In the case In re Marriott Int’l Inc. Customer Data Security Breach Litigation, No. 19-MD-2879 (Judge Grimm) (D. Md. July 20, 2021), Special Master John M. Facciola identified a compromise solution to the defendant’s request asking the plaintiffs to identify their time and effort in monitoring their bank, credit card, and other accounts related to the defendant’s data breach for unauthorized purchases by recommending the five plaintiffs with the most time claimed to be spent to “produce the documents reflecting the time spent monitoring their financial accounts for January 1, 2021, to June 30, 2021.”
Case Background
In this data breach litigation multi-district litigation (MDL) presided over by Maryland District Judge Paul W. Grimm, the plaintiffs demanded to be compensated for their time and effort in monitoring their bank, credit card, and other accounts to detect whether someone had used their “personally identifiable information” to make unauthorized purchases by exploiting documents revealed by the breach. To challenge the claims, defendant Marriott demanded “[a]ll documents reflecting the attempt to mitigate damages … or documents reviewed during any time spent monitoring financial accounts.”
The plaintiffs responded that they had produced documents reflecting their mitigation efforts in response to these demands and gave their best estimate of their time using different methodologies but balked at the demand for the documents they reviewed as they monitored their accounts, saying “it will take hundreds of thousands of dollars to comply with the Request”. The defendant claimed it would simply “take an envelope and a stamp.”
Special Master’s Recommendation
Special Master Facciola began discussing his proposed solution by stating: “My solution begins with the observation that the discovery now sought is unique. Parties generally seek a document or electronically stored information to find out its contents. In this instance, however, Marriott does not care about the contents. It does not care whether one of the plaintiffs bought a bathing suit. It does not even care that a document showed that someone the plaintiff did not know bought a bathing suit using the plaintiff’s credit card. It cares only about how long it took a plaintiffs to investigate whether someone had charged his credit card for the unauthorized bathing suit.”
Noting that he “determined that the plaintiffs’ mean time in the chart in Marriott’s letter…was twenty-seven hours”, Special Master Facciola stated: “The results are striking. The plaintiffs did not spend about the same amount of time monitoring their accounts. One plaintiff took five times more time than the median to monitor her accounts. Another took four times more than the median, and three others took twice the median hours.”
Finding that “Marriott’s demand that all the plaintiffs produce all their records is overbroad” because the mean amount spent was “about one hour per month”, Special Master Facciola stated: “Accordingly, I will therefore not permit any further discovery from the plaintiffs who spent twenty-eight hours or less monitoring their accounts.”
As for the five plaintiffs at the top of the list, Special Master Facciola noted: “if these plaintiffs had the habit of monitoring their financial accounts each month, then the evidence of how they did it one month would indicate how they did it every month” and stated: “Therefore, I recommend that Judge Grimm order the five plaintiffs…to produce the documents reflecting the time spent monitoring their financial accounts for January 1, 2021, to June 30, 2021.” Special Master Facciola also stated: “I find that, now that I have narrowed the scope of the discovery, it is proportional to the needs of the case.”
With regard to the plaintiffs’ concerns about confidentiality and privacy, Special Master Facciola deferred to Judge Grimm on both concerns, stating that “Judge Grimm, not Marriott, will determine what is and is not confidential” and that “Judge Grimm has specifically rejected the plaintiffs’ claim that the protections provided by the SPO [Stipulated Protective Order] are inadequate to protect their privacy.”
So, what do you think? Do you think this was a reasonable compromise? Please share any comments you might have or if you’d like to know more about a particular topic.
Case opinion link courtesy of eDiscovery Assistant, an Affinity partner of eDiscovery Today.
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.
Thanks, Doug! Another excellent post.
[…] only have to look to yesterday’s post to see an introduction of discovery and cybersecurity, which is why the term “cyber discovery” […]