Outback Steakhouse gets Grilled by Judge over Electronic Evidence Preservation

Outback Steakhouse gets Grilled by Judge over Electronic Evidence Preservation

A Federal court in New Jersey sanctioned Outback Steakhouse for failing to preserve enough video camera footage of a customer’s slip and fall.

Despite the restaurant manager’s efforts to export nearly 30 minutes of surveillance video, the court determined the selective collection and preservation of but a few minutes of video that preceded the plaintiff’s fall on an alleged greasy substance was insufficient.  Because the DVR system used by Outback was configured to overwrite its data every seven days, by the time the Plaintiff sent her preservation letter (some twelve days later which sought a total of 48 hours of video) the relevant electronic evidence had already been destroyed.

It was revealed during discovery that Outback had a policy and a procedure in place to check the floor as they work and to report incidents to management, but it did not have a policy (or any employee training) on the preservation of electronic evidence, thereby leaving each manager to determine how much video evidence to collect.

In response to the permanent loss of the additional requested video evidence, Plaintiff filed a motion for sanctions pursuant to Federal Rule of Civil Procedure 37.  The court determined that because Outback was a sophisticated litigant, it was aware it had a duty to preserve relevant evidence.  The court found Outback failed to fulfill its duty because it left the task of determining what to preserve to individual restaurant managers who were given no guidance on how to execute the company’s preservation duties.  As such, the court ruled the jury could be instructed that Outback intentionally failed to preserve the disputed video evidence and that it may presume the lost video footage was unfavorable to Outback.

Slip and fall cases typically involve the routine application of the facts to long established premises liability laws, and this one does not appear to be any different.  However, it is quite instructive on the issues of (i) electronic evidence preservation and (ii) company policies and procedures.

You can read the Court’s opinion in Nagy v. Outback Steakhouse here.

A few takeaways to consider:

Best Practices regarding Surveillance Camera Footage

  • Take Inventory: Businesses should act quickly after an incident has occurred to determine what video evidence exists.  This inquiry should focus not only on your own video systems/evidence but also third-party video feeds such as neighboring businesses and homes, traffic cameras, and municipal/police surveillance systems.
  • Data is ephemeral. As seen in the Outback case, the surveillance video was overwritten by the system after just seven days. Third-party data retention could be even less, so act fast to canvass the area and request their cooperation to preserve the evidence (even if they don’t want to turn it over immediately without a subpoena or court order).
  • Video systems are highly proprietary. You may need to hire a forensic expert to preserve the data at issue.  Often with surveillance camera/DVR data, the information is saved in a proprietary format and requires a product-specific export tool (and possibly even a viewer) to access the videos.  While a forensic image of the hard drive located within the DVR system might satisfy the company’s preservation obligations, the image may prove useless unless there is a way of exporting and viewing it in a usable, and cost efficient, format.
  • Have a written Evidence/ESI Policy and Procedure. For businesses that deal with public invitees, injuries are bound to occur.  In addition to any policies and procedures for the reporting of accidents/injuries, it behooves businesses to include in those policies an evidence policy that addresses the types of evidence that should be preserved, by whom, and when.  As seen in this example, the local restaurant managers are tasked with deciding what video to save, and how much.  Given that Outback had a policy on floor sweeps, preserving an entire day’s video could have proven the employees fulfilled their duties as directed.

Best Practices for preserving ESI in General:

  • Begin the preservation process early. Litigation takes place months/years after the fact, and ESI-related discovery issues may not be known until it is too late to preserve the evidence.  Forensically imaging an entire computer or smartphone, or as in the Outback case, exporting a full day worth of video, may seem like an over-indulgence, but when compared to fighting a spoliation motion, it is money well spent.
  • Handle With Care: Metadata on-board. Hiding behind your documents, photographs, and emails is its metadata. Metadata is constantly being updated as the user interacts with the ESI.  As such:
    • when dealing with thumb drives and other external storage devices, don’t insert them to see what they contain. Too often the file access dates will be updated by anti-virus scans or search functions conducted by the client and/or attorney.  Rather, they should be delivered to an expert for preview/preservation.
    • When dealing with specific, relevant emails, don’t forward the subject email, add it as an attachment to a new email when sending to counsel. The internal metadata (header) of the original email needs to be preserved—forwarding it replaces the original metadata with the forwarded email’s information.  Tracing it will only lead back to you, not the original sender.
    • When dealing with documents, preserve both the internal metadata and its system metadata. Internal metadata travels with the document, but system metadata can only be found on the device on which the file was created/saved/modified/edited.  You may need to image an entire device in order to satisfy your preservation obligations, even if you think the document is the only relevant piece of evidence in your case.

