A business litigation client came to me after the other side claimed they had no responsive emails. Not that the emails were privileged. Not that they didn’t exist. That they had no responsive emails — in a company with 200 employees that handled millions of dollars in contracts entirely over email.

Their email system had a 90-day auto-delete policy. The lawsuit was filed on day 91.

The timing was suspicious enough that the court agreed. But proving intentional spoliation is hard, sanctions short of adverse inference are often inadequate, and the evidence — whatever it showed — was gone.

Spoliation of digital evidence is not always a dramatic act of deliberate destruction. More often, it’s the predictable result of normal business practices meeting the extraordinary requirements of litigation. Auto-delete policies. Cloud retention defaults. Device trade-ins. Software update overwrites. Routine IT maintenance. Any of these, if they continue running after the duty to preserve attaches, can result in sanctions under FRCP 37(e) — and any of them can be avoided with a properly issued and followed preservation letter.

When the Duty to Preserve Attaches

The duty to preserve evidence attaches when litigation is reasonably anticipated. Not when a complaint is filed. Not when a demand letter is received. When litigation becomes reasonably foreseeable — which, in many business disputes, employee terminations, and personal injury situations, is well before any formal legal action.

Courts have found the duty attached when:

The implication: by the time a litigation hold memo goes out to employees, it may already be too late to preserve evidence that was destroyed between the triggering event and the hold. Getting the hold in place quickly after a triggering event is not optional — it’s a core litigation function.

What FRCP 37(e) Actually Says

Federal Rule of Civil Procedure 37(e), as amended in 2015, governs sanctions for failure to preserve electronically stored information. It’s worth reading carefully because it establishes a specific framework that courts are required to follow.

The rule applies when ESI that should have been preserved in anticipation of litigation was lost because a party failed to take reasonable steps to preserve it, and the ESI cannot be restored or replaced through additional discovery.

If those conditions are met, courts may:

Under 37(e)(1): Order measures no greater than necessary to cure the prejudice — which can include additional discovery, adverse jury instructions that stop short of inference, or cost-shifting.

Under 37(e)(2): If the court finds the party acted with intent to deprive the opposing party of the information’s use in litigation — and this requires intent, not mere negligence — the court may presume the lost information was unfavorable, instruct the jury it may or must so presume, or dismiss the action or enter default judgment.

The 2015 amendments were designed to create uniformity across circuits that had developed widely divergent sanctions standards. The key distinction is between negligent failure to preserve (37(e)(1) remedies) and intentional deprivation (37(e)(2) remedies including adverse inference). Proving intent is hard — but auto-delete policies that continue running after the duty attaches, combined with evidence of awareness of the duty, can support an intent finding.

Auto-Delete Features: The Biggest Threat to Digital Preservation

Most organizations have auto-delete features running constantly on their systems. Email systems delete messages older than X days. Collaboration platforms like Slack and Microsoft Teams have configurable retention policies. Cloud storage providers purge deleted items after 30-90 days. Mobile device management systems remotely wipe devices that haven’t checked in.

None of these systems know when litigation is anticipated. They keep running unless someone turns them off.

A preservation letter — sent to the opposing party — triggers their duty to take steps to pause these systems. But it doesn’t automatically pause them. The opposing party has to take affirmative action. And documenting that they failed to do so is how you build a sanctions motion later.

Common auto-delete features to address in preservation letters:

Your preservation letter needs to address the specific categories of evidence relevant to the case — not just say “preserve all documents.” If you don’t specifically flag that security camera footage gets overwritten every 30 days, and the opposing party lets it overwrite, they may argue they didn’t know it was relevant.

Cloud Retention Policies: A Specific Challenge

Cloud platforms add a layer of complexity because retention is often governed by contractual terms between the platform and the user that the opposing party may not fully understand.

Google Workspace: Deleted items are retained in Trash for 30 days, then permanently deleted unless covered by a Google Vault hold. Google Vault is a separate product that requires a paid subscription. Organizations without Vault may have no way to recover messages deleted before they implemented a hold.

Microsoft 365: Deleted items go to the Recoverable Items folder, which has a default retention of 14 days in the second-stage deletion container, then permanent deletion. Litigation Hold in Microsoft Purview preserves items regardless of user-initiated deletion — but it must be activated. Organizations that never activated litigation holds may have significant gaps in their preservation capability.

Slack: Default message retention on paid plans is indefinite for workspace admins, but individual channels can have retention policies set by admins. Deleted messages in Slack are not recovered through normal means — recovery requires enterprise admin tools and may depend on whether the workspace has eDiscovery features enabled.

Personal cloud accounts (iCloud, Dropbox, personal Google Drive): These accounts are not under organizational control, which means a preservation letter to a company doesn’t automatically preserve evidence in an employee’s personal cloud storage that contains relevant business communications.

When drafting preservation letters, ask your forensic expert which platforms are likely in use by the opposing party and what the specific retention windows and deletion policies are. A forensic expert familiar with the organization’s tech stack can tell you which holes to plug.

Drafting Effective Preservation Letters

A preservation letter needs to accomplish three things: put the recipient on notice of the duty to preserve, identify the categories of ESI that need to be preserved, and create a record that establishes the duty and its scope.

Here’s what effective preservation letters include.

Clear trigger: “Pursuant to [describe the dispute or anticipated claim], you are hereby notified that litigation is reasonably anticipated. This letter constitutes your formal notice of the duty to preserve all relevant evidence.”

