Refusal to Pay Hacker’s Ransom Is Not Spoliation under Rule 37(e)
- ILS Team
In MASTEROBJECTS, INC. v. AMAZON.COM, INC., No. C 20-08103 WHA (N.D. Cal. March 13, 2022), before the Special Master was Defendant’s Rule 37 motion that alleged violations of the Court’s Discovery Order and a motion for spoliation sanctions.
With respect to the spoliation issue, the facts were that on Dec. 9, 2020, Plaintiff’s law firm, Hosie Rice, was attacked by hackers. The hack rendered all the files and mailboxes inaccessible without a recovery key set up by the attackers. The hackers demanded a ransom before unlocking the data. Hosie Rice contacted the FBI and its own insurer. Both the FBI and the insurer advised them not to pay the ransom. Hosie Rice did not pay the ransom, nor did Amazon offered to pay the ransom. The firm and its consultants spent hundreds of hours attempting to restore the data, but everything prior to the final months of 2016 was lost.
Spoliation of electronically stored information is governed by Rule 37(e). The rule requires that if electronic information was lost, it must have been lost because a party failed to take reasonable steps to preserve it and that there has been prejudice to the moving party. Additionally, the rule provides for additional remedies if the accused party “acted with the intent to deprive another party of the information’s use in the litigation.” The Special Master found that no element of this test was met.
As an initial matter, the Special Master noted that there was no evidence that any electronically stored information was lost. The evidence was that the data still existed on hard drives, and while access was blocked, the data still appeared to exist and could be accessed if a key was provided or if access was granted in the future.
Moreover, even if the denial of access was construed to be a “loss,” the Special Master found no evidence to support the contention that Hosie Rice failed to take reasonable steps to preserve the data. On the contrary, the Special Master noted that the evidence supported that Hosie Rice protected its servers to the best level achievable at the time and employed consultants to assist in that effort. “Hosie Rice is the victim of a crime perpetrated on it by a hostile actor entirely unrelated to this litigation, not a spoliator.”
On the issue of prejudice, rather than offering affirmative evidence, Defendant fell back on the argument of “we can’t know what we don’t know.” The Special Master found that argument did not survive Rule 37(e).
Lastly, there was no evidence that Hosie Rice acted with intent to deprive Defendant of evidence. Defendant argued that Hosie Rice lost its data not because it was hacked but because it refused to pay ransom. However, as noted by the Special Master, “[e]ven if one ignores the FBI and insurance carrier advice, even if one presumes (without any evidence) that paying a ransom in bitcoin to an unknown hacker would have succeeded, there is no logic or beneficial public policy in compelling a crime victim to pay ransom to a criminal in order to avoid being labeled a spoliator.”