Case 8:20-cv-02400-JLS-KES Document 424 Filed 04/21/23 Page 1 of 22 Page ID
`#:15692
`
`
`EVAN FINKEL (SBN 100673)
`evan.finkel@pillsburylaw.com
`MICHAEL S. HORIKAWA (SBN 267014)
`michael.horikawa@pillsburylaw.com
`CHAZ M. HALES (SBN 324321)
`chaz.hales@pillsburylaw.com
`CHLOE STEPNEY (SBN 334013)
`chloe.stepney@pillsburylaw.com
`PILLSBURY WINTHROP SHAW PITTMAN LLP
`725 South Figueroa Street, 36th Floor
`Los Angeles, CA 90017p
`Telephone: 213.488.7100
`Facsimile: 213.629.1033
`
`CALLIE A. BJURSTROM (SBN 137816)
`callie.bjurstrom@pillsburylaw.com
`MICHELLE A. HERRERA (SBN 209842)
`michelle.herrera@pillsburylaw.com
`PILLSBURY WINTHROP SHAW PITTMAN LLP
`11682 El Camino Real, Suite 200
`San Diego, CA 92130
`Telephone: 858.509.4000
`Facsimile: 619.819.4363
`
`[Additional counsel listed on last page]
`
`Attorneys for Plaintiff
`MICROVENTION, INC.
`
`UNITED STATES DISTRICT COURT
`CENTRAL DISTRICT OF CALIFORNIA
`
`
`MICROVENTION, INC., a Delaware
`corporation,
`
`
`Plaintiff,
`
`
`
`vs.
`BALT USA, LLC, a Delaware Limited
`Liability Company; DAVID FERRERA;
`NGUYEN “JAKE” LE; YOSHITAKA
`KATAYAMA; STEPHANIE GONG;
`AND MICHELLE TRAN,
`
`Defendants.
`
`Case No. 8:20-cv-02400-JLS-KES
`
`MICROVENTION, INC.’S REPLY
`BRIEF IN SUPPORT OF ITS
`MOTION FOR SANCTIONS
`AGAINST DEFENDANT BALT
`USA, LLC FOR EVIDENCE
`SPOLIATION
`Date: May 5, 2023
`Time: 10:30 a.m.
`Courtroom: 8A
`
`Pre-Trial Conf.: August 4, 2023
`Trial: To be Set
`Hon. Josephine L. Staton
`
`4856-0414-6270.v7
`
`
`
`
`
`MEMORANDUM OF POINTS AND AUTHORITIES
`Case No. 8:20-cv-02400-JLS-KES
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`

`

`Case 8:20-cv-02400-JLS-KES Document 424 Filed 04/21/23 Page 2 of 22 Page ID
`#:15693
`
`
`TABLE OF CONTENTS
`
`
`
`I. 
`II. 
`
`B. 
`
`Page
`INTRODUCTION ...................................................................................... 1 
`REPLY ARGUMENT ................................................................................ 2 
`A. 
`Balt’s False Representation Regarding Encryption Keys Caused
`the Destruction of Evidence on the Tran and Katayama Laptops ... 2 
`Balt’s False Representation to Stroz is an Affirmative Act That
`Caused the Data Loss ....................................................................... 4 
`Stroz Was Not Responsible for Managing Balt’s Encryption Keys 7 
`Balt’s Expert Is Wrong About What Triggers BitLocker Recovery 9 
`Balt’s Efforts to Search for the Encryption Keys Were Abysmal . 11 
`The Evidence Balt Destroyed is the Data Residing on the Tran and
`Katayama Laptops, Not the Encryption Keys Within Them ......... 14 
`The Court Has Inherent Power to Fashion Appropriate Sanctions
`for Evidence Spoliation .................................................................. 16 
`III.  CONCLUSION ........................................................................................ 18 
`
`
`
`
`C. 
`D. 
`E. 
`F. 
`
`G. 
`
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`4856-0414-6270.v7
`
`
`
`-i-
`
`MEMORANDUM OF POINTS AND AUTHORITIES
`Case No. 8:20-cv-02400-JLS-KES
`
`

