
In re Marriott Int'l Customer Data Sec. Breach Litig.

UNITED STATES DISTRICT COURT FOR THE DISTRICT OF MARYLAND
Dec 2, 2020
MDL 19-md-2879 (D. Md. Dec. 2, 2020)

Opinion


IN RE: MARRIOTT INTERNATIONAL CUSTOMER DATA SECURITY BREACH LITIGATION. THIS DOCUMENT RELATES TO THE CONSUMER TRACK


JUDGE GRIMM

REPORT AND RECOMMENDATION

Introduction

In this data breach case, the consumer plaintiffs complain that Marriott permitted the exposure of their personal data to hackers. Marriott seeks to defend itself by exploring how the hackers used the plaintiffs' private information, alleged to be the product of the hackers' theft, to harm the plaintiffs.

Marriott's efforts have taken two forms: It has served interrogatories and requests to produce documents upon the plaintiffs, seeking the numbers on the credit cards that may have been stolen by the hackers, and the other information the plaintiffs have as to the possible use of their personal data that may illuminate how the hackers used what they stole.

Marriott's second form of discovery is to prepare subpoenas for service upon entities, such as banks or other credit card providers, for information those entities have about the use of their credit cards, whether by plaintiffs or hackers (see Letter of November 23, 2020, at 3-4, specifying why Marriott needs the information it seeks).

The plaintiffs have responded to the discovery sought from them by redacting significant portions of their contents, insisting that paragraph 11 of the Second Amended Protective Order authorizes the redactions. They are also seeking a protective order against the service of the subpoenas on the banks and credit card providers.

I will turn first to the propriety of the redactions made. I have reached a somewhat startling conclusion that the Protective Order ("Order") may not justify the redactions made. I say "startling" because, at this point, counsel for both parties and I have taken that right as a given. Therefore, I believe that all that may be needed to resolve the impasse at which the parties have arrived is to amend the Order to allow information subject to the Order to be used in subpoenas to third parties.

While examining the pertinent provision of the Order more carefully, I was drawn to a more careful consideration of paragraph 11 that revealed a paradox in the paragraph in the Order that seems to permit a universal right to redact what the Order calls "PII."

The Structure of the Order

The pertinent paragraph, paragraph 11, that, according to the plaintiffs, creates an absolute right to redact certain information, follows paragraphs that:

(1) Provide the definitions of the terms used in the agreement (#1)

(2) The agreement's scope and duration (#2 and #3)

(3) The designation by a party of materials claimed to be covered by the agreement and the right to challenge those designations (#4 and 5)

(4) Access to and use of the designated material (#6)

(5) The procedures to be followed when material subject to the agreement is subpoenaed by a third party (#7)

(6) Obligations of a party if it discloses material, subject to the agreement, inadvertently (#8)

(7) The filing of protected material in court (#9)

(8) The final disposition of the material (#10)

Paragraph 1(g) defines a crucial term, "PII," as follows:

"PII": Personally Identifiable Information, which, for purposes of this Order, includes, but is not limited to payment card numbers, financial account numbers, social security numbers, addresses, phone numbers, email addresses, driver's license numbers, other state identification numbers, employer identification numbers, tax identification numbers, passport numbers, a foreign government equivalent of any of these numbers or identifiers, or other personal data that may, in combination, reveal sensitive PII.

Thus, before speaking to redaction, the Order defines this term and then speaks with precision and an all-embracing intent to cover every possible aspect of the (1) creation of the protection of confidential and highly confidential material, (2) access to it, (3) its use, and (4) ultimate disposition.

Redaction

Paragraph 11 permits the redaction on which the plaintiffs rely. As will be seen, however, paragraph 11 does not permit the redaction of "highly confidential" information that contains PII. It only permits the redaction of PII itself.

This paragraph is the only paragraph of the agreement that speaks of redaction. It leads to several difficult questions:

Why would the lawyers have singled out PII and in effect denied any access to it while permitting access to every other kind of highly confidential information? Why would they have permitted controlled access to "highly sensitive personal and confidential" information (Protective Order, paragraph 1(g)) but denied any access to, for example, credit card numbers, which are PII?

My inability to resolve this conundrum led me to a more careful parsing of paragraph 11. I have concluded that the paragraph defies explanation and must be modified to provide adequate guidance on how PII should be treated.

