Magistrate Judge Sets Protocol for Plaintiff's Forensic Examination of Former Employee's Computer and Requests Affidavit from Expert Explaining Certain Issues
Equity Analytics, LLC v. Lundin, 248 F.R.D. 331 (D.D.C. 2008)
In this case, plaintiff Equity Analytics claimed that defendant, its former employee, gained illegal access to electronically stored information after he was fired. Defendant explained that another Equity employee had granted him permission to use the employee’s username and password to access a particular Equity computer system. Defendant admitted that he had accessed the system some 18 times over a 90-day period, and had used his Macintosh computer to do it.
In November 2007, the district court issued a TRO prohibiting defendant from “accessing or attempting to access Equity Analytics, LLC's data on Salesforce.com for any purpose.” The judge initially struck from the TRO a requirement that defendant permit Equity to have a computer forensic expert examine his computer to ascertain: (1) whether defendant accessed Equity's confidential customer data and/or trade secrets; (2) whether the data has been forwarded to defendant’s new employer, an Equity competitor; and (3) whether the data was purged or overwritten. The parties subsequently agreed that a computer forensic specialist should be permitted to examine defendant’s Macintosh computer, but they could not reach agreement on the search protocol.
Defendant stated that he now works out of his home and uses the Macintosh computer and portable hard drives to store data and for many other purposes. As a result, he argued that the computer and the hard drives contain: (1) attorney-client communications; (2) business records; (3) medical records; (4) tax and banking records; and (5) data (including images) created for his professional photography business. Defendant proposed that the forensic computer examiner use search terms to restrict the search to data that is relevant to this case. Defendant also proposed that the search first be limited to certain file types, i.e., MS Word (.doc, .txt, .rtf), MS Excel (.csv, .xml), MS Powerpoint (.ppt), MS Entourage and Adobe Acrobat (.pdf). Once those files were found, the search would then be limited to files that contained certain key words.
Equity argued that search terms were inadequate because defendant indicated he had loaded a new operating system (“Leopard”) onto the Macintosh in October 2007, and doing so could have compromised the integrity of the files that were previously on the computer. Equity also argued that files can be converted easily from one format to another to “disguise their identity.” Thus, Equity argued that confidential files could have been downloaded and saved in a phony format, i.e., a document stolen from Equity could have been saved as a .jpg file, used to save an image, rather than as a .doc file used to save a Word document. Equity further claimed that, if there were less than complete files in the form of fragments of information, a file extension and keyword search would not capture them.
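Equity's two technical objections (a misleading file extension and headerless fragments) can be illustrated with a short triage sketch. This is an added example, not part of the opinion or of either party's protocol; the file names, the keyword "Acme Corp" and the sample bytes are constructed, and the signature table covers only a few formats.

```python
import os

# Extensions listed in the defendant's proposed first-pass filter (from the article).
PROTOCOL_EXTS = {".doc", ".txt", ".rtf", ".csv", ".xml", ".ppt", ".pdf"}
# Leading "magic bytes" and the extensions normally used with each format.
SIGNATURES = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2", {".doc", ".xls", ".ppt"}),
    (b"%PDF-", "pdf", {".pdf"}),
    (b"{\\rtf", "rtf", {".rtf", ".doc"}),
    (b"\xff\xd8\xff", "jpeg", {".jpg", ".jpeg"}),
]

def extension_mismatch(filename, data):
    """Return the detected format when the header contradicts the extension."""
    ext = os.path.splitext(filename)[1].lower()
    for magic, fmt, exts in SIGNATURES:
        if data.startswith(magic):
            return fmt if ext not in exts else None
    return None  # unknown header: no claim either way

def keyword_hits(data, keywords):
    """Offsets of ASCII keywords in raw bytes, as UTF-8 or UTF-16LE text."""
    haystack, hits = data.lower(), {}
    for kw in keywords:
        offsets = []
        for enc in ("utf-8", "utf-16-le"):
            needle = kw.lower().encode(enc)
            pos = haystack.find(needle)
            while pos != -1:
                offsets.append(pos)
                pos = haystack.find(needle, pos + 1)
        if offsets:
            hits[kw] = sorted(offsets)
    return hits

def missed_by_extension_filter(files, keywords):
    """Names the extension filter would skip that still hold keyword matches."""
    return sorted(
        name for name, data in files.items()
        if os.path.splitext(name)[1].lower() not in PROTOCOL_EXTS
        and keyword_hits(data, keywords)
    )

# Constructed sample: Word-format header named .jpg, a real JPEG header, a headerless fragment.
SAMPLE = {
    "holiday.jpg": SIGNATURES[0][0] + b"\x00" * 16 + "Acme Corp renewal".encode("utf-16-le"),
    "portrait.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    "fragment_0001.bin": b"\x00" * 8 + b"...acme corp pipeline...",
}
```

Searching the raw bytes in both encodings is what lets the keyword pass reach content the extension filter never opens; compressed or encrypted content would still need decoding first.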
Magistrate Judge John M. Facciola resolved several points and requested that Equity’s examiner provide an affidavit explaining a number of other technical issues.
Return of hard drives: The parties contemplated that the examiner would make a mirror image of the hard drives, but they differed over what would then happen to the hard drives. Defendant, who claimed he needed the computer and the data to make a living, wanted them returned to him as soon as the mirror image was made. Equity wanted them preserved in their present condition until the litigation concluded. The judge sought input from the examiner:
[I]t is my understanding of the technology, based for the most part on my understanding of the FBI's procedures in the criminal cases where I issue search warrants, that the mirror image is a perfect duplication of the hard drive and that it is physically impossible for the mirror image to contain anything the hard drive does not and for there to be anything on the mirror image that is not on the hard drive. Once again, I will turn to the examiner for his or her knowledge and require that in the declaration I am ordering the examiner speak to whether there is any possibility whatsoever that the mirror images will not be perfect copies of the hard drives and whether there is any need to preserve the hard drives in their original condition once the mirror images are created.
Party Agreement vs. Court Order: The court explained:
The parties have differed over whether the document they were negotiating will be in the form of an agreement or order. It will be in the form of an order that I will issue. Lundin indicates that the hard drives may contain attorney-client communications. As Magistrate Judge Grimm pointed out in what is now the seminal decision on the question, a judicially compelled disclosure of otherwise privileged information is not a waiver of any privilege that could be claimed. See Hopson v. Mayor, 232 F.R.D. 228, 232 (D. Md. 2005). Thus, an order can accomplish what an agreement between counsel cannot and I will issue an order.
In a footnote, the court observed: “This is the principle that underlies proposed Federal Rule of Evidence 502. See John M. Facciola, Sailing on Confused Seas: Privilege Waiver and the New Federal Rules of Civil Procedure, 2 FED. CTS. L. REV. 57 (2007).”
Subject Matter Jurisdiction and Cost of Examination: In response to defendant’s concerns, the court stated that the order would contain a provision that defendant, by not objecting to the forensic examination, was not thereby consenting to any additional discovery and reserved the right to move at any time to dismiss the case for lack of jurisdiction over its subject matter. The court stated the order would also provide that the cost of the examination would be borne by Equity and that Equity would not be allowed to seek to recover that cost from defendant at any time or for any purpose.
Written Report: On the parties’ quarrel over whether the examiner would produce a report, the court ruled: “The examiner shall produce such a report because doing so will, in my view, expedite the conclusion of this matter.”
The court further ordered Equity to submit by March 20 an affidavit from its examiner explaining the following:
1) Why the limitations proposed by plaintiff are unlikely to capture all the information Equity seeks and the impact, if any, of the loading of the new operating system upon Lundin's computer and the data that was on it before the new operating system was loaded;
2) How the search will be conducted; and
3) Whether there is any possibility that the mirror images will not be perfect copies of the hard drives, and whether there is any need to preserve the hard drives in their original condition once the mirror images are created.
Plaintiff would be allowed to file a reply thereto by March 31, 2008.