In re Marriott Int'l, Inc. Customer Data Sec. Breach Litig.
2021 WL 2910541 (D. Md. 2021)
July 12, 2021
Grimm, Paul W., United States District Judge
Summary
The court found that the work done by CrowdStrike following the incident was done in anticipation of litigation and that it was impracticable for plaintiffs to discover the underlying facts of the incident without invading Marriott's protected relationship with CrowdStrike. Marriott withdrew its privilege assertion and produced the documents listed at Log Entry Nos. 1687, 1689, and 9999, as well as ESI, such as forensic data, logs, and artifacts, which allowed plaintiffs and their experts to replicate CrowdStrike's findings.
IN RE MARRIOTT INTERNATIONAL INC. CUSTOMER DATA SECURITY BREACH LITIGATION
MDL NO. 19-MD-2879
United States District Court, D. Maryland, Southern Division
Signed July 12, 2021
THIS DOCUMENT RELATES TO THE CONSUMER TRACK
REPORT AND RECOMMENDATION
*1 I. Introduction. Earlier in this case, I was confronted by the plaintiffs' effort to compel five categories of documents generated when Marriott hired BakerHostetler and then retained CrowdStrike.
I concluded that the most sensible course of action was to defer any discovery from CrowdStrike until Marriott indicated whether it would designate CrowdStrike as an expert witness (ECF No. 634). Judge Grimm affirmed my conclusion but indicated that it would suffice if Marriott would make or not make that designation by the deadline set for the designation of expert witnesses (ECF No. 662).
For reasons that are not important here, Judge Grimm decided to expedite that obligation (ECF No. 816 at 8), and Marriott has now indicated that it will not designate CrowdStrike as an expert witness.
II. The status of CrowdStrike. I have already explained that if Marriott does not designate CrowdStrike as an expert witness, CrowdStrike becomes by operation of law what the Federal Rules of Civil Procedure call an “Expert Employed Only for Trial Preparation” (Fed. R. Civ. P. 26(b)(4)(D)(i); ECF No. 634 at 9).
“[A] party may not, by interrogatories or deposition, discover facts known or opinions held by an expert who has been retained by another party in anticipation of litigation or to prepare for trial and who is not expected to be called as a witness at trial” (Fed. R. Civ. P. 26(b)(4)(D)). A party seeking discovery from such an expert may secure it only upon “showing exceptional circumstances under which it is impracticable for the party to obtain facts or opinions on the same subject by other means” (Fed. R. Civ. P. 26(b)(4)(D)(ii)).
III. Plaintiffs' demand. After Marriott indicated that it was not going to designate CrowdStrike as an expert witness, counsel and I discussed the significance of that decision for any discovery from CrowdStrike at one of our weekly conferences. I directed counsel's attention to the five discovery demands that the plaintiffs had made that were one of the subjects of my Report and Recommendation that is ECF No. 634. The five categories are as follows:
1. Agreements and statements of work between Marriott and CrowdStrike.
2. All investigations, reports, findings, conclusions, and recommendations made by CrowdStrike.
3. All communications between CrowdStrike and Marriott.
4. All communications between CrowdStrike and Marriott employees concerning the investigations CrowdStrike conducted.
5. All memoranda, notes, and communications prepared by Marriott's employees reflecting conversations between CrowdStrike and Marriott.
IV. Plaintiffs' argument. I thought we had reached a common understanding during the conference that the plaintiffs would address whether they could establish the exceptional circumstances required by the rule to get the documents in the five categories specified in ECF No. 634.
That, however, is not what I got. Instead, I have from the plaintiffs their challenges to certain privilege claims made by Marriott. The challenge is premised on the argument that the plaintiffs need to meet a burden of showing exceptional circumstances only if Marriott shows that CrowdStrike prepared the document, claimed to be privileged, in anticipation of litigation. However, if CrowdStrike created the document to serve a Marriott business purpose, the privilege claims fail (letter of July 1, 2021, at 2).
*2 V. Analysis. That statement is incorrect. It confuses the rule pertaining to experts employed only for trial preparation, Fed. R. Civ. P. 26(b)(4)(D), with the rule that protects “documents and tangible things that are prepared in anticipation of litigation or for trial,” Fed. R. Civ. P. 26(b)(3)(A).
The former protects the facts known or opinions held by experts employed only for trial preparation; the latter protects the “documents and things” prepared for trial or in anticipation of litigation. Plaintiffs' proving that a document was not prepared in anticipation of litigation may defeat the claim that a document or thing is protected as “work product” under Fed. R. Civ. P. 26(b)(3)(A). But such a showing does not meet the plaintiffs' burden that they are entitled to “the facts known or opinions held” by an expert employed only for trial preparation.
This is so because Fed. R. Civ. P. 26(b)(4)(D) speaks to why a party hired the expert, whereas Fed. R. Civ. P. 26(b)(3)(A) speaks to why a party or its attorney prepared a document or a thing.
Suppose the party hired the expert only for trial preparation. In that case, the other party could not discover the facts known or the opinions held by that expert without showing exceptional circumstances “under which it is impracticable for the party to obtain facts or opinions on the same subject by other means” (Fed. R. Civ. P. 26(b)(4)(D)(i)). Thus, if the party seeking discovery demands the production of a document created by that expert, the first and controlling consideration is whether production of the document would yield the facts known or opinions held by an expert hired only for trial preparation. If it does, the discovery is prohibited. Whether that document was prepared in anticipation of litigation or for trial is irrelevant.