`

`Case 8:20-cv-02400-JLS-KES Document 424 Filed 04/21/23 Page 3 of 22 Page ID
`#:15694
`
`
`TABLE OF AUTHORITIES
`
`Cases
`
` Page(s)
`
`America Unites for Kids v. Rousseau,
`985 F.3d 1075 (9th Cir. 2021). (Op. Br. 12:19–25.) .......................................... 16
`Apple Inc. v. Samsung Elecs. Co.,
`881 F. Supp. 2d 1132 (N.D. Cal. 2012) ................................................................ 4
`Aramark Mgmt., LLC v. Borgquist,
`2021 WL 864067 (C.D. Cal. Jan. 27, 2021) ....................................................... 15
`Farella v. City of New York,
`2007 WL 193867 (S.D.N.Y. Jan. 25, 2007) ....................................................... 14
`In re Google Play Store Antitrust Litig.,
`2023 WL 2673109 (N.D. Cal. Mar. 28, 2023) ................................................. 6, 8
`Hamilton v. Signature Flight Support Corp.,
`2005 WL 3481423 (N.D. Cal. Dec. 20, 2005) ................................................... 16
`Nat’l Ass’n of Radiation Survivors v. Turnage,
`115 F.R.D. 543 (N.D. Cal. 1987) ......................................................................... 7
`Phan v. Costco Wholesale Corp.,
`2020 WL 5074349 (N.D. Cal. Aug. 24, 2020) ..................................................... 6
`Scalia v. County of Kern,
`2023 WL 2333542 (E.D. Cal. Mar. 2, 2023) ................................................ 16, 17
`In re Skanska USA Civ. Se. Inc.,
`340 F.R.D. 180 (N.D. Fla. 2021) ...................................................................... 4, 5
`Youngevity Int'l v. Smith,
`No. 3:16-CV-704-BTM-JLB, 2020 WL 7048687 (S.D. Cal. July 28, 2020)4, 5, 6, 8
`Rules and Regulations
`Federal Rules of Civil Procedure,
`Rule 37 ...................................................................................................... 8, 15, 16
`
`
`
`
`4856-0414-6270.v7
`
`
`
`-ii-
`
`MEMORANDUM OF POINTS AND AUTHORITIES
`Case No. 8:20-cv-02400-JLS-KES
`
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`

`

`Case 8:20-cv-02400-JLS-KES Document 424 Filed 04/21/23 Page 4 of 22 Page ID
`#:15695
`
`
`I.
`
`INTRODUCTION
`In its opposition, Balt deliberately confuses the issues before the Court instead of
`addressing them head on, and plays the blame game instead of facing the harsh reality
`that Balt’s conduct alone caused the destruction of evidence residing on the Tran and
`Katayama laptops. In fact, Balt places all of the blame on Stroz, whom Balt selected
`from a list of forensic analysts provided by MVI. In doing so, Balt completely ignores
`the undisputed fact that Stroz took the actions it did based on Balt’s affirmative
`representation that Balt had all necessary encryption keys for its laptops and could and
`would provide them to Stroz. That statement was false, and Balt made it without any
`legitimate basis for believing it to be true. Stroz employed industry best practices based
`on the specific representation made by Balt, and shoulders no responsibility for the data
`loss.
`
`Balt pays short shrift to the misrepresentation it made to Stroz, and only offers a
`non sequitur in response, i.e., Balt’s representation was not untrue because Balt believed
`encryption keys were not needed when it made the laptops available to Stroz. That
`makes no sense. Balt conducted no investigation and made no inquiries into whether
`or not it had the encryption keys before affirmatively misleading Stroz into believing
`that it did. Had it conducted an investigation before making its representation it would
`have discovered that it did not have the keys, and presumably would have made Stroz
`aware of that critical fact. Moreover, knowing that it did not have the encryption keys,
`Balt could have and should have retrieved them from the laptops when it booted them
`(albeit without a legitimate basis) using the process described by Balt’s forensic expert.
`Balt also deliberately misconstrues the evidence loss at issue in this motion. A
`constant refrain throughout Balt’s opposition is that it could not have lost the encryption
`keys because it never had them. But the encryption keys are not the evidence that was
`destroyed. The data on the Tran and Katayama is the evidence that was destroyed, all
`at the hands of Balt. Balt did not lose the encryption keys in any event. They are in the
`laptops, but Balt inexplicably failed to store them anywhere else.
`-1-
`
`4856-0414-6270.v7
`
`
`
`MEMORANDUM OF POINTS AND AUTHORITIES
`Case No. 8:20-cv-02400-JLS-KES
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`

