Sanctions considered due to loss of evidence in cyberattack
Western Power, Inc. v. TransAmerican Power Prods., Inc., No. H-17-1028 (S.D. Tex. June 7, 2018).
In this contract dispute, the court considered whether it should sanction a party for the near-complete loss of discoverable evidence in a cyberattack.
The plaintiff, Western Power, Inc. (WPI), represents manufacturers by promoting their products. WPI entered a contract for services with TransAmerican Power Products whereby WPI would be paid on commission, calculated according to sales figures. Subsequently, WPI brought this case against TransAmerican, alleging breach of contract and other claims. WPI alleged that TransAmerican “failed and refused to compensate” it fully.
During discovery, WPI produced a spreadsheet with its calculation of the amount it had been underpaid.
Several months later, TransAmerican suffered a “cyberattack that affected its servers and personal workstations.” That attack crippled TransAmerican’s computer systems; it lost “most of the information” that WPI sought in discovery. A month after that, TransAmerican produced its own spreadsheet, which it said it had prepared prior to the attack.
WPI moved for sanctions under Federal Rule of Civil Procedure 37(e) for TransAmerican’s failure to preserve evidence.
The court pointed out that according to the advisory committee notes for Rule 37, “the rule calls only for reasonable steps to preserve.” Therefore, Rule 37 does not apply when information is lost in spite of a party’s reasonable efforts. The committee notes specifically referenced a “malign software attack” as one type of uncontrollable event that could destroy evidence. However, courts can still weigh how well a party anticipated such a risk and protected its discoverable information against loss.
WPI argued that TransAmerican should have preserved its discoverable evidence, the loss of which prejudiced WPI. Further, WPI claimed that TransAmerican’s “inaction is sufficient circumstantial evidence” of its intent to deprive WPI of information.
TransAmerican countered that it took reasonable preservation steps and did not act in bad faith. It also argued that Rule 37(e) was inapplicable because the loss was due to a “malign software attack,” not its own conduct.
The court agreed with TransAmerican that Rule 37(e)’s spoliation sanctions would not generally apply to the loss of evidence in a cyberattack. But the fact-intensive question of whether TransAmerican “adequately protected against the risk of such an attack” remained.
Therefore, the court deferred a ruling on WPI’s motion for sanctions until it could hear the facts at trial. After this opinion, the matter went to a three-day jury trial. The parties ultimately settled the matter while the jury was deliberating.
Takeaways on Protecting Against Cybersecurity Risks
Any individual cyberattack may come as a surprise, but the possibility of attack is entirely foreseeable. Protect your discoverable information! Back up your data, create a cybersecurity plan, and consider moving your discovery to secure cloud-based storage.
Also, don’t delay in producing discovery. TransAmerican claimed that it prepared its spreadsheet months before the attack; it’s unclear why it hadn’t yet provided it to WPI.