The Redaction Paragraph

The pertinent paragraph, #11, states, in subsection (a), the following:


11. REDACTION OF PII

(a) Any Producing Party may redact from any Disclosures or Discovery Material any "PII," personnel files, or personal contact information for any person. Any Party or Non-Party may designate as "Highly Confidential" those Documents, testimony, or information containing "personal data" within the meaning of the European Union's General Data Protection Regulation (GDPR) or other applicable privacy law or regulation if the GDPR applies to such materials, in which case the Party or Non-Party may redact such personal data contained within said materials. If the same responsive information is otherwise available and not subject to GDPR such information should be produced consistent with the terms of this Order, which provides adequate protection without the need for redaction.

The territorial scope of the GDPR is defined as follows (Art. 3 GDPR, Territorial scope):

This regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the union, regardless of whether the processing takes place in the union or not. This regulation applies to the processing of personal data of data subjects who are in the union by a controller or processor not established in the union, where the processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the union, or the monitoring of their behavior as far as their behavior takes place within the union. (EU GDPR, https://gdpr-info.eu/art-4-gdpr/)

The GDPR defines "personal data" as follows:

For the purposes of this regulation:

"personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

EU GDPR, https://gdpr-info.eu/art-4-gdpr/.

This paragraph seems to create two categories. It first grants the absolute right to redact any "PII, personnel files, or personal contact information." It then creates another category, which is treated differently. This second category is information, whether or not it is PII, within the definition of "personal data" within the meaning of the GDPR, but only if the GDPR applies to it. A party may redact such information. But if the same information is not subject to GDPR, it must be produced and therefore not redacted. The drafters believed redaction was not necessary: the provisions of the Order limiting, for example, who may see such information suffice.

Thus, this paragraph speaks to three categories of information created by this paragraph:

1. PII may be redacted by a party unilaterally and absolutely.

2. Information within the definition of the GDPR and which is subject to the GDPR may be redacted.

3. Information within the definition of the GDPR but not subject to the GDPR may not be redacted because the parties to the Order believe that the Order's protections, other than redaction, sufficed.

Thus, the first sentence of the paragraph grants an absolute right to redact certain information, whereas the last sentence of the paragraph states that redaction is improper as to certain other information. Perhaps the lawyers thought PII was too sensitive to be seen by opposing counsel despite the Order's restrictions on the distribution of the information subject to the Order.

Yet, note that PII may not be redacted if it is within the definition of "personal data" under the GDPR but not subject to the GDPR because it is not within the "territorial scope" of the GDPR. Thus, the last sentence of the paragraph seems to take away the absolute right to redact information granted by the first sentence in the paragraph for information within the "personal data" definition in the GDPR. If this reading is correct, and PII is within the definition of personal data in the GDPR, the paragraph is confounding. Why grant an absolute right to redact in the first sentence of the paragraph and take it away in the last sentence, as to PII, not subject to the GDPR?

The Log Provisions

The log provisions add another problem. Paragraph 11(b) of the Order states the following:

(b) If a Producing Party makes redactions pursuant to Section 11(a) it shall provide a log of redacted documents describing the redactions and confer with the Requesting Party as to whether the redactions will impair the Requesting Party's ability to search for relevant information and, if so, whether reasonable technical means exist to permit search without compromising the protections set forth herein.

First, as I have indicated in an earlier report and recommendation, if section (a) of the paragraph permits redaction of PII, then all a party who redacts material need do is say that the material redacted is PII (ECF No. 649 at 6-7). However, the second sentence imposes an obligation on the party doing the redacting to confer with the opposing party to determine whether there might be a means to accomplish what the paragraph calls the "search" without compromising the protection the Order provides. But there is nothing in the paragraph that requires anyone to do anything else. Therefore, the Order invites the impasse that we have now reached.

Plaintiffs have made redactions by insisting upon an absolute right to redact PII. Marriott insists that plaintiffs' assertion of such a right makes legitimate discovery impossible. There the matter stands, and the parties have been standing there for nearly a year. The agreement provides no guidance as to what should happen now. If the agreement provides plaintiffs with the absolute right to redact the PII they claim, there is not much to talk about.

Paragraph 11 Should Be Stricken

I believe that paragraph 11(a) is so incomprehensible as to be useless. The toothless redaction log provision (subsection (b)) is responsible for the impasse confronting us. Additionally, the Order does not speak to whether information subject to the Order may be used in a subpoena to a third party.

Therefore, I believe it is time to draft a new Order that speaks to the problems we are now confronting, and I recommend that the Court strike paragraph 11 from the agreement. It should then permit the parties to be heard regarding at least the following issues before issuing a revised Order:

1. Should the Court amend the agreement to permit an absolute right to redact information unequivocally, and, if so, what information should be eligible for redaction?