`

`Case 8:20-cv-02400-JLS-KES Document 424 Filed 04/21/23 Page 5 of 22 Page ID
`#:15696
`
`
`An adverse inference instruction is warranted. Balt’s deliberate actions caused
`the data loss, period. The resulting prejudice to MVI from Balt’s actions is monumental.
`II. REPLY ARGUMENT
`A. Balt’s False Representation Regarding Encryption Keys Caused the
`Destruction of Evidence on the Tran and Katayama Laptops
`The critical fact in MVI’s motion – one that Balt does not dispute – is that before
`Stroz began the imaging process for the Tran and Katayama laptops, Balt affirmatively
`represented to Stroz that Balt had all of the encryption keys Stroz might need for the
`laptops when, in fact, Balt did not. Balt’s misrepresentation is the sole cause of the
`complete and irretrievable loss of all the evidence residing on the Tran and Katayama
`laptops.
`The first step in the preparation process for creating a forensic image of a laptop
`hard drive is to ensure that encryption keys are available for the laptop because different
`forensic imaging methods are used depending upon whether the encryption keys are
`available. (Declaration of Michael Bandemer (“Bandemer”), ¶¶7–9.) To that end,
`Sergio Kopelev, the principal for Stroz, stated in multiple planning calls with both MVI
`and Balt that encryption keys were needed for the laptops. (Declaration of Chaz Hales
`(“Hales”), ¶¶2–3.) In a final confirmation email four days before the scheduled
`imaging, Mr. Kopelev asked Balt to “[l]et us know if you have the information
`regarding any encryption keys and/or user name / passwords.” (Dkt. 385-6, p. 27.) Balt
`confirmed via email that same day that it had the encryption keys, and promised it would
`“also have a representative from Balt’s IT department on hand who will be able to
`unlock any encryption and provide user names and passwords.” (Id. (emphasis
`added).)
`Based on Balt’s affirmative representation that it had the encryption keys for the
`laptops to be imaged, Stroz used industry standard techniques—techniques endorsed by
`Balt’s own forensics expert, Ashraf Massoud—to image all of the laptops Balt provided
`
`
`4856-0414-6270.v7
`
`
`
`-2-
`
`MEMORANDUM OF POINTS AND AUTHORITIES
`Case No. 8:20-cv-02400-JLS-KES
`
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`

`

`Case 8:20-cv-02400-JLS-KES Document 424 Filed 04/21/23 Page 6 of 22 Page ID
`#:15697
`
`
`for imaging, including the Tran and Katayama laptops.1 (Bandemer, ¶¶6–8; Dkt. 386-
`3, p. 34.) Mr. Kopelev explained that Stroz “changed a setting in the computer firmware
`to allow booting from an external device,” which is a standard step taken “when the
`necessary decryption information (PIN, recovery key, etc.) is known.” (Dkt. 386-3, p.
`34.) Only after Stroz took that step, however, did Balt IT inform Stroz “that they did
`not have decryption information for the [Tran and Katayama] systems.” Mr. Kopelev
`responded “there was no indication that this was even a concern prior” to that time.
`(Id. (emphasis added).) Stroz proceeded to image the Tran and Katayama laptops using
`an alternate method “with the understanding that while Balt IT didn’t have the particular
`keys on hand, that they could be located at a later date for decryption.” (Id.)
`Stroz successfully analyzed all of the other encrypted laptop images it made that
`day, as well as the other encrypted laptop images Balt provided to Stroz. (Dkt. 385-6,
`pp. 22–24.) This is because Balt located the encryption keys for those devices, as it had
`represented it would to Stroz. (Id.) Only the Tran and Katayama laptops remained
`locked—not because Stroz used inappropriate methods as Balt now speculates, but
`because Balt did not have those encryption keys. Had Stroz known that the encryption
`keys were missing, it could have used other methods to image the laptops, including
`booting the laptops to create a live (rather than forensic) image and/or attempting to
`retrieve the encryption keys from the laptop first. (Bandemer, ¶¶4, 9.) For Stroz, Balt’s
`affirmative representation that “the necessary decryption information [was] known”
`indicated one path of a decision tree for imaging rather than another.
`The complete loss of data on the Tran and Katayama’s laptops is Balt’s failing,
`not Stroz’s.
`
`
`
`
`
`
`
`1 Stroz imaged seven laptops provided by Balt and took receipt of five additional laptop
`images that Balt had previously created. (Dkt. 386-3, pp. 23–24, 28.)
`-3-
`
`
`4856-0414-6270.v7
`
`MEMORANDUM OF POINTS AND AUTHORITIES
`Case No. 8:20-cv-02400-JLS-KES
`
`
`
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`