When, however, a party seeks discovery of a document or a thing from the other party, discovery is prohibited if the other party created the document or thing in anticipation of litigation. The sole question presented is why the party or its attorney created the document. Unlike the situation controlled by Fed. R. Civ. P. 26(b)(4)(D), the reason why the party hired the attorney is irrelevant to whether the thing or document is to be protected under Fed. R. Civ. P. 26(b)(3)(A).
Thus, the only question presented is whether Marriott hired CrowdStrike in anticipation of litigation. If it did and Marriott will not call it as a witness, discovery of facts known or opinions held by CrowdStrike is prohibited by Fed. R. Civ. P. 26(b)(4)(D). In other words, the question of whether Marriott hired CrowdStrike in anticipation of litigation so that any discovery from it is prohibited is antecedent to the resolution of whether communications from or to CrowdStrike are privileged. I cannot reach the privilege question until the plaintiffs first establish that discovery is permitted from CrowdStrike, although Marriott hired it in anticipation of litigation but will not call it as an expert witness.
As the plaintiffs ignore, I have specifically found that Marriott hired CrowdStrike in anticipation of litigation. In ECF No. 718, I stated,
In his declaration, Hoffman indicates that BakerHostetler, a law firm, did not have the technical tools and expertise to investigate network intrusions. BakerHostetler, therefore, retained CrowdStrike, a cybersecurity firm. As I explained in a prior Report and Recommendation, the retention of CrowdStrike was accomplished by a contract among three parties, CrowdStrike, Marriott, and BakerHostetler (ECF No. 707 at 2).
*3 Hoffman, “[w]ith Marriott internal legal counsel and members of Marriott's Global Information Security (IS) team,” developed an “internal Marriott response team dedicated to supporting the investigation I was directing CrowdStrike to conduct” (Exhibit B ¶ 19). The team included members of Marriott's GIS team and technical professionals from Accenture who provided CrowdStrike with access to “Starwood's network and devices [and] provided necessary information about the Starwood network,” which “supported my [Hoffman's] iterative fact-finding requests of the investigation” (Exhibit B ¶ 19).
As the investigation progressed, “my firm and I provided legal advice based on various contractual, regulatory, and compliance issues that needed to be addressed and evaluated based on findings” yielded by the investigation (Exhibit B ¶ 19).
Hoffman directed the “actions and analysis” by the CrowdStrike investigators from the start of the investigation to its conclusion. During the investigation, Hoffman provided instructions and questions to the investigators as they worked (Exhibit B, ¶ 20). He also directed the deployment of certain tools to provide information so that he could advise Marriott “about potential legal obligations, such as reporting obligations under breach notification laws and the contents of potential reports to these regulators as well as to develop strategic advice for Marriott in anticipation of potential legal liability, including litigation and enforcement actions” (Exhibit B ¶ 23).
ECF No. 718 at 11–12. See ECF No. 634 at 1–3; ECF No. 707.
I credited Hoffman's statement that Marriott hired CrowdStrike so that his firm could advise his client, Marriott, about potential legal obligations in anticipation of “litigation and enforcement actions.” I have therefore already concluded that Marriott hired CrowdStrike in anticipation of litigation. Judge Grimm has affirmed my doing so, and I will not revisit it (ECF No. 808 (law of the case); Carlson v. Bos. Sci. Corp., 856 F.3d 320, 325 (4th Cir. 2017) (same)).
Because Marriott hired CrowdStrike in anticipation of litigation, the plaintiffs are not entitled to ascertain the facts known or the opinions held by CrowdStrike unless they show exceptional circumstances “under which it is impracticable for the party to obtain facts or opinions on the same subject by other means” (Fed. R. Civ. P. 26(b)(4)(D)(ii)). The plaintiffs do not acknowledge that requirement. Instead, they premise their entitlement to the documents in issue on their substantial need for them (letter of July 1, 2021, at 4–5). However, as I have explained, that is the wrong standard for the discovery they seek. I, therefore, must find that there is no legal basis for their application.
Conclusion
I recommend that the relief sought in the plaintiffs' letter of July 1, 2021, be denied.
Attachment
To: The Honorable John M. Facciola (Ret.) <facciolaj@georgetown.edu>
Re: In Re: Marriott International, Inc., Customer Data Security Breach Litigation, 8:19-md-2879 (D. Md.): CrowdStrike Investigation
For many organizations... discovering how a cyber breach occurred is a necessary business function regardless of litigation or regulatory inquiries. There is a need to conduct an investigation in order to figure out the problem that allowed the breach to occur so that the organization can solve that problem and ensure such a breach cannot happen again.
Guo Wengui v. Clark Hill, PLC, 338 F.R.D. 7, 13 (D.D.C. 2021) (cleaned up).
Although engagement letters dated [September 2018] state that [Marriott] hired [Baker Hostetler] in anticipation of litigation and that, on the same day, [the law firm] in turn retained [CrowdStrike], [CrowdStrike's] role seems to have been far broader than merely assisting outside counsel in preparation for litigation. Although [Marriott] papered the arrangement using its attorneys, that approach “appears to have been designed to help shield material from disclosure” and is not sufficient in itself to provide work-product protection.
*4 Id. (cleaned up, replacing the names of the entities from that case with the entities from this case).
