SiteLock LLC v. GoDaddy.com

United States District Court, District of Arizona
Aug 29, 2022
No. CV-19-02746-PHX-DWL (D. Ariz. Aug. 29, 2022)

Opinion

SiteLock LLC, Plaintiff, v. GoDaddy.com LLC, Defendant.


ORDER

Dominic W. Lanza, United States District Judge.

In 2013, Plaintiff SiteLock LLC (“SiteLock”) and Defendant GoDaddy.com LLC (“GoDaddy”) executed a contract (the “Reseller Agreement”) under which GoDaddy agreed to promote and sell SiteLock's website security services to GoDaddy's customers. In this action, SiteLock accuses GoDaddy of various contractual breaches, as well as Lanham Act and related state-law violations.

Earlier this year, the Court issued a lengthy order resolving the parties' cross-motions for summary judgment, a motion for sanctions, and a motion to exclude expert testimony. (Doc. 435.) Now pending before the Court are two more requests for sanctions: (1) GoDaddy's motion to preclude SiteLock from pursuing a particular damages theory due to late disclosure (Doc. 457); and (2) GoDaddy's motion for spoliation sanctions based on SiteLock's destruction of application programming interface (“API”) data and certain customer communications (Doc. 467). For the following reasons, both motions are denied.

RELEVANT BACKGROUND

The background of this case has been summarized in detail in earlier orders. When certain facts become important, they will be addressed in the Discussion section below.

On February 26, 2021, the deadline for completing fact discovery expired. (Doc. 250.)

On May 17, 2022, GoDaddy filed a motion for sanctions pursuant to Rule 37(b)(2) and Rule 37(c)(1) based on late disclosure (“the motion for disclosure sanctions”). (Doc. 457 [motion]; Doc. 458 [memorandum].) The motion thereafter became fully briefed. (Doc. 465 [response]; Doc. 466 [refiled version of response]; Doc. 478 [reply].)

On June 1, 2022, GoDaddy filed a motion for sanctions for spoliation of evidence (“the motion for spoliation sanctions”). (Doc. 467 [motion]; Doc. 468 [memorandum].) The motion thereafter became fully briefed. (Doc. 480 [response]; Doc. 486 [reply].)

SiteLock's request for oral argument on both motions is denied because the issues are fully briefed and argument would not aid the decisional process. See LRCiv 7.2(f).

DISCUSSION

I. The Motion For Disclosure Sanctions

A. Legal Standard

As discussed in the Court's March 2, 2022 order, violations of the disclosure obligations created by the District of Arizona's Mandatory Initial Discovery Pilot Project (“MIDP”) are sanctionable under Rule 37(b)(2). (Doc. 435 at 41-42.)

Because this case was filed in April 2019, it was (and remains) subject to the MIDP, which applies to most civil cases filed between May 1, 2017 and May 1, 2020. See D. Ariz. G.O. 17-08. Under the MIDP, the parties “are ordered to provide mandatory initial discovery responses before initiating any further discovery in this case. The responses are called for by the Court, not by discovery requests actually served by an opposing party.” Id. ¶ A.2. “Each party's response must be based on the information then reasonably available to it,” and a “party is not excused from providing its response because it has not fully investigated the case.” Id. ¶ A.3. Additionally, “[t]he duty to provide mandatory initial discovery responses . . . is a continuing duty, and each party must serve supplemental responses when new or additional information is discovered or revealed.” Id. ¶ A.8. As relevant here, the information that is subject to mandatory disclosure under the MIDP includes, “[f]or each of your claims or defenses, . . . the facts relevant to it and the legal theories upon which it is based.” Id. ¶ B.4. Also subject to mandatory disclosure is “a computation of each category of damages claimed by you, and a description of the documents or other evidentiary material on which it is based.” Id. ¶ B.5.

Because the disclosures required by the MIDP “supersede the disclosures required by Rule 26(a)(1) and are framed as court-ordered mandatory initial discovery pursuant to the Court's inherent authority to manage cases,” id. at 1, a violation of the MIDP's disclosure obligations is sanctionable under Rule 37(b)(2). Sali v. Corona Reg'l Med. Ctr., 884 F.3d 1218, 1222 (9th Cir. 2018) (“In the context of Rule 37(b) sanctions, we ‘read broadly' the term ‘order'. . . [to] ‘include any order relating to discovery.'”) (citations omitted); Nyerges v. Hillstone Rest. Grp. Inc., 2021 WL 3299625, *8-9 (D. Ariz. 2021) (violation of MIDP disclosure obligations sanctionable under Rule 37(b)(2)). Rule 37(b)(2), in turn, provides that if a party “fails to obey an order to provide or permit discovery . . . the court . . . may issue further just orders,” including “prohibiting the disobedient party from supporting . . . designated claims or defenses, or from introducing designated matters in evidence.” “The scope of sanctions for failure to comply with a discovery order is committed to the sound discretion of the district court.” Payne v. Exxon Corp., 121 F.3d 503, 510 (9th Cir. 1997).

