Assume the worst of your employees, lest a judge or jury assume the worst of you.
That's the upshot of a recent e-discovery case out of the US Bankruptcy Court for the District of Hawaii. The debtor, Hawaiian Airlines, had shared proprietary information with prospective post-petition investors under a strict confidentiality agreement. Hawaiian later claimed that Defendant Mesa Airlines, once a prospective investor, had breached the confidentiality agreement and misused proprietary information for Mesa's own competitive advantage. After Hawaiian filed its complaint, an attorney for Mesa promptly sent an email to Mesa's three top officers imposing a "litigation hold," which explicitly included electronic documents. One of the recipient executives, Vice President and CFO Peter Murnane, responded by sending out emails from his company account (um, wow) to outside individuals searching for a data-wiping program. Apparently his search bore fruit, and Murnane installed software containing a data-wiping feature on his two company laptops. He also changed the system clocks on those two laptops in an attempt to make it appear that he had deleted the data well before Hawaiian filed its complaint.
Of course Murnane's machinations ultimately came to light, and Hawaiian filed a motion for sanctions against Mesa. Although no one else at Mesa knew anything about Murnane's crack computer caper, the court granted the motion, finding that Mesa facilitated Murnane's independent wrongdoing by failing to take "reasonable steps to prevent all of its employees from doing wrongful and foolish things, like destroying evidence, under the pressure of litigation." The company managed to dodge a default judgment sanction (whew!), but the court did impose an adverse inference sanction (d'oh!). So now, instead of being faced with the data, however ugly it might have been, the judge instead can assume the worst set of facts a bankruptcy judge can conjure. I'm thinking those facts are probably pretty bad.
What are these "reasonable steps" that a company should take to prevent spoliation of electronic evidence by a rogue executive or employee? That remains unclear, although the court stated that Mesa could have and should have backed up all data on Mr. Murnane's laptop as soon as Hawaiian filed its complaint. Other thoughts:
- Better safe than sorry: it's always a good idea to review the company's document retention policies and make sure they are comprehensive and up-to-date.
- Talk with your IT folks about limiting the ability of individual users to delete data from the network server or to install software onto company machines. Consider a blanket policy that only your company's IT department can install software on company computers.
- Work with IT to ensure you have a system that reliably backs up the data on your network server on a regular basis.
- Once litigation is underway, just issuing a standard litigation hold and trusting others to comply is not enough. Be actively involved in ensuring you preserve what you must preserve.
- Keep in mind the lesson from Hawaii: as soon as you are aware of litigation involving the company, make every effort to copy the hard drives of all computers - desktops, any and all laptops, even home computers that are used for business - used by all key and/or relevant employees as soon as is reasonably possible.