Dear Special Master Facciola:
Pursuant to the Court's admonition that work product and privilege challenges as they concern the “CrowdStrike investigation” “turn on a document by document assessment” (ECF No. 662), Plaintiffs file this motion to challenge Marriott's privilege and work product designations to 13 documents, as those documents were created “in the ordinary course of business irrespective of litigation.” Guo Wengui v. Clark Hill, PLC, 338 F.R.D. 7, 10 (D.D.C. 2021). These business-purposes documents include 1) ordinary communications regarding information learned by the Defendants' Cybersecurity Incident Response Teams (“CIRTs”) and 2) information about remediating cybersecurity risks on the Marriott network (under the project named “Silver Moon”). Marriott has designated these documents as privileged, claiming these documents were created to provide information to counsel in anticipation of litigation related to the September 2018 security incident. See Ex. A, Selected Crowd Strike Entries. But the facts of this case—clarified after a review of the privilege logs, related produced documents, and depositions—demonstrate that there are a handful of documents that the Special Master should review, as Marriott's claim of privilege is most suspect. These 13 documents do not include counsel or appear to be related to a business purpose “irrespective of litigation;” they are thus not privileged. Id. Now that Marriott has indicated that it does not plan to call CrowdStrike as an expert, Plaintiffs ask Your Honor to review the documents and assess whether Marriott properly withheld documents for privilege.
PROCEDURAL AND LEGAL STANDARD
On September 1, 2020, Your Honor deferred making privilege determinations until Marriott disclosed whether it would designate CrowdStrike as a testifying expert. Dkt. 635 at 2. Marriott did not designate CrowdStrike as an expert witness. Dkt. 826. As Your Honor previously stated, “Marriott, if it intended to resist discovery from CrowdStrike, will have to establish that CrowdStrike is what the pertinent Rule, Fed. R. Civ. P. 26(b)(4)(D), calls an ‘Expert Employed Only for Trial Preparation.’ Under that Rule, the discovery of the facts its employees knew and their opinions are available only upon showing the exceptional circumstances specified in that Rule.” Dkt. 634 at 9. But first, Marriott must demonstrate that CrowdStrike was “retained or specially employed ... in anticipation of litigation.” Fed. R. Civ. P. 26(b)(4)(D). It is Marriott's burden to make this showing. See In re Dominion Dental Servs. USA, Inc. Data Breach Litig., 429 F. Supp. 3d 190, 192 (E.D. Va. 2019). Only then does the “exceptional circumstances” analysis become pertinent. Because Marriott cannot get over the first hurdle, it cannot claim that these documents are privileged.
It is not enough that anticipation of litigation was a reason for creation of the document. If the document had the “dual” purposes of litigation and business, the litigation purpose must be “the driving force behind [its] preparation.” In re Dominion, 429 F. Supp. 3d at 193 (quoting Nat'l Union Fire Ins. Co. of Pittsburgh, Pa. v. Murray Sheet Metal Co., 967 F.2d 980, 984 (4th Cir. 1992)) (emphasis added); see also In re Premera Blue Cross Customer Data Sec. Breach Litig. (“Premera I”), 296 F. Supp. 3d 1230, 1244 (D. Or. 2017) (where “documents and communications had a dual purpose—both business and legal, the Court must consider whether the communications and documents were prepared ‘because of’ the prospect of litigation”).
*5 Attorney-client privilege applies only to communications between lawyers and clients. E.I. du Pont de Nemours & Co. v. Forma-Pack, Inc., 351 Md. 396, 415 (1998) (citation omitted); NLRB v. Interbake Foods, LLC, 637 F.3d 492, 502 (4th Cir. 2011). Additionally, the communication must pertain to legal assistance. E.I. du Pont de Nemours, 351 Md. at 415; Interbake, 637 F.3d at 502. The need for legal advice must be a but-for cause of the communication. Neuberger Berman Real Est. Income Fund, Inc. v. Lola Brown Tr. No. 1B, 230 F.R.D. 398, 411 (D. Md. 2005). “[U]nderlying facts by those who communicated with the attorney” are not privileged. Upjohn Co. v. United States, 449 U.S. 383, 395 (1981); In re N.Y. Renu With Moistureloc Prod. Liab. Litig., No. 766,000/2007, 2009 WL 2842745, at *3 (D.S.C. July 6, 2009) (“factual findings ... not based on communications from the client” are not privileged).
ARGUMENT
As Your Honor previously acknowledged, “privilege claims cannot be resolved in gross. Instead, [the Special Master] will have to examine each document to ascertain whether it is privileged.” Dkt. 635 at 3. Plaintiffs accordingly ask Your Honor to review this small sampling from the hundreds of CrowdStrike-related documents Marriott has withheld and divide them into two categories: documents related to the short-term incident response involving underlying facts (Ex. A, “SOW1” tab); and those related to long-term remediation, including an assessment of Marriott's cybersecurity (Ex. A, “SOW2” tab). Based on related documents and testimony, the but-for cause for these documents is business purposes and not litigation support, contradicting the asserted privilege.
A. “SOW1”: Incident Response Documents Were Created for a Business Purpose
Before Marriott had even discovered the breach at issue in this case, and before it could even anticipate this litigation, Marriott retained CrowdStrike to employ its Falcon tool to enhance its cybersecurity, in the summer of 2018. Ex. B, PX226, MI_MDL_01758979. On September 12, 2018, after discovery of the breach, Marriott and CrowdStrike executed a new Statement of Work 1 (“SOW1”), adding BakerHostetler's name. Ex. C, PX230, MI_MDL_00955464. The SOW divided CrowdStrike's work into three phases. Id. at '465. In “Phase 1: Incident Triage,” CrowdStrike committed to analyzing data provided by Marriott, discussing “business concerns related to the incident,” discussing the incident with Marriott's staff, and producing a “summary report with recommended next steps and effort estimates.” In “Phase 2: Investigation and Remediation,” CrowdStrike was tasked with determining compromised systems, analyzing Marriott's network, setting up CrowdStrike Falcon products on Marriott hardware devices, planning a “remediation event to deny the attacker further access” to Marriott's systems, and assisting Marriott “in conducting the remediation event.” Id. Finally, in “Phase 3: Strategic recommendations,” CrowdStrike agreed to “[p]rovide recommendations for long-term continuous security posture improvement.” Id.