Specific custodians: Name every person whose communications and files are relevant. “The duty to preserve applies to [Employee A], [Employee B], and any other person with knowledge of or involvement in [the relevant matter].” Vague “anyone with relevant information” language makes it easier for the opposing party to claim they didn’t know specific people were covered.

Specific categories of ESI: Don’t just say “documents.” List:

Auto-delete instruction: “This preservation obligation requires you to immediately suspend any automatic deletion features, retention policies, or routine destruction schedules that may affect relevant ESI.”

Acknowledgment request: Ask for written confirmation that the opposing party has implemented a litigation hold. Their failure to respond is part of your spoliation record.

Dated and documented: Send the letter via certified mail and email. Keep the delivery records. The date of the letter establishes when the opposing party had formal notice.

What Happens When Preservation Fails

When relevant ESI is destroyed after the duty to preserve has attached, you have a range of options depending on the circumstances.

Document the gap first. Before filing a sanctions motion, build the evidentiary record. What evidence should exist? What evidence does exist? What’s missing? How do you know it’s missing rather than just not yet produced? Forensic examination of remaining systems can often reveal gaps — metadata showing files were deleted, database records with missing entries, email thread gaps.

Establish that destruction occurred after the duty attached. The timing is crucial. If you can show the opposing party’s IT logs reflect mass deletion after the trigger date, that’s your foundation.

Show prejudice. Under 37(e)(1), prejudice is required for any remedy. Courts want to see that the lost evidence likely would have mattered — not just that it existed.

Argue intent if the facts support it. The circumstances of the destruction matter. Auto-delete policies that were deliberately maintained after notice, evidence of manual deletion, or suspicious timing all support an intent finding under 37(e)(2).

Sanctions courts can impose range from cost-shifting and additional discovery to adverse inference instructions telling the jury to assume the destroyed evidence was unfavorable to the destroying party. In egregious cases, dismissal or default judgment is available — though courts use those remedies sparingly.

The Forensic Examiner’s Role in Spoliation Cases

When there’s a spoliation dispute, forensic examiners are often called in to do two things: determine what was destroyed and when, and opine on whether the destruction was consistent with routine operations or with deliberate clearing.

Timeline reconstruction: Log files, database metadata, and system artifacts often reveal when files were accessed, modified, or deleted. A competent examiner can often build a timeline that shows whether deletion occurred before or after the duty to preserve attached.

Volume analysis: Was the deletion consistent with normal business operations? If an organization deletes 10,000 emails per week under a retention policy, and 10,000 emails were deleted in the two weeks after the preservation letter was received, that’s consistent with routine operations. If 300,000 emails were deleted in the week after the letter, that’s not.

Recovery attempts: Before concluding that evidence is gone, a forensic examiner should attempt recovery from backup systems, unallocated space on drives, email server archives, and platform-level recycle bins. FRCP 37(e) requires that ESI be “lost” and “cannot be restored or replaced through additional discovery” — exhausting recovery options before filing a sanctions motion is both required and strategically sound.

For more on how forensic examiners document and authenticate the evidence they do recover, see our piece on [chain of custody for cloud-only evidence](/chain-of-custody-cloud-evidence/).

FAQ

When exactly does the duty to preserve attach, and how do I know?

There’s no bright-line rule. The standard is when litigation is “reasonably anticipated” — which is inherently fact-specific. Courts have found the duty attached when a party received a demand letter, when internal communications showed awareness that a lawsuit was likely, when an EEOC charge was filed, and when a government subpoena was received. If you’re a party and you’re asking whether you should implement a hold, the answer is almost certainly yes — the cost of implementing a hold that turns out to be unnecessary is much lower than the cost of sanctions for failing to preserve.

Can I send a preservation letter to a third-party cloud provider?

You can, but its effect is limited. Cloud providers don’t automatically comply with preservation letters from private parties — they respond to legal process. What a letter to a cloud provider does is create a record that you put the provider on notice, which may support a later argument that the provider should have preserved data. For actual preservation of cloud evidence, you typically need either the account holder’s consent to implement a hold (through the platform’s built-in litigation hold features) or a court order compelling the provider to preserve.

What’s the difference between a litigation hold and a preservation letter?

A preservation letter is sent to an opposing party (or potential opposing party) putting them on notice of their duty to preserve. A litigation hold is the internal document an organization issues to its own employees and IT department instructing them to preserve relevant data. When you receive a preservation letter, your first action should be issuing an internal litigation hold. If you’re the one sending the preservation letter, you should also be issuing an internal litigation hold for your own organization’s relevant data.

Does FRCP 37(e) apply in state courts?

FRCP 37(e) applies only in federal court. State courts have their own rules and case law governing spoliation, which vary significantly. Some states have adopted rules similar to the amended federal rule; others rely on common law spoliation doctrine that may allow adverse inference instructions based on negligence alone — a lower bar than the 37(e)(2) intent requirement. If you’re in state court, research the specific spoliation standards in your jurisdiction.

What should I do if I suspect my opponent has already destroyed evidence before I could send a preservation letter?

Act immediately. Retain a forensic expert and begin documenting what evidence should exist based on the nature of the case, what evidence has been produced, and what gaps exist. File a motion for expedited discovery to obtain server logs, IT records, and other metadata that can establish what was deleted and when. If there’s evidence of deliberate destruction, preserve it before filing your sanctions motion — courts want to see that you tried to recover the evidence before concluding it’s gone.