`

`Case 8:20-cv-02400-JLS-KES Document 424 Filed 04/21/23 Page 7 of 22 Page ID
`#:15698
`
`
`B.
`
`Balt’s False Representation to Stroz is an Affirmative Act That
`Caused the Data Loss
`When Balt represented to Stroz on April 15, 2022, that it had the encryption keys
`for all laptops Balt provided to Stroz for imaging, Balt had taken no steps to verify
`whether that representation was true. (Hales, ¶7, Ex. 2, 104:19–23.) Balt did not even
`look for the encryption keys before making this sweeping affirmative statement, and
`instead blindly assumed they would magically appear when needed. Had Balt properly
`investigated the matter, it would have easily determined that it did not, in fact, have the
`encryption keys for the Tran and Katayama laptops and could have alerted Stroz who
`would have responded accordingly. (Dkt. 385-6, p. 19.) Balt acted with conscious
`disregard of its discovery obligations when it made this unequivocal representation to
`Stroz about a critical issue without conducting any due diligence whatsoever regarding
`the accuracy of the representation. See Apple Inc. v. Samsung Elecs. Co., 881 F. Supp.
`2d 1132, 1146–47 (N.D. Cal. 2012) (defendant’s conscious disregard of its obligations
`to preserve evidence was “more than sufficient to show willfulness” necessary for
`adverse inference instruction); Youngevity Int'l v. Smith, No. 3:16-CV-704-BTM-JLB,
`2020 WL 7048687, at *2–3 (S.D. Cal. July 28, 2020) (defendants would not be excused
`from taking affirmative action to prevent destruction even if unaware deletion functions
`were in place on devices).
`Balt tries to distinguish the facts of the present case from In re Skanska USA Civ.
`Se. Inc., 340 F.R.D. 180 (N.D. Fla. 2021), cited by MVI in its moving papers, by arguing
`that it “engaged in no affirmative act causing evidence to be lost.” (Balt Opposition
`Brief, Dkt. 409 (“Op. Br.”), 10:5–6.) That is simply not true. Balt made an affirmative
`representation to Stroz, in writing, that it had the encryption keys for the laptops to be
`imaged. This affirmative representation led directly to the imaging method selected by
`Stroz. To the extent the chosen imaging method may have caused the locking of the
`laptops and loss of data, Stroz selected its chosen method in reliance on Balt’s
`affirmative yet demonstrably false representation. (Dkt. 386-3, p. 34.) Balt’s failure to
`
`
`4856-0414-6270.v7
`
`
`
`-4-
`
`MEMORANDUM OF POINTS AND AUTHORITIES
`Case No. 8:20-cv-02400-JLS-KES
`
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`

