Litigation Risks of Failing to Preserve Personal Data

In recent years, the Delaware Court of Chancery has increased its focus on the importance of preserving data and delineating the consequences for failing to do so. Indeed, last year we wrote an article about the risks of failing to preserve text messages and other messaging data.

Recently, the Court issued a ruling in In re Facebook Inc. Derivative Litigation^[1] that highlights the importance of preserving personal email. That ruling, along with its practical implications, is discussed below.

I. Summary of the Case

Facts

In March 2018, news broke that Cambridge Analytica, a British data analytics firm, harvested private information of more than 50 million Facebook users without their permission.^[2] Cambridge Analytica reportedly paid Meta Platforms, Inc. (“Meta”), which owns Facebook and other platforms, for information that included users’ identities, personal identifying information, friends, and “likes.”^[3]

Shortly after news broke about the Cambridge Analytica data harvest, Meta issued a legal hold that advised its recipients of their obligation to preserve (among other things):

all hard copy and electronic data and documents (such as files, data tables or logs, notes, memos, spreadsheets, docs stored in Dropbox and Box, Quip, and Google or Zoho Docs), and all correspondence (such as email, instant messages, Skype messages, WhatsApp messages, FB Messages, text messages, FB Group posts, and letters).^[4]

Sheryl Sandberg, then a member of Meta’s senior leadership team, received the legal hold.^[5] At the time, she was the chief operating officer, a position she held until August 2022.^[6] Sandberg was also on Meta’s board of directors (the “Board”), a position she held until May 2024.^[7]

On April 25, 2018, litigation stemming from the Cambridge Analytica data harvest was initiated.^[8] As litigation progressed, Meta reminded its document custodians about the legal hold.^[9] When a new director (Jeffrey Zients) joined the Board in 2018, Meta sent him the legal hold.^[10]

Outside counsel spoke with Sandberg and Zients, both of whom were defendants in the litigation, about document preservation and collection.^[11] They also received “FAQs Regarding Legal Holds,” which emphasized the obligation to preserve “‘any information related to the Matter,’” including information on personal devices and accounts.^[12]

In discovery, plaintiffs asked defendants to disclose information about their preservation and collection of electronically stored information. While interrogatory responses disclosed that Sandberg had a practice prior to the litigation of regularly deleting emails from her Gmail account that were over thirty days old,^[13] Sandberg’s counsel—as characterized by the Court—was not forthcoming with certain information about the preservation of her personal Gmail account and could not provide a specific date by when Sandberg ceased this practice.^[14] As to Zients, counsel disclosed that he had an auto-delete function enabled that deleted email approximately every six months.^[15]

Sandberg’s and Zients’s counsel investigated whether deleted emails could be obtained from other sources.^[16] They reviewed emails from Sandberg’s Gmail account and documents obtained from her in connection with other litigation.^[17] None were responsive.^[18] Counsel was able to identify fifty-seven emails in the litigation record that were sent to or from Sandberg’s Gmail account.^[19] For Zients, counsel reviewed documents from Zients’s other accounts and identified 415 that were sent to or from his personal account.^[20]

Plaintiffs moved for sanctions for spoliation.^[21]

Relevant Rulings

On January 21, 2025, the Court ruled on the sanctions motion, holding that Sandberg and Zients had “an affirmative duty to preserve their personal emails as evidence”— which neither contested.^[22] Both, as noted above, received litigation holds and were advised by their counsel to preserve personal email, but did not.

The Court held that while counsel was able to identify some deleted email, the balance was lost and could “support a spoliation sanction.”^[23]

The Court then considered whether the emails were lost due to a failure to take reasonable preservation steps. In doing so, the Court noted that individuals, like organizations,

must disable auto-delete functions that would otherwise destroy emails or texts. They also must back up data from personal devices before disposing of them. Failing to disable the auto-delete setting or back up messages before deletion demonstrates that a defendant acted unreasonably. Individuals may not claim ignorance. After receiving a litigation hold, an individual must take steps to determine what is necessary to comply. This includes learning what is necessary to prevent destruction or automatic deletion.^[24]