SOW1 demonstrates that CrowdStrike's primary function was for business purposes—namely cybersecurity incident response, identifying compromises, and remediating them. This work would occur regardless of the presence of BakerHostetler. In fact, the examination of logs for suspicious activities, of servers for artifacts, and of suspicious IP addresses, is the common work of both the Defendants' CIRTs and for a forensic investigator like CrowdStrike. See, e.g., Ex. D, Dep. of D. Hawkins at 148:11-149:19. As other courts have recognized, basic cybersecurity investigation would have been necessary even in the absence of litigation or Marriott's retention of counsel. Wengui, 338 F.R.D. at 10-11 (ordering disclosure of separate report that counsel had retained, finding that it was not privileged because it served multiple purposes); Premera II, 329 F.R.D. 656, 666 (D. Or. 2019) (“[D]iscovering how the breach occurred was a necessary business function regardless of litigation or regulatory inquiries. Premera needed to conduct an investigation as a business in order to figure out the problem that allowed the breach to occur so that Premera could solve that problem and ensure such a breach could not happen again.”).
*6 Thus, the 6 documents on Sheet 1 (SOW1) related to incident response should be produced:
• Entries 4842, 8933, 9999, 1132: Two email chains that do not contain any lawyers, regarding servers used by the Attacker during the breach.
• Entries 10096 and 10102: An email chain between CrowdStrike's Jim Perry and Accenture's Dan Moor that relate to NDA Analysis timeline and CrowdStrike analysis.
B. “SOW2”: Remediation Documents Were Created for a Business Purpose
Plaintiffs also seek review and production of documents related to what CrowdStrike referred to as the “Silver Moon” project, which was a review of the Marriott network. (Ex. A, sheet 2). After the Starwood breach was detected, Marriott engaged CrowdStrike in a new statement of work to do a compromise assessment of its own system in October 2018. Ex. E, SOW2, MI_MDL_02548053, '054. CrowdStrike suggested “doing it as a Mod to the current work to ... keep it under privilege.” Id. Instead, a separate statement of work was issued. See, e.g., Ex. F, MI_MDL_02464539. The “Project Summary” of SOW2 referenced business advice, not legal advice. It stated, “[t]he Global Info. Security Team [not lawyers] identified a need to complete a security assessment,” and “CrowdStrike will provide a detailed report to Marriott ... and recommendations for Marriott to remediate results of attacker activity.” Id. The Project Summary does not mention litigation, regulatory investigations, or legal advice of any kind. In December of 2018, Craig Hoffman of BakerHostetler altered SOW2 to give Baker a role if and when any reports would issue. Ex. G, MI_MDL_00468565. Mr. Hoffman did not direct that the report be performed; he asked only for his law firm to be given a role after-the-fact and after business advice was provided.
The “Compromise Assessment” reports (log entries 9495–97) were to “proactively identify any suspicious activity within the Marriott environment and pinpoint other areas of risk on the network[.]” Ex. H, MI_MDL_02552173 at '174. CrowdStrike's 30(b)(6) witness testified that the Report's purpose was to understand cybersecurity risks, not for legal advice in handling the Starwood breach. Ex. I, Dep. of J. Perry at 107:2–11, 112:10–16, 115:20–116:7, 206:21–207:6. CrowdStrike repeatedly updated Marriott personnel and non-lawyers on its assessment of the Marriott system without attorney involvement. Ex. J, MI_MDL_02418255; Ex. K, MI_MDL_01718789, at '789–90; Ex. L, MI_MDL_02522467; Ex. M, MI_MDL_01700237; Ex. N, MI_MDL_02530322. This included a status report (log entry 1689) that was attached to Ex. O, MI_MDL_01686512—a document that Your Honor previously found not privileged in rejection of Marriott's claw back. Dkt. 707. Taking the Wengui case, and replacing the entities with those entities from this case, the result is clear: Marriott should have to produce these documents.
Additionally, to the extent any litigation purpose is furthered by these tasks, that purpose was not the but-for cause of them. See Wengui, 338 F.R.D. at 13; Neuberger, 230 F.R.D. at 411; Premera I, 296 F. Supp. 3d at 1244; see also AVX Corp. v. Horry Land Co., No. 4:07-CV-3299-TLW-TER, 2010 WL 4884903, at *9 (D.S.C. Nov. 24, 2010) (communication from consultants providing services directly to the client are not privileged). Further, even if the Report was created to aid Mr. Hoffman's rendering of legal advice about threatened or pending litigation (which it was not), its assessment contains non-privileged factual findings that must be produced. Upjohn Co. v. United States, 449 U.S. 383, 395 (1981) (holding that “underlying facts by those who communicated with the attorney” are not privileged).
*7 As such, the 7 Compromise Assessment/Silver Moon documents on Sheet 2 of Exhibit A should be reviewed by Your Honor for an assessment of privilege.[1]
C. Alternatively, Plaintiffs Have Substantial Need for These Materials
Even assuming that these CrowdStrike documents were privileged or work product, Plaintiffs have a “substantial need” for them under Fed. R. Civ. P. 26(b)(3)(A). CrowdStrike's communications include factual findings from the incident response to the Starwood breach and the assessment of the Marriott system to repel similar incursions. They are relevant to understanding what happened, and how to avoid it happening again.