B. Discussion

1. Terminology

Before diving into the merits of GoDaddy's request for disclosure sanctions, it is important to discuss the terminology used in the motion. GoDaddy seeks to exclude SiteLock's “theory of damages based on unactivated SiteLock products that GoDaddy's customers obtained for free,” which GoDaddy characterizes as the “Free Giveaway Theory.” (Doc. 458 at 1.) According to GoDaddy, this theory is that “GoDaddy breached the parties' agreement by offering free giveaways” of SiteLock products, which is distinct from SiteLock's theory based on “generalized allegations of damages based on sales of SiteLock made by GoDaddy to GoDaddy's customers.” (Id. at 3.) According to GoDaddy, SiteLock disclosed the “Free Giveaway Theory” for the first time on March 19, 2021, when it was mentioned in the report of SiteLock's damages expert, Dr. Kursh. (Doc. 478 at 3.) In that report, Kursh states: “GoDaddy also sold SiteLock as part of bundles of other products. I understand that, as with standalone sales of SiteLock subscriptions, GoDaddy paid SiteLock for these subscriptions only ‘if activated.'” (Doc. 308-9 ¶ 167.)

The Court will set forth its understanding of the theory in a simpler context. A customer at McDonald's purchases a Happy Meal, which comes with a toy that McDonald's advertises as being “free.” Because the cost of the toy does not display on the register when the cashier rings up the order, the customer may view the toy as a giveaway. However, the wholesale manufacturer of those toys does not view them as “free” or “given away,” but as a valuable component of the overall Happy Meal that drives customer traffic.

Here, GoDaddy suggests that when it provided a customer with a bundle of products that included a SiteLock subscription, the SiteLock component of the bundle was “a free giveaway” because the customer did not pay for the SiteLock product itself. (Doc. 458 at 3 n. 2 [“[C]ustomers who have GoDaddy's Managed Wordpress Ultimate plan get the free SiteLock Professional plan.”].) But SiteLock disputes that the SiteLock product is “free” in this scenario, arguing that “[w]hen a customer pays GoDaddy for a product bundle that includes SiteLock, by definition that customer is ordering and paying for all of the products in that bundle, including SiteLock.” (Doc. 466 at 1.)

2. The Parties' Arguments

In its motion to exclude, GoDaddy argues that (1) the logic underlying the Court's earlier order excluding GoDaddy's “bundling” recoupment theories also mandates exclusion of SiteLock's Free Giveaway Theory (Doc. 458 at 10-12); (2) exclusion is necessary under Ninth Circuit precedent (id. at 12-13); (3) the disclosure violation was not substantially justified, because SiteLock could have developed the theory before the case began, and was not harmless, because it interfered with GoDaddy's ability to pursue relevant discovery (id. at 13-16); (4) at a minimum, the Court should reopen fact and expert discovery (id. at 16-17); and (5) the motion is timely (id. at 17).

SiteLock responds that (1) it properly disclosed the disputed theory in the complaint and in its MIDP disclosures, both of which made clear that it was seeking damages based on GoDaddy's failure to pay SiteLock for “all” “orders” of a SiteLock subscription (Doc. 465 at 10-13); (2) the Court already held that bundled SiteLock subscriptions are part of SiteLock's claims (id. at 13-14); (3) GoDaddy's motion is untimely because it was filed more than 18 months after GoDaddy became aware of SiteLock's position that “all” “orders” includes bundled subscriptions (id. at 14-15); and (4) any technical violation was substantially justified, because SiteLock reasonably believed its MIDP disclosures put GoDaddy on notice of the theory, and harmless, because GoDaddy already has the relevant information it claims to need (id. at 15-17).

In reply, GoDaddy argues that (1) SiteLock failed to properly disclose the theory (Doc. 478 at 2-3); (2) SiteLock had no valid reason to delay disclosure (id. at 3-5); (3) SiteLock's witnesses confirmed that GoDaddy gave away free products (id. at 5-7); (4) SiteLock failed to address previous judicial admissions (id. at 7); (5) the Court has already ruled that SiteLock's disclosed theory did not include “free giveaways” (id. at 7-8); (6) the Court has not already ruled that SiteLock's disclosed theory included bundled products (id. at 8-10); (7) more discovery is required on “free giveaways” (id. at 10-11); and (8) the motion is timely (id. at 11).

3. Analysis

On August 9, 2019, SiteLock served its initial MIDP disclosures, which explained that “GoDaddy breached the Agreement by refusing to pay SiteLock for each customer ‘order' of a SiteLock ‘subscription.'” (Doc. 466-2 at 10.) On August 28, 2020, SiteLock served amended MIDP disclosures, which stated that GoDaddy was obligated to pay SiteLock for “each ‘order' of any ‘subscription' to a SiteLock service” and that GoDaddy breached the Reseller Agreement “[b]y failing to pay SiteLock for all ‘orders' of SiteLock ‘subscriptions.'” (Doc. 466-3 at 16-17.)

SiteLock argues these disclosures were, alone, sufficient to provide adequate notice of the so-called Free Giveaway Theory because they made clear that it was seeking damages arising from “each” and “all” orders of SiteLock subscriptions, which are unqualified formulations that necessarily include orders in which a SiteLock subscription was included as part of a larger product bundle. In response, GoDaddy contends this argument is inconsistent with how GoDaddy defined the term “order” for purposes of its initial interrogatories, requests for production, and deposition notices, which was that an order constituted “a Customer's agreement to pay for a SiteLock subscription.” (Doc. 458 at 6, citing Doc. 253-1 at 57, 73, 83.)

