In re Marriott Int'l, Inc. Customer Data Sec. Breach Litig.
2021 WL 3046879 (D. Md. 2021)
July 20, 2021

Facciola, John M., Special Master

Protective Order
Third Party Subpoena
Failure to Produce
Proportionality
Clawback
Privacy
Summary
The court found that Marriott's demand for all the plaintiffs' records was overbroad and limited the request to records from January 1, 2021, to June 30, 2021. The court also required that all communications and transmission of information or documents pertinent to this case must be encrypted before transmittal. The plaintiffs were required to produce documents reflecting the time spent monitoring their financial accounts for the specified time period.
IN RE MARRIOTT INTERNATIONAL INC. CUSTOMER DATA SECURITY BREACH LITIGATION
MDL NO. 19-MD-2879 (JUDGE GRIMM)
United States District Court, D. Maryland, Southern Division
Signed July 20, 2021
Facciola, John M., Special Master

THIS DOCUMENT RELATES TO THE CONSUMER TRACT

*1 I. Introduction to the controversy. The plaintiffs demand to be compensated for their time and effort in monitoring their bank, credit card, and other accounts. They have to detect whether someone had used their “personally identifiable information” (ECF No. 271, para. 1(K)) to make unauthorized purchases by exploiting documents revealed by the breach. Plaintiffs have also done this monitoring to prove (if necessary) that they mitigated their damages.
II. Marriott's demands. Marriott has used discovery to gather the information that it will use to challenge these claims. Marriott wanted to equip itself with the information that, for example, will show that the plaintiffs cannot possibly have spent the time they will claim they did in monitoring their accounts.
Marriott's interrogatory number 7 asked the plaintiffs to provide details about this claim. Interrogatory number 8 asked them to identify the actions they took in mitigating damages caused by the breach. Marriott also propounded a Fed. R. Civ. P. 34 demand for the documents the plaintiffs claimed to have reviewed when they monitored their accounts. Thus, in its Request for Production of Documents number 16, Marriott demanded “[a]ll documents reflecting the attempt to mitigate damages ... or documents reviewed during any time spent monitoring financial accounts.”
III. Plaintiffs’ responses. Plaintiffs respond that they have produced documents reflecting their mitigation efforts in response to these demands and gave their best estimate of their time using different methodologies.
They pointed out that Marriott had issued subpoenas under Fed. R. Civ. P. 45(a) to the issuing credit card companies or banks for documents pertaining to their accounts. Using all this information, Marriott conducted seven- and (in some cases) nine-hour depositions of the plaintiffs. Its counsel probed how each of the plaintiffs arrived at the estimates the plaintiffs provided of the amount of time each of them spent monitoring their accounts. Counsel for Marriott used all the documents Marriott had secured from the banks, credit card companies, and the plaintiffs to do this. As the plaintiffs see it, “Marriott has had an abundant opportunity during depositions to inquire about documents produced and methodologies used [by plaintiffs] to give their best estimates of time.” Letter of July 8, 2021, at 2. Their letter reproduces a portion of a deposition of one of the plaintiffs that shows Marriott doing just that. Id. at 3.
However, the plaintiffs balk at the demand for the documents they reviewed as they monitored their accounts. Thus, as the plaintiffs point out, the controversy comes down to whether Marriott can compel the plaintiffs’ compliance with its Request for Production Number 16 “to produce all documents reviewed during any time spent monitoring financial accounts.” Id. at 1.
IV. The burden of compliance. The parties differ radically in their articulation of the burden that the plaintiffs will have to endure to comply with Request for Production number 16.
*2 Marriott marvels at the fuss the plaintiffs are making. Marriott reasons that, because the plaintiffs collected the information they used to monitor their accounts, all they have to do is to produce it. Letter of June 30, 2021, at 4–5.
The plaintiffs say that they would now have to recreate the process of monitoring their accounts for the period from notice of the breach to today. To comply with this Request, they “would have to produce every bank record, every credit card statement, and every line record they ever reviewed—even if no fraudulent charges were made and no matter how irrelevant.” Letter of July 8, 2021, at 2. They contend that they will have to spend “hundreds of hours and thousands of dollars to have a vendor collect every single statement from the plaintiffs’ online bank accounts and credit card companies.” Letter of July 8, 2021, at 4.
Thus, plaintiffs say it will take hundreds of thousands of dollars to comply with the Request. Marriott says it will take an envelope and a stamp.
V. A solution. Had discovery not ended, and had we world enough and time, unraveling all of this to find the truth might make sense. The parties could do another round of depositions or interrogatories to determine what each of the plaintiffs still had in their possession. In my view, however, there is another solution that will resolve this controversy.
My solution begins with the observation that the discovery now sought is unique. Parties generally seek a document or electronically stored information to find out its contents. In this instance, however, Marriott does not care about the contents. It does not care whether one of the plaintiffs bought a bathing suit. It does not even care that a document showed that someone the plaintiff did not know bought a bathing suit using the plaintiff's credit card. It cares only about how long it took a plaintiff to investigate whether someone had charged his credit card for the unauthorized bathing suit.
Therefore, Marriott's only use of the document is to ascertain whether it did or did not disclose that something had gone wrong. In the absence of showing that one of the plaintiffs suffered from the breach uniquely, one would expect that the time needed to review them would be about the same for each plaintiff.
To determine whether that was true, I determined that the plaintiffs’ mean time in the chart in Marriott's letter (Letter of June 30, 2021, at 2) was twenty-seven hours. The average was thirty-three hours. I then produced the following chart from that analysis:

VI. The results deduced from the charts. The results are striking. The plaintiffs did not spend about the same amount of time monitoring their accounts. One plaintiff took five times more time than the median to monitor her accounts. Another took four times more than the median, and three others took twice the median hours.
VII. Findings and rulings from the charts. The chart first shows that Marriott's demand that all the plaintiffs produce all their records is overbroad. Suppose Marriott expects to cross-examine the plaintiffs to show that they are exaggerating the time they spent. In that case, I cannot imagine an American jury finding that a customer who was the victim of a breach grossly exaggerated the time she spent monitoring her financial accounts when she spent twenty-seven hours doing that over a three-and-a-half-year period. That is about one hour per month. I would guess that most Americans take that much time doing their banking if a data breach has not victimized them. Accordingly, I will therefore not permit any further discovery from the plaintiffs who spent twenty-eight hours or less monitoring their accounts.
*3 That leaves the five plaintiffs at the top of the list. As to them, Marriott's trying to get all their records is also an overreach.
I would have to suppose that, once alerted to the breach, these five plaintiffs had first identified all the accounts that could have been affected. But once the plaintiffs collected them, I would also suppose that there would be another regression to the mean, that is, from that point on, they spent about the same amount of time each month monitoring their accounts.
And, although analogies limp, they are at times helpful. Fed. R. Evid. 406 permits evidence of a person's habit to be admitted “to prove that on a particular occasion the person ... acted in accordance with that habit.” We can then say that if these plaintiffs had the habit of monitoring their financial accounts each month, then the evidence of how they did it one month would indicate how they did it every month.
This principle requires me to reject Marriott's demand for all the plaintiffs’ records. There is no reason to believe that the records in any one month are aberrational and not representative of the records the plaintiffs have reviewed every month. I therefore conclude that records for a much smaller period of time will suffice because what is true of that month is likely true for every month since the breach. Additionally, since it must be easier to get more recent records than older ones, I believe that records from January 1, 2021, to June 30, 2021, will suffice.
Therefore, I recommend that Judge Grimm order the five plaintiffs named Marks, Gononian, Lawrence, Guzikowski, and O'Brien to produce the documents reflecting the time spent monitoring their financial accounts for January 1, 2021, to June 30, 2021.
VIII. The discovery I am recommending is proportionate. Attempting to ascertain why these five plaintiffs spent so much more time monitoring their accounts than the others is relevant to their claim for damages.
I find that, now that I have narrowed the scope of the discovery, it is proportional to the needs of the case. The issue of damages for the time spent monitoring the plaintiffs’ accounts is important. Indeed, for some of the plaintiffs, it is their only claim for damages. The amount of controversy could be substantial because this case may be a class action seeking to award these kinds of damages to many people. I find that Marriott does not have access to this information in the sense of not knowing what plaintiffs actually reviewed. Only plaintiffs do, and the discovery is important to resolving what damages plaintiffs sustained. I, therefore, conclude that the benefits of the discovery I am ordering outweigh the burdens I am imposing. Fed. R. Civ. P. 26(b)(1).