The substantial need test for fact work product as set out in Rule 26(b)(3) has been described as “little more than an ‘anti-freeloader’ rule, and the seeking party's burden is not terribly demanding.” Sanford v. Virginia, No. 3:08-cv-835, 2009 WL 2947377, at *2 (E.D. Va. Sept. 14, 2009) (finding plaintiff had substantial need to get interviews taken by hospital's risk management personnel, as memories of witnesses faded making them effectively “unavailable”). Fairness alone can dictate production of investigatory notes. S.E.C. v. Sentinel Mgmt. Grp., Inc., No. 07 C 4684, 2010 WL 4977220, at *11 (N.D. Ill. Dec. 2, 2010) (“[T]he court is persuaded by Bloom's argument that it would not be fair for the SEC to have access to the information provided by the witnesses [who took the Fifth Amendment] but not [the defendant]”); Suggs v. Whitaker, 152 F.R.D. 501, 507-508 (M.D.N.C. 1993) (compelling disclosure where witness's statement about the accident to defendant's insurance adjuster was the “only contemporaneous statement of a direct witness of the accident, and because only defendants have such a statement”).
Throughout discovery, Marriott's witnesses, including those who directed the CIRT, have repeatedly denied memory of investigatory facts, while their notes have been withheld as privileged.[2] Accenture CIRT members have been equally opaque.[3] Meanwhile, Plaintiffs have been unable to depose database administrators whose accounts were compromised, but who are in India, such as Pramod Achary (whose recent interrogatory responses indicate that no one interviewed him after the breach, Ex. T at 6–7). The contemporaneous information obtained in 2018 and 2019 during the investigations is the most reliable and available record.
*8 Second, Plaintiffs have brought claims for injunctive relief, and are entitled to know the entire universe of remediation recommendations presented to Marriott. If CrowdStrike made deficiency findings that Marriott has not corrected, or remediation recommendations that it has not implemented, this information can only be discovered—and more importantly confirmed—by actually reviewing the documents sought by Plaintiffs that Marriott has improperly withheld. As with Sentinel Management (cited above), fairness requires Plaintiffs to see what compromises Marriott itself corrected, and the feasibility to make those changes.
For the foregoing reasons, Plaintiffs request that Your Honor review the selected CrowdStrike-related documents to assess the claimed privilege.
Respectfully,
/s/ Amy E. Keller
/s/ Andrew N. Friedman
/s/ James J. Pizzirusso
Co-Lead Counsel, Consumer Track
July 6, 2021
To: The Honorable John M. Facciola, via email at facciola@me.com
Dear Special Master Facciola:
Plaintiffs were permitted to brief whether, under Federal Rule of Civil Procedure 26(b)(4)(D), “exceptional circumstances” exist to justify the discovery they seek of Marriott's expert CrowdStrike. (Ex. H, 6/28/21 Facciola Email.) But plaintiffs do not even try to show exceptional circumstances. Rather, as with their recent IBM letter, plaintiffs yet again resort to accusing BakerHostetler (“Baker”) and Marriott of entering into a sham arrangement with CrowdStrike to shield “business” services from discovery. (Pls. Ltr. at 1-2.) Their recycled argument rings hollow yet again.
Your Honor already has heard from Craig Hoffman and John Warren in declarations explaining that Marriott engaged Baker in anticipation of litigation and adverse regulatory actions to provide legal advice about potential statutory and contractual obligations stemming from the incident, and that Baker, in turn, needed the assistance of consulting experts like CrowdStrike and IBM to provide legal advice. And Your Honor already has made findings in prior Reports and Recommendations based on those declarations. (ECF 634, 707, 718, 808, 834.) In particular, Your Honor has noted the testimony that CrowdStrike was retained under a contract with Baker and Marriott; has noted that CrowdStrike was retained because Baker did not have the technical tools and expertise to investigate network intrusions; and has found that CrowdStrike's presence on calls with Hoffman and Warren did not waive privilege. (ECF 718, at 11-17.) Your Honor also ruled Baker and Marriott engaged IBM to facilitate Baker's provision of legal advice, under very similar circumstances to those at issue here. (ECF 834.) Plaintiffs offer no reason to turn aside these declarations and findings. At bottom, CrowdStrike is a consulting expert whose communications with, and work product for, Baker and Marriott are not subject to discovery under Rule 26(b)(4)(D). Moreover, because none of plaintiffs' extraneous arguments compel the discovery they now seek, their motion should be denied.
Factual and Procedural Background
As Your Honor is well aware, and as Messrs. Hoffman and Warren have explained at length, Marriott anticipated that litigation was imminent no later than September 10, 2018. (Ex. K, 8/14/20 Warren Decl. ¶¶ 15-19; Ex. J, 8/14/20 Hoffman Decl. ¶¶ 10-11; Ex. C, 12/26/20 Warren Decl. ¶¶ 6-13.) Two days later, Baker engaged CrowdStrike to assist in its investigation into the Starwood cyberattack so that Baker had the information it needed to provide legal advice to Marriott regarding potential legal obligations and in anticipation of lawsuits and regulatory actions. (Ex. J, 8/14/20 Hoffman Decl. ¶¶ 12-18; Ex. K, 8/14/20 Warren Decl. ¶¶ 20-21.) Because Baker on its own did not have the specialized tools and knowledge to gain an understanding of the Starwood network or incident, it had to rely on forensics experts to analyze and translate its client's technical information to provide legal advice. (Ex. J, 8/14/20 Hoffman Decl. ¶¶ 12-18; Ex. D, 12/14/20 Hoffman Decl. ¶¶ 6-7.)