`

`Case 8:20-cv-02400-JLS-KES Document 424 Filed 04/21/23 Page 8 of 22 Page ID
`#:15699
`
`
`do anything to preserve the data on its encrypted laptops, and specifically its failure at
`any point to secure the encryption keys needed to provide access to the laptops,
`constitutes an affirmative act.
`Balt claims it “has provided a credible explanation for the locking of the
`laptops[,]” and that Balt should therefore be off the hook for its destruction of key
`evidence in this case.. (Op. Br., 10:11–12.) But Balt’s explanation is misplaced.
`Skanska requires a credible explanation of the affirmative act—in this case Balt’s
`affirmative false representation to Stroz that it possessed the encryption keys. Balt
`provides no explanation at all, much less a credible one, for the misrepresentation it
`made to Stroz.
`Further, “[t]he existence of reasonable explanations for why deletions occurred
`does not suggest that reasonable steps were taken to prevent deletions.” Youngevity,
`2020 WL 7048687, at *2. This important distinction is lost on Balt. Balt’s purported
`“innocent” belief that there was no encryption on the laptops because Balt IT personnel
`had successfully logged into the laptops the day before they were imaged does not stand
`up to scrutiny. As a preliminary matter, Balt should not have booted the laptops;
`booting the laptops is itself an act of evidence destruction. (Bandemer, ¶¶4–5.) Booting
`a laptop alters the evidence stored on that laptop and is to be avoided in creating a
`forensic image so as to not “risk[] modification or deletion of data present on the
`[laptop].” (Hales (Sergio email).) (Id., Dkt. 386-3, p. 34.)
`Moreover, logging into a laptop does not reveal whether BitLocker encryption,
`which is part of the Windows operating system, is enabled or not. (Bandemer, ¶16.)
`Balt’s own expert explains that logging into an encrypted laptop is the first step in the
`“easy” process of exporting the encryption keys from encrypted laptops. (Declaration
`of Ashraf Massoud, Dkt. 411 (“Massoud”), ¶8.) And, Balt’s IT Director for Global
`Operations testified that he (1) knew many of Balt’s laptops were encrypted, (2) had
`debriefed a departing IT employee only a month prior to the imaging on topics including
`how Balt sets up BitLocker encryption on its laptops and stores encryption keys, and
`-5-
`
`
`4856-0414-6270.v7
`
`MEMORANDUM OF POINTS AND AUTHORITIES
`Case No. 8:20-cv-02400-JLS-KES
`
`
`
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`

`

`Case 8:20-cv-02400-JLS-KES Document 424 Filed 04/21/23 Page 9 of 22 Page ID
`#:15700
`
`
`(3) was leading efforts to improve the way Balt stores laptop encryption keys. (Ex. 1
`to Hales, 61:17–62:10, 86:10–88:14, 63:11–66:6.) It is not reasonable to conclude from
`simply booting a laptop that it is not encrypted, and the statements by Kheng Ang in his
`declaration are inconsistent with his deposition testimony given in this case.
`(Bandemer, ¶16.)
`In addition, Balt arrived at its erroneous conclusion after booting the laptops on
`April 18—three days after it made its representation to Stroz that it had the encryption
`keys yet before the imaging process began. (Dkt. 385-6, pp. 2, 23, 27.) At no point did
`Balt provide any update to Stroz about what it had done with the laptops or the erroneous
`conclusion it had reached regarding the encryption keys. (Hales, ¶4.) Had Balt
`promptly shared this information with Stroz, standard practices dictate that alternative
`means for imaging the laptops would have been undertaken. (Bandemer, ¶¶7–9.) Balt’s
`decision to keep this important information to itself on the eve of imaging the laptops
`was deliberately reckless, at the very minimum. See Phan v. Costco Wholesale Corp.,
`2020 WL 5074349, at *3 (N.D. Cal. Aug. 24, 2020) (finding the “absence of evidence
`of a proper process for preserving [] important evidence indicates, at a minimum, that
`defendant was careless”); In re Google Play Store Antitrust Litig., 2023 WL 2673109,
`at *9 (N.D. Cal. Mar. 28, 2023) (concluding defendant’s poor management of efforts to
`preserve relevant chat messages “fell strikingly short” of its discovery obligations);
`Youngevity, 2020 WL 7048687, at *2 (finding defendants’ “ignorance” of automatic
`message deletion and failure to back up devices was “no defense because their
`preservation obligation necessarily entailed learning of these systems to prevent
`destruction”). None of Balt’s actions, and deliberate failure to act, are innocent or
`inconsequential, and all of it led directly to the loss of the critical evidence on these key
`laptops.
`Of significance, having booted the laptops the day before the imaging was to take
`place, Balt failed to do any of the things that would have preserved the encryption keys.
`(Bandemer, ¶¶5, 9.) Balt failed to follow its expert’s “easy” instructions to export the
`-6-
`
`
`4856-0414-6270.v7
`
`MEMORANDUM OF POINTS AND AUTHORITIES
`Case No. 8:20-cv-02400-JLS-KES
`
`
`
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`