Steven M. Hilary, CCE, EnCE, ACE Promoted to Partner

Steven M. Hilary, CCE, EnCE, ACE Promoted to Partner

Maragell is pleased to announce Steven M. Hilary has become a partner at the firm. “Steve’s forensic skills and experience as a computer forensic investigator and testifying expert has been an important part of the firm’s achievements these past ten years,” said Jeff Brenner, Maragell’s founding partner. “His promotion reflects Maragell’s commitment to recognizing those at the firm who have reached the highest levels of professional accomplishment and who share the values that are important to our clients and the members of the firm. I congratulate Steve on this accomplishment and look forward to his continued contributions to Maragell’s future success.”

Steve revealed that he became fascinated with computer forensics when he attended an open house on the subject at Bloomsburg University where he obtained his degree. “I’m happy to have had the good fortune to be able to turn my interest into a career, and to be part of an amazing community of expert investigators.”

Tales from the Hard Drive

Tales from the Hard Drive
Jeff Brenner, Esq., NJLPI and Steve Hilary, CCE, EnCE, ACE recently entertained the Camden County Bar Association with four case studies.

  1. John Dillinger – Bank Theft in the Digital Age
  2. The Time Traveler’s Document
  3. The Sexting Supervisor
  4. What Evil Lurks in the Hearts of Computers–The Volume Shadow Copy Knows!

The cases educated the audience (i) how to digitally trace stolen files via thumb drives from one company to another, (ii) how to tell if an electronic document was forged or backdated using metadata analysis, (iii) how to find deleted/missing text messages on a smartphone, and (iv) some unusual locations where data can hide on the Cloud, a computer’s operating system, and on backups.

Maragell’s Computer Forensic Expertise Proves Instrumental in Federal Jury Trial Victory

Maragell’s Computer Forensic Expertise Proves Instrumental in Federal Jury Trial Victory
Steven M. Hilary, EnCE, CCE, ACE, was recently accepted in Federal Court as an expert in computer forensics. Mr. Hilary testified during the two-week jury trial how the defendants used their company computers to create a competing business (via Gmail communications regarding the new company’s logo, 401K documents, and a new company handbook), and then intentionally deleted all the files on one of them using the “Windows Reset” setting in Windows 10. With the Windows Reset feature, a user has the option to “Keep my files” or “Remove Everything;” the latter option was selected in this case.

Mr. Hilary also explained how the defendants spoliated cell phone evidence by selectively deleting their text messages. Unfortunately for them, they didn’t know that even when a text is deleted, if they “liked” the text using the Apple Tapback feature, the operating system within the phone maintained the Tapback icon (the “thumbs up”) as well as the text that (they thought) was deleted. Based on Mr. Hilary’s findings, the Court instructed the jury to presume the foregoing destroyed information was unfavorable to the defendants. The jury awarded our client a multi-million dollar verdict, including punitive damages.

Expanding the Walls of your Castle? Protect your Data and Remote Employee Devices


St Andrews Castle, once a stronghold of the Catholic Church, fell into the hands of locals when they tricked the residents by posing as masons sent by Rome to fix the walls. Don’t let yours suffer the same fate.


Your Expanded Office

As you transition your business to remote and home office locations you increase the number of openings and pathways into your castle.

To help counter the risks these extended office walls create (and the devices contained inside) Maragell, in conjunction with our sister firm Black Cipher Security, is offering an easy-to-install cybersecurity protection solution for as low as $250 per device per year.

The tool monitors the device in real time (24/7) for malicious activity and acts to stop attack vectors such as ransomware, identify unusual user activity, and stop and quarantine malicious processes, all with the oversight of our Security Operations Center. For more information, please complete the contact form displayed on this page.

Thank you for Voting! Maragell Named BEST Corporate Investigator for 2019

Dear Friends,

Thank you for your continued support! Maragell has been named in the New Jersey Law Journal’s 2019 Survey of Vendors to the legal community as the WINNER

Best Corporate Investigations Provider!

