Tuesday, November 6, 2007

Hawaiian Airlines Bankruptcy: Issuing a "Litigation Hold" May not be Enough when Rogue Employee Destroys ESI

Mesa Air Group, a party in bankruptcy litigation with debtor Hawaiian Airlines (HA), got an ugly pre-Halloween surprise from the bankruptcy court hearing the case. According to the the recent opinion in Adv. Proc No 06-90026, and currently being reported as 2007 Bankr. LEXIS 3679, a single, highly placed employee within Mesa Air set about to wipe ESI from several hard drives. In one instance, the destruction took place immediately after a hearing wherein the judge questioned the credibility of the employee. While the debtor predictably obtained the adverse inference finding, this opinion ought to be reviewed as a precautionary tale for counsel who believe they have done their part by issuing a litigation hold. (Also hidden in this opinion is a lesson for those who believe Confidentiality Agreements to the exist as the "end all and be all", but that is a subject for another day).

The court's opinion offers up the following timeline:
HA filed it s Chapter 11 in 2003. In the process of searching for post-petition investors, HA provided passwords to prospective investors allowing them to access the now ever-present "data vault". The ESI in the data vault was capable of being downloaded by those accessing the information. The Debtor required confidentiality agreements, as much of the data was viewed as being "competitively sensitive", required the destruction of the information at a time certain, and prohibited any use of the information except to evaluate the investment. Mesa later became a direct competitor of HA, leading HA to claim that Mesa had breached the confidentiality agreement, allegedly using some of HA's information as its own.

According to the opinion, Mesa's CFO signed a CA, accessed the data vault, and downloaded several electronic documents. The CFO had 2 laptops issued by Mesa, and a computer at home. According to the court, the CFO also happened to have software called System Mechanic Professional, which includes a feature called DriveScrubber2. (In the near future, law professors will quip that any opinion that includes references to things such as DriveScrubber, DataAssassin, FrankenFile or Mac-Daddy Drive DooDoo means someone is getting sanctioned).

Shortly after HA filed its complaint against Mesa, counsel sent a litigation hold via email to the CEO, CFO and COO. According to the court, in late February 2006 the CFO began searching (unbelievably, via email communication) for software to delete files and make it look like they were never on the target drive. A week later, CFO certified to the court that he had downloaded the information from the data vault to a CD, but never to his hard drive. CFO also certified that he never shared the information shared on the CD.

Fast forward to June 28, 2006, when HA seeks a preliminary injunction after finding a draft offering memorandum for Mesa investors that appeared to copy portions of an HA information memo, verbatim. Apparently, the CFO also forwarded portions of HA's memo to Mesa colleagues, stating that Mesa's offering memo needed to "be more like the attached."

According to the opinion, on July 16, 2006, the CFO wipes the hard drive and changes the clock on one of the laptops to conceal any misdeeds. A second declaration was filed by the CFO on August 7, indicating that some previous testimony was incorrect, but no wrong-doing occurred.

On August 8 during a hearing, the court apparently voiced some "concerns" about CFO's credibility, to the extent that the opinion indicated that the CFO commenced to wipe the drive on the second laptop beginning that very day, and continuing until Mid-September. Once again, Daylight Savings came to a premature end in Hawaii, as the CFO changed the clock in this laptop as well.

Between January and April 2006, the CFO apparently also deleted files from the "H drive" of the company servers. Mesa was able to salvage the "H drive" information through tape back ups.

Borrowing from the "What the Definition of Is, Is" playbook, the opinion indicates that someone argued on behalf of Mesa that the only scrubbing taking place was done to remove "adult content" from the laptops as well as the H drive. It seems there was some testimony regarding "adult content" in 2003 or 2004, but the court found no credible evidence that expunging some nebulous adult content was the purpose of the scrub down in 2006, unless of course someone had some fetish that they disguised as "Hawaiian Airlines"...

Aside from the fact that someone in the food chain decided, as between dirty pictures and dirty deeds, that dirty pictures are the lesser of two evils, the opinion is fairly uneventful. The opinion does serve as a quiet reminder that simply issuing a litigation hold, then sitting back and waiting for IT to save the company is simply not enough. On pages *14 and *15, the court suggests that Mesa could have taken "reasonable steps that would have prevented, or mitigated the consequences of... destruction of evidence." One such step would have been creation of backups of the laptop drives and the H drive after the adversary was filed. (Apparently the tape back ups were only good for January 2 and April 6, 2006...). The court declared that simply instructing employees to preserve evidence and trusting them to comply was not adequate, and that instead, "Mesa could and should have taken reasonable steps to prevent all of its employees from doing wrongful and foolish things, like destroying evidence...". While the court is careful to point out that CFO acted alone, Judge Robert Faris also made it clear that Mesa "facilitated" the CFO's misconduct.

What duties might counsel have beyond issuing a litigation hold, working on the assumption that a corporate client will be looking to counsel for advice as to how to avoid a "dirty deeds" opinion? Unfortunately, the opinion does not address whether or not Mesa had a document retention/destruction policy, whether or not such a policy was followed, or what items might be incorporated into such a policy to mitigate the actions of a rogue employee. Even in the absence of a policy, the opinion does not address what steps, if any, Mesa may have taken prior to June 2006 to prevent or mitigate the consequences of such misdeeds. The opinion does not delve into (nor do I recall ever seeing an opinion that did) the administrative permissions at the server level that allow an individual user to delete documents.

Given the constant state of flux that inevitably follows the development and implementation of technology-based business applications, it is likely that opinions like this will become increasingly fact intensive. Rather than rely on an increasingly well-informed bench to discover the correct answer, counsel must shoulder the burden of understanding the client's digital enterprise. This means finding, and learning, the client's document retention policy. This means identifying the potential information holes. Yesterday's smoking gun email is today's "personal" Internet-based email account. The media roundly criticizes, and rightly so, when the government loses laptops chock-full of military secrets; for the lawyer, not knowing how many laptops a key employee may have, or as in the K-Mart case, which former employees still have data, is just as damning.

Increasingly, corporations will be forced to face choices such as allowing email to stored at the user level, or the ability of an individual user to delete documents off of the companies shared servers. Not only will counsel need to have some minimal technological skill to contribute to that process, they will have to translate that process to the bench in order to avoid similar Halloween surprises.

No comments: