Summary
concluding that defendant "cannot shield [consultant forensic work] from discovery by delegating [its] supervision to counsel"
Summary of this case from Guo Wengui v. Clark Hill, PLCOpinion
[Copyrighted Material Omitted] [Copyrighted Material Omitted]
Kim D. Stephens, Christopher I. Brain, and Jason T. Dennett, Tousley Brain Stephens PLLC, Keith S. Dubanevich, Steve D. Larson, and Yoona Park, Stoll Stoll Berne Lokting & Shlachter PC, Tina Wolfson, Ahdoot and Wolfson PC, James Pizzirusso, Hausfeld LLP, and Karen Hanson Riebel and Kate M. Baxter-Kauf, Lockridge Grindal Nauen PLLP, Of Attorneys for Plaintiffs.
Paul G. Karlsgodt, BakerHostetler LLP, James A. Sherer, BakerHostetler LLP, Daniel R. Warren and David A Carney, BakerHostetler LLP, and Darin M. Sands, Lane Powell PC, Of Attorneys for Defendant.
OPINION AND ORDER
Michael H. Simon, District Judge.
Plaintiffs bring this putative class action against Defendant Premera Blue Cross ("Premera"), a healthcare benefits servicer and provider. On March 17, 2015, Premera publicly disclosed that its computer network had been breached. Plaintiffs allege that this breach compromised the confidential information of approximately 11 million current and former members, affiliated members, and employees of Premera. The compromised confidential information includes names, dates of birth, Social Security Numbers, member identification numbers, mailing addresses, telephone numbers, email addresses, medical claims information, financial information, and other protected health information (collectively, "Sensitive Information"). According to Plaintiffs, the breach began in May 2014 and went undetected for nearly a year. Plaintiffs allege that after discovering the breach, Premera unreasonably delayed in notifying all affected individuals. Based on these and other allegations, Plaintiffs bring various state common law claims and state statutory claims.
Before the Court are Plaintiffs’ motion to compel and Premera’s motion to compel. Plaintiffs request an order requiring Premera to produce certain documents, described by category, that Premera has withheld based on assertions of attorney-client privilege or protection under the attorney work-product doctrine. Premera requests an order requiring Plaintiffs to produce specific devices and documents identified during depositions. For the reasons discussed below, Plaintiffs’ motion is granted in part and denied in part, and Premera’s motion is denied.
A. Plaintiffs’ Motion
The Court previously set out the standards applicable to attorney-client privilege and work-product protection. See ECF 132 at 2-5; available at In re Premera Blue Cross Customer Data Sec. Breach Litig., 296 F.Supp.3d 1230, 1237-40 (D. Or. 2017) ("Privilege Opinion"). Those standards are incorporated herein.
Plaintiffs challenge Premera’s withholding of several categories of documents. Premera responds that the identification of these categories is misleading, because Premera only has withheld documents that: (1) contain the legal advice of counsel; (2) were prepared by counsel; (3) contain edits by counsel; (4) are internal Premera documents prepared at the request of counsel for the purpose of informing legal counsel; (5) were prepared by or at the direction of counsel in anticipation of litigation; (6) were prepared by or at the direction of counsel for response to a regulatory investigation or inquiry; (7) are communications with or documents prepared by a third-party vendor for the purpose of communicating with an attorney to provide legal advice; (8) are communications with or documents prepared by a third-party vendor that contain work product; (9) are communications with or documents prepared by a litigation discovery vendor or other litigation support personnel; (10) are documents subject to the common interest agreement with the Blue Cross/Blue Shield Association; or (11) are documents with no substantial non-privileged information to redact.
Plaintiffs rely heavily on the Court’s Privilege Opinion in arguing the pending motion to compel. That Privilege Opinion, however, expressly did not involve any communications sent to or from counsel. Many of the documents at issue in the pending motion have been sent to or from either in-house or outside counsel. The Court will discuss general principles involved when a document is sent to or from an attorney or is prepared at the request of counsel. The Court will then apply these principles to representative samples from each of the categories identified by Plaintiffs to provide guidance to the parties. Based on this guidance, Premera then can reconsider its assertions of privilege, and revise and update its privilege log as needed, including by providing more detailed descriptions of its assertions of privilege. This Opinion and Order also will provide Plaintiffs with further information from which to determine whether they are entitled to additional documents. After Premera has updated its privilege log and production or notified Plaintiffs that it does not intend to make any further changes, if Plaintiffs continue to believe that certain documents are being improperly withheld, Plaintiffs have leave to renew their motion to compel.
1. General Standards
As the Court previously discussed, the attorney-client privilege is limited only "to information related to obtaining [legal] advice" and "a document prepared for a purpose other than or in addition to obtaining legal advice and intended to be seen by persons other than the attorney, does not become subject to the privilege merely by being shown to the attorney." Mechling v. City of Monroe, 152 Wn.App. 830, 853, 222 P.3d 808 (2009) (emphasis added). Moreover, the attorney-client privilege is a "narrow privilege," it "does not shield facts from discovery, even if transmitted in communications between attorney and client," and it "must be strictly limited to the purpose for which it exists." Newman v. Highland Sch. Dist. No. 203, 186 Wn.2d 769, 777-78, 381 P.3d 1188 (2016). The privilege does, however, apply "to any information generated by a request for legal advice, including documents created by clients with the intention of communicating with their attorneys." Doehne v. EmpRes Healthcare Mgmt., LLC, 190 Wn.App. 274, 281, 360 P.3d 34 (2015). This can include reports and other documents generated at the request of in-house counsel or risk management if done for the purpose of assisting to address issues of liability or to avoid or prepare for litigation. Id. at 282-83, 360 P.3d 34.
a. Email communications
In considering emails sent to and from counsel, the emails must request or provide legal advice, as opposed to containing merely a factual discussion, to be entitled to attorney-client protection. See Newman, 186 Wn.2d at 778, 381 P.3d 1188 ("The attorney-client privilege does not shield facts from discovery, even if transmitted in communications between attorney and client."); Doehne, 190 Wn.App. at 282-83, 360 P.3d 34 (noting that the focus of the privilege analysis must be the purpose for which a document was created). An exception to this is facts transmitted to counsel so that counsel can provide adequate legal representation. See Upjohn Co. v. United States, 449 U.S. 383, 390, 101 S.Ct. 677, 66 L.Ed.2d 584 (1981) (noting that attorney-client privilege extends to "the giving of information to the lawyer to enable him to give sound and informed advice"). This exception, however, should not be allowed to swallow the rule that facts are not shielded from discovery even if transmitted to an attorney.
Directly seeking legal advice is privileged, even if it relates to a business function. See In re Premera, 296 F.Supp.3d at 1244 ("If, however, communications were sent to or from counsel seeking or providing actual legal advice, such as about possible legal consequences of proposed text or an action being contemplated by Premera, then such communications would be privileged."). Companies regularly seek legal advice from attorneys relating to business functions. See Upjohn, 449 U.S. at 392, 101 S.Ct. 677 ("In light of the vast and complicated array of regulatory legislation confronting the modern corporation, corporations, unlike most individuals, ‘constantly go to lawyers to find out how to obey the law.’ " (quoting Burnham, THE ATTORNEY-CLIENT PRIVILEGE IN THE CORPORATE ARENA, 24 Bus. Law. 901, 913 (1969) ).
b. Draft documents
Draft documents prepared by attorneys, at the request of attorneys, or otherwise prepared by Premera employees or third-party vendors, and sent to and from attorneys for legal advice relating to those drafts, are likely subject to the attorney-client privilege or work-product protection. This is a different situation than the Court previously addressed, because those were documents prepared by Premera employees who were not attorneys and sent to and from employees who were not attorneys.
A draft document prepared by outside counsel and emailed to its client Premera for review is protected by the attorney-client privilege and work-product protection. See, e.g., Roth v. Aon Corp., 254 F.R.D. 538, 541 (N.D.Ill. 2009) ("Indeed, most courts have found that even when a final product is disclosed to the public, the underlying privilege attached to drafts of the final product remains intact."). An exception to this would be if counsel is drafting the document as a delegatee of Premera’s business function. Brawner v. Allstate Indem. Co., 2007 WL 3229169, at *4 (E.D. Ark. Oct. 29, 2007) (noting that defendants "may not generally assert a blanket privilege as to those facts that were generated by its investigation merely because ... they elected to delegate their ordinary business obligations to legal counsel" (quotation marks omitted) ); Lumber v. PPG Indus., Inc., 168 F.R.D. 641, 646 (D. Minn. 1996) (noting that the plaintiffs could not "shield their investigation ... merely because they elected to delegate their ordinary business obligations to legal counsel"). A draft prepared at the request of counsel or otherwise prepared by Premera or a third-party vendor and sent to counsel for review and legal advice is subject to the attorney-client privilege. See In re Banc of California Sec. Litig., 2018 WL 6167907, at *2 (C.D. Cal. Nov. 26, 2018) ("When a client sends a draft disclosure document to an attorney for comment or input, the attorney-client privilege attaches to the draft and remains intact even after the final document is disclosed."). The fact that a document may be prepared for a business purpose does not preclude it from being privileged if it is sent to an attorney for the purpose of receiving legal advice relating to that document. If, however, a draft document that is prepared for a business purpose (such as a breach notification letter or press release) is merely sent to an attorney for the attorney’s file or information, and not for the purpose of receiving legal advice, or is distributed among Premera employees or to third-party vendors for general discussion and an attorney is merely copied, then the document is not privileged merely because it is sent to an attorney.
