
#CaseoftheWeek Episode 40: Spoliation Sanctions Due to Hiding of Communications from Encrypted Platforms

Hard to believe we have already reached 40 episodes of #CaseoftheWeek. For our 40th episode, we chose to analyze the FTC vs Noland decision. This is an interesting case as the party used encrypted messaging applications, Signal and ProtonMail, to hide communications from the government after learning of an investigation. This led to spoliation sanctions and an adverse inference in our case of FTC vs Noland.

Good morning and welcome to our #CaseoftheWeek for September 21, 2021. My name is Kelly Twigger, and I am the CEO and founder of eDiscovery Assistant and the principal at ESI Attorneys. Thanks so much for joining me today.

Through our partnership at ACEDS, each week, we select a recent decision in eDiscovery from our eDiscovery Assistant database that highlights some key issues for litigators and those who are involved in the eDiscovery process. We talk a little bit about the practical implications of that decision for you, your practice, and for your clients.

If you’re viewing us on any of the platforms—whether it’s LinkedIn, YouTube, Twitter, or Facebook—you’ll see a link to the decision that we’re discussing today titled FTC vs Noland. You’ll also see a link to a post from eDiscovery Today from Doug Austin about the same decision.

You’ll also see a link to our 2020 Annual Case Law Report, which shows the number of statistics and breakdown of other information in some key cases from 2020. We’ll be doing that report again for 2021 with Doug Austin at eDiscovery Today as well.

We also invite you to check out our recently updated website. If you’re interested in receiving our weekly case blog newsletter or the blog post from eDiscovery Assistant, in which we’re currently writing a series on ESI protocols, you can hop over to our blog and sign up to get those.

All right, let’s dive into this week’s case.

This week’s case is a decision in the Federal Trade Commission vs Noland case. This one is dated August 30. Let me just make sure I’ve got that date right—August 30, 2021. This is a decision from United States District Judge Dominic Lanza. In our eDiscovery Assistant database, we have 21 cases from Judge Lanza, many of which are decided under the Mandatory Initial Discovery Protocol Project in the District of Arizona.

As always, we tag our cases in eDiscovery Assistant with issues to allow you to search them better. Issue tags for this case are numerous, including instant messaging, spoliation, mobile device, text messages, failure to preserve, sanctions, WhatsApp, adverse inference, forensic examination, and ephemeral messaging.

This is a case where it kind of brings together a number of the issues that we’ve been talking about over this entire year for #CaseoftheWeek. In essence, you’re going to find bad actions on behalf of the defendants, and the question really becomes, what is the level that’s required to meet the intent to deprive standard under Rule 37(e)(2) for a potential adverse inference instruction.

Let’s dive into the facts. SBH, which is the company at issue here being investigated by the FTC, is an affiliate marketing program that sells coffee products and other nutraceuticals through its online platform and network of affiliates. The FTC alleges in its investigation that SBH operated as an illegal pyramid scheme and that the individual defendants, including Noland, who held leadership roles within SBH, made false statements to SBH affiliates, mostly about valuation of the company, money that can be earned, those kinds of things.

During the course of its investigation, the FTC issued a subpoena to Wells Fargo, which was the financial institution that did banking for SBH. That happened on April 26, 2019. The subpoena sought financial information related to both Noland, who was CEO, and SBH. It’s not really stated how in the facts of the case, but somehow Wells Fargo inadvertently disclosed the subpoena from the FTC to Noland. When the FTC learned that its investigation was no longer covert, it specifically advised Noland and SBH to preserve the relevant documents. We’re going to get into those individual facts.

Instead of preserving that information, Noland and SBH did the exact opposite. They changed their form of regular communication using email and text messages and some other services, including WhatsApp, to using two encrypted platforms for email and messaging called Signal and ProtonMail. They’ve really stopped using the other messaging platforms that they were using, including WhatsApp, text messages and email.

What are ProtonMail and Signal? That’s important for this analysis. ProtonMail is a Switzerland-based encrypted email service that emphasizes user privacy and allows the user to create all kinds of different settings associated with it. Signal is a free, privacy-focused messaging application and voice talk app that allows anybody with a phone number to join it. On Signal, communications are encrypted end-to-end, and users can set data to disappear after certain customizable timeframes. Signal is a not-for-profit organization with no advertising, and so its incentive to gather data on its users is non-existent, and therefore it does not collect data on its users. That’s really important. Signal was funded by a small group of privacy activists, including the founder of WhatsApp, who got on board with Signal after Facebook bought WhatsApp. He clashed with Facebook on how the acquisition really began the erosion of privacy from WhatsApp, which was intended to be an original end-to-end encryption with no data collected from users.