“Under these principles,” ^[25] the Court held that Sandberg and Zients failed to take reasonable steps to preserve their personal emails. The Court inferred Sandberg was “picking and choosing which emails to delete,” and the Court found that there was a lack of “transparency” to plaintiffs’ counsel about Sandberg’s email practices.^[26] Zients used an auto-delete function on his email that deleted data approximately every six months.^[27]

Against this backdrop, the Court held that plaintiffs “made a showing sufficient to demonstrate prejudice” and shifted the burden to Sandberg and Zients to show lack of prejudice.^[28]

Sandberg could not meet her burden “to make a convincing case against a finding of prejudice.”^[29] The Court noted that a review of the documents that counsel was able to recover reflected emails discussing matters relevant to the action, such as the “reputational danger” Cambridge Analytica posed to Meta and Meta’s lagging “trust among [Facebook] regular users.”^[30] As a sanction for spoliation, the Court raised Sandberg’s standard of proof by one level on any issue where she bears the burden of proof, and it awarded expenses incurred by plaintiffs in pursuing the spoliation issue against Sandberg including “for the effort required to pin down Sandberg’s positions and confirm that the ESI was not available from other sources.”^[31]

Conversely, the Court held that there is less reason to think that Zients lost relevant emails, and as a result the Court did not impose sanctions against him.^[32] Zients “was an outside director, not a C-suite officer, so he logically would have been less immersed in Company operations and likely received communications comparable to what other directors received.”^[33] Also, he joined the Board after the Cambridge Analytica data harvest—and did not “participate in those events in real time.”^[34]

II. Practical Application

How can I be certain that potentially relevant personal data is preserved? It is not uncommon for individuals to text or, as in the case of Facebook, use personal email accounts to communicate about business matters. In the context of litigation, any such potentially relevant communications must be preserved. As part of the preservation process, it is important to speak with custodians early on (and then throughout the litigation) about their preservation obligations—including discussing turning off any auto-delete functions and not actively deleting potentially relevant information.

Because a company often has less control over personal data, one option is to collect personal data to ensure that it is available, if ever needed. When considering whether to pursue this option, it is important to evaluate whether any applicable privacy laws or regulations restrict the collection of personal data.

What should I do when someone with potentially relevant personal data leaves while litigation is pending? The life cycle of litigation is often long. Indeed, Facebook began in 2018 and is still being litigated.

During the litigation life cycle, employees, officers, and directors with potentially relevant data may leave. In Facebook, Sandberg stopped being an officer and director years into the litigation.

Part of ensuring potentially relevant documents are adequately preserved can involve considering a company’s relationship with someone after they stop being associated with the company, and whether their data should be collected before they leave. For example, although Sandberg stopped being an officer and director, she remained a defendant and had to abide by discovery obligations as a party to the litigation. For individuals who are not parties to a litigation, it may be harder to access their potentially relevant personal data after they are no longer associated with the company absent an ongoing contractual agreement that would require their cooperation or a subpoena.

Do I have to disclose to opposing counsel that potentially relevant data such as personal email has been deleted? While every case is different, the Court—as evidenced by Facebook—expects transparency in discussions with opposing counsel about preservation matters, especially where there is a concern that data has been lost, destroyed, or deleted.

1. C.A. No. 2018-0307-JTL, 2025 WL 262194 (Del. Ch. Jan. 21, 2025). ↑

2. Id. at *3. ↑

3. Id. ↑

4. Id. ↑

5. Id. ↑

6. Id. ↑

7. Id. ↑

8. Id. ↑

9. Id.; see also id. at *7 (“Zients and Sandberg received frequent reminders about their preservation obligations”). ↑

10. Id. at *3. ↑

11. Id. at *4. ↑

12. Id. at *7. ↑

13. Id. at *4. ↑

14. Id. at *4–5, 9. ↑

15. Id. at *10; see also id. at *4. ↑

16. Id. at *5. ↑

17. Id. ↑

18. Id. ↑

19. Id. ↑

20. Id. ↑

21. Id. ↑

22. Id. at *7. ↑

23. Id. ↑

24. Id. at *8 (internal quotations omitted). ↑

25. Id. at *9. ↑

26. Id. at *9. ↑

27. Id. at *10. ↑

28. Id. ↑

29. Id. ↑

30. Id. at *11. ↑

31. Id. at *12–13. ↑

32. Id. at *11. ↑

33. Id. ↑

34. Id. ↑