`

`Case 8:20-cv-02400-JLS-KES Document 424 Filed 04/21/23 Page 10 of 22 Page ID
`#:15701
`
`
`encryption keys from the BitLocker control panel. Balt also failed to use the control
`panel to “suspend” BitLocker operation, which is a step recommended by Microsoft
`prior to engaging in planned activities that could trigger a BitLocker recovery mode.
`(Bandemer, ¶14.) Had Balt undertaken either of these measures, the evidence would
`not have been lost.
`C.
`Stroz Was Not Responsible for Managing Balt’s Encryption Keys
`Balt blatantly attempts to shift the blame for its data loss to Stroz and tries to
`distance itself from Stroz by characterizing it as the firm that “MVI proposed.” (Op.
`Br., 2:27–3:1.) The record is clear that MVI proposed three acceptable vendors, and
`Balt selected Stroz from that list.2 (Exs. 1–2 to Declaration of Paul Stewart, Dkt. 410-
`1, pp. 2, 6.) Regardless, Balt completely ignores the affirmative representation it made
`to Stroz that it had the encryption keys for all laptops Stroz was tasked with imaging,
`and fails to meaningfully address it in its Opposition Brief.
`Instead, Balt incredulously argues that Stroz—not Balt—was responsible for
`managing Balt’s encryption keys. According to Balt’s forensics expert, the encryption
`keys are stored in the laptops themselves and can be easily retrieved by “logging into
`the computer [with local admin rights], opening the Control Panel, and clicking on the
`BitLocker icon.” (Massoud, ¶¶ 5, 8.) He opines that Stroz “should have logged onto
`the [laptops] using the administrative user name and password provided by Balt” and
`“easily retrieved [the encryption keys] from the Windows Control Panel.” (Massoud, ¶
`15.) In fact, after Balt later informed Stroz that it could not locate any other copies of
`the encryption keys, it sent the laptops to Stroz’s lab in Boston, and Stroz did attempt
`to log into the laptop with the admin credentials. (Dkt. 385-6, p. 5.) Only then, on May
`2, 2022, did Stroz and the parties learn that the laptops were completely inaccessible
`
`
`2 Balt liberally misstates facts in its brief. For example, MVI did not ask previously ask
`Judge Scott to find Balt “guilty of spoliation.” (Op. Br., 3:6.) MVI mentioned spoliation
`within the context of its motion to compel Balt to provide information regarding its
`litigation hold memorandum (Dkt. 229-1), which Judge Scott granted. Judge Scott
`made no finding on spoliation. (See Ex. 4 to Stewart, 13:10–14:4.)
`-7-
`
`
`4856-0414-6270.v7
`
`MEMORANDUM OF POINTS AND AUTHORITIES
`Case No. 8:20-cv-02400-JLS-KES
`
`
`
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`

`

`Case 8:20-cv-02400-JLS-KES Document 424 Filed 04/21/23 Page 11 of 22 Page ID
`#:15702
`
`
`unless Balt could find a copy of the encryption key stored some other place.
`This begs the obvious question: If Stroz could have retrieved the encryption keys
`so easily, why didn’t Balt do so before it provided the laptops to Stroz? These are Balt
`laptops, issued to Balt employees, managed by the Balt IT department, and for which
`Balt is under an obligation to preserve the evidence (i.e., documents and files) stored
`on the laptops for use in this litigation. Nat’l Ass’n of Radiation Survivors v. Turnage,
`115 F.R.D. 543, 557–58 (N.D. Cal. 1987) (“The obligation to retain discoverable
`materials is an affirmative one.”). Moreover, just three days after Balt told Stroz that it
`had all encryption keys and one day before Balt made the laptops available to Stroz for
`imaging, Balt booted the laptops and had every opportunity at that time to “simply”
`retrieve the encryption keys. That would have been the prudent and expected course of
`action by Balt to (1) ensure the integrity and accessibility of the laptops and (2) confirm
`that Balt’s representation about having all encryption keys necessary to access the
`laptop contents was accurate. (Bandemer, ¶¶5, 9, 17.) Balt did neither and its attempt
`to pass off its own IT failures as Stroz’s fault is an act of desperation.
`Lastly, Balt’s expert does not address the fact that Balt failed to store the
`encryption keys for its employee laptops in a safe location—somewhere other than on
`the laptops themselves—or secure the encryption keys when its duty to preserve
`evidence arose. (Bandemer, ¶15.) “As Rule 37 indicates, the duty to preserve relevant
`evidence is an unqualified obligation in all cases.” In re Google Play Store Antitrust
`Litig., 2023 WL 2673109, at *8 (N.D. Cal. Mar. 28, 2023). The record shows that Balt
`did not have a consistent or effective procedure in place to track and store laptop
`encryption keys before MVI filed this lawsuit. (Hales, ¶7, Ex. 1, 63:11–66:6.)
`However, Balt cannot now rely on its inadequate IT practices as an excuse for its failure
`to preserve evidence on its employee laptops. See Fed. R. Civ. P. 37, Advisory
`Committee Notes to the 2006 Amendment (“[A] party is not permitted to exploit the
`routine operation of an information system to thwart discovery obligations by allowing
`that operation to continue.”); Youngevity, 2020 WL 7048687, at *2 (S.D. Cal. July 28,
`-8-
`
`
`4856-0414-6270.v7
`
`MEMORANDUM OF POINTS AND AUTHORITIES
`Case No. 8:20-cv-02400-JLS-KES
`
`
`
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`