*9 Moreover, after litigation from the Starwood cyberattack had been filed, Baker engaged CrowdStrike to perform a compromise assessment of Marriott's separate network. (Ex. D, 12/14/20 Hoffman Decl. ¶¶ 12-15; Ex. E, 6/2/21 Hoffman Decl. ¶¶ 6-16.) The purpose of this engagement was to understand Marriott's technical data, including its current security posture, which was important to developing effective advocacy with regulators in the context of adverse regulatory proceedings and enforcement. CrowdStrike's assistance in understanding Marriott's technical data also was important because then-ongoing litigation included claims for injunctive relief directed at Marriott's current security posture. (Ex. E, 6/2/21 Hoffman Decl. ¶¶ 9-12.)
These two engagements with CrowdStrike mirror the two IBM engagements Your Honor addressed in the recent resolution of the IBM privilege dispute, as reflected in Your Honor's findings of fact. (See ECF 834 at 7-13; see also Ex. F, 6/23/21 Hoffman Decl.; Ex. G, 6/23/21 Warren Decl.) Moreover, much like IBM's work, the work CrowdStrike performed under these two engagements was wholly separate from the licensing agreement Marriott was contemplating entering into with CrowdStrike for the use of the Falcon tool on Marriott-controlled devices prior to the discovery of the Starwood incident. (Ex. K, 8/14/20 Warren Decl. ¶¶ 5-9; Ex. A, 7/6/21 Hoffman Decl. ¶¶ 25, 28.)
On June 14, 2021, the Court ordered Marriott to decide within three business days whether it would designate CrowdStrike as an expert witness. (ECF 816). On June 18, 2021, Your Honor entered a report confirming that Marriott had indicated that it would not designate CrowdStrike as a testifying expert. (ECF 826.) Your Honor then permitted plaintiffs to brief whether exceptional circumstances exist under Rule 26(b)(4)(D) for the discovery they seek. (Ex. H, 6/28/21 Facciola Email.)
Legal Standard
“Ordinarily, a party may not, by interrogatories or deposition, discover facts known or opinions held by an expert who has been retained or specially employed by another party in anticipation of litigation or to prepare for trial and who is not expected to be called as a witness at trial.” Fed. R. Civ. P. 26(b)(4)(D). A party “may do so only ... on showing exceptional circumstances under which it is impracticable for the party to obtain facts or opinions on the same subject by other means.” Id. Put simply, a party may not obtain discovery of a consulting expert's data, communications, or reports absent extraordinary circumstances. See Lowes's Home Ctrs., Inc. v. THF Clarksburg Dev. Two Liab. Co., 2013 WL 3367304, at *3 (N.D. W. Va. July 5, 2013) (“Lowes [sic] shall not be required to produce to Defendants any document that Fayette or Triad prepared on or after April 26, 2007 in connection with their work as consultants to Lowe's litigation counsel”); MeadWestvaco Corp. v. Rexam, PLC, 2011 WL 2938456, at *6 (E.D. Va. July 18, 2011) (“Defendant is not required to discover the documents prepared by these non-testifying experts because MWV cannot demonstrate that exceptional circumstances require Defendant to produce this information.”).
Marriott also continues to claim protection under the attorney-client privilege, which encompasses work performed by “retained professionals who assist the attorney to better understand the facts in providing competent legal advice to the attorney's client.” Richardson v. Sexual Assault/Spouse Abuse Res. Ctr., Inc., 764 F. Supp. 2d 736, 742 (D. Md. 2011) (citing United States v. Kovel, 296 F.2d 918, 921 (2d. Cir. 1961)). And it continues to invoke the work product doctrine, which “protects from disclosure documents and other tangible items ‘prepared in anticipation of litigation or for trial by or for another party or its representative,’ [including] a party's consultant.” Goldstein v. F.D.I.C., 494 B.R. 82, 90 (D.D.C. 2013).[1]
Argument
*10 Plaintiffs' argument is two-fold: (1) they claim that neither CrowdStrike engagement was carried out in anticipation of litigation and (2) they have “substantial need” for CrowdStrike's communications and work product. (Pls. Ltr. 3-5.) Both arguments fail.
CrowdStrike's Work Was in Anticipation of Litigation
Plaintiffs challenge 13 documents that fall into three categories related to CrowdStrike's expert work: (1) documents concerning Baker's investigation into hotel property management systems (“PMS”), (2) documents concerning Baker's investigation into [Redacted], and (3) the compromise assessments of Marriott's network.[2] Plaintiffs try to argue these materials were created for “a business purpose” and would have been created “regardless of the presence of BakerHostetler.” (Pls. Ltr. 3.) But they are wrong on both fronts.
PMS Analysis (Log Entry Nos. 157, 158, 4842, 8933 & 11132): During the investigation of the Starwood network, a command that installed malware on certain PMS devices that was designed to search for data matching the format of payment card data read from the magnetic stripe of a payment card was identified. When Mr. Hoffman learned of this finding, he developed a list of questions he needed addressed so that he could determine [Redacted]. This information was necessary for Baker to provide advice regarding legal obligations to notify payment card networks and determine notification obligations, as well as in advance of anticipated adverse regulatory proceedings and litigation. (Ex. A, 7/6/21 Hoffman Decl. ¶¶ 9-10 & Ex. 2 to Decl.)