Now, once on these two platforms, Signal and ProtonMail, the individual defendants at SBH, the leadership group, stopped using their previous messaging platforms for work related communications and turned on Signal’s auto delete function and then proceeded to exchange thousands of messages related to SBH’s business. They essentially stopped using what they were using and moved on to these encrypted platforms.

April 26th, the FTC sent a subpoena to Wells Fargo. On May 20, 2019, Noland called his lawyer and told him to cooperate with the FTC in the investigation. The FTC responded to that inquiry by saying that it did not have any need to cooperate at this time, but it did instruct Noland and SBH to suspend the destruction of all information and to preserve data.

Now, the defendants used ProtonMail and Signal from April of 2019 throughout the remainder of that year. Fast Forward now to January 2020, the FTC concludes its investigation and gets a temporary restraining order to appoint a receiver for SBH and as part of that TRO, requires preservation of all information and for the defendants, meaning that leadership group, to turn over their mobile devices. The TRO required those individuals to “immediately, transfer or deliver to the receiver possession, custody and control of all the documents of or pertaining to the receivership entities, including all communications occurring via electronic mail, electronic messaging service, or encrypted messaging service.”

The TRO also required the individual defendants to turn over “all keys, codes, usernames and passwords necessary to gain or secure access to any assets or documents and or pertaining to the receivership entities, including access to their business premises, means of communication, encrypted messaging services, or other properties.”

The same obligations applied under the preliminary injunction that was entered on February 28 of 2020. It’s very clear from the request under the temporary restraining order and also a subsequent preliminary injunction that was entered by the Court that as of January 2020, that SBH had an obligation to preserve all electronic communications, including those on encrypted platforms like Signal and ProtonMail.

Now, as I mentioned, the defendant didn’t do any of those things. Then at a February 2020 deposition after the TRO had entered, Noland refused to disclose ProtonMail and Signal when he was questioned about using encrypted communications during a deposition. Following up on that on March 19, 2020, the defendants provided discovery responses to the FTC that required them to list their sources of ESI, and they failed to disclose Signal and ProtonMail as sources of ESI.

Fast forward again to May 29, 2020—two months later—Noland uses his ProtonMail account to send an email to provide third-party witnesses—affiliates with SBH—with what can be construed as a script to follow when drafting declarations that the individual defendants—leadership folks—wish to submit in support of their defense to the FTC. Essentially, what happened is the SBH leadership team drafted a declaration or language for declarations that they wanted the affiliates to enter on behalf of SBH to really bolster their position with the FTC.

After sending the email to his affiliates, Noland then deleted the email from his account and did not disclose that email to the FTC. The FTC then subsequently learned from an anonymous recipient that Noland had sent the email and they got a copy of it together with the language that was proposed.

Fast forward a couple of months later to August 2020, and the individual defendants to this point had not produced their mobile devices for imaging, despite the TRO and the preliminary injunction that entered in January and February. Now a couple days or the day before turning over their phones, the individual defendants worked together in a concerted fashion to delete the Signal app and preclude the forensic examiners from the mobile devices from being able to recover any of the data from Signal. All of the messages that the defendants had sent from May 2019 through August of 2020 were completely wiped, no availability of that information whatsoever. Now important point here, all of this was done without the knowledge of Counsel, the FTC or the receiver that had been appointed under the TRO. Nobody knew other than the actual defendants that Signal was being used or that it was being auto deleted or that the application was wiped from their phones prior to turning them over for imaging. Because that was all wiped, no information left on the images, no ability for the FTC to even know that it existed at the time.

Fast forward to late September or early October 2020, when the defendants produced batches of discovery materials to the FTC, including several Excel spreadsheets of their text messages that included 7507 WhatsApp communications. Of those 7507, 7505 (so all but two of them) were sent between September 2, 2017 and May 16, 2019. Remember that May 16 is the same date that Noland called his lawyer and told him to cooperate with the FTC. The discovery also showed that the defendants had exchanged thousands of text messages from 2017 to May 16, 2019, which is also the same date that Noland invited the leadership to ProtonMail and Signal. You’ve got, essentially, evidence that’s being produced in discovery that the defendants were using text messages and WhatsApp up until they stop on the same date. That immediately raises information or skepticism on the part of the FTC as to how these defendants were communicating.