2. Press Releases, Notices to Customers, and Documents Relating to Remediation
Plaintiffs argue that Premera improperly is withholding 21 documents relating to news articles, public relations, and press releases simply because an attorney is either on the communication or the document was prepared at the request of counsel. Plaintiffs add that Premera wrongfully is withholding 436 documents or communications concerning notices to customers and others relating to the data breach. Finally, in this category, Plaintiffs contend that Premera improperly is withholding 74 documents relating to remediation. Premera asserts that these documents properly are withheld because they fall within one of the eleven enumerated categories identified by Premera as the only types of documents they withheld.
a. Press releases
A review of the privilege log relating to the challenged "press" documents reveals potentially different privilege issues. For email communications, attorneys are included on all the challenged documents. It is unclear from the privilege log descriptions, however, that legal advice is the purpose of all the communications, as opposed to a merely factual discussion. For example, many of the communications are identified simply as "discussing" published articles about different topics (Premera’s data breach, cybersecurity, etc.). If this discussion involves seeking legal advice about how that particular article might affect Premera or litigation, or how from a legal perspective Premera should comment on the article, it is privileged. See In re Premera, 296 F.Supp.3d at 1244 ("If, however, communications were sent to or from counsel seeking or providing actual legal advice, such as about possible legal consequences of proposed text or an action being contemplated by Premera, then such communications would be privileged."). If that discussion merely involves the facts in the article or facts about how others are responding to the article, and does not contain a request for legal advice or the provision of any legal advice from attorneys, then merely because attorneys are included on the email does not render the email privileged.
There are also emails that appear to be communications back-and-forth between Premera employees and counsel relating to an article Premera’s Chief Executive Officer was drafting. These appear more likely to include privileged communications— Premera asking for and receiving legal advice about how the article should be written to minimize legal exposure, whether its contents could impact Premera’s risk of liability, and the like. Again, based on the privilege log description, it is difficult to ascertain whether that is in fact what the communications contain, but the subject line of the emails and the overall log entries supports such an inference.
Finally, there are two entries that include an attachment apparently sent to counsel titled "Premera Monitoring Report 8am." These entries state that the attachment involves "public relations issues" and is privileged because it is from a third-party vendor (Edelman) and contains work product. In the Privilege Opinion the Court found that having an attorney hire a third-party vendor to perform business functions, including conducting investigations, preparing reports, or performing other duties (expressly including public relations), does not serve to convert the business function into a legal function or make any resulting documents work product or related communications subject to the attorney-client privilege. In re Premera, 296 F.Supp.3d at 1242-44 (citing cases). Indeed, the Court expressly found public relations relating to the data breach to be a business function Premera would have had to perform regardless of any litigation, and specifically mentioned Edelman as a vendor performing a business function. Id. at 1242. Premera’s privilege log entry does not explain how Edelman is performing a legal function and not a business function in preparing the public relations-related monitoring reports, nor how by merely (apparently) sending this report to counsel makes the report privileged or subject to work-product protection. The privilege log does not indicate that this was sent to counsel seeking counsel’s legal advice or input on the report.
The privilege log identifies who the document is from, an executive at Edelman, a public relations firm, but not who is the specific recipient.
b. Notices
Plaintiffs challenge 436 documents relating to Premera’s notification to customers and others of the data breach. For the first example, the challenged documents include emails to and from outside counsel relating to the breach notice, frequently asked questions ("FAQ"), scripts for when people call with questions, and other similar documents. Plaintiffs argue that none of the challenged documents contain edits or redlines in the privilege log description and thus they cannot be withheld on privilege grounds, citing to the Court’s Privilege Opinion. The cited discussion regarding edits or redlines, however, related to internal documents drafted by Premera employees and sent among Premera employees, not communications sent to and from counsel. In the Privilege Opinion, the Court noted that if Premera employees were forwarding redlines or edits of counsel, those could be redacted. That does not mean, however, that communications to and from counsel can only be privileged if they contain edits or redlines.
As discussed above, a client can email an attorney asking for legal advice and obtain the advice in a return email without any edit or redline involved. It appears that many of the challenged communications in this category likely seek the advice of outside counsel regarding how the letters, FAQ, scripts, etc. should be drafted. The primary purpose of the communication would then be for legal advice, and the communication would be privileged. Although Premera may have had to notify their clients of the breach regardless of litigation and prepare a script for when customers call after notification regardless of litigation, that does not mean that Premera cannot seek the advice of counsel and have that legal advice protected by the attorney-client privilege. As noted, corporations regularly seek legal advice on how to conduct business functions. This is different from delegating an ordinary business function to an attorney or using an attorney to hire a third party to conduct a business function in order to try to shield the business function with the attorney-client privilege.