As an initial matter, the Court is not persuaded that SiteLock's current position is inconsistent with its previous definition of “orders.” Although GoDaddy may have construed the phrase “agreement to pay for a SiteLock subscription” to refer only to standalone purchases outside of bundles, it also would have been reasonable for SiteLock to construe that phrase to include bundles in which there was no separate charge for the SiteLock component. This harkens back to the Happy Meal analogy described above - although the customer might perceive the toy to be a free giveaway, the manufacturer would not. At most, then, the definition of “order” that SiteLock provided during the early stages of the case was ambiguous as to whether it encompassed bundled subscriptions.

Critically, any lingering ambiguity was eliminated by no later than November 20, 2020, when SiteLock filed a motion to compel in which it made clear that “SiteLock subscriptions that GoDaddy sold with other services are just as relevant as SiteLock subscriptions that GoDaddy sold on their own. The parties' contracts required GoDaddy to pay SiteLock when it sold SiteLock subscriptions whether separately or as part of a package.” (Doc. 215 at 4.) This was more than three months before the close of fact discovery. Following this clarification, GoDaddy took various steps to defend against SiteLock's claim for damages based on bundled subscriptions, including retaining an expert to “defend against SiteLock's late-disclosed position.” (Doc. 367 at 6.)

Given this backdrop, GoDaddy has not established that SiteLock violated its disclosure obligations under the MIDP with respect to the so-called Free Giveaway Theory. SiteLock's MIDP disclosures, although perhaps ambiguous, could be reasonably construed as encompassing the damages theory it now seeks to pursue.

Alternatively, even assuming the disclosures could be deemed inadequate, any disclosure violation was substantially justified and harmless. Although the text of Rule 37(b)(2) does not specifically enumerate a “substantially justified or harmless” escape hatch for liability, the Court has determined that a district court may consider concepts of substantial justification and harmlessness when deciding whether to impose sanctions under Rule 37(b)(2), in pursuit of the requirement that sanctions be “just.” (Doc. 435 at 48 n. 18.)

SiteLock's position that it believed it did not need to amend its MIDP disclosures, because it had already disclosed a theory of damages covering both standalone and bundled subscriptions (“all” or “each” order), was substantially justified. As discussed above, a reasonable person could have interpreted SiteLock's disclosure of its intention to pursue damages based on “each” and “all” orders to include orders involving bundled subscriptions, even in light of how SiteLock defined the term “orders” for purposes of its discovery requests.

Any disclosure violation was also harmless. GoDaddy became aware of SiteLock's theory no later than November 2020, nearly two years ago and several months before the close of discovery. GoDaddy was not “in the dark regarding the theory or nature of Plaintiffs' damages claims,” Allstate Ins. Co. v. Nassiri, 2010 WL 5248111, *5 (D. Nev. 2020), but was given “fair notice of the factual basis for [SiteLock's claims] so as to allow [GoDaddy] an opportunity to conduct relevant discovery.” Ocean Garden Prods. Inc. v. Blessings Inc., 2018 WL 6133773, *1 (D. Ariz. 2018). In fact, GoDaddy does not explicitly state that it was unaware of the full scope of GoDaddy's theory, but simply contends that the theory was never properly and formally disclosed. GoDaddy also retained an expert to “defend against SiteLock's late-disclosed position.” (Doc. 367 at 6.) Finally, GoDaddy's attempt to bring a fully conceived counterclaim based on the same factual premise, without a motion to exclude SiteLock's theory, and then only bring a motion to exclude after the counterclaim was excluded, makes clear that GoDaddy was not genuinely prejudiced by what was - at most - a nominal violation of SiteLock's disclosure obligations under the MIDP.

GoDaddy argues that the Court's earlier exclusion of its recoupment theory “mandates” exclusion of SiteLock's similar theory. Not so. The Court found that GoDaddy never disclosed its theories to SiteLock until after the close of fact discovery and that GoDaddy's vague MIDP disclosures did not provide fair notice or even “logically implicate[] the existence of a peripheral undisclosed theory.” (Doc. 435 at 47-48.) By contrast, SiteLock provided initial and supplemental MIDP disclosures that were, alone, arguably sufficient to disclose the challenged theory, then explicitly informed GoDaddy of the two components of its theory shortly after supplementing its MIDP disclosures (and well before the close of discovery). Although both SiteLock's and GoDaddy's theories relied on a similar universe of facts, their disclosure efforts varied drastically.

II. The Motion For Spoliation Sanctions

A. Legal Standard

GoDaddy seeks the imposition of spoliation sanctions under Rule 37(e) of the Federal Rules of Civil Procedure. Rule 37(e) was “completely rewritten” in 2015 to “provide[] a nationally uniform standard for when courts can give an adverse inference instruction, or impose equally or more severe sanctions, to remedy the loss of ESI.” 1 Gensler, Federal Rules of Civil Procedure, Rules and Commentary, Rule 37, at 1194 (2021). The text of Rule 37(e)(2) now provides:

If electronically stored information that should have been preserved in the anticipation or conduct of litigation is lost because a party failed to take reasonable steps to preserve it, and it cannot be restored or replaced through additional discovery, the court: ...
(2) only upon finding that the party acted with the intent to deprive another party of the information's use in the litigation may:
(A) presume that the lost information was unfavorable to the party;
(B) instruct the jury that it may or must presume the information was unfavorable to the party; or
(C) dismiss the action or enter a default judgment.

