Please ensure Javascript is enabled for purposes of website accessibility
Home / Expert Opinion / eDiscovery Update / eDiscovery Update: Data wiping, missing iPhone leads to sanctions

eDiscovery Update: Data wiping, missing iPhone leads to sanctions

Peter Coons

Peter Coons

A recent ruling from the Supreme Court in Albany County (HMS Holding Corp v. Arendt) caught my eye for numerous reasons. One was the court’s decision to levy sanctions for spoliation, and another was the overwhelming evidence put forward by the plaintiff’s computer forensic expert that identified the nefarious actions of defendants to cover their tracks.

The plaintiff commenced this action on Aug. 19, 2014, to “safeguard HMS’s confidential, proprietary and trade secret information, to prevent unfair competition and irreparable injury to HMS’s business interests, and to protect the goodwill of its business.”

Basically, two of the defendants in this case were former employees of HMS and both conspired to use HMS intellectual property they possessed at their new employer with the intent of competing against HMS. After the suit commenced, the two defendants proceeded to run a data wiping utility on a personal computer and fabricate a story about a broken iPhone in an effort to thwart discovery. Did I mention the two defendants were attorneys?

The two defendants were Sean Curtin and Danielle Lange. Curtin was the COO of HMS prior to his departure on Feb. 28, 2013. Curtin resigned voluntarily citing a desire to spend more time with family. Approximately a year prior to his departure, Curtin had signed a noncompetition agreement with HMS.

“… the agreement provided that for a period of at least one year following the termination of Curtin’s employment, he would not ‘directly or indirectly engage or assist others in engaging in any business or enterprise that competes with HMS’s business.’”

Four months after his departure, Curtin initiated contact with several executives at HMS’s competitor, Professional Consulting Group (“PCG”), to discuss competing with HMS.

“By the beginning of September 2013, Curtin committed to assist PCG in developing a comprehensive proposal to reenter the TPL business and compete for HMS’s customers. Curtin also assisted PCG in identifying and recruiting ‘current or past [HMS] employee[s]’ with the necessary TPL qualifications and experience.”

One such employee was co-defendant Danielle Lange, who worked as a staff attorney at HMS from January 2010 until May 2014 when she joined PCG.

“PCG’s newly formed TPL team, led by Curtin, moved quickly to compete for the business of HMS’s customers. PCG submitted a successful TPL proposal to the State of Louisiana in July 2014, but the award was protested by HMS on August 8, 2014. During the same time frame, PCG also submitted an unsuccessful proposal to the State of North Carolina.”

After HMS filed the suit, PCG issued a litigation hold notice to certain employees, including Curtin and Lange. The hold advised recipients of their obligation to “preserve all records related to the subject of the complaints, including electronically stored information (“ESI”) on computers, removable or portable storage media, office computers, cell phones and personal computers.”

Defendants eventually handed over forensic copies of computers used by both Lange and Curtin as well as data extracted from an iPhone used by Lange. The ESI contained on these forensic copies were analyzed by HMS’s computer forensic expert, J. Christopher Racich. After his investigation of the electronic devices, Racich concluded that Curtin and Lange “intentionally deleted and destroyed ESI that is relevant to this lawsuit”.

Racich found that Curtin used a data wiping tool six separate times after the commencement of this action.

“Data destruction was initiated using the tool ‘Disk Utility,’ which is part of the computer’s Macintosh operating system. The ‘Secure Erase Free Space’ function completely overwrites all unallocated space on a computer hard drive, rendering unrecoverable any files previously deleted by the user.”

In his affidavit, Curtin did not deny running the disk utility and data wiping sequence. He claimed that he ran it to speed up his computer and claimed “to have been advised by several PCG colleagues that the use of Apple’s pre-loaded Disk Utility software would improve speed by optimizing disk performance.” The court did not believe this argument because additional steps and choices were required to activate the data wiping sequence.

Forensic analysis also showed that an external hard drive containing a folder named “HMS” had been attached to both Curtin’s personal computer and his PCG work computer. Analysis uncovered that HMS data was copied to the same external drive on Feb. 27, 2013, the day before Curtis left HMS. Additional forensic evidence also showed that these files were accessed between June 24, 2014, and July 22, 2014. Curtin failed to produce the drive for forensic examination in September 2014 even though he acknowledged that it was used while he was employed at HMS. Curtin claimed he was unable to locate this drive, which was just another excuse the court had trouble swallowing.

Lange also had some explaining to do when it came to missing ESI.

HMS took issue with Lange’s failure to produce the text messages from her iPhone prior to September 2014. “Racich’s affidavit states that review of the text messages produced by other parties to this action and the Texas Action shows numerous texts sent and received by Lange during this period.”

Lange’s position was that she couldn’t produce these messages because she “replaced her iPhone 4 in August 2014, after accidentally dropping it.” Lange submitted evidence that she purchased the new phone on Aug. 8, 2014. The staff at the AT&T store couldn’t transfer the data to the new phone, she claimed, and she left the old phone at the store.

A plausible scenario until it was disproven by the forensic examiners who looked at Lange’s computer, which unbeknownst to Lange, created automatic backups of the iPhone(s) each time they were connected to the computer.

“HMS’s expert testified clearly and unequivocally that the backup of Lange’s iPhone 4 from which her text messages were recovered was created on August 15, 2014–one week after Lange allegedly discarded her inoperable iPhone 4 at the AT & T store. And given Lange’s receipt from the AT & T store, there can be no mistake about the date of this visit.”

In the end the court agreed that Curtin and Lange intentionally destroyed, deleted and failed to produce ESI while under a known duty of preservation. The court also concluded that the destroyed, deleted and missing ESI would have supported HMS’s claims against these defendants.

The court found that an adverse inference finding was appropriate in this situation. The court added “… [a]dding to defendants’ culpability is their failure to testify truthfully about material events, which has had the effect of interfering with the sound administration of justice.”

The court also came down heavily on Lange for her dishonesty.

“… given the egregious nature of Lange’s misconduct and its bearing on her honesty, trustworthiness and fitness to practice law the Court is obliged to forward a copy of this Decision & Order After Hearing to the New York State Committee on Professional Standards.”

In addition to an adverse inference, defendants were ordered to pay attorney and other reasonable fees, costs and expenses “incurred as a result of their intentional misconduct.”

The takeaway here is that another person thought they could get away with deleting material and hiding their tracks.  In the world of computer forensics there are always digital cookie crumbs to follow.

Peter Coons is co-founder and senior vice president at D4, providing eDiscovery and digital forensics consulting services to clients, Peter is a Certified Information Systems Security Professional (CISSP), an EnCase Certified Examiner (EnCE), an Access Data Certified Examiner (ACE), and a Certified Computer Examiner (CCE). He belongs to various digital investigation and information security based organizations. Peter holds a master’s degree in Digital Forensics Management from Champlain College and a bachelor’s degree in Economics from the State University of New York at Oneonta.