Sanctions for Failure to Preserve Encryption Keys

December 6, 2023

Parties and their counsel may have a duty not only to ensure that data is properly placed on litigation hold, but also that any encryption keys are properly maintained by IT, as demonstrated in Microvention, Inc. v. Balt United States, LLC, 2023 U.S. Dist. LEXIS 204073 (C. D. Cal. Oct. 5, 2023, 8:20-cv-02400-JLS-KES).

This case involves allegations of misappropriation of trade secrets and breach of contract. MicroVention originally filed a patent suit against Balt in 2019. During discovery in that matter, Balt produced documents that MicroVention alleges contain trade secrets. As a result, MicroVention filed the trade secret lawsuit on December 22, 2020. The parties agreed that a neutral vendor would image all of Balt’s laptops at issue and split the costs.

In the ESI protocol negotiated by the parties, Balt was to provide “any and all necessary log-in information (e.g., usernames and passwords),” so that the data on the devices could be retrieved. Before working on the devices, the vendor requested this information, and Balt agreed to have someone from IT “on hand” to address login and encryption issues. Instead, Balt’s former counsel advised Balt to turn on the devices before providing them to the vendor. IT followed this directive and was able to access the devices, and did not notice BitLocker encryption—however, IT did not verify that BitLocker had been installed before giving the devices to the vendor.

While the vendor was able to image several devices, it was not able to image two of the laptops that were at issue in the case. Balt alleged that the vendor was at fault while MicroVention’s expert argued that Balt’s IT Department should have been able to decrypt a laptop.

The Court did not find an intent to deprive under Rule 37(e)(2), but it did recommend Rule 37(e)(1) sanctions because:

  • Balt had a duty to preserve, and should have made sure that it had the encryption keys before giving the devices to the vendor. And, if it had done this, it would have allowed the vendor to access the data in a way that would not have caused BitLocker to lock the devices.
  • While it was unclear whether Balt or the vendor caused the devices to lock, it was reasonable for the vendor to rely on Balt’s representation that Balt IT’s department would be able to unlock any encryption.
  • MicroVention was prejudiced by the loss because the data cannot be found in another location.

Judge Scott recommended that the District Court allow MicroVention “to present evidence to the jury concerning the loss and likely relevance of the information” lost. The Court further recommended that Balt be precluded from using the lack of evidence of these devices as proof to their defenses. Also, Judge Scott recommended Balt—and Balt’s former counsel—pay for the costs of MicroVention’s motion and its expert fees.

Explore Our Other Articles!

No Results Found

The page you requested could not be found. Try refining your search, or use the navigation above to locate the post.


Submit a Comment

Your email address will not be published. Required fields are marked *

Let's Talk

Send us a message or give us a call and we will get back to you shortly!

(202) 772-3965
Copyright © 2024 Tesseract Data Services