A party seeking sanctions under Rule 37(e) has a threshold duty to show that the ESI at issue was, in fact, lost or destroyed. Fed.R.Civ.P. 37(e) advisory committee's note to 2015 amendment (“The new rule applies only . . . when [ESI] is lost.”). If such a showing has been made, Rule 37(e) “establishes three prerequisites to sanctions: the ESI should have been preserved in the anticipation or conduct of litigation, it is lost through a failure to take reasonable steps to preserve it, and it cannot be restored or replaced through additional discovery.” Fast v. GoDaddy.com LLC, 340 F.R.D. 326, 335 (D. Ariz. 2022). See also Fed.R.Civ.P. 37(e) advisory committee's note to 2015 amendment (“The new rule applies only if the lost information should have been preserved in the anticipation or conduct of litigation and the party failed to take reasonable steps to preserve it.”).

If each of these questions is answered in the affirmative, the next inquiry under Rule 37(e)(2) is whether the nonmovant “acted with the intent to deprive another party of the information's use in the litigation.” Unlike Rule 37(e)(1), Rule 37(e)(2) “does not include a requirement that the court find prejudice to the party deprived of the information. This is because the finding of intent required by the subdivision can support not only an inference that the lost information was unfavorable to the party that intentionally destroyed it, but also an inference that the opposing party was prejudiced by the loss of information that would have favored its position. Subdivision (e)(2) does not require any further finding of prejudice.” Fed.R.Civ.P. 37(e) advisory committee's note to 2015 amendment.

If such intent is found, the Court has discretion to impose any of the sanctions authorized in subsections (e)(2)(A)-(C) (i.e., an adverse inference, an adverse-inference jury instruction, or a terminating sanction). However, “[f]inding an intent to deprive another party of the lost information's use in the litigation does not require a court to adopt any of the measures listed in subdivision (e)(2). The remedy should fit the wrong, and the severe measures authorized by this subdivision should not be used when the information lost was relatively unimportant or lesser measures such as those specified in subdivision (e)(1) would be sufficient to redress the loss.” Id.

“[T]he relevant standard of proof for spoliation sanctions is a preponderance of the evidence.” Fast, 340 F.R.D. at 335. See also Compass Bank v. Morris Cerullo World Evangelism, 104 F.Supp.3d 1040, 1052-53 (S.D. Cal. 2015). The Court is the appropriate finder of fact on a Rule 37(e) motion. Mannion v. Ameri-Can Freight Sys. Inc., 2020 WL 417492, *4 (D. Ariz. 2020). See also Adriana Int'l Corp. v. Thoeren, 913 F.2d 1406, 1408 (9th Cir. 1990) (“The imposition of discovery sanctions pursuant to [Rule 37] is reviewed for abuse of discretion. Absent a definite and firm conviction that the district court made a clear error in judgment, this court will not overturn a Rule 37 sanction. Findings of fact related to a motion for discovery sanctions are reviewed under the clearly erroneous standard. If the district court fails to make factual findings, the decision on a motion for sanctions is reviewed de novo.”) (citations omitted).

B. The Parties' Arguments

1. Duty To Preserve Evidence

GoDaddy argues that “SiteLock identified its core claims in 2014” and “identified its disparagement claim by June of 2017.” (Doc. 468 at 10.) Thus, GoDaddy contends that “SiteLock's duty to preserve evidence began in 2014” and that “SiteLock destroyed Customer Communication Evidence and the API Data well after it identified its claims, and as it prepared to file this lawsuit.” (Doc. 468 at 10.)

SiteLock responds that “[f]or years, GoDaddy had assured SiteLock that [it] would . . . uphold its contractual promise to pay for all SiteLock orders.” (Doc. 480 at 7.) According to SiteLock, it was not until October 2018, when “GoDaddy sent a formal email to SiteLock asserting that GoDaddy had no obligation to pay SiteLock for unactivated SiteLock subscriptions,” that SiteLock began anticipating litigation. (Id. at 7.) SiteLock asserts that GoDaddy is wrong to argue that SiteLock was “planning” to sue GoDaddy since March 2014 because “[t]his was before GoDaddy even began offering SiteLock to its customers and more than four years before the parties' contract terminated. . . . GoDaddy repeated [its] assurances for the next four years until reversing itself in October 2018. Because of GoDaddy's repeated assurances, SiteLock saw no need to pursue any legal options against GoDaddy until 2018.” (Id. at 8.)

GoDaddy replies that, based on certain documents relating to Abry Partners, LLC's acquisition of SiteLock, “SiteLock's duty to preserve evidence indisputably arose in 2014, when it began planning to sue GoDaddy.” (Doc. 486 at 1.) GoDaddy specifically argues that a duty to preserve can arise long before a party formally retains counsel. (Id. at 4-5.)

2. Customer Communication Evidence

GoDaddy argues that SiteLock willfully destroyed customer communication evidence, which SiteLock itself has confirmed is directly relevant to SiteLock's claims. (Doc. 468 at 10-11.) GoDaddy also argues that the evidence cannot be obtained from an alternative source. (Id. at 11-12.) Although GoDaddy states that it “need not prove prejudice because SiteLock's destruction of evidence was willful,” GoDaddy argues that it was prejudiced by the destruction here because the missing evidence “would show that there was no disparagement.” (Id. at 12-13.) As a result, GoDaddy asks the Court to preclude SiteLock from arguing that GoDaddy disparaged SiteLock in communications between GoDaddy and GoDaddy's customers, and in the alternative, GoDaddy asks for an adverse inference instruction “for the jury to assume that if SiteLock had not destroyed the Customer Communication Evidence, such evidence would show GoDaddy did not disparage SiteLock.” (Id. at 15.)