We were also voted a Top 3 “Best of” provider in the following two categories:

Best Expert Witness (Technology/Computer Forensics)
Best End-to-End eDiscovery Provider

On behalf of our entire staff, we thank you for your past business and we look forward to supporting you in the future.


Jeffrey Brenner, Esq., NJLPI

Best of News – SJ Magazine Top Attorney Night

Maragell, LLC was once again proud to sponsor the 2019 winners of the SJ Magazine Top Attorneys Awards. Congratulations to all the honorees, including our own Jeff Brenner who was named a Top Attorney in Computer Law.

See all the winners here:

Data Spoliation – Uncovering the Cover-Up

Concerned your adversary’s client altered a document and deleted the original? Worried your own client deleted key evidence from his computer before turning it over for inspection? Years ago, when a user hit “delete” it didn’t always mean “delete” and forensic examiners were quick to amaze litigants with their ability to reclaim the information. With improved hard drive technology and increased operating system security (combined with full disk encryption), today, delete can really mean delete. Or does it? Enter forensic artifact.
Just as the human brain tells the muscles in the arm to curl, a computer’s operating system tells the device what to do when a thumb drive is inserted, how to display a webpage, or when a file is deleted. These types of commands/ instructions, among thousands of others, are routinely recorded and stored by the computer’s operating system. By studying these items, a forensic examiner can often recreate the user’s activities on the computer, including the spoliation of information.By way of example, a user can remove a file from a computer by simply deleting it. Doing so “sends” the file to the Recycle Bin. This action creates a host of forensic artifacts depending on the (Windows) operating system of the computer (Mac computers have different artifacts). These artifacts can reveal when the file was sent to the Recycle Bin, the original location of the file on the computer, its original size, and the user profile involved.

The file remains in the Recycle Bin until either the user restores the file (either by undoing the deletion or simply dragging it out) or removes it (by deleting the contents of the entire Recycle Bin or selectively deleting the one file). Deleting the deleted file from the Recycle Bin “sends” it to the unallocated/deleted space of the computer. If the drive is an older one, this space may contain the “permanently” deleted data until the data is overwritten by new files created on the computer or until a cleanup process is performed. Until the data is overwritten, keyword searches and forensic file recovery software can be used to locate and/or reclaim the information. If the drive is new (solid state drive or a virtual machine), the file itself is likely unrecoverable.

But what if the custodian were to wipe the relevant files from the computer instead of just deleting them? When a person wipes a file using a software program such as Eraser, Window Washer, or PC Cleaner, generally four actions will occur: the software will rename the original file, it will overwrite the original file’s data, it may change the timestamps of the original file, and it will delete the original file (not necessarily in this exact sequence).

Many of these transactions can be found in the operating system files even though the file itself has since been destroyed. By extracting and analyzing these operating system files, an examiner can potentially determine the original file’s name and location on the hard drive.

If the file cannot be identified, using other forensic artifacts found in the operating system, the examiner may still be able to determine what program was used (assuming the user deleted the wiping program too), when it was installed, and when it was used. The mere use of a wiping program after a litigation hold is in place (or subpoena received) may be enough to impose sanctions even if the original files cannot be identified. And, if that evidence can be coupled with an examination of the user’s Internet history showing what searches were conducted (i.e. “how to permanently delete a file”) an intentional act can be established.

Another “hiding” place for lost files is the computer’s Shadow Copy (sometimes referred to as a “Restore Point”). Depending on the configuration of the operating system, the computer itself may create several Shadow Copies, each one containing a snapshot of the content of the computer at the time. If a file is missing from the computer, by examining this artifact, the examiner may succeed in locating it. The bigger question of why it went missing is a topic for deposition.

Practice Tips: By knowing the original file names and locations of the wiped files, an examiner can potentially restore them from Shadow Copies. In the event no Shadow Copies exist, knowing the wiped file names/folders even existed may provide sufficient evidence to claim spoliation. Finally, analyzing other artifacts on the computer may show when a wiping program was initially used, when it was last run and how many times, and whether the user searched the Internet for tips on how to destroy sensitive files, thereby providing circumstantial evidence of an intentional act.

A Cybersecurity Risk Assessment is the First Step to Managing your Compliance Burden

Traditional risk management is already a mission critical practice for businesses. Add to it the scourge of computer hackers tapping into IT systems via emails laden with malware or through insecure remote connections and it becomes a seemingly impossible task. Append those daily efforts to the increasing demands of state and federal regulators to be notified of potential breaches in almost real time and you get a business that may not survive the resulting costs and reputational damage.