2. If redaction is permitted, should the party making the redaction be required to justify the redaction by specifying the nature of the material redacted and the reason why the redaction meets whatever requirements the Court will impose to justify a redaction? How detailed must that showing be?

3. If the redaction yields a dispute about whether the redaction was permissible under the Order, what standard should be used to resolve it?

4. If the Court determines that absolute redaction should not be permitted, should the Order be further amended to permit that information subject to the Order, including PII, be used if necessary in subpoenas to be served on third parties?

5. Is it necessary to make it clear that information produced by third parties in response to a subpoena is, upon production, subject to the Order?

A Protective Order Based on a Stipulation May Be Modified

I appreciate why the plaintiffs oppose any amendment of the Order. They insist that the burden of establishing an entitlement to an amendment falls on Marriott.

The plaintiffs are certainly correct that it is settled that the burden of establishing a modification of a stipulated protective order falls on the party who seeks it. As has been stated by a court in this Circuit:

A district court has discretionary authority to modify a protective order it has previously entered "for what it deems good cause shown." United States v. (Under Seal), 794 F.2d 920, 928 n.6 (4th Cir. 1986) (observing in passing the court's permissible exercise of discretion, noting it had "no occasion to consider [] the district court's protective order" because the matter was not on appeal). Accord SmithKline Beecham Corp. v. Synthon Pharmaceuticals, Ltd., 210 F.R.D. 163, 166 (M.D.N.C. 2002) (noting that courts have inherent power to modify protective orders, including protective orders arising from a stipulation by the parties) (citations omitted). . . . The party seeking to modify a protective order bears the burden of showing good cause for the modification. Id. (citations omitted).

Schaefer v. Family Med. Ctrs. of SC, LLC, No. 3:18-cv-02775-MBS, 2019 US Dist. LEXIS 82570, at *38-39 (D.S.C. May 16, 2019).

Plaintiffs' Position

The plaintiffs insist that Marriott failed to show good cause for amending the Order. They point out that Marriott had to know that the plaintiffs sought and, in their view, obtained a right to unilateral redaction, but they agreed to the Order containing that provision in paragraph 11.

The plaintiffs also insist that they relied on that right to redaction as they commenced and then proceeded with this litigation. However, they might not have, had they known that they would be compelled to reveal the information they claim the right to redact.

Finally, they complain that the PII should not be permitted to be used in third-party subpoenas because Marriott intends to use those subpoenas to demand information that cannot possibly be relevant to this case and would invade their privacy without good cause.

The Recommendations

I recommend that Judge Grimm permit the plaintiffs to be heard regarding these issues, including whether they should still have absolute power to redact the PII if he accepts my recommendation that the Order should be amended and paragraph 11 deleted.

I also appreciate that the plaintiffs fear that the disclosures on their credit card entries may be used to embarrass them. Marriott denies any such intentions.

There is an important difference between disclosures of information to a lawyer and its subsequent use. The Order is based on the lawyers' mutual trust that the information subject to the Order may be used only to prosecute, defend, or settle this case (Order, paragraph 6(a)). Certainly, Judge Grimm has the power to add that if a document containing highly confidential or confidential information, including PII, is sought in discovery, the document must be used only for the purpose for which it is sought and not to embarrass or harass any party.

In this instance, it would mean that Marriott could use information subject to the Order to investigate whether the credit card numbers at issue or other PII were used by thieves, causing damage to plaintiffs, or they indicate that a different data breach caused the damages sought in this case. Misuse for any other purpose could be sanctioned.

The Need for Modification

The decision on whether there is good cause for revising the Order must weigh the plaintiffs' concerns for their privacy against the necessity of completing the discovery process in a complicated case in a way that is fair and "just, speedy and inexpensive" (Fed. R. Civ. P. 1).

No one could fairly argue that a judge, despite his or her broad discretion over the discovery process, is nevertheless precluded from amending a Protective Order when a provision in it is, in my view, incomprehensible and has created so much trouble and delay. It is better to start fresh and create a provision that works.

That need is urgent. For example, one of the solutions the plaintiffs propose for the subpoena problem is that the parties, under my supervision, create new third-party subpoenas. Once the third parties comply, the plaintiffs want to first review the production. If the plaintiffs again seek the right to redact information before Marriott sees the production, we are right back where we started. We cannot go on like this if we have any hope of finishing discovery.

Plaintiffs' Standing to Quash the Subpoena

As I have indicated in an earlier Report and Recommendation, a party does not have standing to "challenge a subpoena issued to a non-party unless the party claims some personal right or privilege in the information sought by the subpoena." (United States v. Idema, 118 Fed. App'x 740, 744 (4th Cir. January 4, 2005)).