The Court observes, however, that there are numerous entries in this category that simply state that the emails include privileged information "related to" the notification of various entities. If this type of email discussion does not otherwise qualify for protection, it must be produced. The Court has already held that the notification of customers and others about the data breach was primarily a business function. Discussions regarding those notifications, even if they include attorneys, are similarly business functions unless the communications seek or provide legal advice, or provide factual information to the attorneys so that counsel can provide adequate legal services. Premera should ensure that all the emails "related to" notifications that it has designated as privileged qualify for the privilege.
The next example involves draft documents. As discussed above, draft documents sent to or from counsel seeking the legal advice and input of counsel on those drafts are privileged. This includes draft notification letters. Documents drafted by counsel in anticipation of litigation (and not drafted as a delegated business function) are entitled to protection under the work-product doctrine, and if sent to Premera as part of counsel’s representation are entitled to attorney-client privilege protection.
One example included in this category are drafts of "scripts" (as opposed to emails discussing the scripts, which would be covered by the Court’s discussion relating to emails above). Various scripts were prepared and given to Premera employees setting out what they could say when customers called with certain types of questions after receiving notification of the data breach. The privilege log in this category indicates that one script was prepared by outside counsel. Another script was prepared by Premera at the request of outside counsel. Outside counsel states in his declaration that his firm provides legal advice after a data breach regarding how to respond in anticipation of litigation and regulatory investigations.
To qualify for work-product protection, materials must: "(1) be prepared in anticipation of litigation or for trial and (2) be prepared by or for another party or by or for that other party’s representative." U.S. v. Richey, 632 F.3d 559, 567 (9th Cir. 2011) (quotation marks omitted). When materials are prepared for a "dual purpose," meaning they are not prepared exclusively for litigation, then the "because of" test applies. Id. at 568. Under that test, "[d]ual purpose documents are deemed prepared because of litigation if in light of the nature of the document and the factual situation in the particular case, the document can be fairly said to have been prepared or obtained because of the prospect of litigation." Id. (quotation marks omitted). Courts, however, must view "the totality of the circumstances and determine whether the document was created because of anticipated litigation, and would not have been created in substantially similar form but for the prospect of litigation." Id. (quotation marks omitted).
The Court finds it reasonable to believe that absent the prospect of litigation, what Premera said to customers who called after receiving notification of the data breach might well have been in a substantially different format. Absent litigation, Premera might not have used "scripts" but may have just had talking points, or what was contained in the scripts might have been different. Concerns about litigation likely restricted what Premera was willing to say and how much information Premera was willing to provide to worried customers. The scripts were therefore prepared "because of" the anticipated litigation and regulatory inquiries. Accordingly, the drafts of the scripts that were prepared by outside counsel or at the request of outside counsel are subject to protection under the work-product doctrine. The actual final scripts, however, which were intended to be read to, and thus disclosed to, third parties (persons calling Premera with questions about the data breach), are not privileged and must be produced.
The final example is an attachment to counsel for Premera Blue Cross (a joint defense party) containing a list of Premera members that require a notice in Spanish. This document does not appear to be requesting legal advice. It appears to be providing factual information, but not factual information necessary for the attorneys to provide adequate legal representation. Thus, the mere fact that the attachment was sent to counsel is insufficient to render the document privileged.
c. Remediation
Plaintiffs challenge 74 documents withheld that relate to remediation. Plaintiffs argue that remediation is a business function, as previously found by the Court. Many of these are emails to or from counsel. As discussed above, if they contain actual legal advice or requests for legal advice, they can be withheld for privilege. Additionally, if they are providing factual information requested by counsel so that counsel can provide adequate legal representation, they can be withheld as privileged.
Other documents in this category are attachments provided to counsel that were prepared by third-party vendors. The vendors are not identified, and the attachments are not described with any detail. The Court previously found that third parties performing general remediation efforts, even if hired by counsel, are performing a business function. In re Premera, 296 F.Supp.3d at 1246-47. Accordingly, the fact that a third-party vendor prepared a remediation-related document and sent it to outside counsel is insufficient to designate that document as subject to the attorney-client privilege or work-product protection. The attachment must constitute giving factual information to counsel so that counsel can provide sound and informed legal advice or have been sent to the attorney requesting the attorney’s legal advice and input.