The messages that were produced in the WhatsApp and the text messages show that the defendants did discuss relevant portions of their business, including the fact that they focus on recruiting affiliates, substantial income claims that were likely false, and actual financial results all before they switch to the ProtonMail and Signal in May of 2019. Now October 30 of 2020, about a month later, counsel for the defendants becomes aware of the unavailability of the Signal and ProtonMail messages and that its client had been using those applications and sent a letter to 22 employees trying to ask for their Signal or ProtonMail messages. All of the employees said that they did not have any messages due to either (1) an auto delete on the Signal account or (2) suspending and clearing of ProtonMail accounts. That, as we understand it from the facts of the case, is the first time that counsel becomes aware of the existence of the Signal and ProtonMail accounts as they were never disclosed to counsel by the client.

December 2020, the FTC then deposes the defendants and the testimony revealed that all of the defendants had installed and used Signal, and at least one of them besides Noland knew about the subpoena that Wells Fargo had tipped off SBH to. They also testified that they deleted Signal from their phones as part of a coordinated plan between them. Following up on that testimony, the FTC subsequently moves for spoliation sanctions in January of 2021, seeking an adverse inference based on the intentional spoliation of evidence.

Those are long facts, but they set us up for an analysis now of whether, in fact, SBH’s actions here in keeping these sources of ESI from counsel and from the FTC and subsequently deleting them, making the information completely unavailable, rise to the level of intent to deprive under Rule 37(e).

How does the Court go about the analysis? The Court really begins by discussing how Rule 37(e) was rewritten in 2015, which is a fact we’ve covered a number of times on the #CaseoftheWeek. When it was rewritten, the Court notes that it was, “to provide a nationally uniform standard for when courts can give an adverse inference instruction or impose equally or more severe sanctions to remedy the loss of ESI.”

As we’ve talked about, FRCP 37(e)(2) provides that if electronically stored information that should have been preserved in the anticipation or conduct of litigation is lost because a party fails to take reasonable steps to preserve it, and it cannot be restored or replaced through additional discovery, the Court, upon finding that the party acted with the intent to deprive another party of the information’s use in the litigation, may presume that the lost information was unfavorable to the party, instruct the jury that it may or must presume the information was unfavorable to the party, or dismiss the action or enter a default judgment. That’s the basis of Rule 37(e)(2).

Right. Essentially, we’ve got to have failure to preserve, ESI that’s lost, can’t be replaced, and you’ve got to show intent to deprive. Even when you show intent to deprive, you do not have to prove any prejudice to the opposing party based on the content of the information, and the Court has the option to either enter an adverse inference instruction or dismiss the action or enter a default judgment. Now, the Court also notes that there is no ability to rely on its inherent authority under 37(e)(2). That it is solely the basis of this individual analysis, the steps of analysis that are what the Court has to undertake to determine whether an adverse inference instruction or default judgment or dismissal are appropriate.

Let’s go through the steps of the analysis. First, whether the Court requires that you have to show that the ESI was lost or destroyed, and then determine whether the ESI should have been preserved, whether the party failed to take reasonable steps to preserve it, whether it can be replaced or restored. If the answer to each one of those is yes (i.e. that it can’t be replaced or restored), then you have to ask whether the party acted with the intent to deprive again, taking into account that no prejudice is required to be demonstrated.

Step one of those steps — was ESI lost? Obviously, the Court says yes. The plaintiffs try to argue that their use of the auto-delete function from Signal makes a difference versus wholesale deletion. But neither the FTC nor the Court really buys that, and the end result is the same for purposes of this element. Ultimately, the defendants deleted the Signal app, so whether auto-delete was on or not, all of that information was lost at the time the apps were deleted.

With regard to ProtonMail, the Court points to the one email that the FTC was able to get from the anonymous tip that talked about declarations. That was enough to show that data that was deleted would have been relevant, and the Court finds that that’s enough to show that the data was lost.

Next step is whether or not there was a duty to preserve the Signal and Proton Mail by SBH. The Court answers that question in the affirmative. The Court looks at whether or not litigation was reasonably foreseeable and when litigation was reasonably foreseeable, and this is always an important analysis in these situations on the duty to preserve.

There are two timing dates here. There’s May of 2019 when SBH learned about the subpoena from Wells Fargo, and then there’s January 2020, when the temporary restraining order actually issued from the Court upon the request of the FTC.