ECF No. 649 at 13.

Accord: United States v. Graham, 824 F.3d 421, 425 (4th Cir. 2016) ("A party has standing to quash a subpoena served on a non-party only if he has a personal right of privilege with respect to the requested information."); Robertson v. Cartinhour, No. AW-09-3436, 2010 WL 716221, at *1-2 (D. Md. February 23, 2010); Clayton Brokerage Co. of St. Louis v. Clement, 87 F.R.D. 569, 570-571 (D. Md. 2010).

The Right of Privacy in the Information Demanded

The plaintiffs claim such a personal right of privacy in the information sought by the subpoenas. However, in United States v. Miller (425 US 435, 440 (1975)), the Supreme Court, invoking what has come to be called the "third-party doctrine," rejected a claim that parties have an expectation of privacy in information they willingly expose to others. Therefore, it followed that they had no expectation of privacy in, for example, original checks, deposit slips, and financial statements in the bank's possession where they had an account.

The Court stated:

The checks are not confidential communications but negotiable instruments to be used in commercial transactions. All of the documents obtained, including financial statements and deposit slips, contain only information voluntarily conveyed to the banks and exposed to their employees in the ordinary course of business. (Id. at 442)

In accordance with this decision, courts in the 4th Circuit have concluded that people have no privacy right that permits them to quash a subpoena directed to a bank or similar institution seeking the bank records pertaining to their account (e.g., Neal v. State Employees Credit Union, 2020 US Dist. LEXIS 83553, 5-6 (E.D.N.C. April 17, 2020); Clayton Brokerage, 87 F.R.D. at 570-571; Robertson, 2010 WL 716221 at *2; Northern v. Windsor Invs. of North Carolina, LLC, No. 13-10661, 2015 Bankr. LEXIS 516, *6-10 (Bankr. M.D.N.C. February 11, 2015); First Mariner Bank v. Resolution Law Group, Civ. No. MJG-12-1133, 2014 US Dist. LEXIS 19565, *2-6 (D. Md. February 14, 2014). See also SEC v. Jerry T. Obrien, Inc., 467 US 735, 743 (not a violation of the 4th amendment to use against the defendant to secure by subpoena "financial records obtained from his bank"); United States v. Graham, 824 F.3d 421 (4th Cir. 2016) (applying Miller and third-party doctrine in a criminal case)).

Note that the 4th Circuit's conclusion that the police did not need a warrant to secure cell-site location data from an ISP provider did not survive the contrary Supreme Court decision in Carpenter v. United States, 138 S. Ct. 2206 (2018).

Unfortunately for the plaintiffs, one of the judges who reached that conclusion was Judge Grimm.

In Corsair Special Situations Fund, L.P. v. Engineered Framing Sys., Inc. (No. 09-1201-PWG, 2011 WL 3651821 (D. Md. August 17, 2011)), then Magistrate Judge Grimm confronted a claim of a right to privacy, justifying the quashing of an opposing party's subpoena upon a third party. The documents at issue were "telephone bills, invoices, incoming and outgoing call records, incoming and outgoing text messages, dates of account, invoices, roaming fees, etc." (Id. at *1). Judge Grimm analogized these records to bank records. He then stated of the business records:

As for the bills, invoices, dates of account, and roaming fees, case law pertaining to privacy rights in bank records is analogous, and therefore informative. Bank records "are not confidential communications, but instruments of commercial transactions" and "the business records of the bank" (Robertson v. Cartinhour, No. AW-09-3436, 2010 WL 716221, at *2 (D.Md. Feb. 23, 2010) (quoting Clayton Brokerage Co., 87 F.R.D. at 571); see United States v. Miller, 425 US 435, 440, 96 S.Ct. 1619, 48 L.Ed.2d 71 (1975) (holding that bank documents are "business records of the bank" rather than the bank's customer's "private papers") (abrogated in part on other grounds by statute)). Therefore, "the issuance of a subpoena requiring the bank to produce its records is not violative of any cognizable privacy right of the defendant." (Robertson, 2010 WL 716221, at *2) (quoting Clayton Brokerage Co., 87 F.R.D. at 571). A phone company's invoices to customers, likewise, are business records of the phone company, and not personal documents in which a customer could have a reasonable expectation of privacy (see generally Robertson, 2010 WL 716221, at *2; Clayton Brokerage Co., 87 F.R.D. at 571). Without a reasonable expectation of privacy, Defendant Marie Hildreth has no standing to challenge the subpoena insofar as it pertains to the phone company's records, i.e., the bills, invoices, dates of account, and roaming fees (see Idema, 118 Fed. App'x 740; Brown, 595 F.2d at 967; Covad Commc'ns Co., 2009 WL 3739278, at *3; Clayton Brokerage Co., 87 F.R.D. at 571).