The final document the Court will discuss in this category is a timeline prepared by in-house counsel relating to Premera’s remediation efforts. Premera has not shown that this timeline would not have been prepared in substantially the same format absent anticipated litigation or regulatory investigations. As a business, Premera presumably would have tracked its remediation efforts. Accordingly, this document is not subject to work-product protection. Because it is not a document seeking or providing legal advice, it is not subject to the attorney-client privilege.
3. Drafts
Plaintiffs assert that Premera continues to withhold 405 drafts of internal business documents. The documents include draft scripts prepared by outside counsel and in-house counsel, draft FAQs prepared by in-house counsel, draft narratives generated at the request of outside counsel to respond to regulatory inquiry requests, draft notices to customers generated by in-house counsel, draft news articles, and other documents.
Although Plaintiffs state that they do not seek production of documents containing redlines or edits, many of the documents specifically requested by Plaintiffs state in the privilege log that they contain edits of counsel. Indeed, Plaintiffs quote PrivID_005640 ("Draft letter edited by counsel ... regarding op-ed article ..."). The basis for withholding stated in the privilege log for that document is "edits by counsel." For the documents containing edits by counsel, the Court finds that the privilege designation is appropriate. The Court discussed above that scripts prepared by or at the request of outside counsel are entitled to work-product protection. Narratives drafted to help prepare responses to regulatory inquiries are also entitled to work-product protection, because they were prepared for the regulatory inquiry and not a general business purpose. They are also likely subject to the attorney-client privilege because the drafts were emailed back-and-forth to counsel for review.
The remaining documents in this category should be considered based on the guidelines the Court has set forth in this Opinion and Order. If the documents were sent to and from attorneys seeking legal advice and input, they are privileged. If the documents were drafted by counsel or at the request of counsel in anticipation of litigation with a primary purpose of litigation, they are subject to work-product protection. Business documents, however, such as drafts of newspaper articles, press releases, and notification letters, that are merely sent to or from attorneys without seeking or providing legal advice or input, are not privileged.
4. Business and Technical Documents
Plaintiffs challenges 62 documents relating to internal audits, security assessments and reviews, 131 documents relating to information technology and security, and 226 documents relating to Premera’s investigation and response to the data breach. Plaintiffs argue that the primary purpose of these documents is business, not legal.
The same as the other categories, some of these are email communications with counsel and should be evaluated as set forth above. Regarding Premera’s audits and investigations of their information technology and security, Premera’s general information technology and training, and Premera’s investigation of the data breach, the Court is not persuaded that these were primarily done with legal purpose and not business purpose. As a business, Premera needs periodically to audit its information technology and security and training. After the breach, it also needed to conduct such an audit. This would have happened regardless of any pending litigation or regulatory investigations.
Premera provides the Declaration of Gabriel Bender, who states that he, as Assistant General Counsel and Director of Privacy at Premera, and his predecessor, request "[c]ertain types of audits and internal investigations" with the intent that the results be provided to the legal team so the legal team can provide "legal advice as necessary to the company." ECF 237 at 2. Mr. Bender states that he designates these audits and investigations attorney-client privileged because they are intended to assist counsel.
It may well be that counsel will use the results of the audits and investigations "as necessary" in providing legal advice. That does not mean, however, that the primary purpose of the audits or investigations is legal instead of business. For example, Plaintiffs note that the 2013 and 2014 technology audits have been withheld by Premera under this same claim of privilege. The 2013 audit was performed before the data breach occurred and the 2014 audit before the breach was discovered. These audits thus are normal business functions performed on a regular basis, to enable Premera to assess the state of its technology and security. Premera cannot shield them from discovery by delegating their supervision to counsel. Brawner, 2007 WL 3229169, at *4; Lumber, 168 F.R.D. at 646.
Regarding Premera’s investigation into the cause of the breach, discovering how the breach occurred was a necessary business function regardless of litigation or regulatory inquiries. Premera needed to conduct an investigation as a business in order to figure out the problem that allowed the breach to occur so that Premera could solve that problem and ensure such a breach could not happen again. Accordingly, the Court finds that Premera’s investigation into the breach was conducted primarily for a business purpose. If, however, an attorney took the information from these documents and drafted a different document in preparation for litigation, that document would be protected. Additionally, just because an underlying audit or investigatory report is not privileged, an email to an attorney seeking legal advice regarding the report would be privileged and could be redacted. A draft report sent to counsel seeking legal advice and input on the draft also would be privileged.
Regarding Premera’s investigation into its physical security, there is no indication that this was triggered by anticipation of litigation or the regulatory inquiries. The data breach was not committed through a physical intrusion. Premera’s investigation into its physical security was primarily a business function, ensuring that Premera was secure from future physical intrusions, even though this particular incident was unrelated to such conduct.