In response, SiteLock argues that GoDaddy cannot show that favorable evidence was lost or that GoDaddy was prejudiced by the loss of the calls - more evidence of disparagement could logically only benefit SiteLock while calls lacking disparagement would not be probative. (Id. at 14-15, 17.) At any rate, SiteLock argues that it was reasonable not to retain all customer calls, as SiteLock applied a standard retention policy in which calls and chats were retained for 90 days. (Id. at 15-16.) SiteLock also asserts that GoDaddy “cites zero evidence” in support of the contention that SiteLock intentionally destroyed the communications to frustrate GoDaddy's litigation objectives. (Id. at 16-17.) Finally, SiteLock requests an award of the costs incurred when opposing GoDaddy's motion, lest GoDaddy “be emboldened to continue filing frivolous and untimely discovery motions.” (Id. at 17.)

GoDaddy replies that “temporal proximity between SiteLock's decision to preserve, review, and then destroy Customer Communication Evidence . . . demonstrates intent.” (Doc. 486 at 4.) GoDaddy also reasserts that it is requesting SiteLock's claims be barred or “an instruction stating that it has been deemed admitted, and must be accepted as true, that the deleted recordings show GoDaddy did not disparage SiteLock.” (Id. at 11.)

3. API Calls

GoDaddy argues that because the API data “goes to the heart of SiteLock's core claims” and “SiteLock insisted the GoDaddy produce the same data,” “there is no question that it should have been preserved. SiteLock cannot credibly argue that the API Data can be obtained from an alternative source given its demand that GoDaddy reengineer the automated API calls from GoDaddy's backup tapes.” (Doc. 468 at 11-12.) GoDaddy asserts that it was prejudiced by SiteLock's destruction of API data in two ways: (1) “the parties spent months litigating discovery battles that could have been avoided had SiteLock preserved this key evidence”; and (2) without the API data SiteLock cannot show that it “accurately invoiced GoDaddy for all activations.” (Id. at 14-15.) GoDaddy asks the Court to preclude SiteLock from arguing that the “destroyed” API data supports its calculation of damages, or in the alternative, to order SiteLock to pay GoDaddy's attorneys' fees in connection with all litigation that could have been avoided had SiteLock simply preserved the API data. (Id. at 15-16.)

SiteLock responds that it has preserved records showing all subscriptions reported by GoDaddy, but those records do not include information that SiteLock never received - i.e., subscriptions that GoDaddy did not report. (Doc. 480 at 8.) SiteLock asserts that the API data is irrelevant because the transaction records associated with the raw API calls have been produced and the API calls themselves would be duplicative of those records. (Id. at 9.) SiteLock further contends that those calls would be irrelevant to SiteLock's damages because they only represent the disclosed transactions, not the transactions GoDaddy failed to report. (Id. at 9.) SiteLock also argues that the API calls themselves are “raw computer code that is largely indecipherable to humans. GoDaddy does not explain how it would be feasible to use this computer code to calculate damages.” (Id. at 9.) SiteLock asserts that its policy of not retaining API calls was reasonable, as it retained the transactions and the API calls were duplicative of those records, and thus SiteLock could not have foreseen that API calls would be relevant to future litigation with GoDaddy. (Id. at 11-12.) SiteLock also asserts that GoDaddy has not established SiteLock's intent to deprive and that GoDaddy is not prejudiced by the absence of “GoDaddy's own data” or the presence of discovery battles caused by GoDaddy's unwillingness to produce that data to SiteLock. (Id. at 12.)

GoDaddy replies that SiteLock “now argues that it preserved all API evidence, but that claim is contradicted . . . . Mr. Lovell testified that SiteLock kept only the data that made it on to its invoices. So if SiteLock failed to include the agreed-upon discount for bundled products in its invoices, SiteLock did not preserve that data.” (Doc. 486 at 8.) GoDaddy further contends that “[w]hile SiteLock argues the API Data is irrelevant, it used the absence of that data to oppose GoDaddy's pending Rule 37 motion, and to support its motion for partial summary judgment.” (Id.) Finally, GoDaddy reasserts that it need not prove prejudice, but “prejudice is clear,” and points to a negotiation between SiteLock and GoDaddy that supports this conclusion. (Id. at 8-9.)

4. Timeliness

In addition to opposing GoDaddy's request for spoliation sanctions on the merits, SiteLock contends the motion should be denied on untimeliness grounds because it essentially raises a discovery dispute and thus should have been filed before the close of fact discovery. (Doc. 480 at 4-5.)

GoDaddy replies that its request is timely because it sought relief five months before trial, unlike in Mannion, and because the case management order does not include a specific deadline for this sort of motion. (Doc. 486 at 9-11.)

