Ryan M. Billings
rbillings@kmksc.com
(414) 962-5110
The United States Supreme Court recently denied certiorari in an attempted appeal of a Seventh Circuit decision affirming a $280 million judgment, ending nearly a decade of contentious litigation centered around trade-secret theft, retaliation against a whistleblower and spoliation of electronic records. The longstanding legal dispute highlights the need for strict data security and provides yet another example of the critical importance of preserving all information relevant to a legal dispute when litigation is reasonably anticipated or filed.
Plaintiff Epic Systems Corp. (“Epic”) is a well-known Wisconsin company, based in Madison, that provides electronic-health-record software to hospitals throughout the United States. Defendants Tata Consultancy Services Ltd. & Tata America International Corp. (“TCS”) are respectively a data consulting firm and a rival developer of electronic-health-record software, both commonly owned by a parent company based in India. Between 2012 and 2014 (all recited facts are as found by the jury), TCS downloaded more than 150,000 pages of documents containing Epic’s confidential information and trade secrets. How did TCS pull off this massive data heist? Not through any elaborate cybersecurity hack or a complicated scheme of corporate espionage, but because Epic gave a password to someone who should not have had one.
To help navigate its complicated software packages, Epic permitted customers to access a web portal called UserWeb, which contains administrative guides, training materials, software updates, and an online forum where Epic’s customers share data and discuss the software. In essence, it is a gigantic “How-To” manual for Epic’s customers. Because UserWeb contains large volumes of confidential information and trade secrets, Epic’s customers enter into non-disclosure agreements with Epic before they are permitted to access UserWeb.
Kaiser Permanente, the largest managed-healthcare organization in the United States, is an Epic customer. Epic created custom software for Kaiser called KP HealthConnect. Kaiser hired TCS as a consultant to help it understand, teach and optimize KP HealthConnect. Epic was aware that TCS was developing its own rival electronic-health-record software, so Epic was very careful about the access it allowed TCS to have to its UserWeb portal. While Epic gave Kaiser full access to UserWeb, the passwords Epic gave to TCS employees provided access to only very limited, less sensitive information. So far, so good.
In late 2011, Ramesh Gajaram was employed by a different consulting company that worked with Kaiser to test KP HealthConnect. Gajaram told Epic that he was a Kaiser employee, rather than an employee of the Kaiser consultant, and so Epic gave Gajaram an unlimited-access password. Gajaram later left that consulting company and joined TCS, taking his password with him. Through Gajaram, TCS now had unlimited access to UserWeb. Between 2012 and 2014, TCS used this unlimited access to download more than 6,000 documents containing confidential and trade secret information belonging to Epic. TCS used this information to develop its own software called Med Mantra, which competes with Epic’s software.
Epic discovered this theft through a whistleblower, TCS employee Philip Guionnet. In early 2014, Guionnet attended meetings concerning the Med Mantra software, and he was astonished by how much the software had advanced since the last time he had seen it demonstrated. Guionnet began investigating the matter, and eventually uncovered TCS’s theft. Guionnet reported the theft to TCS’s president. But rather than investigating the matter, TCS’s president took Guionnet off the Kaiser account, and told Guionnet that if he did not transition “peacefully,” he would be put “in a corner,” and TCS would make his life “miserable.” Undeterred, Guionnet told both Kaiser and Epic of his findings. Epic promptly filed suit.
Over the next nine years, Epic and TCS battled it out in trial and appellate courts. During discovery, Epic learned that TCS had failed to preserve evidence relevant to the case. Epic secured what is known as an “adverse-inference instruction,” which is an instruction to the jury that the jury may assume that the evidence that was lost would have been helpful to Epic and harmful to TCS. Litigators often call an adverse-inference instruction the “kiss of death,” believing that any jury that receives such an instruction will very likely agree to a verdict that is against the party who destroyed evidence. The jury in this case followed that rule, and after a lengthy trial, the jury returned a verdict awarding Epic $240 million in compensatory damages and $700 million in punitive damages, which the trial court later reduced to $140 million and $280 million, respectively.
Both parties appealed. Epic argued that the trial court erred in reducing its compensatory damages by $100 million. TCS argued that the trial court should have dismissed all compensatory damages, and that the punitive damages award was excessive and unconstitutional, as the Constitution places limitations on the amount of punitive damages that can be awarded. The Court of Appeals agreed with TCS that the punitive damages award was excessive, and determined that punitive damages of no more than $140 million (the amount of compensatory damages) would be constitutional. The appeals court remanded the case to the trial court for further consideration of punitive damages. Epic tried to appeal that reduction of punitive damages to the U.S. Supreme Court, but the Supreme Court did not accept the appeal (it denied certiorari). On remand, the trial court determined that $140 million was the appropriate amount of punitive damages. TCS appealed, and the Seventh Circuit affirmed. TCS then tried to appeal that decision to the Supreme Court, but the Supreme Court recently denied certiorari, ending nearly a decade of intense litigation. The $280 million award to Epic ($140 million in compensatory and $140 million in punitive damages) is now final.
Two lessons stand out from this “Epic” saga. First, while Epic is no doubt very pleased with its $280 million award, obtaining that award (which still needs to be collected) took more than 9 years and doubtless cost many millions of dollars in attorneys’ fees that Epic will not be able to recover. It also consumed countless hours that Epic’s executives and employees spent working with its counsel on the litigation, time that Epic will never get back. And there was no way of knowing until nearly 11 years after TCS stole the information what the outcome of litigation would be. Epic obtained a very nice result, but could not have known going into litigation that it would prevail, and the litigation could have turned out very differently: Epic could have walked away empty-handed. Relatively simple but critically important cybersecurity measures could have prevented the theft from ever occurring, such as verifying Gajaram’s employment before giving him an unlimited password and requiring multi-factor authentication with at least one method linked to Gajaram’s employer (so he would not be able to access UserWeb after he left that employment). Litigation is expensive and risky, and the need for litigation could have been avoided in this case through straightforward protective measures.
Second, TCS greatly hurt its chances of winning this case by failing to preserve relevant information during the litigation. The known facts were bad for TCS, but TCS’s destruction of relevant evidence on top of those bad facts likely made TCS’s cause hopeless. It is imperative when litigation begins or is reasonably anticipated that the parties adopt immediate steps to preserve all information related to the dispute. A failure to preserve can be fatal to successful litigation efforts.
If you would like to learn more about cybersecurity best practices, have questions about preservation duties or litigation holds, or would like to discuss a matter involving trade secrets or other confidential information, please contact KMK Attorney Ryan M. Billings at rbillings@kmksc.com or (414) 962-5110.