Premera’s response to the breach, however, was likely affected by the anticipation of litigation and regulatory inquiries. Other than the initial business steps of remediation, notifying customers, and making public statements, which Premera would have had to do regardless, the later actions by Premera were likely guided by advice of counsel and concerns about potential liability. Thus all of Premera’s "response" to the breach is not primarily a business function.
The documents in this category include some already discussed, such as scripts and narratives. They should be evaluated based on the Court’s guidance in this Opinion and Order.
5. Documents Disclosed to Third Parties
Plaintiffs challenge 114 documents they assert were disclosed to third-party vendors, 159 documents that were disclosed to Mandiant, and other documents that relate to work being provided by third-party vendors, which Plaintiffs argue are also subject to third-party waiver. The Court begins with Plaintiffs’ final category, documents not disclosed to any third party but that relate to services provided by a third party. Plaintiffs provide no legal authority for the proposition that all such documents have had privileged waived because they relate to work a third party is performing. The Court declines to so find. The fact that an attorney is being asked to give legal advice about something a third-party vendor is working on does not extinguish the attorney-client protection. For example, if a Premera employee emails counsel and asks for legal advice about the scope of work to be given to a third-party vendor, or about drafting the contract for a third-party vendor to sign, or about some aspect of the third-party vendor’s performance, all of that would be subject to the attorney-client privilege. To otherwise hold would eviscerate the protection of the attorney-client privilege, because corporations and individuals regularly use third parties to provide services and will regularly need to consult attorneys about the third party’s services. In other words, if an email or document would be subject to the attorney-client privilege or work-product protection, it does not lose that protection because the underlying subject matter relates to work being done by a third-party vendor.
That said, as with all the draft documents discussed in this opinion, if a third-party vendor is performing a business function and has prepared a draft document and if Premera employees are emailing and discussing the draft document, the fact that an attorney is on the email does not automatically render the draft document or the email privileged. The email must independently qualify as privileged and the draft is only privileged if the attorney is being asked to provide legal input and advice on that draft. Similarly, if Premera employees generally are discussing factual information relating to a third-party vendors’ services with counsel, and not requesting or receiving legal advice or providing facts to the attorney to provide legal services, the email would not be privileged.
Regarding documents provided to third-party vendors, the Court notes that not all third-party vendors are providing a business service. In the Privilege Opinion the Court found that some appear to be providing legal services. For vendors providing legal services, privilege and work-product protections attach in the same manner as communications with counsel and there is no waiver. The Court suggests that if disputes between the parties remain relating to documents shown to third-party vendors, Premera provide more information regarding how the vendor is performing legal services (e.g., whether the vendor was hired by counsel, the broad category of services being provided by the vendor, etc.) so that Plaintiffs can more effectively determine whether to challenge the disclosure as creating a waiver.
Regarding Mandiant, Mandiant has been hired by Premera’s outside counsel and thus is not a "third party" that would trigger the waiver of privilege if documents are shown to Mandiant. Although the Court found that Mandiant’s change in supervision from Premera to outside counsel was insufficient to change Mandiant’s focus from a business purpose to a legal purpose because the scope of work did not change, that does not turn Mandiant into a stranger for purposes of privilege. Indeed, the Court expressly anticipated that there would be attorney-client privileged and work-product protected information provided to Mandiant that would need to be protected. In re Premera, 296 F.Supp.3d at 1246 ("[G]iven Mandiant’s role in working with outside counsel, there may be some privileged communications or work-product protected information in the withheld documents. Thus, if there are specific documents or portions of documents that Premera contends contain privileged information ... or work-product information ... then they may properly be withheld." (alteration added) ). Accordingly, disclosure to Mandiant does not waive privilege.
6. Documents for which Protection Under the Work-Product Doctrine is Claimed
Plaintiffs challenge 60 documents for which Premera has asserted work-product protection. Plaintiffs also generally challenge any document in any category for which work-product has been asserted. Plaintiffs argue that Premera fails to demonstrate that the documents were prepared in anticipation of litigation or "because of" litigation if the document serves a dual purpose. In this Opinion and Order, the Court has provided guidance on evaluating work-product protection for draft documents and various categories of documents. If disputes remain after the parties apply this guidance, then Plaintiffs may renew their motion.
B. Premera’s Motion
Premera moves to compel production of specifically-identified personal computers, including tablets (collectively, "Devices"), from named Plaintiffs April Allred, Barbara Lynch, Debbie Hansen-Bosse, Elizabeth Black, Gabriel Webster, Krishendu Chakraborty, Laura Webster, Mary Fuerst, Howard Kaplowitz, Ralph Christopherson, Ross Imbler, and William Fitch. Premera also moves to compel documents related to issues discussed at depositions for which Premera does not believe all documents have been produced.