C. Analysis

1. Customer Communication Evidence

On the one hand, the Court understands and, to some extent, shares GoDaddy's frustration with SiteLock's decision to destroy Customer Communication Evidence. One of SiteLock's contentions in this case is that GoDaddy improperly disparaged SiteLock. There is evidence that SiteLock became aware of the possibility that it would be pursuing such a claim against GoDaddy no later than June 2017, which is long before this case was filed. (Doc. 371-1 ¶ 103.) From that point forward, SiteLock had a duty to preserve information that was potentially relevant to its anticipated disparagement claim. Fast, 340 F.R.D. at 337 (“[A] duty to preserve ESI can arise far in advance of the formal retention of a lawyer or the filing of a lawsuit. . . . [T]he duty arises when litigation is reasonably foreseeable and the party knows or should know the ESI may be relevant to pending or future litigation.”); Waymo LLC v. Uber Techs., Inc., 2018 WL 646701, *14 (N.D. Cal. 2018) (“Many court decisions hold that potential litigants have a duty to preserve relevant information when litigation is reasonably foreseeable. Rule 37(e) is based on this common-law duty. . . . This is an objective standard, asking not whether the party in fact reasonably foresaw litigation, but whether a reasonable party in the same factual circumstances would have reasonably foreseen litigation. The reasonable foreseeability of litigation is a flexible fact-specific standard that allows a district court to exercise the discretion necessary to confront the myriad factual situations inherent in the spoliation. This standard does not trigger the duty to preserve documents from the mere existence of a potential claim or the distant possibility of litigation. However, it is not so inflexible as to require that litigation be imminent, or probable without significant contingencies.”) (cleaned up). It is no excuse that the information was otherwise subject to destruction pursuant to SiteLock's document retention policy - once SiteLock became aware of the information's potential relevance to anticipated litigation, a preservation duty arose. See generally Apple Inc. v. Samsung Electronics Co., 881 F.Supp.2d 1132, 1137 (N.D. Cal. 2012) (“[I]t generally is recognized that when a company or organization has a document retention policy, it is obligated to suspend that policy and implement a litigation hold to ensure the preservation of relevant documents after the preservation duty has been triggered.”) (citation and internal quotation marks omitted).

The Court also agrees with GoDaddy's contention that SiteLock should have recognized that the specific category of information at issue here - Customer Communication Evidence - was potentially relevant to the anticipated litigation. See Fed.R.Civ.P. 37(e), advisory committee note to 2015 amendment (“Courts should consider the extent to which a party was on notice that litigation was likely and that the information would be relevant. . . . [T]he scope of information that should be preserved may remain uncertain. It is important not to be blinded to this reality by hindsight arising from familiarity with an action as it is actually filed.”) (emphasis added). SiteLock has now produced two pieces of evidence that arguably support its disparagement theory - a customer support call and a voicemail. (Doc. 475 [notice of non-electronic filing of exhibits].) Both callers refer in broad terms to conversations with GoDaddy in which customers were encouraged to view SiteLock as an inferior or unsuitable product. Given that the evidence of the alleged disparagement was contained within recordings of customer calls and voicemails (i.e., Customer Communication Evidence), it should have been apparent to SiteLock that such information needed to be preserved in anticipation of litigation.

On the other hand, the two remedies that GoDaddy seeks based on SiteLock's spoliation of Customer Communication Evidence-“an order precluding SiteLock from arguing GoDaddy disparaged or defamed SiteLock based on any alleged communications with customers,” or in the alternative “an adverse inference instruction that the missing evidence would have benefitted GoDaddy had it been preserved” (Doc. 468 at 2)-are untethered to the actual violation and would produce a windfall. If any of the destroyed communications contained evidence of GoDaddy disparaging SiteLock, their destruction was beneficial to GoDaddy and detrimental to SiteLock (because the evidence would have otherwise been useful in supporting SiteLock's disparagement claim). In contrast, if any of the destroyed communications lacked evidence of disparagement, they were unhelpful to either party-as SiteLock persuasively puts it, “SiteLock does not claim that every customer who called SiteLock in June 2017 reported GoDaddy's disparagement. It is no defense for GoDaddy to argue that GoDaddy didn't always disparage SiteLock.” (Doc. 480 at 15.)

Under these circumstances, it would be improper to sanction SiteLock for the destruction of evidence that was either potentially helpful to SiteLock or, at worst, irrelevant by categorically precluding SiteLock from presenting any evidence of disparagement at trial or crafting an adverse-inference instruction. The first requested sanction would, for example, preclude SiteLock from presenting the two pieces of disparagement evidence (the customer support call and voicemail) that it did preserve. The Court is not required to, and declines in its discretion to, impose such disproportionate, windfall-producing sanctions. See Fed.R.Civ.P. 37(e) advisory committee's note to 2015 amendment (“The remedy should fit the wrong, and the severe measures authorized by [subdivision (e)(2)] should not be used when the information lost was relatively unimportant or lesser measures such as those specified in subdivision (e)(1) would be sufficient to redress the loss.”); Fast, 340 F.R.D. at 353 (“The fact that Rules 37(c)(1) and (e) authorize sanctions does not mean that sanctions must be imposed. The Court retains discretion to determine what sanctions, if any, are warranted.”).

The Court notes that, if SiteLock were to attempt to argue at trial that it has additional evidence of disparagement beyond the pieces of Customer Communication Evidence it has preserved and produced, this approach might be improper (because SiteLock's failure to preserve the remaining Customer Communication Evidence has undermined GoDaddy's ability to rebut claims about the content of other customer communications). But because it is unclear whether SiteLock intends to pursue such a claim at trial, and GoDaddy has not moved for a tailored sanction that would preclude such a claim, the Court simply flags the issue for now.

Given this determination, it is unnecessary to resolve SiteLock's alternative argument that the Customer Communication Evidence-based sanctions request be denied on untimeliness grounds.