In the documents at Log Entry Nos. 157 and 158, CrowdStrike prepared findings in response to counsel's questions relating to the Starwood PMS devices.[3] Indeed, the document in Log Entry No. 158 explicitly states it is responding to counsel's questions. Log Entry No. 157 references sending the analysis to Aleksandra Vold, a Baker attorney who worked with Mr. Hoffman on this matter. (Id. ¶ 11.) And, as the document Marriott is submitting for in camera review shows, the analysis in Log Entry 158 was sent to Ms. Vold, Mr. Hoffman, and another Baker attorney to address their questions. (Id. ¶ 10 & Ex. 2 to Decl.)
Log Entry Nos. 8933 & 11132 are duplicates of the same email. Here again, Mr. Hoffman was requesting analysis of the malware found on the PMS devices within the same timeframe and for the same purpose, as this string of PMS-related documents shows. (Ex. A, 7/6/21 Hoffman Decl. ¶¶ 18-19.) Once again, the purpose of this analysis was to communicate information to Mr. Hoffman, at his request and under his direction, so that he could provide legal advice and respond to anticipated legal proceedings—these documents are clearly in anticipation of litigation. (Id. ¶ 19.) Indeed, the analysis CrowdStrike attached to the email identified in these log entries states it is responding to questions from counsel. And those are the same questions Ms. Vold asked CrowdStrike to address. (Compare PHENX_L0002_000415599 with Ex. A, 7/6/21 Hoffman Decl., Ex. 2 to Decl.)
*11 Log Entry No. 4842 relates to a PMS device on which the investigation identified queries that were run in 2017. In response to this finding, Baker requested that CrowdStrike and Marriott's GIS team—including Connor Crawford—gather information about the queries so Baker could advise Marriott about any potential notification obligations, as well as in advance of anticipated adverse regulatory proceedings and litigation. (Ex. A, 7/6/21 Hoffman Decl. ¶¶ 15-16.) Moreover, as the parent email to Log Entry No. 4842 shows, Mr. Crawford and Dennis Hawkins, another member of Marriott's GIS team who was assisting Mr. Hoffman, were requesting another Marriott employee [Redacted] (PHENX_L0002_000415503, at 1-3.) Because Mr. Hoffman needed this information to provide legal advice and respond to anticipated litigation and adverse regulatory proceedings, CrowdStrike was clearly acting as a consulting expert. (Ex. A, 7/6/21 Hoffman Decl. ¶¶ 15-17.)
The PMS devices and malware referenced in these documents are discussed in the PFI Report. (PFI Report at MI_MDL_00000047-48, 51, 57, 69-71.) This shows yet again plaintiffs have had ample opportunity to discover the underlying facts of the incident from non-privileged sources, including through the Rule 30(b)(6) deposition of Verizon, meaning that they do not even meet their own “substantial need” standard, much less the highly demanding bar of “exceptional circumstances.”
[Redacted] Analysis (Log Entry Nos. 10096 & 10102): These two documents are interrelated and concern an analysis performed regarding the [Redacted] for the NDS database. In response to a request from Baker, Dan Moor, an Accenture employee working under an engagement by Baker, and CrowdStrike undertook an analysis of [Redacted]. (Ex. A, 7/6/21 Hoffman Decl. ¶¶ 5-8.) Mr. Moor sent his analysis to select members of Marriott's GIS team who were working at Mr. Hoffman's direction.[4] The analysis was then sent to Mr. Hoffman. (Id. & Ex. 1 to Decl.)
As Log Entry Nos. 10096 and 10102 (page two) show, Mr. Moor worked with CrowdStrike to investigate this issue, incorporated CrowdStrike's findings into his overall analysis, and then shared his overall analysis with CrowdStrike. Moreover, Mr. Moor and CrowdStrike undertook these actions at Mr. Hoffman's direction for the purpose of providing him information so that he could provide Marriott legal advice in anticipation of litigation and adverse regulatory proceedings. (Ex. A, 7/6/21 Hoffman Decl. ¶¶ 5-8.) Because the purpose of these documents was to communicate information to Mr. Hoffman, at his request and under his direction, so that he could understand technical information to provide legal advice, they are protected communications.
Marriott Compromise Assessments (Log Entry Nos. 9495, 9496, and 9497): These are compromise assessment reports CrowdStrike prepared for Mr. Hoffman at his direction for the reasons explained in a prior declaration and which Your Honor has already reviewed in camera. (Ex. E, 6/2/21 Hoffman Decl. ¶¶ 13-21; ECF No. 808.) The analysis reflected in these reports was of critical importance to the provision of legal advice on the response to lawsuits and regulatory investigations that had emerged. This analysis is essentially the same as that which applied to the IBM X-Force Red engagement, as explained in Mr. Hoffman's June 23, 2021 declaration on that topic and in his declaration being submitted today. (Ex. F, 6/23/21 Hoffman Decl. ¶¶ 18-23; Ex. A, 7/6/21 Hoffman Decl. ¶¶ 20-28.) In other words, Your Honor has already rejected a nearly identical claim when faced with essentially the same factual support from the attorney supervising the assessments, which were done to inform legal advice in existing litigation, and which use methods and approaches not normally done for business purposes. Your Honor should reject plaintiffs' claim once again.
Rule 26(b)(4)(D) & “Exceptional Circumstances”
*12 Given the extensive factual record showing that CrowdStrike is an expert retained in anticipation of litigation, the only remaining issue is the one plaintiffs failed to brief: whether “exceptional circumstances” exist which justify invading the relationship between Baker and its consulting expert. Plaintiffs' failure to address this issue is telling given the high bar set by Rule 26(b)(4)(D). See 8A Charles Alan Wright, et al., Federal Practice and Procedure § 2032, at 105 (3d ed. 2010) (recognizing that party “seeking discovery from nontestifying retained experts faces a heavy burden”); cf. Faller v. Faller, 2010 WL 3834865, at *16 (D. Md. Sept. 28, 2010) (affirming grant of motion to compel where court found “exceptional circumstances” standard was met because it was not only “impracticable” but “impossible” for plaintiffs to obtain information they sought).