1. Devices
Plaintiffs responded to all of Premera’s RFPs requesting the Devices with identical objections. Plaintiffs object to producing the Devices for Premera to image, or producing forensic images of the Devices, on the grounds that the Devices are not relevant, and production of them are an undue invasion of privacy, are unduly burdensome, are intended to harass and intimidate the named Plaintiffs, are disproportionate to the needs of the litigation, and that Premera has not met its heightened burden to show good cause required to obtain these personal Devices. Premera first argues that Plaintiffs’ "boiler plate" objections must be disregarded. This argument is without merit. Although Plaintiff lodged the same objection for all Premera’s requests for the personal Devices of the named Plaintiffs, the objection was not boilerplate. Plaintiffs made specific objections relating to the request for personal computers and cited to relevant case law.
Regarding relevance, in its motion Premera argues that the Devices "directly relate to the heart of this case." Specifically, Premera asserts that because named Plaintiffs testified regarding specific incidents of potential identity theft, such as the opening of fraudulent credit cards, "Plaintiffs must establish an actual causal link between the Defendant data breach and their alleged harm." Premera argues that Plaintiffs cannot make this link if their Devices have malware or evidence of other intrusions. Premera asserts by way of example named Plaintiff Mr. Christopherson’s testimony that his bank account information was obtained by "scammers" and that Premera is entitled to Mr. Christopherson’s Device "in order to determine precisely what the scammers took from Mr. Christopherson and whether such evidence disrupts the causal link that Plaintiffs allege exists between the Defendant breach and the alleged harm to Mr. Christopherson."
The flaw in Premera’s argument is that Plaintiffs are not alleging any identity theft-related injuries or seeking any such damages. Indeed, this fact is why Premera is challenging the adequacy of the named Plaintiffs as class representatives and class counsel as adequate representation for the class in the pending class certification motion. The only damage theories alleged by Plaintiffs are: (1) a market price premium theory— a benefit of the bargain theory— relating to the premiums paid by Plaintiffs and whether they received the full value of what they paid for with those premiums when they received inadequate data security provided by Premera; and (2) a loss of value theory, relating to the loss of value in Plaintiff’s private information in having their information breached. Neither of these damage theories involve incidents of identity theft or fraud and whether there is a "causal link" between any such incidents and the data breach at Premera.
In its reply brief, however, Premera asserts that the devices are also relevant because Plaintiffs continue to assert that their data was misused as a result of data exfiltration in pursuing their claims, even if they are not pursuing damages based on that misuse, and the devices will help determine whether data breach exfiltration or some other cause resulted in the alleged misuse. This is a sufficient statement of relevance, which generally has a low threshold for discovery, although as discussed below becomes important in the context of proportionality.
Regarding Plaintiffs additional objections, in response to Premera’s motion to compel, Plaintiffs focus on their objection of disproportionality. Plaintiffs acknowledge that Rule 34 of the Federal Rules of Civil Procedure allows a party to request "to inspect, copy, test, or sample ... designated documents or electronically stored information" or "data or data compilations ... stored in any medium." Plaintiffs argue, however, that courts recognize that "The Advisory Committee noted that Rule 34 ‘is not meant to create a routine right of direct access to a party’s electronic information system, although such access might be justified in some circumstances.’ " Brocade Commc’ns Sys., Inc. v. A 10 Networks, Inc., 2012 WL 70428, at *1 (N.D. Cal. Jan. 9, 2012). Plaintiffs assert that the circumstances required to warrant intrusion into the Devices are not present in this case and production of the Devices is not proportional.
Courts have found good cause for the production and imaging of personal computers and that the production is proportional to the needs of the case when there is a "close relationship between [the] plaintiff’s claims and [the] computer equipment," such as in a misappropriation of trade secrets claim. Ameriwood Indus., Inc. v. Liberman, 2006 WL 3825291, at *1 (E.D. Mo. Dec. 27, 2006); see also Brocade, 2012 WL 70428, at *2 ("Thus, Brocade has shown that forensic imaging and analysis of the deleted files is relevant to at least Brocade’s trade secret misappropriation and copyright claims, and to testing the veracity of A10’s claims as to whether any of Brocade’s source code files on Mr. Szeto’s hard drives were accessed while A10 was developing the source code for the AX Series devices, or whether any of Brocade’s source code files on Mr. Szeto’s hard drives were ever deleted."); Balboa Threadworks, Inc. v. Stucky, 2006 WL 763668, at *3 (D. Kan. Mar.24, 2006) ("Courts have found that such access is justified in cases involving both trade secrets and electronic evidence, and granted permission to obtain mirror images of the computer equipment which may contain electronic data related to the alleged violation.").
The relevance asserted by Premera, however, is not closely related to Plaintiffs’ claims or damages, or even Premera’s defenses. As discussed above, Premera has not shown any relevance to Plaintiffs’ damages theories. Premera’s relevance argument accepted by the Court is quite narrow— that Plaintiffs still argue that their data has been misused. This may meet the low threshold for relevance of some information that potentially may be found on Plaintiffs’ Devices, but it does not show a sufficiently close relationship between Plaintiffs’ claims and the Devices to support the Court ordering the burdensome and intrusive imaging of Plaintiffs’ Devices.
Premera has not argued that the Devices are relevant to Plaintiffs’ loss of value theory, such as by potentially containing evidence that Plaintiffs’ information was previously exposed to the market, thereby reducing the value of Plaintiffs’ Sensitive Information before the alleged data breach.
Plaintiffs’ claims are that Premera: (1) breached its contracts by failing to provide adequate data security; (2) engaged in an unfair practice by failing to provide data security; (3) engaged in deceptive practices by failing timely to notify its customers and regulators of its inadequate data security and the data breach (an omissions claim); (4) was negligent in providing inadequate data security; and (5) violated California’s Confidentiality of Medical Information Act in providing inadequate data security and allowing the Sensitive Information of putative class members’ who reside in California to be accessed. None of these claims is closely related to the information likely contained on Plaintiffs’ Devices. Plaintiffs’ claims are unlike the misappropriation of trade secret claims or other claims where the data on the computers and hard drives were central to the claims. At most, the data on Plaintiffs’ Devices and the alleged "misuse" of Plaintiffs’ information are peripheral and remotely relevant to any of Plaintiffs’ claims or Premera’s defenses.
Additionally, with respect to relevance, Premera’s request "for complete forensic images of the devices threatens to sweep in documents and information that are not relevant to the issues in this case." Henson v. Turn, Inc., 2018 WL 5281629, at *5 (N.D. Cal. Oct. 22, 2018). The vast majority of what is on Plaintiffs’ Devices likely does not relate to any possible data exfiltration that may have occurred from those computers.
Furthermore, with respect to proportionality, although such issues "often arise in the context of disputes about the expense of discovery, proportionality is not limited to such financial considerations. Courts and commentators have recognized that privacy interests can be a consideration in evaluating proportionality, particularly in the context of a request to inspect personal electronic devices." Id. (footnote omitted) (citing cases). Considering the limited relevance of Plaintiffs’ Devices, the fact that the Devices are not closely related to the claims and defenses in this case, and the burden to Plaintiffs and their privacy interests, the Court finds at this time and based on the information and arguments presently before the Court, that Premera’s request for a forensic image of Plaintiffs’ devices is not proportional to the needs of the case. See id. at *7 (denying request for such "extraordinary" access). Accordingly, Premera’s motion to image Plaintiffs’ Devices is denied.
2. Documents
Premera requests that certain documents be produced relating to incidents and issues discussed at the depositions of the named Plaintiffs. Although Plaintiffs responded to the requests for production by raising several objections, Plaintiffs nonetheless additionally responded that they had already produced responsive documents but would conduct an additional diligent search. Counsel for Plaintiffs submitted a declaration stating that after those additional searches were performed, Plaintiffs produced approximately 64 additional pages of responsive documents. Counsel further states that he has informed counsel for Premera that there are no further responsive documents.
In its reply brief, Premera notes that during their depositions, several Named Plaintiffs testified about specific documents that have not been produced. Although the Court understands that Plaintiffs believe that they already have conducted a reasonably diligent search, to be confident that all responsive documents have been produced, Plaintiffs shall conduct another reasonably diligent search from the identified Named Plaintiffs to ensure the production of all responsive documents. If Plaintiffs do not locate any additional responsive documents, that is acceptable, even if Premera is "hard-pressed to believe" that the current production is all the responsive documents that exist. Plaintiffs remain under both legal and professional obligations to supplement their production if additional documents are discovered in the future. Further, Plaintiffs shall not be permitted to file with Court or use at any trial documents responsive to a request for production issued by Premera that was not timely produced. Although the Court is requiring Plaintiffs to perform another reasonable search, Premera’s motion to compel production of documents is denied. If no additional documents are located, there is no production to compel.
CONCLUSION
Plaintiffs’ Motion to Compel (ECF 231) is GRANTED IN PART AND DENIED IN PART as described in this Order. Premera’s Motion to Compel (ECF 240) is DENIED.
IT IS SO ORDERED.