2. API Calls

During the course of the SiteLock/GoDaddy contractual relationship, “GoDaddy reported orders for (activated) SiteLock subscriptions to SiteLock through an API. An API is a piece of software that allows two businesses' computerized systems to talk to one another. The API worked as follows: each time a customer ordered a SiteLock subscription from GoDaddy (and ‘activated' the subscription), GoDaddy's computer system automatically transmitted an ‘API call' to SiteLock's computer system. An API call is computer code that tells the recipient computer to take some action. In this case, each API call instructed SiteLock's system to create a record reflecting the details of the customer's order. When SiteLock's computer system received the API call, SiteLock's internal database automatically created a transaction record reflecting all of the information about the subscription contained in that API call.” (Doc. 480 at 7.) API “calls” between computers are “raw computer code” that is “largely indecipherable to humans” and “unusable until translated into . . . transaction records.” (Id. at 2, 9.)

In a nutshell, GoDaddy argues that SiteLock “spoliated API Data by deleting the API calls that it received, keeping only ‘some' transaction data, and altering the retained data along the way to fit its invoices.” (Doc. 468 at 6 [emphasis added].) SiteLock, in turn, acknowledges that it did not “retain[] the raw API calls themselves” but argues that it “preserved and produced all relevant API data,” in that it “preserved all of the[] transaction records [and] produced these records . . . at GoDaddy's request.” (Doc. 480 at 6-7 [emphasis added].)

Resolving GoDaddy's motion is complicated by the parties' ambiguous use of the terms API “data” and “call.” For example, when SiteLock states that it “preserved and produced all relevant API data,” it is referring to the automatically created transaction record that translates the code, not the API call itself. (Doc. 480 at 7-8.) The Court will respect GoDaddy's own description of its spoliation claim-that SiteLock spoliated data by deleting the API calls, i.e., computer code. (Doc. 468 at 6.) GoDaddy also asserts that SiteLock kept only some of the transaction “data” and altered that “data” along the way to fit its invoices. (Id. at 6.) However, the evidence that GoDaddy produces in support of that claim makes clear that “data” refers to the API “calls” themselves, not the transaction records that SiteLock has produced. (Doc. 468 at 6 [citing Doc. 367-18, deposition of Scott Lovell].) Accordingly, the narrow question before the Court is whether the imposition of spoliation sanctions under Rule 37(e) is warranted based on the destruction of the API “calls” when SiteLock has preserved the corresponding transaction records.

Doc. 367-18 at 7 (stating that SiteLock maintains “some” records of API calls that it receives from resellers, but it would be too expensive to retain them all); id. at 21 (explaining that API calls impact how invoicing is “set up”).

A party seeking sanctions under Rule 37(e) has a threshold duty to show that the ESI at issue was, in fact, lost or destroyed. Fed.R.Civ.P. 37(e) advisory committee's note to 2015 amendment (“The new rule applies only . . . when [ESI] is lost.”). GoDaddy argues that SiteLock destroyed many of the API calls and SiteLock does not dispute it.

The next inquiry is whether the ESI was foreseeably relevant to the pending or foreseeable litigation. It is hard to understand why the API calls would be relevant here. GoDaddy does not deny that the API calls themselves are functionally useless to a layperson, does not explain how an expert would make use of them, and SiteLock alleges (without effective contradiction) that it has produced all of the transaction records associated with those calls. Instead, GoDaddy makes three points: first, that GoDaddy was prejudiced by litigating discovery battles that would have been avoided if SiteLock had preserved the API calls (Doc. 468 at 14), second, the related point that SiteLock “used the absence of [the API Data] to oppose GoDaddy's pending Rule 37 Motion, and to support its motion for partial summary judgment” (id. at 8), and third, that SiteLock cannot meet its burden of establishing damages without the information in the API calls (id. at 14).

GoDaddy first argues that “SiteLock's failure to preserve the API [calls] caused discovery disputes that wasted the Court's resources on a series of motions that lasted more than a year.” (Id. at 6.) To the extent this argument has any bearing on the relevance of API calls, it is factually unsupported. GoDaddy points to SiteLock's RFP No. 10, which GoDaddy characterizes as “demand[ing]” API calls. (Doc. 468 at 6.) In fact, RFP No. 10 requested that GoDaddy produce “[d]ocuments sufficient to show all invoicing information provided by GoDaddy to SiteLock through the [API].” (Doc. 154-1 at 77.) In its response brief, SiteLock explains that it was not requesting the API “call,” but “documents showing the actual subscription information that GoDaddy reported through the API,” which tracks the Court's own understanding of the RFP. (Doc. 480 at 9.) GoDaddy does not reply. Similarly, GoDaddy points to SiteLock's RFP No. 7, which requested “documents sufficient to show the number of SiteLock products purchased through GoDaddy between November 4, 2013 and March 2, 2018, and the number of such products that were activated between November 4, 2013 and December 31, 2018.” (Doc. 152-1 at 48.) But SiteLock explained in a cover letter that these documents were “necessary to calculate SiteLock's contract damages, which are based on SiteLock subscriptions sold through GoDaddy but never reported to SiteLock through GoDaddy's API.” (Id.) Again, this is apparently a request for documents that reflect the full scope of transactions between the two parties, not a request for raw API calls. GoDaddy does not offer an alternative understanding in its reply.