Far from “impracticable,” plaintiffs have been able to obtain discovery from a litany of other sources. Courts deny access to consulting expert materials when alternative discovery is available. See Faller, 2010 WL 3834865, at *16 (“[C]ourts have ‘recognized the availability of other means of obtaining information sought under Rule 26(b)(4)(B) as a conclusive factor militating against a finding of exceptional circumstances.’ ”); Lowes, 2013 WL 3367304, at *3 (denying discovery of litigation consultant's work where proponent had access to other discovery). They even deny access where the proponent suffers much greater prejudice than plaintiffs ever could here. See Mt. Hawley Ins. Co. v. Felman Prod., Inc., 2010 WL 2671531, at *1-2 (S.D.W. Va. July 1, 2010) (Rule 26(b)(4)(D)'s protection applied even though defendant was only belatedly claiming privilege and had waived privilege over some materials).
Indeed, plaintiffs have deposed CrowdStrike, Marriott, and Accenture—along with numerous current and former Marriott and Accenture information security employees—about the incident, as well as deposed Verizon about its PFI investigation. Not only that, but Marriott has produced extensive forensic data, logs, and artifacts that CrowdStrike had access to so that plaintiffs and their experts could replicate CrowdStrike's findings. And one of Judge Grimm's first orders in this case required Marriott to produce Verizon's PFI Report, which allowed them to tailor their written discovery and deposition questioning to obtain relevant, non-privileged facts about the incident. (See ECF 281.)
Guo Wengui v. Clark Hill, PLC, 338 F.R.D. 7 (D.D.C. 2021), which Plaintiffs cite repeatedly, does not counsel otherwise.[5] First, the case does not even cite, much less analyze, Rule 26(b)(4)(D). Second, it is factually distinct. The court in Guo Wengui specifically found on the record before it that, unlike here, the report in question had been widely shared and was for business purposes, not litigation. See id. Those are not the circumstances here, as Mr. Hoffman and Mr. Warren have explained. (Ex. J, 8/14/20 Hoffman Decl. ¶¶ 26-30; Ex. K, 8/14/20 Warren Decl. ¶ 25; Ex. B, 12/29/20 Hoffman Decl. ¶¶ 36-39; Ex. A, 7/6/21 Hoffman Decl. ¶¶ 26-27.) The question is not whether post-breach work by cybersecurity experts may sometimes be discoverable. It is whether this work by CrowdStrike following this incident was or was not done in anticipation of litigation (as shown above), and whether it is impracticable, if not impossible for plaintiffs to discover the underlying facts of the incident without invading Marriott's protected relationship with CrowdStrike. Plaintiffs have not even tried to meet their heavy burden to show that such exceptional circumstances exist. Accordingly, the Court should deny plaintiffs' motion.[6]
Footnotes
Four of the documents (Entries 9495-9497) were provided to Your Honor for your June 2, 2021 review. Your Honor never reached the merits of the privilege claim, citing instead to the prior order postponing a privilege assessment until Marriott's decision on designating CrowdStrike as an expert. Dkt. 797 at 2.
See, e.g., Dep. of D. Hawkins at 87:5–88:2 (“I'm sure that my memory is failing me at this point, but I do know two logs.... There are, probably, other logs .... I don't remember individual logs that I might have done.”). The head of Marriott CIRT Anna Loshkareva denied memory of interactions with PFI investigators on the breach, Ex. P, Dep. of A. Loshkareva at 106:8-110:11; of the attacker's activities that her team investigated, id. at 110:12-115:4, 125:6-126:15; of what groups had access to jump servers used in the attack, id. at 143:8-144:18; or her questions to employees about a suspicious attempt to use the decryption program. Id. at 225:4-228:16, 232:5-235:13.
Ex. Q, Dep. of D. Colon at 307:1-21 (denying recollection of interviews of compromised accounts); Ex. R, Dep. of D. Moor at 30:14–31:16 (notes from investigation were destroyed), 38:16–40:3 (on recreating those notes: “I don't know if that would be possible.”), 42:8–43:14 (testifying that “unauthorized party using [h]osts and credentials and applications”; “[Q] What hosts was the unauthorized party using? A. I could not recall. Q. What credentials was the unauthorized party using? A. Again, I don't recall. Q. What applications was the unauthorized party using? A. I don't recall.”). Ex. S, Dep. of C. Reich at 66:17–67:7 (“I am not sure if [multifactor authentication issue] was investigated specifically or not.”).
Marriott's privilege and work product claims have been briefed at length before Your Honor, as has CrowdStrike's status as a consulting expert. (See ECF 632, 633.)
Without waiving any privilege or protection as to any documents, Marriott withdraws its privilege assertion and will produce the documents listed at Log Entry Nos. 1687, 1689, and 9999.
Although plaintiffs refer to these documents as concerning Marriott's own network, they concern devices at legacy Starwood hotels. (Ex. A, 7/6/21 Hoffman Decl. ¶ 9.)
Attorney-client privilege “extends to counsel's communications with agents and experts who are retained by counsel for the purpose of providing legal advice[.]” Genesco, Inc. v. Visa U.S.A., Inc., 302 F.R.D. 168, 190 (M.D. Tenn. 2014).
Plaintiffs ignore Genesco, 302 F.R.D. at 190, which held that, under Kovel, the attorney-client privilege extended to a forensics firm that assisted counsel in data security investigation.