedures of the Judicial Conference of the United States. She heard testimony regarding an employee taking computer files from his employer using thumb drives. As you know, a thumb drive is a USB device for the flash memory storage of data. It can hold vast amounts of data and can be small and hard to detect. My son, for instance, has cufflinks that are USB drives. These flash memory drives are usually the size of a thumb, and thus the name. The one pictured above is a novelty version actually fashioned in the shape of a thumb.  (Great gift idea for the IT fanatic who has everything and does not wear cuffed shirts.)

Deduplication is the process of identifying electronically stored information (“ESI”) files that are exactly the same and eliminating them from production. This filtration process is an important tool of efficiency in e-discovery collection and review because it is not uncommon for a computer to contain multiple copies of the same file. Deduplication is made possible though a unique mathematical algorithm, hash. Want to learn more about hash, the math behind e-discovery, check out my article: HASH: The New Bates Stamp, 12 Journal of Technology Law & Policy 1 (June 2007).

The employee defendant in this case, Billy Davis, used his thumb drive to take confidential information from his employer’s computers on his last day of work. Davis then transferred the proprietary ESI onto his personal laptop, from there onto his new employer’s desk top computer, and then onto its servers. When the former employer found out what had happened, it filed suit against both Davis and his new employer for, among other things, theft of trade secrets, and sent out a preservation letter. The three page letter demanded the preservation of all data on the employee’s and new employer’s computers, including even deleted files.

The employee received the letter and consulted an attorney on what to do. The attorney advised Davis to transfer all of the files back onto the thumb drive, so that he could return them – so far so good. But the attorney also supposedly advised Davis to delete all of the files on his new employers servers, desktop, and his laptop. This is the exact opposite of the preservation demanded by the plaintiff’s letter (and the law). Try that one in Judge Grimm’s court and see what happens. No, better yet, don’t.

At an emergency preliminary injunction hearing a few days after the suit was filed, Davis turned over the thumb drive to the plaintiff with the representation that this constituted all of the ESI taken, Davis also testified that he had deleted all other copies of the ESI. The defendants, both Davis and his new employer, also consented to an injunction requiring the return and full accounting of all ESI taken, and a forensic examination of all of their computers to verify that all of the ESI had in fact been removed as represented.

At a later temporary injunction hearing, the plaintiff asked to have the injunction strengthened to, among other things, prohibit Davis’ employment and competition on the basis of his alleged bad faith theft of trade secrets. Judge Rosenthal rejected that because: 1) she believed Davis’ testimony that he had never actually used the data, at least not the confidential parts; and 2) she believed Davis’ testimony that he had returned all of the ESI taken.

There was considerable reason to doubt that later assertion because Plaintiff’s forensic examination of its computers showed that 7.21 gigabytes had been downloaded by Davis, whereas the thumb drive returned contained only 1.14 gigabytes of data.  Hmm … that leaves 6.07 GBs unaccounted for. Davis, who must have been a very credible witness, explained the missing data with the explanation that he eliminated all redundant, duplicate files when he loaded the files back onto his thumb drive. In other words, he successfully employed a “deduplication” defense, the first,  and last, I have ever heard of. Judge Rosenthal found the testimony credible, and denied the injunction requested for now, but left the issue open upon completion of the forensic examination. If the exam seriously impeached Davis’s testimony, and showed the deduplication excuse to be a sham, the court would reconsider its ruling. It never did. Instead the case settled without any further rulings on this subject. (That happens all of the time in discovery law jurisprudence.)

The plaintiff also sought sanctions for the spoliation that occurred in disregard of the preservation letter. Judge Rosenthal agreed that the ESI should not have been deleted, that it should have been preserved, but denied sanctions because she found no credible evidence of bad faith destruction of evidence, at least not at that point. I conclude this summer rerun of a prior blog with this sage ruling by Judge Rosenthal:

This is an unusual set of facts for a spoliation claim. In most cases in which a party asserts that the alteration or deletion of electronically stored information amounts to spoliation, the party wanted that information to remain available in the form that it was maintained by the other party. In this case, by contrast, Anadarko specifically asked Davis and GeoSouthern to return all the electronically stored confidential and proprietary information Davis had taken from Anadarko and to prevent anyone at GeoSouthern from accessing or using that information. That request makes it necessary for GeoSouthern to make the Anadarko information Davis had placed on the GeoSouthern computer system inaccessible, which requires that such information be deleted. The second aspect that distinguishes this case from the typical spoliation case is that at the same time Davis deleted the information from the GeoSouthern computers and his own laptop, he testified that he placed the information on a thumb drive and delivered it to Anadarko. In most spoliation cases, when information is deleted, no other record of its existence is created, much less promptly produced to the other side. The third aspect that distinguishes this case is that Davis and GeoSouthern have agreed to allow Anadarko to conduct a forensic audit of their computer systems to ensure that no proprietary or confidential Anadarko information remains accessible and to ensure that Davis returned all that he took. . . . .

Anadarko asserts that it is harmed because it cannot verify that all the information Davis took has in fact been returned. Their contention is supported, at least superficially, by the discrepancy in the volume of electronically stored information Davis took compared to what he returned. . . . .

The alleged spoliation currently does not support the issuance of a broader injunction than is presently in place to protect Anadarko’s trade secrets from unauthorized use or disclosure. Because the parties’ computer experts are still conducting their forensic examination of GeoSouthern’s and Davis’s computers, the record necessary to rule on the spoliation motion and determine whether and what sanction should issue is incomplete. This court orders Anadarko to supplement its motion for sanctions within 30 days of the completion of the forensic analysis.

4 Responses to Deduplication Defense Dodges Sanctions

  1. Mike Rossander says:

    The “deduplication defense” is interesting. An equally plausible theory would be the apparent file size discrepancy as a compression artifact. Depending on how the files are moved, file sizes can be changed, sometimes quite dramatically (especially if, for example, a partially corrupted document is repaired by the new operating system – older versions of MS Excel are notorious for file bloat).

    A change in file size is suspicious but not necessarily sufficient to be evidence of wrongdoing. You’d need to compare actual content.

%d bloggers like this: