In re Marriott Int'l, Inc. Customer Data Sec. Breach Litig.
2021 WL 961066 (D. Md. 2021)
March 15, 2021

Facciola, John M.,  Special Master

Sampling
Protective Order
Social Media
Proportionality
Text Messages
ESI Protocol
Mobile Device
Cloud Computing
Instant Messaging
Privacy
Forensic Examination
Summary
The court was asked to set aside a discovery order requiring thirty plaintiffs to produce their PCs, laptops, and tablets for mirror imaging. The court was asked to consider the relevance and intrusiveness of the ESI requested by Defendants, as well as the potential privacy implications of producing such information. The court allowed the 14-day period under Civil Local Rule 72-2 to lapse, after which the motion was deemed denied.
IN RE: MARRIOTT INTERNATIONAL, INC. CUSTOMER DATA SECURITY BREACH LITIGATION
MDL NO. 19-MD-2879
United States District Court, D. Maryland
Signed March 15, 2021
Facciola, John M., Special Master

REPORT AND RECOMMENDATION
THIS DOCUMENT RELATES TO THE CONSUMER TRACK

I. The nature of the controversy
The latest controversy between Marriott and Plaintiffs in the consumer track stems from Marriott's desire to have a forensic scientist scan the content of Plaintiffs’ digital devices.
II. The warring protocols
Plaintiffs’ Protocol
The controversy began with Marriott's Request for Production, which demanded the following:
3. The results of a forensic examination of the Plaintiff's devices that connect to the internet and contain electronically stored information, including a list of the indicators of compromise, to include malicious files, historical evidence of malicious files, and events logs of any antivirus software that may have removed the malware prior to examination, as identified via a forensic examination conducted in accordance with industry-standard best practices by an expert selected by Plaintiff, and using a methodology and program to be agreed upon by Plaintiff and Marriott.
Plaintiffs’ Exhibit A.
Plaintiffs objected (Plaintiffs’ Exhibit B). Plaintiffs explained that the parties negotiated a compromise “whereby an expert would perform a forensic examination of a random sample of Plaintiffs’ devices to search for evidence of any attack and, if no such evidence was found, the parties would move on.” Letter of March 2, 2021, at 1. Plaintiffs then proposed a protocol for the forensic examination as follows:
Specifically, the protocol provided that the vendor would create a forensic image of the selected devices and run automated scans looking for evidence of malware and viruses that could result in data exfiltration (as Marriott's request specifically delineated). If such malware was present, a “root cause” analysis would then be performed to determine when and how the malware was installed and whether it could have resulted in the exfiltration of sensitive information.
Id.
Marriott's Protocol
The intended examination by the forensic scientist
Marriott was dissatisfied and proposed a radically different approach. Under this proposed approach, the forensic scientist would not merely forensically examine the device to look for malware or viruses; it would examine the actual content on the device.
Marriott's demand led to further discussions, and under its most recent suggested protocol, requested the examination of:
1. Evidence of malware and other viruses. (Ex. A § III.5.a.)
2. Web browsing history and bookmarked pages. (Id. § III.5.b.)
3. Installed programs and applications. (Id. § III.5.c.)
4. Identification of the location of personal information on the devices, e.g., in emails, text messages, or text files. (Id. §§ III.5.d-h & 1.)
5. Evidence of Plaintiffs’ information security habits, such as wireless and Bluetooth connectivity and security. (Id. §§ III.5.i-k.)
Letter of March 8, 2021.
The forensic scientist will conduct the examinations under paragraphs 2, 3, 4, and 5 as follows:
1. Web browsing history and bookmarked pages:
I would recommend a remote-inspection approach where Plaintiffs’ experts or other consultants would host a remotely accessible platform where I could remotely access and analyze web browsing activity on Plaintiffs’ devices without the ability to save or download any information. Any data sought for production from Plaintiffs to Defendant would be marked in the course of this analysis and reviewed by Plaintiffs’ counsel for privilege prior to production.
2. Installed programs and applications:
Programs and applications can store, process, or transmit personal information and may have allowed personal information to be either publicly exposed or used for identity theft or fraud if those areas of the devices or the applications themselves were compromised. I understand Plaintiffs also object to providing a full listing of applications and programs installed on their devices. As such, I would recommend a similar remote-inspection approach.
3. Identification of the location of personal information on the devices, e.g., in emails, text messages, or text files.
c) Notes/Documents/Text Files
i. Documents in many different formats can contain personal information. If the location in which these documents were stored, or any other platform, system, or application that stored or transferred the documents was compromised, that could have allowed personal information to be either publicly exposed or used for identity theft or fraud.
f) Chats & Messages
i. Individuals often share personal information through chat and messaging platforms on their devices and may have allowed this sensitive information to be inadvertently publicly exposed if those areas of the devices or the messaging platforms themselves were compromised.
g) Email
i. Personal information in email accounts can be sent to other people; email accounts can be compromised, or locally stored email data can be stolen if a device storing the data is compromised. As such, any personal information stored in email on the devices or in accounts associated with the devices could have allowed personal information to be either publicly exposed or used for identity theft or fraud.
5. Evidence of Plaintiffs’ information security habits, such as wireless and Bluetooth connectivity and security.
h) Wireless Device Connectivity
i. Wireless devices used while traveling can be subject to interception or access by third parties when connecting to insecure or unofficial wireless networks. Connection to insecure or otherwise questionable wireless networks may have allowed personal information to be either publicly exposed or used for identity theft or fraud.
i) Bluetooth Data Transfer
i. Sharing or transferring information via Bluetooth can result in inadvertent disclosure of information to unknown third parties if the security of Bluetooth connections are not carefully verified before sending data. Even accidental sharing of information with an unknown third party can cause personal information to be either publicly exposed or used for identity theft or fraud.
Marriott's Exhibit B, Declaration of Kevin T. Poindexter.

There is now, therefore, a quantum difference between the parties. They have gone from a malware/virus scan to a new demand that Plaintiffs disclose to this scientist the content they have created on their electronic devices in the areas I have just specified.
II. Recommendation
I recommend that the Court reject Marriott's proposed protocol and direct the parties to use the Plaintiffs’ proposed protocol. I find that Marriott's protocol seeks inadmissible evidence and that even if that evidence is admissible, the demand for the information Marriott seeks is premature in certain respects and disproportionate in others.
The evidence sought by Marriott's demand is inadmissible.
When I first saw Marriott's proposed protocol at a conference with counsel, I told Marriott's counsel that I was concerned that the demand was based on an incorrect premise. In my view, its theory of the admissibility of Plaintiffs’ use of the internet was flawed. Marriott was trying to elicit evidence of Plaintiffs’ character or a character trait to establish a propensity to be negligent in their use of the internet. Marriott would then argue that it was Plaintiffs’ negligence that caused the breach.
Unfortunately, counsel for both parties have ignored the question that I find most troubling: Isn't Marriott attempting to find evidence that is not admissible based on the prohibition against Fed. R. Evid. 404(a)? The Rule provides:
Evidence of a person's character or character trait is not admissible to prove that on a particular occasion the person acted in accordance with the character or trait.
Marriott is saying that Plaintiffs carelessly shared their email addresses with their friends in unencrypted text messages or emails or provided their PPI[1] to providers of goods and services on the internet. From that use, Marriott will ask the jury to find that the Plaintiffs were equally careless and negligent in 2014–2018, and therefore the Plaintiffs, not Marriott, caused the data breach.
However, this argument claims that Plaintiffs have what the Rule calls “the character trait” of being negligent and careless, and therefore, they must have been just as negligent and careless in 2014–2018 and caused the breach. That, however, is precisely the inference the Rule prohibits.
Take a simple car accident case. Driver A and driver B collide at an intersection. A says B was negligent. At trial, A offers into evidence B's prior traffic violations for reckless driving to show that B is a terrible driver. Assume that Judge Grimm used that hypothetical in his Evidence class and asked a student whether the evidence of the violations for reckless driving is admissible. If the student said yes, you could offer the violations to show what kind of a driver B is, I am certain the judge would flunk him on the spot because that is exactly what the Rule prohibits. However, in my view, that is what Marriott is seeking to do by drawing a propensity from a party's prior behavior to prove that she acted in accordance with that trait.[2]
Even if the evidence was admissible, the demands made by Marriott's protocol are premature and disproportionate.
I also appreciate that Fed. R. Civ. P. 26(b)(1) provides that “[i]nformation within the scope of discovery need not be admissible in evidence to be discoverable.” This does not mean that the court cannot consider the inadmissibility of evidence in determining whether the evidence is within the scope of discovery. Rather, the contrary is true.
The Advisory Committee notes accompanying the 2015 amendment of Fed. R. Civ. P. 26 indicated that the amendment was intended to replace the troubling language in an earlier version of the Rule that allowed the discovery of inadmissible evidence if its discovery was reasonably calculated to lead to admissible evidence. Adv. Comm. Notes to Rule 26 (2015). The Committee then stated,
The “reasonably calculated” phrase has continued to create problems, however, and is removed by these amendments. It is replaced by the direct statement that “Information within this scope of discovery need not be admissible in evidence to be discoverable.” Discovery of nonprivileged information not admissible remains available so long as it is otherwise within the scope of discovery.
Id.
F.R. Civ. P. 26(b)(1) then defines the scope of discovery as “any nonprivileged matter that is relevant to any party's claim or defense” and proportional to the needs of the case. The latter determination requires balancing the factors in that Rule, including “the importance of the discovery in resolving the issues.” Obviously, inadmissible evidence cannot aid in the resolution of the issues in a case. It would be a strange civil procedure system that would find the discovery of evidence to be proportional to the needs of the case when that evidence will never see the evidentiary light.
Nevertheless, I am obliged to be comprehensive in this Report and allow for the possibility that Judge Grimm will disagree with my opinion that Marriott seeks inadmissible evidence. I will therefore assume the contrary—the evidence may be admissible—and indicate why Marriott's demands are premature and disproportionate.
Relevance to causality
Marriott argues that Plaintiffs’ present use of Plaintiffs’ digital devices to interface with the internet may show that their profligate disclosure of their PPI to others on the internet may permit the jury to conclude that there was another cause for the breach that is the subject of this case. Letter of March 8, 2021, at 3 (“Moreover, the less securely and sensitively Plaintiffs treat their personal information—e.g., by not securing it on their electronic devices and by providing to other third parties—the less likely a juror is to believe Plaintiffs claim that Marriott caused fraud or the risk of fraud.”)
First, as to causation, Marriott does not explain how Plaintiffs’ use of their digital devices in, let us say, 2020 could bear on the cause of a breach that occurred no later than 2018. Thus, Marriott has to be once again suggesting that Plaintiffs’ present use of the internet is evidence of how they used the internet in 2014–2018. In that case, we are back to the issue of the admissibility of character evidence.
In any event, there is, at most, a theoretical possibility that, for example, Plaintiffs’ indicating their names and credit card numbers to buy something from an internet vendor or their visiting a particular website might have caused a subsequent breach. But that possibility cannot justify the extensive demand that Marriott makes to have a third party see (1) every website Plaintiffs visited and (2) every text message or email they sent that contained their PPI. As Justice Frankfurter once put it, albeit in a different context: “Surely, this is to burn the house to roast the pig.” Butler v. Michigan, 353 U.S. 383 (1957).
I should note that, in this context of proportionality, courts have permitted such forensic screening, and Marriott indicates that Plaintiffs agree to its legitimacy here. Letter of March 8, 2021, at 5. No matter how those courts use the words “forensic screening,” I take them to mean, in the context of this case, a scientific exploration to detect the presence of a virus, malware, or any other tool designed to capture data from a device without the knowledge of its owner. While that kind of examination may or may not prove causality in any given case, it is light years away from Marriott's proposal that a third party read, for example, every one of Plaintiffs’ email and text messages to search for their disclosure of their PPI.
Prematurity of the demand
Marriott also argues that it should be able to show that Plaintiffs’ negligent use of the internet, thereby jeopardizing Plaintiffs’ PPI, would contradict and weaken the claim that their PPI has a value. Thus, Marriott asks why the jury should award Plaintiffs’ damages for the loss of their PPI when Plaintiffs have shown so little interest in safeguarding it from being hacked and stolen. Letter of March 8, 2021, at 4.[3]
During our discovery conferences, Plaintiffs have explained that they will make the information bearing on the loss of their PPI value available to their experts. Those experts will, in turn, create a damages model supporting the claim that there is a monetary value to their PPI and that the breach has deprived them of that value.
Whether Plaintiffs’ PPI has value and the related questions of what will or will not diminish that value will be addressed by Judge Grimm.
Judge Grimm has indicated that he intends to subject Plaintiffs’ experts’ opinions to rigorous analysis under Fed. R. Evid. 702 to the point of hiring a technical expert to guide him on the science underlying those opinions. His resolution of whether Plaintiffs’ experts can present a damages model that attributes, for example, a value to Plaintiffs’ PPI or their ability to use credit cards to make purchases[4] will clarify whether evidence of Plaintiffs’ present use of their computers diminishing the value of their PPI is admissible. Moreover, if Marriott succeeds in having Judge Grimm reject the experts’ damage model, the jury will never consider the value of Plaintiffs’ PPI. The issue of whether Plaintiffs’ behavior on the internet diminished the value of their PPI will be irrelevant if Judge Grimm rejects as unfounded Plaintiffs’ theory that Plaintiffs’ PPI has a monetary value.
Marriott would counter that Plaintiffs could prevail, and their need for the information would then ripen, but fact discovery will be closed. I appreciate that and would recommend that Judge Grimm revisit (or direct me to revisit) this issue after he has resolved whether he will permit expert testimony on the Plaintiffs’ damage model. The alternative—permitting the extraordinary disclosure to a third person of every email or text message containing PPI the Plaintiffs wrote or every website they visited when the evidence yielded by that disclosure may never be relevant—makes no sense at all.
Relevance to injunctive relief
Marriott, noting that Plaintiffs seek injunctive relief, argues:
Plaintiffs also seek injunctive relief, arguing that an injunction is necessary to prevent them from injury due to further cyber-attacks. (See, e.g., id. ¶ 352.) Whether the Court issues an injunction should turn, in part, on the degree to which Plaintiffs protect their own information. If, for example, Plaintiffs do not protect their information, then an injunction would do nothing to prevent the harm they argue an injunction would protect against.
Letter of March 8, 2021, at 8.
The Fourth Circuit, quoting a Supreme Court decision, has identified the factors that bear on the award of injunctive relief as follows:
Under the traditional equitable analysis, a plaintiff seeking injunctive relief must demonstrate:
(1) that it has suffered an irreparable injury; (2) that remedies available at law, such as monetary damages, are inadequate to compensate for that injury; (3) that, considering the balance of hardships between the plaintiff and defendant, a remedy in equity is warranted; and (4) that the public interest would not be disserved by a permanent injunction. eBay Inc. v. MercExchange, L.L.C., 547 U.S. 388, 391, 126 S. Ct. 1837, 164 L. Ed. 2d 641 (2006)
S.A.S. Inst., Inc. v. World Programming Ltd., 952 F.3d 513, 527 (4th Cir. 2020). See also Beacon Theatres v. Westover, 359 U.S. 500, 506–507 (U.S. 1959) (“The basis of injunctive relief in the federal courts has always been irreparable harm and inadequacy of legal remedies.”)
Plaintiffs’ use of their computers and their access is not one of these factors, nor does it relate to any of them.
First, Plaintiffs’ negligent use of their devices does not render whatever damages they win an inadequate remedy for the harm done them by the breach. Additionally, the existence of those damages militates against a finding that they are threatened with irreparable harm. The Fourth Circuit has stated,
The possibility that adequate compensatory or other corrective relief will be available at a later date ... weighs heavily against a claim of irreparable harm. Sampson v. Murray, 415 U.S. 61, 90, 94 S. Ct. 937, 39 L. Ed. 2d 166 (1974). A plaintiff must overcome the presumption that a preliminary injunction will not issue when the harm suffered can be remedied by money damages at the time of judgment. Hughes Network Sys., Inc. v. Interdigital Commc'ns Corp., 17 F.3d 691, 693 (4th Cir. 1994).
Di Biase v. S.P.X. Corp., 872 F.3d 224, 230 (4th Cir. 2017).
Moreover, the award of those damages means that Plaintiffs are not threatened with irreparable harm post-verdict. “[G]enerally ‘irreparable injury is suffered when monetary damages are difficult to ascertain or are inadequate.’ ” Multi-Channel TV Cable Co. v. Charlottesville Quality Cable Operating Co., 22 F.3d 546, 551 (4th Cir. 1994.) “Irreparable,” after all, means “impossible to rectify or repair.” Compact Oxford English Dictionary 592 (2d rev. ed 2003). The availability of the damages Plaintiffs may win indicates that the harm to them from another breach is not irreparable.
Finally, there may be a profound public interest in how Marriott, one of the largest hoteliers in the world, manages the PPI that its guests make available to Marriott when they make a reservation or check into their room. Whether that interest is served by an injunction ordering Marriott to do or not do something to safeguard that PPI will require a careful, scientific evaluation of the state of Marriott's cybersecurity protection system when the injunction is sought. That Plaintiffs are not as careful as they should be in using the internet has nothing to do with the Marriott cybersecurity system's strength or weakness when Judge Grimm may have to determine whether the public interest in cybersecurity will be advanced or retarded by an injunction.
Therefore, I conclude that Marriott's demand for the information has nothing to do with Plaintiffs’ potential demand for injunctive relief, even if that demand was not premature.
III. Conclusion
For the reasons stated in this Report, I recommend that the forensic examination of Plaintiffs’ devices be done in accordance with Plaintiffs’ proposed protocol, Plaintiffs’ Exhibit A. I further recommend that all Plaintiffs make their devices available as required by that protocol and that the forensic examinations be conducted promptly. Under the Plaintiffs’ protocol, they only need to deliver the devices to the forensic scientist, and I see no unreasonable invasion of their privacy from a search for malware and viruses.
John M. Facciola
Dated: March 15, 2021
Footnotes
[1] I will use this acronym as it is defined in the Second Amended Stipulated Protective Order, E.C.F. No. 531, paragraph 1, (1). The lengthy definition is an appendix to this Report and Recommendation.
[2] Edward J. Imwinkelried, An Evidentiary Paradox: Defending the Character Evidence Prohibition by Upholding a Non-Character Theory of Logical Relevance, The Doctrine of Chances, The Social Science Research Network Electronic Paper Collection, http://ssrn.com/abstrract=795725 at 7. The chart on that page is particularly helpful.
[3] “In general, the more third parties to whom a Plaintiff provides personal information, the less likely a juror is to believe their claim that they consider this information highly sensitive or that they desire to protect the purported value of that information. And if Plaintiffs do nothing to secure the devices that contain their personal information, a reasonable juror could conclude that they do not, in fact, protect or value that information.” Letter of March 8, 2021.
[4] See id. at 3.

*  *  *  *  *

March 2, 2021 Letter to Special Master with Exhibits A-H

The Honorable John M. Facciola (Ret.), facciola@georgetown.edu
Re: In re Marriott, MDL No. 2879 (D. Md.), Inspection of Consumer Plaintiffs’ Devices
Plaintiffs move for a protective order prohibiting Marriott from obtaining a highly-invasive forensic analysis of nearly every file on—and the entire history of—Plaintiffs’ personal cell phone and computer use. Marriott's unprecedented and brazen discovery request seeks information that is not relevant to the case. Plaintiffs are not aware of any other court in a data breach case allowing the types of overly broad and unfettered personal device searches as Marriott is proposing here. Indeed, in the one case from which Marriott apparently patterned its discovery request, that court rejected Marriott's approach, allowed only limited discovery, and later expressed regret over the decision. Plaintiffs ask Your Honor to follow the weight of authority and reject Marriott's intrusive, unnecessary, and wholly disproportionate request.
A. Discovery Sought and Relevant History.
On September 20, 2020, Marriott requested:
The results of a forensic examination of the Plaintiff's devices that connect to the internet and contain electronically stored information, including a list of the indicators of compromise, to include malicious files, historical evidence of malicious files, and events logs of any anti-virus software that may have removed the malware prior to examination, as identified via a forensic examination conducted in accordance with industry standard best practices by an expert selected by Plaintiff, and using a methodology and program to be agreed upon by Plaintiff and Marriott. (Ex. A, emphases added)
Plaintiffs objected to this request on numerous grounds. (Ex. B) The parties conferred and, while Plaintiffs maintained their objections to any discovery at all, to avoid burdening the Court with additional discovery disputes, Plaintiffs negotiated a compromise whereby an expert would perform a forensic examination of a random sample of Plaintiffs’ devices to search for evidence of any attack and, if no such evidence was found, the parties would move on.
After the parties selected the custodians and prepared a list of eligible devices for selection, Plaintiffs provided a proposed Remote Collection and Examination Protocol (“Protocol”). (Ex. C) The Protocol was consistent with industry-standard collection methods, consistent with the scope of Marriott's request, and similar to protocols adopted in the small number of other cases which allowed such device inspection. Specifically, the Protocol provided that the vendor would create a forensic image of the selected devices and run automated scans looking for evidence of malware and viruses that could result in data exfiltration (as Marriott's request specifically delineated). If such malware was present, a “root cause” analysis would then be performed to determine when and how the malware was installed and whether it could have resulted in the exfiltration of sensitive information. Following the inspection, the vendor would produce a report for each plaintiff's devices which would detail the examination findings. The Protocol provided that the vendor would not view any additional files or data copied from the device unless it was necessary to perform a root cause analysis and only after obtaining permission.
On February 16, 2021, Marriott sent nearly 10 pages of proposed “revisions” to the Protocol, drastically broadening the scope of the proposed examination. (Ex. D) Marriott's revisions far exceeded the scope of its own request, which was limited to things like evidence of malware. Marriott now seeks, in part, examination and reports pertaining to all of the following: Web Browsing History and Bookmarked Pages; Installed Programs/Applications; Notes/Documents/Text Files; Photos/Digital Images of Personal Information or Passwords; Cloud Storage Accounts (Google Drive, OneDrive, DropBox, etc.); Apple/Google/Microsoft Account IDs; Chats & Message; Email; Wireless Device Connectivity; Bluetooth Data Transfer; and Passwords—in other words, every sensitive file that could ever exist on one's computer or cellular phone (including personal pictures, emails, passwords, and internet history).
Marriott's initial discovery request, already overbroad and objectionable, has now morphed into an unprecedented dive into Plaintiffs’ personal data. Not only does this proposed discovery have no relevance to the parties’ claims and defenses, but granting this discovery may result in several of the plaintiffs dropping out of the litigation entirely, as they would be subject to a forensic search that is more intrusive and violative than the actual data breach at issue. This is not reasonable discovery; it is retaliation.
B. Legal Standard.
Rule 26(c) governs protective orders. Under that rule, the Court “may, for good cause, issue an order to protect a party or person from annoyance, embarrassment, oppression, or undue burden or expense, including ... forbidding the disclosure or discovery” of certain items or “prescribing a discovery method other than the one selected by the party seeking discovery.” Fed. R. Civ. P. 26(c)(1)(A), (C). Additionally, Federal Rule of Civil Procedure 26(b)(1) limits discovery to matters that are (1) “relevant to any party's claim or defense” and (2) “proportional to the needs of the case[.]” Fed. R. Civ. P. 26(b)(1).
C. Argument.
There is more than good cause to issue a protective order in this case. The sweeping forensic search Marriott seeks is untethered to the issues in the case, is much broader than Marriott's actual discovery request as written (which required Plaintiffs’ agreement), and implicates significant privacy concerns that are disproportional to the needs of this case. While a few courts have allowed very limited and targeted searches of some devices when tied to the case at issue, no prior data breach case has ever allowed the type of oppressive discovery Marriott seeks here.
1. Marriott's Proposed Discovery is Irrelevant.
Marriott has proffered two reasons for needing this discovery: 1) to show that other events may have triggered the loss of Plaintiffs’ information; and 2) to contest the inherent value Plaintiffs place on their data. Neither argument can justify the discovery Marriott seeks.
For Marriott's proposed discovery to have any possible relevance to causation, a series of remote and highly-speculative steps would have had to occur: a plaintiff would have had to experience a fraud event allegedly tied to the Marriott breach; then used a specific device at the time the fraud event took place; and then a forensic inspection would have had to reveal unauthorized access to the device and the same data at issue. But that could only provide a potential alternative basis for the fraud if Marriott limited the scope of its request to devices in use at the time of the fraud event (it did not) or there was a whole separate round of third-party discovery into that other breach. With discovery ending, these highly theoretical and unlikely occurrences cannot justify the intrusive nature of Marriott's request.
Marriott's second justification fares no better. Marriott's suggestion that this discovery may reveal that Plaintiffs were careless with their personal information somehow demonstrating that they do not value privacy is fatally flawed because it has nothing to do with the claims or defenses in this case. One of Plaintiffs’ damages measures relates to the objective value of their personal information. Importantly, this has no bearing on any individual plaintiff’s subjective feelings about their information. This is as if Marriott had wrongfully let a thief steal a car from each of the plaintiffs and plaintiffs claimed the “value” of the stolen cars. The relevant question is not how much each plaintiff loved her car, but how much the car is worth in the market. The same holds true here: as Your Honor already ruled, Plaintiffs will submit expert testimony establishing the objective market value of their data on an aggregate, classwide basis. Plaintiffs will not base damages claims on their subjective feelings about their personal information.
2. Marriott's proposed discovery is unlikely to shed light on a Plaintiff's subjective privacy valuation even if it were relevant.
Even if every sensitive file on a Plaintiff’s computer was somehow relevant to the damages analysis, Marriott cannot explain how the information it seeks would actually shed light on that topic. As noted above, Marriott's proposed search protocol includes recent internet search history, personal images, photographs, and documents, personal emails and chat messages, login IDs and passwords, and even files stored on cloud storage accounts that are not physically present on the device. Marriott offers no substance behind what this information could reasonably be expected to show. For example, Marriott contends that a plaintiff's recent internet search history could show that he or she visited a “vulnerable” website. But how does Marriott show whether a website is “vulnerable”? And how does that devalue their data?
The additional information Marriott seeks is even more untethered to this case. Why would a Plaintiff's private internet search history from last week have any bearing on a breach that occurred seven years ago? What relevance do personal photographs or a Google search history on a plaintiff's computer have to their data security practices or value of their data? Why would a plaintiff's most personal text messages or emails have any bearing on the issues raised in this case? Stripped of the dubious pretense that this information could show plaintiffs did not value their data, it appears that the purpose of this discovery is to harass, embarrass, and call into question the plaintiffs’ character by digging through their most sensitive information.
3. The proposed discovery would be wildly disproportionate to the needs of the case, even if some of the information sought were somehow relevant.
Plaintiffs are aware of no precedent allowing this type of inspection of plaintiffs’ personal cell phone and computer devices simply because they were victims of a data breach. Two previous cases are particularly relevant: In re Anthem and Henson v. Turn.
In Anthem, the defendants initially sought the same type of discovery as Marriott requests here (essentially full forensic images of devices). The magistrate judge rejected that request, holding:
The Court finds that the burden of providing access to each plaintiff's computer system greatly outweighs its likely benefit. There is an Orwellian irony to the proposition that in order to get relief for a theft of one's personal information, a person has to disclose even more personal information, including an inspection of all his or her devices that connect to the internet. If the Court were to grant Anthem's request, it would further invade plaintiffs’ privacy interests and deter current and future data theft victims from pursuing relief.
In re Anthem, Inc. Data Breach Litig., 2016 WL 11505231, at *1 (N.D. Cal. Apr. 8, 2016) (Ex. E) (holding that the device discovery sought was “unreasonably intrusive and disproportional to the present needs of the case”).
The magistrate judge in that case later allowed a much narrower forensic examination of certain plaintiffs’ devices. It excluded handheld devices such as cell phones, and it was limited to the exact scope as the one Plaintiffs suggested here in an effort to compromise with Marriott. (Ex. F) Judge Lucy H. Koh, who presided over the litigation, said that even the more limited search—which had caused a plaintiff to drop out of the litigation—was not warranted. Judge Koh stated, “I would just say that—had this issue come to me as a first instance, I probably would not have compelled the discovery.” In re Anthem, Inc. Data Breach Litig., Dkt. No. 700, 6:3-13 (N.D. Cal. 2016) (Ex. G) This was so, she explained, because “the discovery is burdensome” and it is “pretty invasive.” Id.[1]
Perhaps the most detailed analysis on the question of whether to permit forensic analysis in a data privacy case is contained in Henson v. Turn, Inc., 2018 WL 5281629 (N.D. Cal. Oct. 22, 2018). (Ex. H) In that case, a class of subscribers to cellular and data services filed a data-privacy class action against the defendant for surreptitiously tracking their web history. Id., at *1. Like Marriott, the defendant submitted a request that plaintiffs produce: (1) their mobile devices for inspection or complete forensic images of their devices; (2) their full web browsing history from their devices; and (3) all cookies (lines of software code that monitor and gather information about users’ browsing and app use) stored on or deleted from their devices. See id.
Magistrate Judge Laurel Beeler rejected the “request to inspect the plaintiffs’ mobile devices or for complete forensic images” as it “call[s] for information that is not relevant and is disproportional to the needs of the case.” Id. at *5. She explained:
• The breadth of the search “threatens to sweep in documents and information that are not relevant to the issues in this case, such as the plaintiffs’ private text messages, emails, contact lists, and photographs.” Id. (collecting cases rejecting broad discovery of irrelevant documents).
• The question of discovery proportionality “is not limited to ... financial considerations. Courts and commentators have recognized that privacy interests can be a consideration in evaluating proportionality, particularly in the context of a request to inspect personal electronic devices.” Id. (collecting cases, emphasis added).[2]
• “[I]n light of the fact that the plaintiffs’ devices likely contain information not relevant to this case, may contain privileged information, and implicate significant privacy concerns, [defendant's] request for the plaintiffs to allow it to directly inspect their devices (or produce complete forensic images of their devices) is not relevant or proportional to the needs of this case.” Id. at *7.
• “[R]equiring the plaintiffs to produce their full browsing history presents significant privacy concerns” and that the defendant “has not shown that its request for the plaintiffs’ full browsing history and cookies ... is relevant or proportional to the needs of this case.” Id. at *8.
There is even less of a need for discovery in this case than in Henson, which was actually about a defendant who tracked Plaintiffs’ browsing history.
D. Conclusion
There is good cause to issue a protective order. Marriott seeks discovery no court in a similar matter has ever ordered (although other defendants have tried) —not to prosecute claims or support its defenses, but to “punish” and harass individuals for daring to sue it. Marriott has no proper basis—much less a proportionate one—for seeking Plaintiffs’ web browsing habits, personal photographs, emails and text messages, or passwords. And as Your Honor has already recognized, Plaintiffs’ damages claim that Marriott owes them the “value” of their personal information does not turn on any individual plaintiff's subjective feelings about his or her data. Plaintiffs respectfully request that Your Honor prohibit this irrelevant, overly broad, intrusive, and disproportionate discovery.
Respectfully,
/s/ Amy E. Keller, /s/ Andrew N. Friedman, /s/ James J. Pizzirusso
Co-Lead Counsel, Consumer Track
Footnotes

[1] Even the Supreme Court has recognized that the “storage capacity of cell phones has several interrelated consequences for privacy” and that “[a]n Internet search and browsing history, for example, can be found on an Internet-enabled phone and could reveal an individual's private interests or concerns[.]” Riley v. California, 573 U.S. 373, 394–95 (2014).
[2] See, e.g., Tingle v. Hebert, 2018 WL 1726667, at *7–8 (M.D. La. Apr. 10, 2018) (finding that “Defendants have also made no showing that the requested forensic examination of Plaintiff's personal cell phone and personal email accounts are proportional to the needs of this case” and holding that “ ‘[t]he utility of permitting a forensic examination of personal cell phones must be weighed against inherent privacy concerns’ ”); Crabtree v. Angie's List, Inc., 2017 WL 413242, at *3 (S.D. Ind. Jan. 31, 2017) (denying request to forensically examine plaintiff's personal cell phones and holding that the forensic examination “is not proportional to the needs of the case because any benefit the data might provide is outweighed by Plaintiffs’ significant privacy and confidentiality interests”); Hespe v. City of Chicago, No. 13 C 7998, 2016 WL 7240754, at *3 (N.D. Ill. Dec. 15, 2016) (affirming order denying request to inspect plaintiff's personal computer and cell phone because, among other things, inspection “is not ‘proportional to the needs of this case’ because any benefit the inspection might provide is ‘outweighed by plaintiff's privacy and confidentiality interests’ ”); Areizaga v. ADW Corp., 2016 WL 9526396, at *3 (N.D. Tex. Aug. 1, 2016) (denying request to inspect plaintiff's personal computer, smart phone, and other electronic devices because the request “is not proportional to the needs of the case at this time, when weighing [defendant]’s explanation and showing as to the information that it believes might be obtainable and might be relevant against the significant privacy and confidentiality concerns implicated by [defendant]’s request”).
 
EXHIBIT A
IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF MARYLAND, Southern Division
IN RE: MARRIOTT INTERNATIONAL, INC. CUSTOMER DATA SECURITY BREACH LITIGATION
THIS DOCUMENT RELATES TO THE CONSUMER TRACK
MDL No.: 19-md-2879
Judge Grimm
DEFENDANT MARRIOTT'S SECOND SET OF REQUESTS FOR PRODUCTION TO BELLWETHER PLAINTIFF ROGER CULLEN
Pursuant to Rules 26 and 34 of the Federal Rules of Civil Procedure, defendants Marriott International, Inc. and Starwood Hotels and Resorts Worldwide, LLC (collectively, “Marriott”) hereby serve the following request for the production of documents.
INSTRUCTIONS
1. If, in responding to this request, the meaning of the request is not clear on its face, or you encounter any ambiguity in construing the request or instructions, you shall make your best effort to interpret the request within the context of this litigation and shall explain in your response the matter deemed ambiguous and the construction or interpretation chosen or used in responding to the request.
2. For the purposes of this discovery request, the singular includes the plural, and vice versa; the conjunctive shall also be construed in the disjunctive, and vice versa; and the past tense includes the present tense where the clear meaning is not distorted by change of tense.
3. This request for production is continuing in nature and, pursuant to Rule 26(e) of the Federal Rules of Civil Procedure, you are under a duty to seasonably supplement your response.
4. If you refuse to respond to this request for production, in whole or in part, state clearly the basis for such refusal. If a privilege is claimed, identify the information for which the privilege is claimed and set forth the nature of the privilege asserted.
REQUEST FOR PRODUCTION
3. The results of a forensic examination of the Plaintiff's devices that connect to the internet and contain electronically stored information, including a list of the indicators of compromise, to include malicious files, historical evidence of malicious files, and events logs of any anti-virus software that may have removed the malware prior to examination, as identified via a forensic examination conducted in accordance with industry standard best practices by an expert selected by Plaintiff, and using a methodology and program to be agreed upon by Plaintiff and Marriott.
Date: September 29, 2020
/s/ Lisa M. Ghannoum
Consumer Defendant's Co-Lead Counsel

EXHIBIT B
IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF MARYLAND, SOUTHERN DIVISION
IN RE: MARRIOTT INTERNATIONAL INC., CUSTOMER DATA SECURITY BREACH LITIGATION
MDL No. 19-md-2879
Hon. Paul W. Grimm
CONSUMER PLAINTIFF ROGER CULLEN'S OBJECTIONS TO DEFENDANT MARRIOTT'S SECOND SET OF REQUESTS FOR PRODUCTION TO CONSUMER PLAINTIFF ROGER CULLEN
Pursuant to Rules 26 and 34 of the Federal Rules of Civil Procedure, Plaintiff Roger Cullen (“Plaintiff”) sets forth herein answers and objections (collectively, “Responses”) to Marriott Defendant's (“Marriott” or “Defendants”) Second Set of Requests for Production (“RFPs”) to Plaintiffs, dated September 29, 2020.
No incidental or implied admissions are intended in these Responses. Plaintiff's Response to all or any part of the RFPs should not be taken as an admission that (1) Plaintiff accepts or admits the existence of any fact(s) set forth or assumed by the RFPs; (2) Plaintiff has possession, custody or control of information responsive to that RFP; or (3) documents exist that are responsive to the RFPs.
PLAINTIFF'S RESPONSES AND OBJECTIONS TO MARRIOTT'S SECOND SET OF REQUESTS FOR PRODUCTION
REQUEST FOR PRODUCTION:
The results of a forensic examination of the Plaintiff's devices that connect to the internet and contain electronically stored information, including a list of the indicators of compromise, to include malicious files, historical evidence of malicious files, and events logs of any anti-virus software that may have removed the malware prior to examination, as identified via a forensic examination conducted in accordance with industry standard best practices by an expert selected by Plaintiff, and using a methodology and program to be agreed upon by Plaintiff and Marriott.
RESPONSE TO REQUEST FOR PRODUCTION:
Plaintiff objects to this Request because it is vague and ambiguous, highly invasive, harassing and intrusive, overbroad, overly burdensome, seeks entirely irrelevant information, and there are substantially less burdensome and less intrusive means of obtaining the information Marriott seeks. Plaintiff further objects because the discovery sought in this Request is disproportional to the needs of this case as Plaintiff's privacy interests in the information contained on his/her devices and the burden and expense of complying with this Request far outweigh any likely benefit.
This Request is vague and ambiguous because Marriott fails to explain which of Plaintiff's devices it seeks to have forensically examined, and fails to explain or provide definitions for any of the technical terms it uses in its Request, leaving Plaintiff to guess at the precise scope of Marriott's Request.
This Request is highly invasive, harassing, and intrusive because it would require Plaintiff to submit his/her most personal devices such as cell phones, iPads, laptop and desktop computers to be forensically examined, which might contain sensitive personal and financial information including, but not limited to, private photos of and communications with non-parties to this litigation. These devices may also contain personal browsing history, protected health information, attorney-client communications, and other personal and financial information that serves no purpose in this case.
This Request is overbroad because it provides no limitation on the scope of devices potentially subject to forensic examination, meaning Plaintiff may be subject to providing personal devices that were used prior to or subsequent to the events giving rise to this litigation. This Request is further overbroad because it does not limit the request to Plaintiff's personal devices, thus any devices used for employment or other purposes would be included, which could implicate the privacy rights of non-parties to this litigation. Any personal or employment devices that are forensically examined may further have confidential and proprietary information which would require the consent of these third parties.
This Request is overly burdensome because requiring Plaintiff to locate and produce his/her Personal devices without limitation would require Plaintiff to spend significant time searching for all such devices, even in cases where they may not be easily accessible. For instance, it is common for Plaintiff, like all consumers, to periodically replace his/her devices, often times requiring him/her to trade in or donate the device to a third party. Plaintiff may not even own the device, requiring Plaintiff to locate and review the terms of the contract with the provider of the device, further subjecting Plaintiff to significant time and effort, which is simply disproportionate with any likely benefit to be obtained from this discovery. To the extent a device is no longer in the possession of Plaintiff, then Plaintiff further objects that this discovery is improper and not directed toward the proper party. In addition and given the COVID-19 pandemic, Plaintiff objects to the extent this discovery would require Plaintiff to either provide the personal devices to third parties to conduct the forensic examination or require third parties to meet with Plaintiff in person, potentially increasing the risk of transmission and/or subjecting Plaintiff to COVID-19, especially for discovery that would bear little to no relevance on this case. Plaintiff also objects to the extent that conducting a forensic examination of Plaintiff's devices would interfere with Plaintiff's daily use of those devices for an undisclosed amount of time and would unduly interrupt Plaintiff's personal and/or work life in a manner that is disproportional to the needs of the case. 
This Request seeks information that is entirely irrelevant because it requires the forensic examination of all Plaintiff's devices without limitation, even where there is no indication that such devices maintain any of the Personal Information provided to Starwood or Marriott and even where such devices may have been obtained prior to or well after the Data Breach and misuse occurred, bearing no relevance on Plaintiff's claims or Marriott's defenses. Moreover, many of Plaintiff's alleged injuries, such as “loss of the benefit of the bargain,” are not premised upon the theory that Plaintiff's PII (which was accessed in the Data Breach) has already been used for illicit gain. For such categories of harm, evidence that Plaintiff's PII might possibly have also been stolen from his/her own computer systems is completely irrelevant. Further, the discovery sought in this Request is not proportional to the needs of this case because any benefit the inspection might provide is far outweighed by Plaintiff's privacy and confidentiality interests in the information contained on his/her devices. Finally, this Request is objectionable because there are significantly less burdensome and intrusive means to obtain the information Marriott seeks. For instance, Marriott can propound interrogatories or requests for admission upon Plaintiff, or question Plaintiff at his/her deposition, requiring Plaintiff to respond under penalty of perjury whether Plaintiff is aware of any malware or other malicious files on Plaintiff's personal devices.
Given that this Request is vague and ambiguous, highly invasive, harassing, and intrusive, overbroad, overly burdensome, seeks entirely irrelevant information and information that is disproportional to the needs of this case, and given that there are substantially less burdensome and intrusive means of obtaining the information Marriott seeks, Plaintiff will not produce any documents or devices in response to this request.
Dated: October 29, 2020
/s/Amy E. Keller
/s/James J. Pizzirusso
Consumer Plaintiffs' Co-lead Counsel
Norman E. Siegel, Daniel Robinson, MaryBeth V. Gibson, Megan Jones, Ariana J. Tadler, Timothy Maloney, Jason Lichtman, Gary F. Lynch
Consumer Plaintiffs' Steering Committee
Veronica Nannis, James Ulwick
Consumer Plaintiffs' Liaison Counsel

EXHIBIT C
IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF MARYLAND, SOUTHERN DIVISION
IN RE: MARRIOTT INTERNATIONAL CUSTOMER DATA SECURITY BREACH LITIGATION
THIS DOCUMENT RELATES TO: ALL CONSUMER ACTIONS
MDL NO. 19-md-2879
Judge Paul W. Grimm
REMOTE COLLECTION AND EXAMINATION PROTOCOL
Consumer Plaintiffs and Defendants (collectively, the “Parties”) in the above-captioned matter stipulate and agree to the following protocol for the collection, examination, and production of data concerning Marriott's Request for Results of Examination of Plaintiffs’ Devices, as the parties agreed to on or around January 6, 2021.
I. Device Identification
1. Prior to scheduling any remote collections or preservations, each Custodian shall provide a detailed schedule of electronic devices to be forensically imaged and a secure address to send a remote collection kit containing the necessary hardware. This schedule will, at a minimum, include the following information:
a. Custodian Name
b. Device Description
c. Make/Model/Serial #
d. Estimated total storage capacity (used and available for use)
II. Collection and Imaging
2. Respective to each Custodian, upon receiving the schedule of devices 4Discovery shall propose dates and times for a remote collection kit to arrive at each Custodian's provided address. A signature will be required at the time of delivery. Within 2 days of delivery, each Custodian will participate in a virtual meeting with a 4Discovery collection specialist at an agreed upon time to facilitate collection and preservation of the specified devices. Collections will be performed using industry standard tools and methodology. This methodology will vary per device. If any encryption or passcodes are being used to protect the device(s), these codes will be provided by the Custodian to 4Discovery at the time of imaging.
3. 4Discovery shall create a full and complete forensic image of each device prior to starting any analysis. These forensic images will be shipped to the 4Discovery lab and shall reside solely in 4Discovery's custody for the length of the matter. The original device(s) will remain in the control of each Custodian. 4Discovery will ensure that the devices are not altered or harmed in any way.
4. While data responsive to the analysis steps described below will be sent to Counsel for review, copies of original data and forensic images collected shall not be released to counsel or experts for the parties and shall not be released from 4Discovery's custody for any reason absent written permission from the Custodian.
III. Analysis and Production
5. 4Discovery will perform automated scans on the forensic image to look for evidence of malware and review the log files of any antivirus or antivirus programs that have been installed on the Custodian's device. This review will be performed using various anti-virus scans, a review of file lists for suspicious files, analysis of any previously executed command line strings, and a review of system registry hives and event logs. 4Discovery will not view any additional files or data copied from the device unless necessary to perform a root cause analysis.
6. If there is evidence of malware on a device, 4Discovery will determine whether the malware is of the type that could result in the exfiltration of sensitive user data stored on the device. If it is, 4Discovery will perform a root cause analysis to determine when and how the malware was installed and whether it resulted in the exfiltration of sensitive information. For purposes of performing the root cause analysis, 4Discovery will not view any pictures or other files on the device until after it has discussed the nature of the analysis with counsel for the parties and obtained permission from the Custodian to do so.
7. 4Discovery shall then produce a forensic examination report for each Custodian's devices which details the examination findings.
IV. Data Disposition
8. Upon receiving written authorization provided by Counsel, 4Discovery will securely delete all collected data.

EXHIBIT D
IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF MARYLAND, SOUTHERN DIVISION
IN RE: MARRIOTT INTERNATIONAL CUSTOMER DATA SECURITY BREACH LITIGATION
THIS DOCUMENT RELATES TO: ALL CONSUMER ACTIONS
MDL NO. 19-md-2879
Judge Paul W. Grimm
REMOTE COLLECTION AND EXAMINATION PROTOCOL
Consumer Plaintiffs and Defendants (collectively, the “Parties”) in the above-captioned matter stipulate and agree to the following protocol for the collection, examination, and production of data concerning Marriott's Request for Results of Examination of Plaintiffs’ Devices, as the parties agreed to on or around January 6, 2021.
I. Device Identification
1. Prior to scheduling any remote collections or preservations, each Custodian (as agreed to by the Parties) shall provide 4Discovery a detailed schedule of electronic devices to be forensically imaged and a secure address to send a remote collection kit containing the necessary hardware. This schedule will, at a minimum, include the following information:
a. Custodian Name
b. Device Description
c. Make/Model/Serial #
d. Estimated total storage capacity (used and available for use)
II. Collection and Imaging
2. Respective to each Custodian, upon receiving the schedule of devices 4Discovery shall propose dates and times for a remote collection kit to arrive at each Custodian's provided address. A signature will be required at the time of delivery. Within 2 days of delivery, each Custodian will participate in a virtual meeting with a 4Discovery collection specialist at an agreed upon time to facilitate collection and preservation of the specified devices. Collections will be performed using industry standard tools and methodology. This methodology will vary per device. If any encryption or passcodes are being used to protect the device(s), these codes will be provided by the Custodian to 4Discovery at the time of imaging. To the extent any of the devices store information in a cloud-based storage location, the cloud storage will be included in the data being collected by 4Discovery.
3. 4Discovery shall create a full and complete forensic image of each device prior to starting any analysis. These forensic images will be shipped to the 4Discovery lab and shall reside solely in 4Discovery's custody for the length of the matter. The original device(s) will remain in the control of each Custodian and will be preserved consistent with the plaintiffs’ obligations to preserve evidence. 4Discovery will ensure that the devices are not altered or harmed in any way during the imaging process.
4. While responsive data will be sent to counsel for the Parties for review, copies of original data and forensic images collected shall not be released to counsel or experts for the Parties and shall not be released from 4Discovery's custody for any reason absent written permission from the Custodian or Court order.
III. Analysis and Production
5. 4Discovery will conduct a forensic examination of the agreed upon devices and produce a report containing the following items:
a. Malware Scans
i. 4Discovery will perform automated scans on the forensic images to look for evidence of viruses or malware and identify and review the log files of any antivirus or anti-malware programs that have been installed on the devices. This review will be performed using various antivirus scans, a review of file lists for suspicious files, analysis of any previously executed command line strings, and a review of system registry hives and event logs.
ii. 4Discovery will produce a report identifying any evidence of any viruses and/or malware found on each device, including both the current antivirus and malware findings, as well as any historical information. The report will also identify the methodology or methodologies used to scan the forensic images.
b. Web Browsing History and Bookmarked Pages
i. 4Discovery will examine the active web history information for any internet browsers found on the devices and carve or search for any deleted internet history as well. In addition, any bookmarked or otherwise saved websites in any browser or format will be examined.
ii. The report will include any analytics available on internet history and bookmarked/saved websites, such as frequency of visit, first and most recent visit, etc. The report will also include the full parsed internet history (both active and deleted-recovered) showing the full list of all available entries and all parsed metadata in an industry standard format. Additionally, the report will include all information about any bookmarked or saved websites including the location where it was found, website it points to and/or was from, and any associated dates.
c. Installed Programs/Applications
i. This examination will include the identification of all installed programs or applications, and any artifacts indicative of programs or applications that were previously installed or used that are no longer installed.
ii. The report will include a list of all installed programs and applications with the context of when and where they were installed and any relevant configuration options. Any artifacts related to previously installed programs and applications should include the location the artifact was found, any contextual details, and the program or application to which the artifact relates.
d. Notes/Documents/Text Files
i. 4Discovery will examine and/or search all notes, documents, and text files on the devices and identify any on the devices or a synchronized cloud-based account, that contain personal information or usernames, passwords, passcodes, pins, passphrases, and/or other types of security keys (e.g., answers to security questions) that the Custodian used to secure personal information or access any website, program, application, or account (as used in this protocol “passwords”). As used in this protocol, the term “personal information” is information concerning a single person, including but not limited to a person's name, gender, address, electronic mail address, telephone number, social security number, driver's license information, state identification information, passport information, telephone number, financial information, information about a person's banking or other type of account, payment card information, date of birth, place of birth, nationality, employer information, membership or loyalty program information, geolocation information, mother's maiden name, and social media account ID or profile information (including username and photo or other data from social media accounts).
ii. The report will identify all documents found that contained any personal information or passwords, including the location, dates, and metadata from the documents. Any documents found in an application, platform, cloud-based storage, or email system should include the context of where the item was found and any transfer or send/receive artifacts about the item. The report will also include a copy of any notes, documents, or text files found to contain personal information or passwords.
e. Photos/Digital Images of Personal Information or Passwords
i. 4Discovery will conduct a search for all images of items revealing personal information or passwords. While 4Discovery may start by asking the Custodians if they have any such images, this examination will also include a search and review designed to identify such images on the devices or any related online accounts. The type of images to be reported upon include photographs, screen shots, or any images of passports, drivers’ licenses, social security cards, birth certificates, credit cards, or a screenshot, image or photograph of any application, website, document, or anything else that shows personal information or passwords of the Custodian.
ii. 4Discovery will include in their report information about all images of personal information or passwords, including the details and context of how/where they were found, where they were transferred or sent to/from, and include copies of the images.
f. Cloud Storage Accounts (Google Drive, OneDrive, DropBox, etc.)
i. This examination will include identifying any and all cloud storage or file transfer platforms that were connected to the devices, synced with the devices, or that the devices accessed and with which the devices may have transferred data. Each of the cloud storage platforms identified should be collected and their data included in this overall examination. The data stored in any cloud storage platforms should be examined to determine if any of the data contains personal information or passwords.
ii. The report will include a list of all cloud storage accounts identified in the examination with contextual information and metadata, as well as a copy of any files found on cloud storage platforms found to contain personal information or passwords.
g. Apple/Google/Microsoft Account IDs
i. On each device, 4Discovery will examine any login information or accounts that are connected to the device and provide a list of any identified accounts. This shall include accounts such as Microsoft accounts being used to login to Windows computers, Apple accounts (iCloud or other) being used with any iPhones, iPads, or Mac computers, and any Google accounts being used on Android based phones, Google Chromebooks, or Windows computers.
ii. 4Discovery will include in their report a list of any accounts found to be in use as well as any accounts that may have been used historically based on any artifacts or findings on the devices examined, including the context of where and how each was found.
h. Chats & Messages
i. 4Discovery will examine all chat and messaging applications on the Custodians’ devices to identify any persistent or ephemeral messaging applications. For any applications identified, all extant messages will be parsed into readable form and searched for any personal information or passwords in the message content or as included as attachments.
ii. The reporting on this area will include a list of all chat and messaging applications found, details around where the applications reside as well as their account information and configuration. Any messages that include personal information or passwords in the message or an attachment should be included in the report as well.
i. Email
i. This examination will include identifying any email content, both messages and attachments, that may contain or refer to any personal information or passwords. This should include both email data stored on the devices and email in any online email accounts that are connected to any of the devices.
ii. This report will include any and all available metadata as well as a copy of the email messages and/or any attachments where the message or any attachment contains personal information or passwords.
j. Wireless Device Connectivity
i. 4Discovery will examine any artifacts relating to Wi-Fi network connections to determine what wireless networks were connected to, when, and using what type of security.
ii. The report will include a list of all artifacts related to connecting to wireless networks including all available metadata.
k. Bluetooth Data Transfer
i. 4Discovery will examine any artifacts related to Bluetooth connections that could facilitate data transfer, including Apple AirDrop and Android Nearby Share, or any other Bluetooth transfer applications or technologies.
ii. The report will include a list of all artifacts related to connecting to and/or transferring data with Bluetooth devices capable of data transfer, including all available metadata.
l. Passwords
i. On each device, 4Discovery will search for and identify any information they can determine may be passwords or other account credentials stored on the devices, or in any cloud storage or email platform connected to or used by the Plaintiffs on the devices. This analysis should also capture any context to the passwords/credentials such as any notes around them or site, service, or username noted with them.
ii. 4Discovery will include in their report a list of any identified passwords, account information, or other credentials as well as the context of how and where each was found. The report should be encrypted, and password protected to secure and protect this password related information as well as other sensitive information being reported upon.
m. General Search
i. In addition to the specific analysis included in the examination to attempt to locate personal information or passwords, a general non-targeted search will be run to identify personal information or passwords stored anywhere else on the devices. This search will leverage tools designed to identify personal information or passwords or search patterns designed to identify personal information or passwords.
ii. The report will include a list of all files, artifacts, or fragments containing potential personal information or passwords that were identified through this process. Any items already identified in any other analysis focus areas in this protocol may be withheld from reporting in this focus area as long as all the same information is being reported. The report should include all metadata and contextual information about what was found, where, bearing what dates, and any other metadata or information about each item. The identified items themselves should also be included in the report. The report will also identify the methodology or methodologies used to conduct this search.
n. Other Analysis
i. Any other analysis, evaluation, or steps 4Discovery deems appropriate to serve the purpose of this examination should also be performed.
ii. Forensic investigators performing an examination commonly identify other items of interest while carrying out a predetermined protocol even if not explicitly written into the protocol. If this occurs, or if 4Discovery has other ideas it believes should be included, these tasks or items will be added as additional analysis focus areas.
iii. Any additional work being performed will be included in the report describing the work and any findings or observations.
6. 4Discovery shall produce a forensic examination report for all analysis focus areas listed above including all Custodians’ devices and accounts. To the extent the information described above to be included in the report can fit and makes sense to include inline in the report, it may be included inline. But for larger sets of data that would not fit well inline, those information sets should be included as attachments to the report and/or can be produced in native form.
7. 4Discovery shall provide its report to counsel for Plaintiffs and Defendants simultaneously and as soon as possible but in no event more than 14 days following the date of this agreement.
8. 4Discovery's report shall be provided to counsel for Plaintiffs and Defendants without any screening review by Plaintiffs’ counsel.
9. If requested by either Plaintiffs’ counsel or Defendants’ counsel, 4Discovery shall make itself available to discuss its report and the methodologies used to complete it with counsel or any expert for Plaintiffs or Defendants following 4Discovery's production of the report.
IV. Data Disposition
10. Upon receiving written authorization provided by counsel for Plaintiffs and Defendants, 4Discovery will securely delete all collected data in its possession.
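The "General Search" focus area (item m) above relies on "search patterns designed to identify personal information." As an added illustration, not part of the exhibit and not 4Discovery's or any party's methodology, the Python sketch below shows what such a pattern search involves for two identifier types: a regular expression finds candidates, a structural check (SSN range rules, the Luhn checksum for card numbers) discards look-alikes, and each hit is reported with its offset and context. Masking the values in the output is a design choice of this example; the sample text and all names are constructed.

```python
import re
from dataclasses import dataclass

# SSN written as 3-2-4 digits, not embedded in a longer digit/dash run.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")
# 13 to 19 digits, each optionally followed by a single space or dash.
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


@dataclass(frozen=True)
class Hit:
    kind: str     # "ssn" or "card"
    offset: int   # character offset of the match in the scanned text
    masked: str   # matched value with all but the last four digits masked
    context: str  # surrounding text, with every detected value masked


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject number ranges that are never issued as SSNs."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Replace all digits except the last four with '*'; length is preserved."""
    total = sum(c.isdigit() for c in value)
    out, seen = [], 0
    for c in value:
        if c.isdigit():
            seen += 1
            out.append(c if seen > total - 4 else "*")
        else:
            out.append(c)
    return "".join(out)


def scan_text(text: str, context_chars: int = 20) -> list:
    """Return validated hits in order of appearance."""
    found = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            found.append((m.start(), m.end(), "ssn"))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append((m.start(), m.end(), "card"))
    found.sort()

    # Mask every hit in a copy of the text first, so that the context of one
    # hit cannot leak the raw value of a neighbouring hit.
    masked_text = text
    for start, end, _ in found:
        masked_text = masked_text[:start] + mask(text[start:end]) + masked_text[end:]

    hits = []
    for start, end, kind in found:
        ctx = masked_text[max(0, start - context_chars):end + context_chars]
        hits.append(Hit(kind, start, mask(text[start:end]), " ".join(ctx.split())))
    return hits


# Constructed sample text: two real-looking identifiers and two look-alikes.
SAMPLE = (
    "Note to self: SSN 123-45-6789, do not share.\n"
    "Order ref 900-12-3456 shipped 2021-03-08.\n"
    "Card on file: 4111 1111 1111 1111 exp 04/24\n"
    "Tracking 4111111111111112 (not a card).\n"
)

if __name__ == "__main__":
    for hit in scan_text(SAMPLE):
        print(hit)
```

The order reference and the tracking number match the raw patterns but fail validation, which is why a pattern search without such checks over-reports.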

EXHIBIT E
In re Anthem, Inc. Data Breach Litigation
Case No. 15-md-02617 LHK (NC)
Signed 04/08/2016
ORDER DENYING ANTHEM'S REQUEST TO COMPEL DISCOVERY OF PLAINTIFF'S COMPUTER SYSTEMS
Re: Dkt. No. 479

EXHIBIT F
UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA
IN RE ANTHEM, INC. DATA BREACH LITIGATION
Case No. 15-md-02617 LHK (NC)
ORDER GRANTING ANTHEM'S REQUEST TO COMPEL DISCOVERY OF PLAINTIFFS’ COMPUTER SYSTEMS, SUBJECT TO PROTOCOL
Re: Dkt. No. 549
The Anthem Defendants seek a discovery order compelling each of the named plaintiffs to provide the results of a forensic analysis of certain of their devices that connect to the internet (desktop computers, laptop computers, and tablets, but not mobile phones such as iPhones). The forensic analysis by a third party examiner is proposed to identify malicious files, historical evidence of malicious files, and event logs of anti-virus software that may have removed the malware prior to examination.
According to Anthem, the information it seeks is relevant to causation. By exploring plaintiffs’ devices, Anthem asserts that it may determine whether the plaintiffs’ computer systems contain malware, viruses, or other electronic indicators suggesting that their personally identifiable information or personal health information was compromised before the cyberattack on Anthem. Plaintiffs, on the other hand, object to the discovery as highly invasive, intrusive, and burdensome.
The Court, on referral from District Court Judge Lucy H. Koh, heard the motion on October 26, 2016. The Court at a previous hearing determined that Anthem's request for plaintiffs to produce their devices to Anthem directly was not proportional to the needs of the case. Dkt. No. 502. In that order, the Court suggested that Anthem needed a more targeted approach, and rejected Anthem's request as overly intrusive of plaintiffs’ privacy.
The Court finds that Anthem's narrowed proposal seeks relevant information and is proportional to the needs of the case. The protocol described in this order is less intrusive than Anthem's first proposal for three reasons: (1) the devices will be provided to a third party examiner, not Anthem; (2) handheld devices are excluded; and (3) the Court will limit the production to the devices of 30 plaintiffs, to be selected by Anthem.
The protocol follows. The costs of the Independent Forensic Examiner will be paid by defendants.
I. SELECTIONS OF PLAINTIFFS AND INDEPENDENT FORENSIC EXAMINER
By November 4, Anthem must identify the 30 plaintiffs who will be subject to the forensic examination. By that same date, plaintiffs must select an expert Independent Forensic Examiner (“the Independent Forensic Examiner”) from among those proposed by Anthem, that has the capacity to conduct the entire data acquisition, data preservation, and forensic review in accordance with industry standards as described in resources such as the National Institute of Standards and Technology (NIST) draft Scale-Invariant Feature Transform protocols and procedures.
This analysis will include a forensic scan of device data for the limited purpose of identifying malware or malicious files, undertaking root cause analysis of select malware when identified, and the generation of a summary report for the Defendants and their experts, as described below. At no time will Defendants or their experts be provided a copy of any forensic image collected from the Plaintiffs.
II. FORENSIC IMAGING
First, the Independent Forensic Examiner will access the selected Plaintiffs’ devices to acquire and preserve its data by creating a forensic image. The Court recommends that this data acquisition be conducted by the Independent Forensic Examiner at a location and a convenient time selected by each Plaintiff. The Independent Forensic Examiner will acquire a forensic image of each of the Plaintiffs’ devices. A forensic image is a bit by bit duplicate of the physical sectors of a device's storage media. The Independent Forensic Examiner will perform the imaging process by using industry-standard tools—AccessData FTK Imager Lite for Windows computers and Paladin 7 Boot CD/USB for Apple computers—that have been tested and validated for use in forensic examinations. The images will be captured and stored by the Independent Forensic Examiner using industry-standard methods to preserve evidentiary chain of custody and verify the forensic copy's authenticity against the original device. These methods also ensure that Plaintiffs’ devices and operating systems will not be altered or harmed. After acquiring the forensic images, the Independent Forensic Examiner will not require any further access to Plaintiffs’ devices.
III. FORENSIC REVIEW AND SCAN
After acquisition, the Independent Forensic Examiner will undertake the following steps to determine if indicators of compromise are on Plaintiffs’ devices that connect to the internet and contain electronically stored information relating to any Plaintiff. The Independent Forensic Examiner will first conduct a scan for indicators of compromise, to include malicious files, historical evidence of malicious files, and event logs of any anti-virus software that may have removed the malware prior to examination, using select tools that are tailored to the operating systems installed on the hard disks of the devices. Those tools will include commercial, off-the-shelf software, such as Malwarebytes for Windows and Windows Defender for Windows-based operating systems and Malwarebytes for Mac and Clam A/V for Apple-based operating systems.
If malware or malicious files are discovered during the initial scan of a device, the Independent Forensic Examiner will confer with Defendants’ experts regarding the findings to determine whether an additional root cause analysis is necessary. A root cause analysis determines the type of malware that was installed on the device, the date it was first installed, the method by which it was installed, and the malware's mode of operation to include whether data or credentials were stolen from the device. The Independent Forensic Examiner will conduct this root cause analysis on the same device images which were collected from Plaintiffs and subjected to the initial scan.
IV. GENERATION OF SUMMARY REPORT
At the conclusion of the analysis, the Independent Forensic Examiner will generate a report for the Parties that will contain a summary of the scans conducted on Plaintiffs’ devices, the results of those scans to include any malware or malicious files that were identified, and the results of any root cause analyses conducted on that malware or malicious files. The Independent Forensic Examiner will provide this report in an industry-standard encrypted format, with the decryption key provided through separate means. The Parties and their experts will destroy the report at the conclusion of the litigation.
V. DESTRUCTION OF FORENSIC IMAGES
The forensic images of Plaintiffs’ devices will never be supplied to the Defendants or their experts. These forensic images will be destroyed in accordance with forensic industry standards after the conclusion of the Independent Forensic Examiner's analysis.
VI. MEET AND CONFER REQUIRED
If the parties have any disputes about this Protocol, they must promptly meet and confer in an effort to resolve the dispute.
IT IS SO ORDERED.
Dated: October 31, 2016
NATHANAEL M. COUSINS
United States Magistrate Judge
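Section II of the order above describes a forensic image as a bit by bit duplicate that is verified against the original device. The following added example, which is not part of the order and is not a model of FTK Imager or Paladin, shows the hash-based form of that check in Python: the source is hashed as it is read, the image is re-read from disk and hashed independently, and per-block hashes localize any difference. The block size, file names and record layout are assumptions, and an ordinary file of constructed bytes stands in for the device.

```python
import hashlib
import os
import tempfile

BLOCK = 4096  # bytes per hashed block (assumption for this example)


def acquire(source_path, image_path, block=BLOCK):
    """Copy source to image block by block and return an acquisition record.

    The hashes are computed over the bytes read from the source, so the
    record describes the original, not whatever ended up in the image file.
    """
    whole = hashlib.sha256()
    block_hashes = []
    size = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            chunk = src.read(block)
            if not chunk:
                break
            dst.write(chunk)
            whole.update(chunk)
            block_hashes.append(hashlib.sha256(chunk).hexdigest())
            size += len(chunk)
    return {"size": size, "sha256": whole.hexdigest(),
            "block_size": block, "blocks": block_hashes}


def verify(image_path, record):
    """Re-read the image from disk and compare it with the acquisition record.

    Returns the overall verdict, the image's own hash, and the indices of
    blocks that differ from or are missing relative to the source.
    """
    whole = hashlib.sha256()
    expected = record["blocks"]
    bad = []
    size = 0
    index = 0
    with open(image_path, "rb") as img:
        while True:
            chunk = img.read(record["block_size"])
            if not chunk:
                break
            whole.update(chunk)
            size += len(chunk)
            if index >= len(expected) or \
                    hashlib.sha256(chunk).hexdigest() != expected[index]:
                bad.append(index)
            index += 1
    bad.extend(range(index, len(expected)))  # blocks cut off by truncation
    ok = size == record["size"] and whole.hexdigest() == record["sha256"]
    return {"ok": ok, "sha256": whole.hexdigest(), "bad_blocks": bad}


def demo():
    """Image a constructed 'device', then damage the image in two ways."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "device.bin")  # stand-in for storage media
        image = os.path.join(tmp, "device.img")
        data = bytes((i * 31 + 7) % 256 for i in range(BLOCK * 10 + 100))
        with open(device, "wb") as f:
            f.write(data)

        record = acquire(device, image)
        clean = verify(image, record)

        # Flip a single bit inside block 3 of the image.
        with open(image, "r+b") as f:
            f.seek(3 * BLOCK + 17)
            original = f.read(1)
            f.seek(3 * BLOCK + 17)
            f.write(bytes([original[0] ^ 0x01]))
        tampered = verify(image, record)

        # Cut the image short so the last two blocks are missing.
        with open(image, "r+b") as f:
            f.truncate(BLOCK * 9)
        truncated = verify(image, record)

        return record, clean, tampered, truncated


if __name__ == "__main__":
    record, clean, tampered, truncated = demo()
    print("source sha256:", record["sha256"])
    print("clean image  :", clean["ok"], clean["bad_blocks"])
    print("one bit flip :", tampered["ok"], tampered["bad_blocks"])
    print("truncated    :", truncated["ok"], truncated["bad_blocks"])
```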

EXHIBIT G

EXHIBIT H
Henson v. Turn, Inc.
United States District Court, N.D. California, San Francisco Division
Case No. 15-cv-01497-JSW (LB)
Signed 10/22/2018
ORDER ADJUDICATING DISCOVERY DISPUTE REGARDING REQUESTS FOR (1) INSPECTION OR FORENSIC IMAGES OF MOBILE DEVICES, (2) WEB BROWSING HISTORY, AND (3) COOKIES
Attachments to Exhibit H
March 8, 2021
The Honorable John M. Facciola (Ret.) via email to facciola@georgetown.edu
Re: In re: Marriott International, Inc. Customer Data Security Breach Litigation, 8:19-md-02879; Marriott's Response in Opposition to the Consumer Plaintiffs’ Motion for Protective Order
Dear Special Master Facciola:
Stripped of histrionics and adjectives, Plaintiffs’ motion makes three claims: (1) Marriott seeks full images of Plaintiffs’ phones and computers, (2) those devices have no relevant information, and (3) Marriott's true goal is to harass or retaliate against Plaintiffs. Each claim is incorrect.
First, Marriott's proposed protocol does not seek full images. It asks a third-party expert—whom Plaintiffs already selected—to identify relevant forensic information on their phones and computers, and then to produce only that relevant information. Second, Plaintiffs filed this case—a nationwide class action seeking hundreds of millions of dollars in damages—alleging that Marriott harmed personal information they consider “highly-sensitive” and that they “place significant value in data security.” (ECF No. 537 ¶¶ 20-95, 273.) All of their damage theories are rooted in these basic allegations—and Marriott is entitled under Rule 26 to test those allegations during discovery.
Plaintiffs’ last argument is belied by the falsity of the first two. This is not retaliation. It is discovery. Indeed, the Court has already rejected Plaintiffs’ blanket attempt to shield personal information because “[t]he entire premise of the Consumer Plaintiffs’ claims is that their PII was compromised by the Marriott data security breach, and this resulted in substantial damages.” (ECF No. 726 at 4.)
Plaintiffs’ motion to prevent discovery they essentially agreed to provide months ago is a continuation of their campaign to obstruct and delay Marriott's discovery of information necessary to its defense. Marriott asks the Court to reject Plaintiffs’ tactic.
Marriott is not seeking full images of Plaintiffs’ devices.
Plaintiffs suggest repeatedly that Marriott is seeking to review “nearly every file on—and the entire history of—Plaintiffs’ personal phone and computer use.” (Pls’ Ltr. 1; see also id. at 4-5.) Not so. Rather, just like Plaintiffs’ proposal, Marriott's protocol asks an expert of Plaintiffs’ choosing to forensically search for specific information on their devices, and then to only produce that specific information. (Compare Pl. Ltr., Ex. C (Plaintiffs’ proposal), with Pl. Ltr., Ex. D (Marriott's resp.).)
Plaintiffs’ motion also ignores that Marriott revised its protocol in response to Plaintiffs’ concerns. In fact, Marriott further narrowed its proposed protocol in its email to you on February 25, deleting the request for a forensic review of photographs that Plaintiffs claimed was too intrusive. Marriott attaches the protocol that is actually at issue—including redlines to reflect the additional offered compromise noted below—to this letter as Exhibit A.
Marriott's proposal protects against the production of irrelevant information.
Marriott's proposal asks that a third-party expert look for five categories of information:
1. Evidence of malware and other viruses. (Ex. A § III.5.a.)
2. Web browsing history and bookmarked pages. (Id. § III.5.b.)
3. Installed programs and applications. (Id. § III.5.c.)
4. Identification of the location of personal information on the devices, e.g., in emails, text messages, or text files. (Id. §§ III.5.d-h & l.)
5. Evidence of Plaintiffs’ information security habits, such as wireless and Bluetooth connectivity and security. (Id. §§ III.5.i-k.)
The search for and production of categories 1, 4, and 5 will not result in the production of extraneous information. Importantly, and contrary to Plaintiffs’ suggestion (see Pl. Ltr. 3), Marriott would not receive all of Plaintiffs’ text messages and emails—only those that reflect storing or sharing of personal information. And while categories 2 and 3 could in theory result in the production of extraneous information, the protective order prevents any such information from being used for the nefarious purposes Plaintiffs claim to fear. (See ECF No. 726 at 6 (“[U]nder the SPO discovery information can only be used to prosecute, defend, or settle the case, and the SPO contains additional protection for Highly Confidential Information and Confidential Information (including PII) by limiting who can access the information.”).) But to further assuage Plaintiffs’ concerns, Marriott has revised the protocol further (Exhibit A) to provide for its expert to inspect the data responsive to categories 2 and 3, identifying for production only relevant information.
The information Marriott seeks is relevant.
The information Marriott seeks is focused on identifying evidence of: (1) the risk of or actual theft of Plaintiffs’ personal information unrelated to the Starwood cyberattack, (2) instances where Plaintiffs freely provided to others the personal information they claim in this case to carefully protect, and (3) Plaintiffs’ security habits on devices containing their personal information. Marriott's expert, Kevin Poindexter of Crypsis, explains in the attached declaration how each category of forensic information identified above will reflect this type of evidence. (See Poindexter Dec., Ex. B.)
Plaintiffs concede the first category of information could cause data to be lost. (Pl. Ltr. 2.) But that is only the tip of the iceberg. For example, websites that people visit can result in the theft of personal information with or without malware being installed on the device. (Poindexter Dec. ¶ 6(a)(i).) Similarly, websites often allow or require people to share their personal information voluntarily. (Id.) The same is true of applications on computers and phones. (Id. ¶ 6(b)(i).) How Plaintiffs connect to wireless Internet or Bluetooth applications, and the related security settings they use, will evidence their security practices for devices that contain personal information. (Id. ¶ 6(h)-(i).)
Under Rule 26, relevance is “broadly construed to encompass any possibility that the information sought may be relevant to the claim or defense of any party.” O'Malley v. Trader Joe's E., Inc., 2020 WL 6118841, at *3 (D. Md. Oct. 15, 2020) (quotation omitted). The information Marriott seeks—that is, the risk of Plaintiffs’ information being stolen, Plaintiffs’ freely giving their information to other persons or entities, and Plaintiffs’ own security practices—meets this standard.
First, the evidence is relevant to plaintiffs’ misuse theory of damages and their request for injunctive relief. Plaintiffs concede that if their information was stolen from their own devices prior to fraud for which they blame Marriott, that is relevant to causation of that fraud. (Pl. Ltr. 2-3.) Plaintiffs argue that this means the search should be limited to devices in “use at the time of the fraud event.” (Id. at 3.) Marriott agrees that all of Plaintiffs’ devices in operation prior to any alleged fraud are relevant and should be searched for evidence of alternative sources of that fraud.
But each plaintiff also alleges that he or she “remains at a substantial and imminent risk of future harm” and that they “continue to suffer injury as a result of the compromise of their Personal Information.” (ECF No. 537 ¶¶ 20-95, 273.) Having put the future at issue, Plaintiffs cannot cut Marriott's discovery off at the date of any particular fraud. Moreover, the less securely and sensitively Plaintiffs treat their personal information—e.g., by not securing it on their electronic devices and by providing it to other third parties—the less likely a juror is to believe Plaintiffs’ claim that Marriott caused fraud or the risk of fraud. Plaintiffs also seek injunctive relief, arguing that an injunction is necessary to prevent them from injury due to further cyber-attacks. (See, e.g., id. ¶ 352.) Whether the Court issues an injunction should turn, in part, on the degree to which Plaintiffs protect their own information. If, for example, Plaintiffs do not protect their information, then an injunction would do nothing to prevent the harm they argue an injunction would protect against.
Second, the evidence Marriott seeks is relevant to Plaintiffs’ loss-of-value damages theory. Plaintiffs argue that, “as Your Honor already ruled, Plaintiffs will submit expert testimony establishing the objective value of their data on an aggregate, classwide basis.” (Pl. Ltr. 3 (emphasis in original).) They similarly attribute a ruling to you that “Plaintiffs’ damages claim that Marriott owes them the ‘value’ of their personal information does not turn on any individual plaintiff's subjective feelings about his or her data.” (Id. at 5 (emphasis in original).) Plaintiffs cite no order from you or Judge Grimm on either alleged point, and Marriott is aware of none. How and if Plaintiffs prove their alleged “lost value” theory is still in dispute, and the time has not yet come for those determinations.
In any event, Plaintiffs claim that “because their Personal Information is now in the hands of criminals, it is less valuable.” (ECF No. 473 at 14.) How Plaintiffs used or disclosed—and continue to use or disclose—their personal information, both before and after the Starwood incident, is thus relevant to whether Marriott caused their information to lose value, as well as the value of the information itself. In any market for information, information that had never been disclosed and has since never been disclosed would be more valuable than information that has been disclosed 50 times. In short, the issue is not whether a Plaintiff “loved her car”; it is whether the stolen car was missing a bumper and had 150,000 or 15 miles on it. (Compare Pl. Ltr. 3.)
Alternatively, the Court ruled that Plaintiffs could attempt to prove they were damaged based on “the economic benefit the consumer derives from being able to purchase goods and services remotely and without the need to pay in cash or a check,” specifically noting that “[c]onsumers choose whether to exchange their personal information for these goods and services every day.” In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig., 440 F. Supp. 3d 447, 462 (D. Md. 2020). The evidence Marriott seeks will inform whether Plaintiffs have suffered any inability to exchange their information. And, under the Court's order, this evidence is also relevant to determine how each of the Plaintiffs chooses to exchange his or her information for goods and services.
Third, the evidence is designed to test specific allegations that Plaintiffs make in the complaint. Each Plaintiff alleges his or her personal information is “highly sensitive.” (ECF No. 537 ¶¶ 20-95.) Each also claims to “place significant value in data security,” and “would not have stayed at a Marriott Property, purchased products or services at a Marriott Property, and/or would have paid less” if they knew what Plaintiffs allege is “the truth” about Marriott's data security. (Id. ¶¶ 273, 275.)
Marriott does not have to take Plaintiffs’ word for it. If a Plaintiff, for example, provided personal information to dozens of merchants to receive free shipping or other online discounts, that fact contradicts the allegation that Plaintiffs place significant value in data security. Plaintiffs’ browsing history and applications (e.g., applications related to specific merchants that store personal information) may contain this evidence. The evidence Marriott seeks may also show that a Plaintiff frequented a website or has an application or program known to gather or steal personal information.[1] In general, the more third parties to whom a Plaintiff provides personal information, the less likely a juror is to believe their claim that they consider this information highly sensitive or that they desire to protect the purported value of that information. And if Plaintiffs do nothing to secure the devices that contain their personal information, a reasonable juror could conclude that they do not, in fact, protect or value that information.
The discovery Marriott requests is proportional.
Proportionality is based on “the importance of the issues at stake in the action, the amount in controversy, the parties’ relative access to the relevant information, the parties’ resources, the importance of the discovery in resolving the issues, and whether the burden or expense of the proposed discovery outweighs its likely benefit.” O'Malley, 2020 WL 6118841, at *3. Plaintiffs largely ignore these factors and focus on the so-called “unprecedented” nature of Marriott's request, and rely on In re Anthem, Inc. Data Breach Litig., 2016 WL 11505231 (N.D. Cal. Apr. 8, 2016), and Henson v. Turn, Inc., 2018 WL 5281629 (N.D. Cal. Oct. 22, 2018).
These cases support the Court compelling discovery consistent with Marriott's protocol. Both orders deny discovery requests related to turning over full images to the defendant. See Anthem, 2016 WL 11505231, at *1 (“Defendants seek a discovery order compelling each of the named plaintiffs either to provide access to, or produce forensically sound images of, their computer systems that connect to the internet.”); Henson, 2018 WL 5281629, at *1 (request was “to directly access its opponents’ devices or forensic images”). And neither court stated that a full forensic image was never appropriate. The Henson court stated it did “not mean to imply that there could never be an instance where a request to directly inspect a litigant's electronic devices or forensic images, or a request that a litigant produce his complete web browsing history or cookies, would be relevant and proportional.” 2018 WL 5281629, at *8.
More to the point, Marriott's protocol does not require that a full image—or anything close to a full image—be disclosed. It targets limited areas of the devices likely to contain relevant information, as described in detail above. Thus, Anthem and Henson support Marriott: in neither case was the defendant denied all forensic information, as Plaintiffs request here.
In Anthem, the Court ordered a search for malware, as Plaintiffs admit. (Pl. Ltr. 4.) Anthem argued malware was relevant, so the court's order does not imply that the only possible relevant information on electronic devices is malware. See Anthem, 2016 WL 11505231, at *1 (“Anthem asserts that it may determine whether the plaintiffs’ computer systems contain malware, viruses, or other electronic indicators suggesting that their personally identifiable information or personal health information was compromised”).
As explained above and in Mr. Poindexter's declaration, relevant information beyond malware exists on Plaintiffs’ devices. Citing Judge Koh's comments in an unrelated hearing, Plaintiffs suggest the Anthem Court “regretted” the decision. In fact, Judge Koh rejected the challenge to the Magistrate Judge's order compelling a forensic inspection for malware. (See Ex. C.)
The Henson defendants also received significant information from the plaintiffs’ electronic systems. There, plaintiffs “already forensically imaged their devices and [were] producing information from those images” and agreed to produce any browsing history that was possibly relevant to the case. Henson, 2018 WL 5281629, at *7-8. This is what Marriott is requesting through its proposed protocol (Exhibit A). Indeed, it may be that Plaintiffs are fighting so hard here because they did not take steps to prevent the loss of relevant information from their devices.
Marriott is not harassing Plaintiffs; Plaintiffs are stonewalling Marriott.
Marriott's request is not unprecedented. “Forensic imaging is not uncommon in the course of civil discovery.” List Indus., Inc. v. Umina, 2019 WL 1933970, at *4 (S.D. Ohio May 1, 2019) (quotation omitted). And forensic information was searched and produced in both Anthem and Henson. See also In re Apple Inc. Device Performance Litig., 2019 WL 3973752, at *2 (N.D. Cal. Aug. 22, 2019) (ordering forensic review of plaintiffs’ cell phones).
As noted in Apple, “[p]laintiffs are not passive third parties or defendants sued by the party seeking the invasion.” Id. Plaintiffs chose to sue Marriott, to allege value in and the unique loss of their personal information, and to claim Marriott devalued that information and caused fraud and the risk of future fraud. And, on top of their choices, they were selected as bellwether plaintiffs in this MDL—a select group whose claims should be fully tested. “It is well-established that a plaintiff cannot bring suit and then limit the defendant's discovery that is targeted at the subject matter of the plaintiff's claims.” Id.; see also Barfell v. Brucker, 2018 WL 4568861, at *1 (E.D. Wisc. Sept. 24, 2018) (“Plaintiff's claims of deliberate indifference to his serious medical needs place his medical health at issue, which entitles Defendants to conduct discovery related to his medical health and to obtain his medical records.”).
But that is what Plaintiffs have done throughout this litigation. They have produced few documents (all but a handful have produced fewer than 100 pages), evasively answered interrogatories, redacted personal information they put at issue, and continued to stymie Marriott's attempts to discover relevant information from third parties.
Sincerely,
/s/ Daniel R. Warren
/s/ Gilbert S. Keteltas
/s/ Lisa M. Ghannoum
Co-Lead Counsel for Marriott

Footnotes
[1] Plaintiffs quip that “how does Marriott show whether a website is ‘vulnerable?’ ” Expert testimony is one answer, and Plaintiffs know this. What's more, it is well known and documented that some types of websites are riskier than others. See https://usa.kaspersky.com/blog/risky-websites-42/15946/; https://www.sagacent.com/dangerous-websites-on-internet/.

EXHIBIT A TO LETTER
IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF MARYLAND, SOUTHERN DIVISION
IN RE: MARRIOTT INTERNATIONAL CUSTOMER DATA SECURITY BREACH LITIGATION
THIS DOCUMENT RELATES TO: ALL CONSUMER ACTIONS
MDL NO. 19-md-2879
Judge Paul W. Grimm
REMOTE COLLECTION AND EXAMINATION PROTOCOL
Consumer Plaintiffs shall submit their devices that connect to the Internet to the following protocol for the collection, examination, and production of data concerning Marriott's Request for Results of Examination of Plaintiffs’ Devices.
I. Device Identification
1. Prior to scheduling any remote collections or preservations, each Consumer Plaintiff (referred to as “Custodians”) shall provide 4Discovery a detailed schedule of electronic devices they own that connect to the Internet and a secure address to send a remote collection kit containing the necessary hardware. This schedule will, at a minimum, include the following information:
a. Custodian Name
b. Device Description
c. Make/Model/Serial #
d. Estimated total storage capacity (used and available for use)
II. Collection and Imaging
2. Respective to each Custodian, upon receiving the schedule of devices 4Discovery shall propose dates and times for a remote collection kit to arrive at each Custodian's provided address. A signature will be required at the time of delivery. Within 2 days of delivery, each Custodian will participate in a virtual meeting with a 4Discovery collection specialist at an agreed upon time to facilitate collection and preservation of the specified devices. Collections will be performed using industry standard tools and methodology. This methodology will vary per device. If any encryption or passcodes are being used to protect the device(s), these codes will be provided by the Custodian to 4Discovery at the time of imaging. To the extent any of the devices store information in a cloud-based storage location, the cloud storage will be included in the data being collected by 4Discovery.
3. 4Discovery shall create a full and complete forensic image of each device prior to starting any analysis. These forensic images will be shipped to the 4Discovery lab and shall reside solely in 4Discovery's custody for the length of the matter. The original device(s) will remain in the control of each Custodian and will be preserved consistent with the plaintiffs’ obligations to preserve evidence. 4Discovery will ensure that the devices are not altered or harmed in any way during the imaging process.
4. While responsive data will be sent to counsel for the Parties for review, copies of original data and forensic images collected shall not be released to counsel or experts for the Parties and shall not be released from 4Discovery's custody for any reason absent written permission from the Custodian or Court order.
III. Analysis and Production
5. 4Discovery will conduct a forensic examination of the agreed upon devices and produce a report containing the following items:
a. Malware Scans
i. 4Discovery will perform automated scans on the forensic images to look for evidence of viruses or malware and identify and review the log files of any antivirus or anti-malware programs that have been installed on the devices. This review will be performed using various antivirus scans, a review of file lists for suspicious files, analysis of any previously executed command line strings, and a review of system registry hives and event logs.
ii. 4Discovery will produce a report identifying any evidence of any viruses and/or malware found on each device, including both the current antivirus and malware findings, as well as any historical information. The report will also identify the methodology or methodologies used to scan the forensic images.
b. Web Browsing History and Bookmarked Pages
i. 4Discovery will examine the active web history information for any internet browsers found on the devices and carve or search for any deleted internet history as well. In addition, any bookmarked or otherwise saved websites in any browser or format will be examined.
ii. The report will include any relevant analytics available on internet history and bookmarked/saved websites, such as frequency of visit, first and most recent visit, etc. The report will also include the full parsed relevant internet history (both active and deleted-recovered) showing the full list of all available entries and all parsed metadata in an industry standard format. Additionally, the report will include all relevant information about any bookmarked or saved websites including the location where it was found, website it points to and/or was from, and any associated dates.
iii. Relevant information to be included in the report pursuant to Part 5.III.b will be identified through a remote-inspection during which 4Discovery hosts a remotely accessible platform for Marriott's expert to remotely access and analyze all forensically identified web history without the ability to save or download any information. Any information sought for production will be marked during this analysis and reviewed by Plaintiffs’ counsel for privilege or other applicable protections prior to production.
c. Installed Programs/Applications
i. This examination will include the identification of all installed programs or applications, and any artifacts indicative of programs or applications that were previously installed or used that are no longer installed.
ii. The report will include a list of all relevant installed programs and applications with the context of when and where they were installed and any relevant configuration options. Any artifacts related to previously installed programs and applications should include the location the artifact was found, any contextual details, and the program or application to which the artifact relates.
iii. Relevant information to be included in the report pursuant to Part 5.III.c will be identified through the process described in Part 5.III.b.iii.
d. Notes/Documents/Text Files
i. 4Discovery will examine and/or search all notes, documents, and text files on the devices and identify any on the devices or a synchronized cloud-based account, that contain personal information or usernames, passwords, passcodes, pins, passphrases, and/or other types of security keys (e.g., answers to security questions) that the Custodian used to secure personal information or access any website, program, application, or account (as used in this protocol “passwords”). As used in this protocol, the term “personal information” is information concerning a single person, including but not limited to a person's name, gender, address, electronic mail address, telephone number, social security number, driver's license information, state identification information, passport information, telephone number, financial information, information about a person's banking or other type of account, payment card information, date of birth, place of birth, nationality, employer information, membership or loyalty program information, geolocation information, mother's maiden name, and social media account ID or profile information (including username and photo or other data from social media accounts).
ii. The report will identify all documents found that contained any personal information or passwords, including the location, dates, and metadata from the documents. Any documents found in an application, platform, cloud-based storage, or email system should include the context of where the item was found and any transfer or send/receive artifacts about the item. The report will also include a copy of any notes, documents, or text files found to contain personal information or passwords.
e. Cloud Storage Accounts (Google Drive, OneDrive, DropBox, etc.)
i. This examination will include identifying any and all cloud storage or file transfer platforms that were connected to the devices, synced with the devices, or that the devices accessed and with which the devices may have transferred data. Each of the cloud storage platforms identified should be collected and their data included in this overall examination. The data stored in any cloud storage platforms should be examined to determine if any of the data contains personal information or passwords.
ii. The report will include a list of all cloud storage accounts identified in the examination with contextual information and metadata, as well as a copy of any files found on cloud storage platforms found to contain personal information or passwords.
f. Apple/Google/Microsoft Account IDs
i. On each device, 4Discovery will examine any login information or accounts that are connected to the device and provide a list of any identified accounts. This shall include accounts such as Microsoft accounts being used to login to Windows computers, Apple accounts (iCloud or other) being used with any iPhones, iPads, or Mac computers, and any Google accounts being used on Android based phones, Google Chromebooks, or Windows computers.
ii. 4Discovery will include in their report a list of any accounts found to be in use as well as any accounts that may have been used historically based on any artifacts or findings on the devices examined, including the context of where and how each was found.
g. Chats & Messages
i. 4Discovery will examine all chat and messaging applications on the Custodians’ devices to identify any persistent or ephemeral messaging applications. For any applications identified, all extant messages will be parsed into readable form and searched for any personal information or passwords in the message content or as included as attachments.
ii. The reporting on this area will include a list of all chat and messaging applications found, details around where the applications reside as well as their account information and configuration. Any messages that include personal information or passwords in the message or an attachment should be included in the report as well.
h. Email
i. This examination will include identifying any email content, both messages and attachments, that may contain or refer to any personal information or passwords. This should include both email data stored on the devices and email in any online email accounts that are connected to any of the devices.
ii. This report will include any and all available metadata as well as a copy of the email messages and/or any attachments where the message or any attachment contains personal information or passwords.
i. Wireless Device Connectivity
i. 4Discovery will examine any artifacts relating to Wi-Fi network connections to determine what wireless networks were connected to, when, and using what type of security.
ii. The report will include a list of all artifacts related to connecting to wireless networks including all available metadata.
j. Bluetooth Data Transfer
i. 4Discovery will examine any artifacts related to Bluetooth connections that could facilitate data transfer, including Apple AirDrop and Android Nearby Share, or any other Bluetooth transfer applications or technologies.
ii. The report will include a list of all artifacts related to connecting to and/or transferring data with Bluetooth devices capable of data transfer, including all available metadata.
k. Passwords
i. On each device, 4Discovery will search for and identify any information they can determine may be passwords or other account credentials stored on the devices, or in any cloud storage or email platform connected to or used by the Plaintiffs on the devices. This analysis should also capture any context to the passwords/credentials such as any notes around them or site, service, or username noted with them.
ii. 4Discovery will include in their report a list of any identified passwords, account information, or other credentials as well as the context of how and where each was found. The report should be encrypted, and password protected to secure and protect this password related information as well as other sensitive information being reported upon.
l. General Search
i. In addition to the specific analysis included in the examination to attempt to locate personal information or passwords, a general non-targeted search will be run to identify personal information or passwords stored anywhere else on the devices. This search will leverage tools designed to identify personal information or passwords or search patterns designed to identify personal information or passwords.
ii. The report will include a list of all files, artifacts, or fragments containing potential personal information or passwords that were identified through this process. Any items already identified in any other analysis focus areas in this protocol may be withheld from reporting in this focus area as long as all the same information is being reported. The report should include all metadata and contextual information about what was found, where, bearing what dates, and any other metadata or information about each item. The identified items themselves should also be included in the report. The report will also identify the methodology or methodologies used to conduct this search.
m. Other Analysis
i. Any other analysis, evaluation, or steps 4Discovery deems appropriate to serve the purpose of this examination should also be performed.
ii. Forensic investigators performing an examination commonly identify other items of interest while carrying out a predetermined protocol even if not explicitly written into the protocol. If this occurs, or if 4Discovery has other ideas it believes should be included, these tasks or items will be added as additional analysis focus areas.
iii. Any additional work being performed will be included in the report describing the work and any findings or observations.
6. 4Discovery shall produce a forensic examination report for all analysis focus areas listed above including all Custodians’ devices and accounts. To the extent the information described above to be included in the report can fit and makes sense to include inline in the report, it may be included inline. But for larger sets of data that would not fit well inline, those information sets should be included as attachments to the report and/or can be produced in native form.
7. 4Discovery shall provide its report to counsel for Plaintiffs and Defendants simultaneously and as soon as possible but in no event more than 1421 days following the date of this agreementPlaintiffs are ordered to conduct the forensic examination described in this protocol.
8. Except for the review process identified in Parts III.5.b & c, 4Discovery's report shall be provided to counsel for Plaintiffs and Defendants without any screening review by Plaintiffs’ counsel.
9. If requested by either Plaintiffs’ counsel or Defendants’ counsel, 4Discovery shall make itself available to discuss its report and the methodologies used to complete it with counsel or any expert for Plaintiffs or Defendants following 4Discovery's production of the report.
IV. Data Disposition
10. Upon receiving written authorization provided by counsel for Plaintiffs and Defendants, 4Discovery will securely delete all collected data in its possession.
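The pattern-based search that Part III.5.l of the protocol describes can be sketched as follows. This is an added illustration, not part of the court record and not 4Discovery's or Crypsis's methodology; the patterns, the validation rules, the masking of hits, and the sample bytes are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    kind: str      # "card", "ssn" or "credential"
    offset: int    # byte offset of the match inside the scanned fragment
    masked: str    # redacted form, so working notes do not copy the secret


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out most random digit runs that look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """Reject number ranges that are never issued as SSNs (000, 666, 9xx, 00, 0000)."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)", re.ASCII)
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)", re.ASCII)
# Keywords follow the protocol's definition of "passwords".
CRED_RE = re.compile(r"\b(password|passcode|passphrase|pin)\s*[:=]\s*(\S+)",
                     re.ASCII | re.IGNORECASE)


def scan_fragment(data: bytes) -> list[Hit]:
    """Search raw bytes (temp file, carved fragment) for candidate PII and credentials."""
    # latin-1 maps every byte to one character, so string offsets equal byte
    # offsets and undecodable binary data never raises.
    text = data.decode("latin-1")
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(Hit("card", m.start(), "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        if ssn_ok(*m.groups()):
            hits.append(Hit("ssn", m.start(), "***-**-" + m.group(3)))
    for m in CRED_RE.finditer(text):
        # Record only the length of the value, never the value itself.
        hits.append(Hit("credential", m.start(2), f"<{len(m.group(2))} chars>"))
    return sorted(hits, key=lambda h: h.offset)


# Constructed sample: a binary-prefixed fragment with true and false positives.
SAMPLE = (
    b"\x00\xffnotes.tmp\x00"
    b"card on file: 4111 1111 1111 1111\n"   # well-known test number, passes Luhn
    b"order ref: 1234 5678 9012 3456\n"      # 16 digits, fails Luhn
    b"ssn 123-45-6789\n"                     # plausible SSN format
    b"part no 000-12-3456\n"                 # SSN-shaped, area 000 is never issued
    b"bank portal password: Tr0ub4dor&3\n"
)

if __name__ == "__main__":
    for hit in scan_fragment(SAMPLE):
        print(f"{hit.offset:5d}  {hit.kind:<10}  {hit.masked}")
```

Without the checksum and range checks, the order reference and part number in the sample would be reported as a payment card and a social security number, which is the false-positive volume a non-targeted search of this kind has to control.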

EXHIBIT B TO LETTER
IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF MARYLAND, SOUTHERN DIVISION
IN RE: MARRIOTT INTERNATIONAL CUSTOMER DATA SECURITY BREACH LITIGATION
THIS DOCUMENT RELATES TO: ALL CONSUMER ACTIONS
MDL NO. 19-md-2879
Judge Paul W. Grimm
DECLARATION OF KEVIN T. POINDEXTER
I, Kevin T. Poindexter, declare as follows:
1. I am a Senior Consultant at Crypsis, a Palo Alto Networks Company (“Crypsis”), a cybersecurity consulting firm specializing in digital forensic investigations, data breach and computer crime response, and cyber risk management services. I have personal knowledge of the following facts, and if called to testify, I could and would competently testify thereto. Crypsis was retained by Baker & Hostetler LLP (“Counsel”), on behalf of its client Marriott, to provide digital forensic consulting services in this matter.
2. Prior to my employment at Crypsis, I served as a sworn law enforcement officer with over 20 years of service. I have more than 10 years of training and experience in digital and mobile forensics, including conducting and overseeing forensic acquisitions and analyses of laptops, desktops, servers, and mobile devices in criminal investigations, civil litigation, and internal investigations. I have extensive training and experience in using computer and mobile forensic tools and techniques, including tools such as Blacklight, Cellebrite, Forensic Toolkit, Magnet AXIOM and X Ways Forensic. I also have received training in the investigation and analysis of networked and stand-alone computer systems and mobile devices, including Microsoft Windows, Mac, and Linux operating systems and Android and Apple-branded mobile devices. I have forensically acquired and analyzed hundreds of digital media items, including desktops, laptops, mobile devices, and server computers. I have performed forensic analysis on a wide range of digital forensic matters, including metadata analysis, file transfer, deletion activity, and electronic document movement chronology among different storage media. I hold active certifications as a Commonwealth of Virginia Certified Law Enforcement Officer, National White-Collar Crime Center Certified Cyber Crime Examiner (3CE), Cellebrite Certified Physical Analyst (CCPA), and Certified Blacklight Examiner (CBE). Attached as Exhibit A is a copy of my curriculum vitae, which details additional aspects of my qualifications, experience, and background.
3. I understand that Plaintiffs have alleged certain incidents of identity theft occurred in this matter. A critical component of understanding how identity theft could have occurred, or whether it can be attributed to a particular source, is determining how Plaintiffs stored, used, and shared their personal information. Insecure storage or sharing of personal information could lead to identity theft separate and apart from any security incident that may have occurred at Starwood. Additionally, the secure sharing or storing of personal information to an online platform that then experienced a security incident could also have resulted in the release of sensitive personal information, separate and apart from any security incident that may have occurred at Starwood. Understanding how Plaintiffs stored their personal information, how they shared that information, and with whom the information was shared prior to any alleged incidents of identity theft is critical in identifying how those alleged to have committed these fraudulent acts may have come into possession of Plaintiffs’ personal information. This identification process would best be performed on the device Plaintiffs used prior to the time of any claim of identity theft. To the extent the devices in use prior to the claims of identity theft no longer exist, examining Plaintiffs’ current devices can provide information about how they use, store, and share personal information.
4. I also understand that there are claims of ongoing risk related to Plaintiffs’ personal information in this matter. To the extent ongoing risk is a factor, the alleged risk continues to the present day and beyond. As such, any storage, use, or sharing of personal information to present day is relevant to determine how the information is stored and shared, and what risks may exist related to the personal information separate and apart from any security incident that may have occurred at Starwood, either before or after the time of the alleged security incident with Starwood.
5. Personal information can be freely offered into a variety of applications and web sites. It can also be stolen by programs or websites designed to capture and transmit personal information. An analysis of what applications were installed and what websites were visited will help demonstrate how personal information may have been shared/stolen. Analysis of what cloud platforms or what online email, chat, or other systems were in use will also help determine what other systems may have been involved in any potential theft of personal information through other online resources. Analysis of wireless and Bluetooth connection will help identify whether or not each examined Plaintiff connected to insecure wireless connections which may have stolen, or contributed to the theft of personal information. Analysis of notes, documents, and general searches for personal information will help identify if and where personal information was stored on Plaintiffs’ devices. Any identified information would then be evaluated for how it may have been stored, used, or shared, contributing to the potential for identity theft or ongoing risk. Malware or viruses on the Plaintiffs’ computers will be identified both for current infections as well as log files showing historical infections which could potentially steal personal information. Finally, any passwords or other credentials stored on Plaintiffs’ computers will be evaluated to determine whether or not Plaintiffs engaged in sub-optimal security practices such as using the same passwords for multiple services. If so, any system that experienced a security incident but did not include any personal information could be relevant if the same password or credential was also used for some other service that did store personal information.
6. The following analysis areas are typically found on the devices selected for examination and are a sampling of the data that could be analyzed in order to provide conclusions of how each plaintiff stored, used, shared, and secured their personal information on their devices as well as identify potential areas where this data may have been publicly exposed or used for identity theft or fraud. This analysis could be performed leveraging the collection process proposed by Plaintiffs utilizing their own expert for the collection, analysis process, and production of data described in this protocol.
a) Web Browsing History and Bookmarked Pages
i. Websites can be a platform where personal information is stored or shared. Some websites can also be sources of potential compromise for a device as some websites can steal personal information with or without leaving malware on a device, allow an attacker to gain access to a device, passwords, or credentials, or to plant viruses or malware onto a device for later exploitative use. As such, websites visited on the devices could have allowed personal information to be either publicly exposed or used for identity theft or fraud. I understand Plaintiffs object to providing their entire web history. As such, I would recommend a remote-inspection approach where Plaintiffs’ experts or other consultants would host a remotely accessible platform where I could remotely access and analyze web browsing activity on Plaintiffs’ devices without the ability to save or download any information. Any data sought for production from Plaintiffs to Defendant would be marked in the course of this analysis and reviewed by Plaintiffs’ counsel for privilege prior to production.
b) Installed Programs/Applications
i. Programs and applications can store, process, or transmit personal information and may have allowed personal information to be either publicly exposed, or used for identity theft or fraud if those areas of the devices or the applications themselves were compromised. I understand Plaintiffs also object to providing a full listing of applications and programs installed on their devices. As such, I would recommend a similar remote-inspection approach.
c) Notes/Documents/Text Files
i. Documents in many different formats can contain personal information. If the location in which these documents were stored, or any other platform, system, or application that stored or transferred the documents was compromised, that could have allowed personal information to be either publicly exposed or used for identity theft or fraud.
d) Cloud Storage Accounts (Google Drive, OneDrive, DropBox, etc.)
i. Personal information stored in cloud storage platforms, if compromised, could have allowed personal information to be either publicly exposed, or used for identity theft or fraud, even without any compromise occurring on the devices themselves.
e) Apple/Google/Microsoft Account IDs
i. Plaintiffs’ accounts used to login or sync any devices may have been compromised, which may have allowed personal information to be either publicly exposed or used for identity theft or fraud.
f) Chats & Messages
i. Individuals often share personal information through chat and messaging platforms on their devices and may have allowed this sensitive information to be inadvertently publicly exposed if those areas of the devices or the messaging platforms themselves were compromised.
g) Email
i. Personal information in email accounts can be sent to other people; email accounts can be compromised, or locally stored email data can be stolen if a device storing the data is compromised. As such, any personal information stored in email on the devices or in accounts associated with the devices could have allowed personal information to be either publicly exposed or used for identity theft or fraud.
h) Wireless Device Connectivity
i. Wireless devices used while traveling can be subject to interception or access by third parties when connecting to insecure or unofficial wireless networks. Connection to insecure or otherwise questionable wireless networks may have allowed personal information to be either publicly exposed or used for identity theft or fraud.
i) Bluetooth Data Transfer
i. Sharing or transferring information via Bluetooth can result in inadvertent disclosure of information to unknown third parties if the security of Bluetooth connections is not carefully verified before sending data. Even accidental sharing of information with an unknown third party can cause personal information to be either publicly exposed or used for identity theft or fraud.
j) Passwords
i. Any stored passwords may have been accessed by an attacker if the device or account holding the stored password information was compromised. Also, it is common for some users to use the same password for multiple accounts and a compromise of one system or platform that does not contain any personal information could lead to an attacker accessing other platforms that do contain personal information leveraging the same password.
k) Malware Scans
i. Computer viruses and malware can be used by attackers to steal personal information, to gain remote access to a device, or for a variety of other purposes. If an attacker did compromise any of the devices, the associated accounts, or any of the platforms or information protecting personal information, then the compromise could have allowed personal information to be either publicly exposed or used for identity theft or fraud.
l) General Search
i. Temporary files, uncommon file types, or other unexpected storage locations may contain copies of personal information that a Custodian does not even know exist but could nonetheless be accessed by an attacker if the device was compromised. If an attacker were able to gain access to any of these files, the compromise could have allowed personal information to be either publicly exposed or used for identity theft or fraud.
7. Because we need to understand how Plaintiffs stored, used, and shared personal information in order to evaluate the risks posed for potential identity theft, other types of potential fraud, and ongoing risk, the types of analysis described above are necessary, narrowly tailored to identify relevant information, and involve limited burden on Plaintiffs.
8. I declare under the penalty of perjury that the foregoing is true and correct.
Executed on March 8, 2021 at Lynchburg, Virginia.
Kevin T. Poindexter
 
EXHIBIT A to Declaration
Kevin Poindexter
CRYPSIS, A PALO ALTO NETWORKS COMPANY
Senior Consultant, March 2019 to Present
McLean, VA
Maintain an active case load of digital forensic engagements in internal investigations, civil matters, and cybercrime engagements. Perform digital forensic acquisitions and examinations on laptop and desktop computers, e-mail and file servers, handheld/mobile devices, and network logs. Types of analysis include (but are not limited to) document authentication, the theft or misappropriation of intellectual property or other data, computer hardware forensics and data recovery, and investigations into computer/network intrusions or hacking.
LYNCHBURG SHERIFF'S OFFICE
Sworn Auxiliary Deputy Sheriff, March 2019 to Present
Lynchburg, VA
Sworn to maintain full Certified Law Enforcement Officer powers, including arrest authority, in the Commonwealth of Virginia.
LYNCHBURG POLICE DEPARTMENT
Detective, January 1999 to March 2019
Lynchburg, VA
Served as detective and digital forensic examiner in the department's criminal investigations division and forensics unit. Participated in local, state, and federal investigations into a wide array of traditional and cyber-based crimes involving data breaches, wire fraud, and organized crime. Duties included interviewing witnesses, interrogating suspects, completing written reports detailing response, forensic procedures, and evidentiary findings, as well as testifying in court. Provided law enforcement digital forensic imaging, mobile device data extractions, examination, and investigative services for a number of federal agencies including the United States Secret Service, Federal Bureau of Investigation, Bureau of Alcohol Tobacco and Firearms, Department of Health and Human Services, Social Security Administration and the U.S. Department of Homeland Security Investigations, as well as local police and sheriff's departments across the Commonwealth of Virginia.
EDUCATION
LIBERTY UNIVERSITY
B.S., Criminal Justice, May 2010
Testimony
I have provided investigative testimony in more than 200 court appearances over the past 22 years as a sworn law enforcement officer in both state and federal court. Most of the cases that I have testified in from 2011 to present were related to criminal investigations I conducted and/or subsequent digital forensic examinations that I performed on computers and mobile devices related to various criminal offenses. The cases listed below are cases in which I was qualified as an expert and provided testimony as an expert in the field of digital forensics.
Circuit Court, Bedford County, Virginia
Commonwealth v. Kevin Soto-Bonilla – CR17000350 - Capital Murder – 2019. Provided expert trial testimony leading to a conviction of my acquisition and examination of multiple mobile devices and WhatsApp communications tying defendant's involvement related to a MS-13 gang related homicide.
Commonwealth v. Victor Rodas – CR17000180 - Capital Murder – 2018. Provided expert testimony of my acquisition and examination of multiple mobile devices and WhatsApp communications tying defendant's involvement related to a MS-13 gang related homicide.
Circuit Court, City of Lynchburg, Virginia
Commonwealth v. Gary Hicks – CR16000089 – Possession of Child Pornography – 2016. Provided expert trial testimony leading to a conviction concerning child sexual exploitation material located on defendant's computer.
Circuit Court, Amherst County, Virginia
Commonwealth v. Edward Leroy Marshall, JR. – CR15M15271-03 – 2nd Degree Murder – 2016. Provided expert testimony leading to a conviction, related to cellphone data connecting the defendant to the homicide.
Commonwealth v. Cordell Carter – CR14015034-01 – 1st Degree Murder – 2014. Provided expert testimony leading to a conviction, related to cellphone data connecting the defendant to the homicide.
Circuit Court, Campbell County, Virginia
Commonwealth v. Darrell Wayne Delp – CR14000085 – Agg Sexual Battery of multiple children <13 and Possession of Child Pornography – 2014. Provided expert trial testimony leading to a conviction, concerning child sexual exploitation material created by defendant which was found on defendant's computer and additional digital media.
Juvenile & Domestic Relations Court, Nelson County, Virginia
Commonwealth v. Kenneth Alan Spratt – CR14000065 - Object Sex Pen: Victim <13 and Possession of Child Pornography – 2014. Provided expert testimony during a preliminary hearing leading to a guilty plea and conviction, concerning child sexual exploitation material created by defendant which was found on defendant's computer and additional digital media.
CERTIFICATIONS
Certified Cyber Crime Examiner (3CE), National White-Collar Crime Center (NW3C), January 2019 to Present
Cellebrite Certified Physical Analyst (CCPA), June 2017 to Present
Cellebrite Certified Operator (CCO), September 2015 to Present
BlackBag Technologies Blacklight Certified Examiner (BCE), July 2015 to Present
Virginia Certified Law Enforcement Officer, Virginia Department of Criminal Justice Services, June 1999 to Present
DME Forensics, DVR Examiner User Certification, September 2017 to 2019
AccessData Certified Examiner (ACE), April 2012 to 2015
PROFESSIONAL AND CIVIC AFFILIATIONS
Senior Vice President, Blue Ridge Chapter, Virginia Police Benevolent Association, June 2018 to Present
Associate Member, Association of Certified Fraud Examiners (ACFE), December 2018 to Present
Member, High Tech Crime Investigator's Association (HTCIA), Mid-Atlantic Chapter, March 2017 to Present
Member, Virginia Commonwealth's Attorney's Services Council, Cybercrime Task Force, 2018 to 2019
Affiliate Member, Southern Virginia Internet Crimes Against Children Task Force, 2011 to 2019
Regional Director, Central Shenandoah Region, Virginia Gang Investigator's Association, 2006 to 2019
LPD Member, Lynchburg Sexual Assault Response Team, March 2011 to March 2019
President, Blue Ridge Chapter, Virginia Police Benevolent Association, June 2012 to June 2018
Treasurer/Board Member, Big Brothers & Big Sisters of Central Virginia, June 2011 to December 2017
Founding Member of Youth Education and Support (YES) Program, 2005 to 2006
LPD Member, Lynchburg Sexual Assault Response Team, 2011 to 2019
DIGITAL FORENSIC TRAINING
SANS Institute
September 2019: FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
National Computer Forensic Institute
February 2018: Network Intrusion Response Program (NITRO)
June 2016: Paraben Mobile Forensics
September 2015: Mobile Device Examiner Course (MDE)
Teel Technologies
November 2017: In-System Programming (ISP) for Mobile Devices
National White Collar Crime Center (NW3C)
September 2016: Basic Network Intrusion Investigations
August 2016: Intro to Computer Networks
November 2015: Macintosh Forensic Analysis
July 2013: iDevice Forensics
July 2013: Macintosh Triage and Imaging
June 2013: Windows Internet Trace Evidence
May 2013: Windows Artifacts
March 2012: Intermediate Data Recovery & Acquisition
August 2011: Basic Data Recovery & Acquisition (BDRA)
Digital Intelligence
April 2012: AccessData Bootcamp
September 2011: EnCase Versatile Preservation & Examination Responder (VPER)
September 2011: Digital Forensics w/ FRED
AWARDS AND RECOGNITION
Lynchburg Commonwealth's Attorney's Office, Outstanding Police Service Award, Digital Forensics, May 2016
Lynchburg Police Department, Meritorious Service Award, Digital Forensics, May 2016
United States Secret Service, Certificate of Appreciation for Digital Forensic Work, May 2015
Federal Bureau of Investigation, Certificate of Appreciation for Digital Forensic Work, May 2015
U.S. Social Security Administration OIG, Letter of Commendation for Digital Forensic Work, July 2012
Over 100 Lynchburg Police Department Commendations, January 1999 to 2019
TEACHING AND PRESENTATIONS
General Instructor, Virginia Department of Criminal Justice Services, June 2003 to December 2020
Investigations Instructor, Central Virginia Criminal Justice Academy
Digital Forensic Investigations, 2012 to 2019
Gang/Organized Crime Investigations Instructor, Central Virginia Criminal Justice Academy Basic/In-Service Police Academy, 2006 to 2015
Criminal Justice Course Instructor, Liberty University, 2012
Gang Identification Instructor, Virginia Attorney General's Office, 2012
Background Investigations Instructor, Southwestern Virginia Criminal Justice Academy
Virginia Forensic Nurses Annual Conference, November 2009
Virginia Commonwealth Attorney's Service Council, January 2009
Strategic Therapy Associates Annual Conference, May 2008
Virginia Crime Stoppers Annual Conference, 2007
 
EXHIBIT C TO LETTER
UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA, SAN JOSE DIVISION
In Re Anthem, Inc. Data Breach Litigation
Case No: 15-md-02617-LHK (NC)
MOTION FOR RELIEF FROM NONDISPOSITIVE PRETRIAL ORDER OF MAGISTRATE JUDGE
[REDACTED VERSION OF DOCUMENT SOUGHT TO BE SEALED]
On October 31, 2016, Magistrate Judge Cousins issued a discovery order requiring thirty plaintiffs to produce their PCs, laptops, and tablets for mirror imaging. (Friedman Decl., Ex. 1.) [REDACTED] If upheld, this order would mark the first time data breach victims have been subjected to intrusive forensic inspections of their personal devices, and would likely chill future participation in this and other data breach litigation.
Plaintiffs respectfully request that the Court set aside the order, as Judge Cousins applied the wrong legal standard. The law requires a heightened showing of good cause before private individuals may be compelled to provide mirror images of their personal devices—in recognition of the vast compendia of private information that such mirror images inevitably contain. Judge Cousins failed to apply this heightened standard, and as a result allowed Defendants to proceed with what he termed a “fishing expedition.” If Defendants were not requesting that Plaintiffs’ digital devices be cloned, such a fishing expedition might be permissible. There is a possibility, however slight, that one of the rare forms of PC crimeware capable of exfiltrating data was installed on a plaintiff's computer around the time of the Anthem data breach. If that crimeware were still detectible two years later, its existence could be relevant under one of the three damages theories Plaintiffs are pursuing. But when the form of discovery sought involves mirroring every bit of digital information on Plaintiffs’ devices, a different standard is required—a higher standard of relevancy that should have been applied below.
The discovery order could also be set aside on two other grounds. The first is that the underlying document request Defendants moved to enforce was legally impermissible. It sought to require Plaintiffs to generate new data that would be provided to Defendants, even though Rule 34 only authorizes a party to request things already in existence. The second is that, even if mirror images were not involved, Judge Cousins could not weigh the relevance and intrusiveness of the protocol Defendants are now requesting without first knowing what that analysis would entail.
Plaintiffs appreciate that Judge Cousins was trying to accommodate Defendants, who have scaled back what they are asking for, with the close of discovery in the offing. But Defendants’ proposal still involves the highly-invasive and unsettling procedure of cloning Plaintiffs’ digital devices. Judge Cousins's earlier observation still applies: “there is an Orwellian irony to the proposition that in order to get relief for a theft of one's personal information, a person has to disclose even more personal information, including an inspection of all his or her devices that connect to the internet.” (4/8/16 Order [Dkt. No. 502] at 2.) Mirror imaging of digital devices by independent experts is reserved for “extreme situations” under the law, such as when a particular computer is the subject of the lawsuit. Data breach cases have never before been found to pose such an “extreme situation,” but it will undoubtedly become common for defendants to demand mirror imaging of plaintiffs’ devices in future data breach cases if this discovery order is permitted to stand. Plaintiffs accordingly urge the Court to exercise its authority under Rule 72(a) and set aside the present discovery order as contrary to law.
A. Judge Cousins Applied The Wrong Legal Standard.
Under Rule 72(a), the Court is empowered to modify or set aside Judge Cousins’ discovery order if it is “clearly erroneous or contrary to law.” The Court's review of the underlying factual determinations should be deferential, but its review of the underlying law is de novo (as is its review of mixed questions of law and fact), and the Court should reverse if it finds that Judge Cousins applied the wrong legal standard or failed to apply relevant case law. See Silicon Storage Tech. v. Nat'l Union Fire Ins. Co. of Pittsburgh, PA, No. 13-CV-05658-LHK, 2015 WL 5168696, at *4 (N.D. Cal. Sept. 3, 2015) (“a magistrate judge's legal conclusions are reviewed de novo to determine whether they are contrary to law”); Ingram v. PG&E, No. 12-CV-02777-JST, 2013 WL 6174487, at *2 (N.D. Cal. Nov. 25, 2013) (“Mixed questions of fact and law are reviewed de novo.”); J & J Sports Prods. v. Bracamontes, No. 11-CV-03713 YGR, 2013 WL 1149742, at *2 (N.D. Cal. Mar. 19, 2013) (“A legal conclusion is ‘contrary to law’ if the magistrate judge applies the wrong legal standard”); U.S. v. Cathcart, No. C 07-4762 PJH, 2009 WL 1764642, at *2 (N.D. Cal. June 18, 2009) (“A decision may be contrary to law if it fails to apply or misapplies relevant statutes, case law, or rules of procedure”).
Here, Plaintiffs contend that Judge Cousins applied the wrong legal standard and failed to apply relevant case law governing requests to mirror image a party's personal computer. Our personal computers, laptops, and tablets contain a running digital diary of our activities: they catalog the webpages we visit, track our internet searches, log our emails with friends and family (and attorneys), and store photographs and videos of loved ones. Accordingly, the law requires a “heightened showing of good cause” before parties may be compelled to produce mirror images of their digital devices. Cefalu v. Holder, No. 12-0303 TEH (JSC), 2013 WL 4102160, at *1 (N.D. Cal. Aug. 12, 2013). “[C]ourts have allowed independent experts to obtain and search a ‘mirror image’ of a party's computer equipment,” only in the “extreme situation where data is likely to be destroyed or where computers have a special connection to the lawsuit.” Memry Corp. v. Kentucky Oil Tech., N.V., No. C04-03843 RMW (HRL), 2007 WL 832937, at *3 (N.D. Cal. Mar. 19, 2007).
Judge Cousins's order does not address this heightened standard, much less conclude that Defendants have satisfied it. In fact, Judge Cousins evaluated the parties’ respective expert testimony and concluded that Defendants are on “a fishing expedition.” (Friedman Decl., Ex. 2 at 30.) Defendants claim that mirror images will be used to assess the existence of malware on Plaintiffs’ devices, and those assessments might reveal that someone other than Anthem stole and monetized Plaintiffs’ identities. (Id. at 14.) They submitted expert testimony showing that hackers could have used keystroke loggers to capture everything typed into a Plaintiff's computer. That may be theoretically true, but the vast majority of malware detected by off-the-shelf software is “adware.” (Id., Ex. 5 (Karabelnik Decl.), ¶ 7.) And even when “crimeware” is detected, it is seldom a keystroke logger or other program capable of extracting personal data. (Id., ¶¶ 8, 10.) It simply is not economically rational for hackers to infiltrate personal computers one-by-one and laboriously collect individual PII. (Id., ¶¶ 14-18.) That is why hackers target the large compilations of PII maintained by corporations like Anthem. (Id., ¶ 15.) Finally, even if this exceedingly rare (and economically inefficient) form of crimeware was on Plaintiffs’ computers around the time of the Anthem data breach, it would be long gone and undetectable at this point. (Id., ¶¶ 12-13.) There is, in other words, a very low chance that Defendants’ requested discovery would lead to relevant information. Defendants truly are engaged in a fishing expedition, and while fishing expeditions may be permitted from time to time under ordinary circumstances, they are not permitted under the heightened standard of good cause applicable here.
Instead of assessing whether Defendants had demonstrated heightened good cause for imaging Plaintiffs’ digital devices, as required by case law like Cefalu and Memry, Judge Cousins permitted Defendants to proceed based on a finding that their current imaging request is less intrusive than their prior imaging request. (Id., Ex. 1 at 2.) He cited three reasons: (1) the devices will be provided to a third-party examiner, not Anthem; (2) handheld devices are excluded; and (3) production will be limited to 30 plaintiffs.[1] (Id.) These caveats do not change the legal standard, however; Defendants are still seeking mirror images and so still must make a heightened showing of good cause. As the Memry court found, mirror images should be ordered only in “extreme situation[s]”—even when the proposal is that the image be produced only to “a third party consultant pursuant to a protocol to be determined by the parties or the court.” Memry, 2007 WL 832937 at *3. Turning over a forensic record of one's entire digital life is invasive regardless of who receives it. Whether Defendants or one of the consultants suggested by Defendants takes custody, either way Plaintiffs are losing control over their most personal of details (and will be devoting several hours while their devices are imaged). Similarly, the fact that Defendants would not be imaging each and every one of plaintiffs’ devices does not diminish the invasiveness of those mirror images that would be created. Judge Cousins was required to assess whether Defendants had satisfied the heightened legal standard set forth in Cefalu and Memry before any mirror images could be compelled. Because he failed to do so, his order compelling the creation of mirror images of thirty plaintiffs’ digital devices is contrary to law and should be set aside.
B. Judge Cousins's Order Is Contrary To Law In Other Respects As Well.
Plaintiffs believe that Judge Cousins's order is contrary to law and should be set aside for two additional reasons as well. The first is that the subject of Defendants’ motion to compel, Request for Production No. 33, does not comply with the federal rules. It calls for Plaintiffs to create and produce data that is not yet in existence—namely, the results of an unidentified malware program that is to be run on their digital devices. (Friedman Decl., Ex. 4.) But “Rule 34 cannot be used to require the adverse party to prepare, or cause to be prepared, a writing to be produced for inspection ... it can only be used to require the production of things in existence.” Lamon v. Adams, No. 1:09-CV-00205-LJO, 2015 WL 1879606, at *3 (E.D. Cal. Apr. 22, 2015).
The second reason is that Request No. 33 included no information about the forensic scans to be used; it simply asked for “a program to be agreed upon by Plaintiffs and the Anthem Defendants.” (Friedman Decl., Ex. 4.) This is important because the results of the scans will be conveyed to Defendants, and so even if mirror images were not involved, the Court could not accurately evaluate either the relevance or the intrusiveness of this information under Rule 26(b)(1) without knowing what it would contain. After briefing was complete, Defendants submitted a proposed protocol (adopted in pertinent part by Judge Cousins) that included examples of scanning software that will detect far more than the specific type of crimeware Defendants say they are looking for. (Id., Ex. 6.) One problem with using overly-broad scans is that they detect files—like website tracking cookies and adware—whose names alone reveal information about Plaintiffs’ internet browsing history. (See id., Ex. 5, ¶¶ 4-5, 7.) Another is that finding any “malware”—including these relatively benign tracking cookies or adware—authorizes the forensic examiner to “confer” with Defendants, to potentially run a “root cause analysis” that could probe deep into Plaintiffs’ internet, email, and download histories, and to convey the results of that analysis to Defendants in a summary report. (Id., Ex. 1 at 3-4.) [REDACTED]
While Plaintiffs are asking the Court to set aside the present discovery order, they do not rule out the possibility that Defendants could propose a protocol that (i) would not require mirror imaging, (ii) would involve remotely scanning devices for crimeware capable of exfiltrating PII only, and (iii) would exclude private information from the results conveyed to Defendants. Request No. 33 and Defendants’ later proposed protocol do none of this, however, and in the many conversations the parties have had in an effort to reach a compromise, Defendants have never moved off their intrusive demand that Plaintiffs’ devices be mirror imaged.
Dated: November 4, 2016
Respectfully Submitted,
/s/ Andrew N. Friedman
COHEN MILSTEIN SELLERS & TOLL PLLC
/s/ Eve H. Cervantez
ALTSHULER BERZON LLP
Co-Lead Plaintiffs’ Counsel
GIRARD GIBBS LLP
LIEFF CABRASER HEIMANN & BERNSTEIN, LLP
Plaintiffs’ Steering Committee
Footnotes
[1] The 30 Plaintiffs covered by the Order are not limited, however, to those who have alleged damages as the result of identity theft related to the Anthem data breach.

UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA, SAN JOSE DIVISION
LORALEE GIOTTA, et al., Plaintiffs,
v.
ANTHEM, INC., et al., Defendants.
Case No. 15-MD-02617-LHK
ORDER RE: MOTION FOR RELIEF FROM NONDISPOSITIVE PRETRIAL ORDER OF MAGISTRATE JUDGE
Re: Dkt. No. 630
On November 4, 2016, Plaintiff filed a motion for Relief from Nondispositive Pretrial Order of Magistrate Judge. The Court finds that a response to the motion is unnecessary, and the Court will not order a briefing schedule. Instead, the Court will allow the 14-day period under Civil Local Rule 72-2 to lapse, after which the motion will be deemed denied.
IT IS SO ORDERED.
Dated: November 17, 2016
LUCY H. KOH
United States District Judge