When HR Pros Go Bad: Spoliation & Personal Identifiable Information

A HR professional emailed to his home computer the personnel files of 68 employees when he feared layoffs were coming. 

That is only the beginning of a really ugly fact pattern.

The data included past and current employee names, social security numbers, date of births, compensation, and addresses.  The former employer (now the Plaintiff) sued the HR professional (now the Defendant) for “conversion, breach of contract, breach of the duty of loyalty, and sought injunctive relief.”   1-800-East W. Mortg. Co. v. Bournazian, 2010 Mass. Super. LEXIS 158 (Mass. Super. Ct. July 18, 2010)

A temporary restraining order was entered against the Defendant, preventing him from “deleting, altering, erasing or otherwise tampering with any information on any computer, hard drive, thumb drive, flash drive, or other electronic data storage device owned by [the Defendant or his wife] or resident on any web-based account or data storage service until further order of this Court.”  1-800-East W. Mortg. Co. at *2.

Two days after being served with the TRO, he downloaded an evidence erasing program and wiped a large amount of the data.  1-800-East W. Mortg. Co. at *2.

Eleven days after the TRO, the Court permanently enjoined the Defendant from:

Deleting, altering, erasing or otherwise tampering with any information on any computer, hard drive, thumb drive, flash drive, or other electronic data storage to which they have access until such time as a forensic expert hired by East West Mortgage may make a bit map copy of the data on these devices and/or accounts.

1-800-East W. Mortg. Co. at *2.

Ironically on the anniversary of the Watergate break-in, the Defendants were to provide to the Plaintiff’s expert, “each and every computer hard drive, thumb drive, flash drive or other electronic data storage device owned by them for the purpose of creating a bit map copy of said electronic media and for analysis of the contents thereof consistent with the protocol for the acquisition of electronically stored information.” 1-800-East W. Mortg. Co. at *2-3.

Destruction of Evidence

Following the lead of Nixon and Lewinsky, the Defendant tried deleting everything with the data destruction software Ccleaner and destroyed his external hard drive with a “mini-sledge hammer.”  1-800-East W. Mortg. Co. at *3-4.

The Defendant’s destruction of evidence took place on the day the injunction was entered against him.  1-800-East W. Mortg. Co. at *3.

The Defendant tried explaining his actions with 5 different stories, which the Court found to be highly un-credible.  1-800-East W. Mortg. Co. at *5.

The stories ranged from his work computer was crashing to he wanted to make a template to the hard drive fell in the bath tub.  1-800-East W. Mortg. Co. at *5.

Wrath of Court

The Court did not take kindly to the willful violations of the court orders.  1-800-East W. Mortg. Co. at *6-7. 

The Defendant was sanctioned with the following order: 

  1. Damages including fees for a credit monitoring service of the 68 employees in the amount of $4,549.30;
  2. Damages including the cost of the forensic expert in the amount of $10,549.50;
  3. Attorneys fees to be proven; 

 

Permanent injunction from distributing, sharing, divulging, displaying, disseminating or otherwise distributing any confidential information from the Plaintiff.

1-800-East W. Mortg. Co. at *8-9. 

Bow Tie Thoughts

The willful violation of the court orders and destruction of evidence makes case law that sounds like Book of Revelations.  Throw in the theft of personal identifiable information and a judge will act like one of the Four Horsemen of Apocalypse. 

The protection of personal identifiable information and the transitory nature of electronically stored information will be heavily litigation in the years to come.  It is a matter of time before such information is foolishly hosted in the “Cloud” that results in an ugly data breach.

  1. He got off light. The Ponemon Institute has been compiling data for several years on the cost of a privacy breach. They consistently return estimates of $100-300 per breached record. (The variation is dependent on customer expectations which is a function of industry. Financial services companies are at the high end of the range.)

    Credit monitoring is a component of the total cost of a breach but only a relatively minor component. The full cost to the company for 68 compromised records is probably closer to $20,000. Plus the $10k forensics bill and legal costs, of course.