Id. at *3.

The plaintiffs make only a broad claim of privacy to interdict the subpoenas. But the plaintiffs have no privacy interest in the service of a subpoena upon a bank insofar as the subpoena seeks what Judge Grimm described as "the business records of the bank." Thus, their motion for a protective order premised on their nonspecific claim of privacy fails.

Although the plaintiffs do not object to the subpoenas' specific paragraphs, an analysis of each of those specific paragraphs is necessary to dispose fully of their motion for a protective order. That analysis shows they do not have a right of privacy against the banks' production of the information specified in the subpoenas.

The Specific Demands of the Subpoenas

The subpoenas demand the following:

1. All account holder statements for a particular credit card.

2. All communications or notifications between a particular plaintiff and the entity subpoenaed regarding (a) suspected fraud or unauthorized use of that card; (b) replacing that card; (c) alerts from card brands indicating to the holder their possible compromise in a data-security incident (or otherwise).

3. All documents and communications related to charges made by a particular company or its website identified by name in the subpoena (e.g., hanes.com or Mayfair.com).

4. All agreements between the party being served, such as account holder agreements.

5. All documents related to other authorized users of the account.

6. All recordings of telephone calls between the party being served and the account holder.

I will use the shorthand phrase "bank" for the clumsier "entity being subpoenaed."

First, the credit card statements are exactly what Judge Grimm described as business records. They record transactions against an account in the same way as a check. Similarly, charges made against the account by providers of goods and services are nothing more than debits against the account which the bank recorded in the ordinary course of its business. They too are the bank's business records, as Judge Grimm defined that term.

Second, the communications to and from a third party to the entity being subpoenaed cannot be protected by any privacy privilege the plaintiffs could claim. The plaintiffs neither sent nor received them. This is also true of communications from the bank to the plaintiffs—to which the plaintiffs did not respond. Nor can documents related to other authorized users of the account other than the plaintiffs somehow fall within the plaintiffs' privacy.

Third, the communications between the bank and the plaintiffs are not protected by the plaintiffs' privacy. The heart and soul of the "third-party doctrine" articulated in the Miller case is that a party does not have any claim of privacy in what that party discloses to a third party. The Supreme Court stated "that a bank depositor has no legitimate 'expectation of privacy' in financial information voluntarily conveyed to . . . banks and exposed to their employees in the ordinary course of business." (Miller, 425 US at 442). This is because everyone takes the risk that when they disclose information to a third party, that third party may disclose it, in turn, to someone else (Id.). Therefore, the plaintiffs have no claim of privacy in the agreement they had with the bank or in their communications with the bank. The bank was a party to the agreements and any other communications. It is free to disclose their contents in response to Marriott's subpoenas.

Finally, there is one interesting exception: Although federal law does not prohibit one party to a telephone conversation from tape-recording it, Maryland law does, at least if one of the parties to the call is in Maryland (Perry v. Maryland, 357 Md. 37, 39-40 (Md. 1996)). Therefore, paragraph 9 of the subpoena, which demands the recordings of telephone calls between plaintiffs and banks, is illegal if either party to the conversation lives in Maryland. Marriott will have to be sensitive to this prohibition when it drafts the final version of the subpoenas.

I appreciate that the plaintiffs wish to create a new regimen. They, perhaps using the proportionality factors in Fed. R. Civ. P. 26(b)(1), would ask me to assist in drafting the subpoenas Marriott will issue. When the plaintiffs see what the banks produce, they would then redact from those documents what they claim paragraph 11 of the Protective Order permits them to redact.

The problem is that this regimen contradicts (1) the 4th Circuit's holding in Idema that they have no standing to complain about a subpoena served on a third party; (2) the Supreme Court's decision in Miller that they have no right to privacy in the banks' business records; and (3) Judge Grimm's decision applying Idema and Miller and concluding once again that the plaintiffs have no standing to complain about subpoenas served on a third party and no privacy interest in a bank's business records.

Except for the phone calls between themselves and the banks, the plaintiffs failed to establish that the subpoenas violated their privacy, and their motion for a protective order must be denied.

Conclusion

I recommend that paragraph 11 be stricken from the Protective Order and that the parties be heard as to how it should be revised. I further recommend that the plaintiffs' motion for a protective order be denied.

/s/_________

John M. Facciola

Dated: 12/2/2020