`

`Case 8:20-cv-02400-JLS-KES Document 424 Filed 04/21/23 Page 12 of 22 Page ID
`#:15703
`
`
`2020) (“Although perfection is often impossible in preserving ESI within complex
`electronic systems because it may be ‘lost as a result of the routine good faith operation’
`of the system, this does not excuse the party from preventing destruction within their
`control.”). Balt’s conduct destroyed evidence that was clearly within its control.
`D. Balt’s Expert Is Wrong About What Triggers BitLocker Recovery
`Balt’s attempt to shift blame to Stroz is built on a house of cards. Balt’s expert
`explains that sometimes a forensic examiner must modify the computer’s BIOS
`program “so that the computer starts up by accessing a drive attached to a USB port”
`rather than its internal hard drive, which allows the examiner to then boot from a USB
`device containing forensic software that is used to image the hard drive in an “off” state.
`(Massoud, ¶¶ 10–12; Bandemer, ¶11.) Mr. Massoud then incorrectly guarantees that
`“[a]ltering the BIOS/UEFI program instructions in this manner will not cause the
`computer to lock.” (Massoud, ¶ 12 (emphasis added).)
`This is simply not true. In direct contrast, Microsoft’s “BitLocker recovery
`guide” lists changing the BIOS in order to boot from “something other than the hard
`drive” among a list of 30 “specific events that will cause BitLocker to enter recovery
`mode when attempting to start the operating system drive.” (Bandemer, ¶¶12–14, Ex.
`1, p. 5.) In fact, Mr. Kopelev’s description of the steps Stroz took match Mr. Massoud’s
`recommended “safe” procedure exactly. Stroz “changed a setting in the computer
`firmware [BIOS/UEFI program instructions] to allow booting from external media [a
`drive attached to a USB port].” (Compare Dkt. 386-3, p. 34, with Massoud, ¶12.)
`Unlike Mr. Massoud, who incorrectly stated that such a procedure “will not” trigger the
`BitLocker recovery mode, Mr. Kopelev acknowledged that this process could, indeed,
`have triggered BitLocker and explained that the process is standard “when the
`necessary decryption information . . . is known.” (Dkt. 386-3, p. 34 (emphasis added).)
`Mr. Massoud compounds his error by blindly surmising that “[b]ecause the
`laptops were locked by BitLocker,” Stroz clearly “did something” that BitLocker
`interpreted as “tampering.” (Massoud, ¶17.) Mr. Massoud further speculates that Stroz
`-9-
`
`
`4856-0414-6270.v7
`
`MEMORANDUM OF POINTS AND AUTHORITIES
`Case No. 8:20-cv-02400-JLS-KES
`
`
`
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`