The solution proactive businesses (and their counsel) are using to help identify how data flows through their companies, the risks it faces as it moves, and how to use that knowledge to rapidly respond the ever-changing data privacy/breach notification regulatory environment is a Cybersecurity Risk Assessment.

A Cybersecurity Risk Assessment focuses on the value of the information contained within a business’s computers and the losses it may incur if that information is exposed, destroyed, stolen, or becomes otherwise inaccessible. The Assessment identifies and categorizes the critical electronic data in the business’s possession or control, where that data is located, who has access to it, and the strength of the business’s current IT systems and controls to protect it from harm. This catalog of information allows business leaders, risk officers and legal counsel to build, upgrade, and maintain systems, processes and protocols which will ultimately reduce the risk of a cyber incident, limit the legal, financial and reputational exposure should an incident occur, and enable the business to respond to regulatory notification requirements in an efficient and cost effective manner. This strategy ultimately aligns with the goals of state and federal data and privacy regulations and responsibilities.

A Cybersecurity Risk Assessment is often confused with protectionist tools like cybersecurity audits, vulnerability assessments, and penetration tests. Each tool is important, but they are not interchangeable nor do they address the business’s IT architecture as a whole. These tools are designed to evaluate the strength or weakness of a particular piece of software (computer operating systems, programs, applications), or hardware (routers, firewalls), or business processes (data flow and usage), and the channels over which the business’s information flows (third party vendors, cloud storage, email). The results these tools yield become part of the Cybersecurity Risk Assessment and impact how the business re-organizes itself, its processes, and its equipment to better protect its data and the value it represents.

New Regulations to Come:

The Office of the New Jersey Attorney General recently announced that it will be creating a new civil enforcement unit, known as the Data Privacy & Cybersecurity Section, to investigate data breaches impacting New Jersey residents and to enforce federal and state data privacy and cybersecurity laws. New Jersey’s AG joins an expanding list of state AGs, including those of California, Connecticut, Indiana, Maryland, Massachusetts, New York, and North Carolina, who are dedicating more resources to data breach investigation and enforcement actions.

In 2017 the New York Department of Financial Services released Cybersecurity Regulation 23 NYCRR 500 (DFS 500), a set of regulations that places new cybersecurity requirements on all covered financial institutions. In addition, the NY state Attorney General has proposed the SHIELD ACT, which would place a legal
on companies to adopt “reasonable” administrative, technical, and physical safeguards for sensitive data; the standards would apply to any business that holds sensitive data of New Yorkers, whether they do business in New York or not. The performance of a Cybersecurity Risk Assessment is a primary requirement for compliance with these regulations.
Pennsylvania is one of 24 states that requires customer notification, “without unreasonable delay,” when a data breach affects more than 1,000 residents. Pennsylvania’s attorney general is taking on a national role on data breaches in the midst of a wave of incidents impacting millions of Americans and Pennsylvanians. Attorney General Shapiro filed his office’s first-ever lawsuit under Pennsylvania’s Breach of Personal Information Notification Act against the ride-sharing company Uber based on a data breach impacting 600,000 Uber drivers in the United States — including 13,500 in Pennsylvania.
Performing a Cybersecurity Risk Assessment will not only improve the business’s security posture, it will help align the organization with these, and other state and federal regulations and activities (e.g. Sarbanes Oxley, HIPAA Privacy, PCI) and the most recent addition, the international data transfer requirements of GDPR (General Data Protection Regulation). Knowing where the data is, what personally identifiable information it contains, who has access to it, and for how long, will not only put the organization in the most efficient compliance posture, it will greatly improve its incident response time.
To learn more about how Black Cipher Security can help improve your outcomes, visit our website at or email

Thank you for Voting! Maragell Named One of the Best Computer Forensics Experts and Best Investigators for 2018

Dear Friends,

Thank you for your continued support! Maragell has been named in the New Jersey Law Journal’s 2018 Survey of vendors to the legal community as a Top 3 “Best of” winner in the following categories:

Best Expert Witness (Technology/Computer Forensics)
Best Corporate Investigations Provider

On behalf of our entire staff, we thank you for your past business and look forward to supporting you in the future.


Jeffrey Brenner, Esq., NJLPI