Now, the defendants argued that because the FTC had refused its offer to cooperate back in May of 2019 that it believed the investigation was concluded and it no longer needed to preserve information. That, of course, is completely an argument that is upended by the fact that they switched to end-to-end encrypted communications and continue to use them in the same way they were using WhatsApp and text messages prior to them.

Nevertheless, the Court says that the duty did arise as of May 19, 2019, when they learned about the subpoena, and that in addition to learning about the subpoena, when the FTC responded to SBH’s request to cooperate, that the FTC responded to counsel’s email by stating that Noland, “and the company should suspend any ordinary course destruction of documents, communications and records.” At the very least, they should have stopped, turned off the auto-delete function on Signal and stopped deleting any information on any other platforms, including Signal and ProtonMail.

As we know from the facts of the case, SBH continued to destroy information after that May correspondence with the FTC as well as after the January 20, 2020 TRO. It doesn’t really matter what the date of timing is. More goes to the quantity of information that’s lost. In fact, data was destroyed, and there was a duty to preserve.

Next step on the inquiry is whether there was a reasonable foreseeability of the relevance of the Signal and ProtonMail messages. The FTC arguments here are really that the relevance of the lost ESI can’t be definitively ascertained because it no longer exists, which is pretty common. But they do argue that in such circumstances, the individual defendants cannot assert any presumption of irrelevance. Meaning that the FTC saying, “you can’t argue that it’s irrelevant because it doesn’t exist, and we don’t have an ability to combat that.” Now, the defendants actually didn’t dispute that the deleted messages included relevant matters, and at the depositions, they ultimately admitted that they used those applications for those business purposes at least part of the time.

When you look at the data from the WhatsApp messages and the text messages, which shows all of the communications between the leadership team about all of these business issues which were the subject of the FTC investigation, it becomes pretty clear that by switching platforms, they simply moved those communications into encrypted platforms that they could delete and destroy while the FTC was continuing its investigation. What they were really doing is precluding the ability of the FTC to find any more information from May 2019 forward. Obviously reasonable foreseeability is yes.

Next analysis is did SBH take reasonable steps to preserve. Clearly, we’ve shown that they didn’t. They actually did the opposite and deleted information. Multiple areas in which that’s clear here; the largest being the uninstalling of the Signal app just prior to providing their mobile devices for imaging by the FTC.

Next step is can any of the lost data be replaced? And the answer is no. I mean, we talked about this with regard to the Signal information as ephemeral messaging. If it was set to auto-delete it auto-deleted. When they deleted the apps entirely from their mobile devices, all of the content was gone. There really was no information to be available. Now, the FTC did make a good faith effort to go to other entities, including those affiliates that had been communicated with to find out if they had Signal, or if they had other access to the information that would have been available on these mobile devices. But none of that information was available.

It is important to note, though, that the FTC did make that inquiry because the Court notes it. It’s important from a perspective of making sure that you’ve combed the Earth to find out whether there are any other places where this information could have existed. Because, of course, if it could have existed, then it’s not gone, and we don’t have spoliation.

Next analysis is where the Court really notes again that there’s no requirement of finding prejudice under 37(e)(2) so we don’t have to take that step.

Next step moves to the intent to deprive. This is where we always kind of fall down in terms of 37(e)(2) usually with case analysis, right? It’s very difficult to prove this intent to deprive. Well, as we’ve seen from the facts here, not as difficult in this particular situation.

This, of course, is the biggest argument in the case, because intent to deprive is what allows for the adverse inference instruction that the FTC is seeking here. Without the intent to deprive, you simply can’t get an adverse inference instruction, a dismissal or default judgment under 37(e)(2). Now, the defendants tried to say that they switched to Signal and ProtonMail innocently. There was apparently some semblance of an issue that a prior employee at SBH had been hacking information or eavesdropping on information from the leadership team. The FTC investigator found absolutely no evidence in any of the electronic communications about that discussion, about that employee. The Court found that the FTC had easily carried its burden of showing that the defendants acted with the intent to deprive the FTC of the information contained in the Signal and ProtonMail messages. The Court really noted that the most decisive factor was the timing of the installation of the Signal and ProtonMail by the leadership team. The fact was that those defendants installed those apps in late May, one day after Noland discovered the subpoena from Wells Fargo. The Court really pooh-poohed the argument from the individual defendants that the timing was really a coincidence, that the individual defendants tried to state that they just happened to install those on a particular date, and the Court said, “We’re not buying it. This explanation is completely incredible.” There’s also absolutely no other evidence to support the notion that the individual defendants were being hacked. That argument was dismissed.