`

`Case 8:20-cv-02400-JLS-KES Document 424 Filed 04/21/23 Page 13 of 22 Page ID
`#:15704
`
`
`“may have” turned off a feature called Secure Boot, and claims that if someone turns
`off Secure Boot, the computer “will require the BitLocker key.” (Massoud, ¶¶13, 17.)
`Mr. Massoud then continues his proclivity to read minds by proffering, without any
`foundation whatsoever, that Stroz “apparently believe[d] incorrectly that [turning off
`Secure Boot] was necessary” before confidently declaring that “this step was not
`necessary” and fingering the disabling of Secure Boot as the “likely” reason the Tran
`and Katayama laptops were locked. (Massoud, ¶17.)
`Mr. Massoud’s speculative hypotheses are riddled with problems. First, as has
`been stated, there is no need to look for an alternate explanation. Mr. Massoud’s own
`recommended method of imaging laptops that Stroz employed is on Microsoft’s list of
`things that can trigger BitLocker. (Bandemer, ¶13, Ex. 1.) Second, the list is not short,
`and it is unclear why “disabling Secure Boot,” which does not appear on the list,
`catches Mr. Massoud’s attention. (Id.) Third, there has been no evidence or testimony
`proffered at any point indicating that Secure Boot was enabled on any Balt laptop such
`that Stroz could have disabled it. Fourth, there is likewise no evidence that Stroz
`disabled the Secure Boot setting or modified it in any way. Mr. Kopelev’s explanation
`does not mention Secure Boot and, instead, straightforwardly explains that the BIOS
`was modified to allow booting from an external [USB] device. (Dkt. 386-3, p. 34;
`Hales, ¶5.)
`Nevertheless, Balt attempts to capitalize on Mr. Massoud’s flawed conclusion by
`converting Mr. Massoud’s qualified and speculative opinions to unqualified and
`absolute conclusions. (Op. Br., 2:3 (“Stroz Friedberg took an extra and unnecessary
`step”); 4:21–23 (“due to a mistake [Stroz] made in the process”); 5:1 (Stroz “took an
`extra and unnecessary step relating to the BIOS”); 5:23 (“If Stroz Friedberg had not
`turned off the ‘Secure Boot’ setting”); 8:16–17 (Stroz “apparently chose to turn off the
`‘Secure Boot’ setting in the BIOS program”); 8:19–21 (Stroz “unnecessarily triggered
`the BitLocker encryption software by apparently turning off the ‘Secure Boot’ setting”);
`10:8–10 (Stroz “chose to take the unnecessary step of turning off the laptop’s ‘Secure
`-10-
`
`
`4856-0414-6270.v7
`
`MEMORANDUM OF POINTS AND AUTHORITIES
`Case No. 8:20-cv-02400-JLS-KES
`
`
`
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`

`

`Case 8:20-cv-02400-JLS-KES Document 424 Filed 04/21/23 Page 14 of 22 Page ID
`#:15705
`
`
`Boot’ setting in the BIOS program”); 11:5–6 (Stroz could have accessed the encryption
`keys “if [it] had followed best practices”); 13:3–5 (Balt “had no way of knowing[] that
`Stroz Friedberg would turn off the ‘Secure Boot’ setting”); 13:19–20 (“if [Stroz] did
`not make the mistake of turning off [Secure Boot]”); 14: 18–19 (“Stroz Friedberg made
`a mistake”).
`Lost in the din is an admission that Balt cannot escape: “Balt is not privy to the
`specific technique Stroz Friedberg used.” (Op. Br., 4:25–26.) Balt does not know
`because it did not ask Stroz for any information about the steps Stroz took when imaging
`the laptops after receiving Stroz’s explanation on May 13, 2022. (Hales, ¶5.) MVI is
`unaware of any communications between Balt and Stroz discussing Secure Boot or any
`other details of how Stroz imaged the laptops aside from Mr. Kopelev’s email. (Id.)
`Anything further that Balt attributes to Stroz is unfounded, based only on self-serving
`speculation, and premised on an incorrect understanding of how BitLocker works.
`Balt’s “could have, should have, would have” scenarios are part of Balt’s overarching
`smoke and mirrors game designed to obfuscate the issues and distract the Court’s
`attention away from Balt’s egregious and irremediable errors and should be given no
`weight.
`E.
`Balt’s Efforts to Search for the Encryption Keys Were Abysmal
`Balt paints itself not only as Stroz’s innocent victim, but also as the model of
`cooperation, pointing to examples of its purported benevolent efforts to locate the
`missing encryption keys and crying, “This is not the conduct of a party trying to conceal
`or destroy evidence.” (Op. Br. 2:22–23.) This is yet another smokescreen Balt erects
`to distract the Court from its disregard for its obligation to preserve electronic evidence.
`First, Balt claims that it “voluntarily turned over” to MVI more 55,000 of MVI’s
`own confidential and propriety documents in the related patent case that Balt had found
`on its employ