I hasten to add that I see no reason why the plaintiffs should hire vendors or spend hundreds of thousands of dollars doing this. I expect the plaintiffs to produce no more than what the plaintiffs use every month to monitor their accounts. If, as I hope, they have copies of what I want them to produce, that will suffice. If they do not, but they bank electronically, records for the past six months should be available from their bank or credit card company with a username and a password. If any of the plaintiffs do not bank electronically and do not have the documents, I only ask that they get a copy of their account statement from their bank, credit card company, or, if they monitor it, their investment banker if they have an investment account. I am ordering this because I understand based on my own experience that the burden upon the plaintiffs to produce what I am ordering will be slight if they follow my directions. If the burden is not slight owing to circumstances of which I am unaware, the plaintiffs’ counsel should advise me immediately.
*4 IX. Plaintiffs’ concerns about confidentiality. Plaintiffs fear that Marriott's position seems to be that a closed account cannot be designated confidential under the Stipulated Protective Order and 502(d) and (e) Clawback Order (“SPO”). Letter of July 8, 2021, at 5. If that is right, they will suffer a great loss of privacy if they disclose their account statements. That Marriott takes a certain position is not the point. I must remind the plaintiffs that Judge Grimm, not Marriott, will determine what is and is not confidential. ECF No. 270, 271, para 5(d).
Furthermore, Judge Grimm has specifically rejected the plaintiffs’ claim that the protections provided by the SPO are inadequate to protect their privacy. The judge has stated:
Plaintiffs argue that the unredacted information will be used to harass and embarrass them and that modifying the SPO will chill future litigants from filing claims. Of course, they have no factual basis to support such speculation because they have blockaded the discovery of all PPI [personally identifiable information]. However, under the SPO, discovery information can only be used to prosecute, defend, or settle the case, and the SPO contains additional protection for Highly Confidential Information and Confidential Information (including PII) by limiting who can access the information. Any attempt to use the information to harass or embarrass may result in sanctions, and the Defendants would be unwise in the extreme were they to attempt to do so under the watchful eye of Judge Facciola and myself. These protections mitigate the concerns raised by Plaintiffs. Allowing disclosure of PPI with these types of protections is consistent with previous decisions by this court and others.
Letter Order of January 22, 2021, at 6.
Plaintiffs also express the concern that disclosure of their account statements might expose them to another data breach. Id. I appreciate their concern and share it.
From this point forward, all communications and transmission of information or documents pertinent to this Recommendation by the parties or their counsel, whether to another party, counsel, or me, shall be encrypted before transmittal.
X. Meet and confer. Finally, I appreciate that paragraph 11 (b) of the SPO requires a party making any redactions of PPI to provide a log of these redactions. The parties then must confer on whether the redactions will impair the Requesting Party's ability to search for relevant information and “if so, whether reasonable technical means exist to permit search without compromising the protections set forth herein.” I anticipate that the plaintiffs intend to make redactions, which will trigger this requirement. I expect the parties to have those discussions as soon as Marriott learns of the redactions the plaintiffs intend. I express my willingness to be a party to those discussions if counsel believes that would be helpful. I am anxious to get this matter resolved. If these discussions are fruitless, counsel should advise me, and I will decide what to do.
Conclusion
I recommend that plaintiffs Marks, Gononian, Lawrence, Guzikowski, and O'Brien be required to produce the documents reflecting the time spent monitoring their financial accounts for January 1, 2021, to June 30, 2021.