In terms of the intent to deprive, the Court found the intent to deprive was also exacerbated by Noland’s failure to disclose Signal or the ProtonMail at his deposition, the discovery responses which failed to disclose those applications, as well as the coordinated deletion of the Signal app from the iPhones and the content of the ProtonMail message to the affiliates being deleted. Intent to deprive was a no brainer here, and that really shows us what the bar is for purposes of creating that intent to deprive under Rule 37(e)(2).

Of course, the FTC requested an adverse inference that the spoliated evidence was going to be unfavorable to the defendants, and the Court concludes that the requested adverse inference sanction is appropriate and that it is likely that the deleted information from Signal and ProtonMail addressed matters that were very relevant to the litigation. The Court also noted that the defendants’ conduct not only violated Rule 37(e), but also the MIDP rules, the temporary restraining order, as well as the preliminary injunctions, and that all of those violations raise the possibility of the drawing of an adverse inference. The motion for sanctions is granted and the adverse inference instruction is awarded.

What are our takeaways from this case?

Well, as we’ve discussed in multiple occasions, the timeline here is really key. The specific dates on what took place really paint the picture of the defendants’ actions, and a lot of those are uncovered as a result of the forensic examination of those mobile devices. But you also have to couple that with the WhatsApp messages and the text messages. Someone looking at those Excel spreadsheets of the text messages and WhatsApp combined with the dates on the forensic examination really creates that timeline that lets you start to put together a picture of some suspicious behavior that then needs to be investigated further.

Every keystroke that you make when you’re dealing with ESI is recorded in some way, shape or form. Despite their best efforts, the defendants here were not able to completely hide what happened. Ultimately they admitted at their depositions the use of Signal and ProtonMail. Using Signal and ProtonMail as encrypted applications did preclude the FTC from being able to get any of that information. To the extent the defendants were able to mitigate any of the kind of behavior that the FTC was investigating from May to January, they would have been able to do that without the FTC knowing because those communications are gone.

Now, even with the adverse inference, the question becomes here, will the FTC really have the information it needs to show the bad conduct after the investigation? Now, of course, they have all the information prior to May 2019, which presumably formed the basis for their need to investigate in the first place. But of course, the defendants here were savvy enough to keep certain information from the FTC by using those encrypted applications.

Now we talked a bit about the fact that counsel here were not aware of the use of Signal or ProtonMail in May of 2019, when Noland first reached out to counsel. When they figured it out, they immediately began questioning the client and advising the FTC of the issues. That is the proper way to handle bad actions by a client with regard to handling data. We saw this situation in the DR Distributors case and in other cases we’ve covered on the #CaseoftheWeek. It is incumbent upon counsel to immediately advise the Court when they have noticed that the client has not taken the steps that were required by the Court. In this particular instance, we’re not just talking about a common law duty to preserve. We’re talking about a temporary restraining order as well as a preliminary injunction that were issued requiring SBH to preserve information. Very important for counsel to not only try to learn this information as quickly as possible when it comes to your clients, but when you do learn that your client has kept information from you, that you disclose it as soon as possible.

Final takeaway really is understand that Signal and ProtonMail and encrypted platforms like those products exist. If your clients are using them, you need to know about it as counsel. That is part of your duty to investigate what’s happening, what the sources of information are for purposes of discovery. When you sign those Rule 26 certifications that you provided all discovery, you’ve got to know that all of these sources of ESI exist.

That’s our #CaseoftheWeek for this week. Thanks so much for joining me. I’ll be back next week with another edition of our #CaseoftheWeek from eDiscovery Assistant. If you are an ACEDS member and interested in doing a trial of eDiscovery Assistant, there is a discount available to current ACEDS members and a trial if you’re taking the ACEDS exam. If you’re interested in either of those, please drop us a line at aceds@ediscoveryassistant.com and one of our team will be in touch.

If you are not an ACEDS member but are interested in using the eDiscovery Assistant platform, you can use the button in the upper right hand corner to start your own trial, or you can reach out to our team at support@eDiscoveryAssistant.com. We’ll do a demo for you and get you set up.

Thanks so much. Have a great week. Stay safe and healthy, and I’ll see you next week.

Watch Next Episode Live

#CaseoftheWeek streams live on the ACEDS YouTube, Facebook, Twitter, and LinkedIn company pages. Subscribe to the ACEDS social channels to be notified when we go live.

Catch the Replay

You’ll be able to read episode summaries and watch the recorded show right here on the eDiscovery Assistant blog or access the recorded versions from the ACEDS social media channels.