In the same vein, GoDaddy asserts that “SiteLock argued that the parties' differences over alleged ‘missing data' could be put to rest if GoDaddy produced the API Data.” (Doc. 468 at 6 [citing Doc. 181-3 at 253].) But the actual testimony suggests that “this data” referred to “invoices that GoDaddy provided to SiteLock,” not API calls. (Doc. 181-3 at 253.) Finally, GoDaddy's assertion that “SiteLock also requested that GoDaddy reengineer-and reproduce-logs of the API calls from GoDaddy's servers” is based on GoDaddy's own characterization of SiteLock's request. (Doc. 468 at 7 [citing Docs. 367-2 ¶ 32, 367-26 at 2].) GoDaddy's reply is limited to recursively citing its own briefing in support of the argument that “SiteLock repeatedly demanded GoDaddy produce the API Data in this action.” (Doc. 486 at 9.)

Second, GoDaddy argues that SiteLock “used the absence of [the API Data] to oppose GoDaddy's pending Rule 37 Motion, and to support its motion for partial summary judgment.” (Doc. 486 at 8.) When responding to GoDaddy's Rule 37 motion, SiteLock alleged that “[d]uring the parties' relationship, SiteLock submitted invoices to GoDaddy based on the orders for SiteLock subscriptions that GoDaddy reported to SiteLock. The subscriptions GoDaddy reported, and for which SiteLock billed GoDaddy, included orders of both standalone and bundled subscriptions. SiteLock itself did not (and could not) distinguish between standalone and bundled subscriptions, because GoDaddy never reported that information to SiteLock.” (Doc. 466 at 4.) In SiteLock's motion for partial summary judgment, SiteLock argued that “GoDaddy used an Application Programming Interface (or ‘API') to report its sales to SiteLock. Based on the data that GoDaddy reported through the API, SiteLock generated invoices that it sent to GoDaddy on a monthly basis, which GoDaddy paid after ‘reconciling' them. It is undisputed that GoDaddy never provided information to SiteLock through the API (or through any other avenue) identifying any of its sales of SiteLock subscriptions as part of a ‘bundled' package entitled to the discount. Accordingly, SiteLock did not know what subscriptions GoDaddy had sold as part of bundles, and could not reflect such bundles in its invoices.” (Doc. 341 at 12.) Contrary to GoDaddy's position, neither of these assertions relied on the absence of API calls. Instead, they relied on GoDaddy's failure to report a subset of transactions (bundles) in the first place.

Third, GoDaddy argues that SiteLock cannot prove damages with “reasonable certainty” without the API calls. (Doc. 468 at 14-15.) SiteLock responds that it has “already calculated damages using GoDaddy's transaction records, which are the only source of information showing the subscriptions that GoDaddy failed to report and pay for. SiteLock's own transaction records do not reflect the subscriptions that GoDaddy failed to report through the API, and therefore do not permit this calculation.” (Doc. 480 at 9.) GoDaddy does not reply directly but argues that “SiteLock's argument on damages violates due process.” (Doc. 486 at 9.) However, arguments raised for the first time in reply are forfeited. CSR Technology, Inc. v. Bandspeed, Inc., 2012 WL 1150863, *5 (D. Ariz. 2012) (finding that a constitutional due process claim raised for the first time in reply was waived).

For these reasons, GoDaddy has not established that the destroyed API calls would be relevant to anticipated litigation. This determination, alone, means that GoDaddy's request for spoliation sanctions based on the destruction of the API calls must be denied.

Finally, and alternatively, GoDaddy's request for sanctions also fails because it has not established that the missing ESI “cannot be restored or replaced through additional discovery.” Fast, 340 F.R.D. at 339. For the reasons discussed above, GoDaddy has failed to establish that the missing API calls differ, in any material way, from the resulting transaction records that were preserved and produced. The transaction records can thus be viewed as “replacing” the API calls.

Given these determinations, it is unnecessary to resolve SiteLock's alternative argument that the API-related sanctions request be denied on untimeliness grounds.

3. Attorneys' Fees

GoDaddy asks the Court to grant “attorneys' fees incurred while litigating issues related to the API Data that would have been averted had SiteLock preserved that evidence.” (Doc. 468 at 2.) Although GoDaddy does not specify the basis for this request, the Court assumes that the request for spoliation sanctions in the form of attorneys' fees would be governed by Rule 37(e)(1) of the Federal Rules of Civil Procedure, which provides that “upon finding prejudice to another party from loss of information, [the Court] may order measures no greater than necessary to cure the injustice.”

As stated above, the Court has found that SiteLock's destruction of API “calls” caused no prejudice to GoDaddy because the calls were duplicative of information GoDaddy did produce. Further, even if GoDaddy's fee request were based on the Court's inherent authority, the Court has found no evidence of SiteLock's intent to frustrate GoDaddy's litigation aims, which would be necessary to establish that SiteLock acted “in bad faith, vexatiously, wantonly, or for oppressive reasons.” Leon v. IDX Sys. Corp., 464 F.3d 951, 961 (9th Cir. 2006).

SiteLock requests that “given the frivolousness of GoDaddy's motion, . . . the Court award SiteLock fees pursuant to 28 U.S.C. § 1927 or the Court's inherent authority.” (Doc. 465 at 17.) Because SiteLock offers a bare request for sanctions, without formally setting out allegations of bad faith (as required under both § 1927 and the Court's inherent authority, Cunningham v. County of Los Angeles, 879 F.2d 481, 490 (9th Cir. 1988)), the Court declines in its discretion to grant fees.

Accordingly, IT IS ORDERED that:

1. GoDaddy's motion for disclosure sanctions (Doc. 457) is denied.

2. GoDaddy's motion for spoliation sanctions (Doc. 467) is denied.

