Producer’s use of computer after entry of an injunction prohibiting destruction of relevant data did not constitute spoliation

article-image

Mintel International Group, Ltd. v. Neergheen, 2010 U.S. Dist. LEXIS 2323 (N.D. Ill. Jan. 12, 2010)

Defendant producer had worked in plaintiff’s marketing department, and had had access to plaintiff requestor’s confidential information. Defendant had signed an employment agreement containing a confidentiality clause, and a covenant not to compete. In 2007, plaintiff restructured its marketing department and eliminated defendant’s job. Defendant was offered a temporary position in January 2008, and began to look for new employment, of which plaintiff was aware. Defendant was hired by a new company in April, 2008.

Plaintiff had provided defendant with a laptop, which was used, along with USB drives, for his work with plaintiff. During his exit interview, plaintiff did not ask defendant to return the laptop and devices, and defendant continued to use the laptop and storage devices during his temporary employment. Between April 23, when he informed plaintiff he was leaving, and April 30, plaintiff began monitoring defendant’s e-mails. During this period, defendant sent 8 emails to his personal e-mail address (a practice not prohibited by plaintiff).

On July 11, 2008, plaintiff filed a complaint for injunctive and other relief against defendant. Defendant was to return all materials taken from plaintiff, provide a forensic image of personal desktop and laptop computers, and prohibited defendant from deleting any files related to plaintiff.

Defendant testified that he would occasionally e-mail documents to his personal e-mail account, and copy work files to his USB drive so he could work on them at home. He did not delete any files after July 11, 2008. He stated that he did not share any of plaintiff’s data with his new employer and did not transfer any files to other media.

Plaintiff filed a motion seeking sanctions for spoliation, arguing that defendant failed to preserve data on the laptop. The magistrate denied the motion, determining that defendant’s “acts of turning on the computer, accessing the Internet, and allowing an automated defragmentation (“defrag”) program to run during the one week period at issue (July 11 through July 18) did not result in the destruction of relevant evidence.” Id. at *19-*20. Plaintiff had further failed to establish that defendant’s actions were taken in bad faith, or that he had deliberately acted to destroy adverse information.

The district court upheld the magistrate’s findings. Plaintiff’s assertion that defendant’s use of the laptop at all constituted spoliation was rejected, as the TRO only forbade defendant from deleting any files relating to plaintiff. “The Court did not forbid [defendant] from turning on the computer, accessing the internet, or deleting files not related to [plaintiff] Mintel. If Mintel had wanted such restrictions, it should have requested them.” Id. at *24.

Plaintiff further argued that the presence of a hexadecimal “FF” value in the unallocated space of the USB devices indicated that they were wiped. However, defendant’s expert could not name a wiping program which would leave an “FF” pattern, and found no other traces of a wiping program. In addition, two of plaintiff’s documents were found on the USB drives. The court cited these facts as evidence that no deliberate wiping occurred.

Although it was undisputed that metadata on the computer was destroyed after July 11, 2008, there was no evidence presented that the data destroyed was relevant.

Mintel argues that the “evidence” at issue is not just the existence of Mintel confidential documents on the laptop, but also the metadata which shows the activities done by or through the laptop, including the attachment of USB devices, the calling up of Microsoft Office programs, and links to documents or websites. Mintel’s expert opined that [defendant] Neergheen undertook activities which rendered the ability to fully document all of that activity (from May 2008 through the date of imaging) impossible. On the other side, Neergheen’s expert admits that data was destroyed and overwritten, but opines that nothing Neergheen did (or allowed to take place by virtue of using the computer to check e-mail and “surf the web”), on a computer that he thought was his own, was the least bit suspicious or out of the ordinary.

Id. at *26. In addition, the court found that the antivirus and defragmentation programs which ran on the computer were not user initiated.

[T]hey were automated programs that had virtually no effect on the hard drive. Specifically, the automated antivirus program did not have any effect on the last access dates of any substantive files relating to this litigation. The virus scan software did not alter the file metadata of the files being scanned. The only files that would have had their last access dates updated are the few files associated with the McAfee program itself, rather than substantive documents. Additionally, any defrag program that was run on the computer was not user initiated; rather, the laptop’s operating system was set to run a “boot optimization” automatically, and the effect of the automatic defrag on the hard drive was “virtually none.”

Id. at *27. The court concluded that plaintiff had failed to establish that any unrecoverable material would have been unfavorable to defendant, or that it was more likely than not that defendant’s actions had been undertaken in bad faith. “In short, Neergheen’s conduct really was “innocent-looking actions that meld[ed] into what could be construed as ‘typical’ computer usage,” rather than a pattern that is easily recognized by forensic experts as spoliation.” Id. at *28.