In re Marriott Int'l, Inc. Customer Data Sec. Breach Litig.
2021 WL 7083238 (D. Md. 2021)
January 22, 2021
Grimm, Paul W., United States District Judge
Summary
The court modified the Stipulated Protective Order (SPO) to allow for redaction of personally identifiable information (PII) and other personal data, as well as designation of Highly Confidential Information, in accordance with the European Union's General Data Protection Regulation (GDPR). The court also denied the Consumer Plaintiffs' motion for a protective order to quash Marriott's third-party subpoenas, subjecting them to the SPO. All tracks in the multi-district litigation are subject to the revised SPO.
In re Marriott Int'l, Inc. Customer Data Sec. Breach Litig
8:19-md-02879
United States District Court, D. Maryland
Filed January 22, 2021
Grimm, Paul W., United States District Judge
LETTER ORDER
*1 Dear Counsel:
This Letter Order addresses the discovery dispute between the Consumer Plaintiffs and Marriott regarding redactions under the Stipulated Protective Order (“SPO”) and third-party subpoenas, and Special Master (Judge) Facciola's Report and Recommendation regarding the same, ECF No. 704. The issue is fully briefed. See ECF Nos. 704, 713, 714, 715, 720, 721. A hearing is not necessary. See Local Rule 105.6 (D. Md. 2018). For the reasons discussed below, Judge Facciola's Report and Recommendation is adopted with modifications. Section 11 of the SPO is revised as described below. Consumer Plaintiffs’ motion for a protective order to quash Marriott's third-party subpoenas is denied, but the third-party subpoenas are subject to the protections of the SPO as modified herein. The changes to the SPO apply to all tracks in this multi-district litigation.
Section 11 of the Stipulated Protective Order
The parties’ first dispute is regarding Section 11 of the SPO, ECF No. 552, regarding the redaction of Personal Identifying Information (“PII”) or Highly Confidential Information.
Section 11 of the SPO states:
11. REDACTION OF PII
(a) Any Producing Party may redact from any Disclosures or Discovery Material any “PII”, personnel files, or personal contact information for any person. Any Party or Non-Party may designate as “Highly Confidential” those Documents, testimony, or information containing “personal data” within the meaning of the European Union's General Data Protection Regulation (GDPR) or other applicable privacy law or regulation if the GDPR applies to such materials, in which case the Party or Non-Party may redact such personal data contained within said materials. If the same responsive information is otherwise available and not subject to GDPR such information should be produced consistent with the terms of this Order which provides adequate protection without the need for redaction.
(b) If a Producing Party makes redactions pursuant to Section 11(a) it shall provide a log of redacted documents describing the redactions and confer with the Requesting Party as to whether the redactions will impair the Requesting Party's ability to search for relevant information and, if so, whether reasonable technical means exist to permit search without compromising the protections set forth herein.
ECF No. 552. In other words, a party responding to a discovery request may redact PII or other highly confidential information. The redacting party is required to produce a log describing the redactions and confer with the requesting party, but nothing more. The SPO defines the terms “PII,” as follows:
“PII”: Personally Identifiable Information, which, for purposes of this Order, includes, but is not limited to: payment card numbers, financial account numbers, social security numbers, addresses, phone numbers, e-mail addresses, driver's license numbers or other state identification numbers, employer identification numbers, tax identification numbers, passport numbers, or a foreign government equivalent of any of these numbers or identifiers, or other personal data that may, in combination, reveal sensitive PII.
*2 Id., § 1(l).
The definitions of “Confidential” and “Highly Confidential” Information encompass information that includes PII:
“Confidential” Information: information (regardless of how generated, stored or maintained) that has not been made public, or is not otherwise available or accessible in the public domain, and that the Designating Party believes: (i) contains sensitive personal information (including “PII”), trade secrets or other confidential research, development or commercial information, the disclosure of which may have the effect of causing harm to any Party, or person from whom the information was obtained, or to the Parties’ or third-parties’ privacy; or (ii) contains information over which the Designating Party has a duty or obligation to maintain confidentiality.
“Highly Confidential” Information: information (regardless of how generated, stored or maintained) that has not been made public or is not otherwise available or accessible in the public domain, and that the Designating Party believes: (i) concerns or relates to the highly sensitive personal, confidential, financial, commercial, proprietary, cybersecurity, competitively sensitive, or trade secret information of any Party or any third party; or (ii) contains “PII”, personnel files, or personal contact information for any person.
Id., § 1(b), (g).
The SPO contains additional protections for Confidential and Highly Confidential information. To begin with, a party may only use disclosures or discovery material to prosecute, defend, or settle this action. Id., § 6(a). And unless otherwise ordered, Confidential and Highly Confidential Information may only be disclosed to:
(i) the Receiving Party's House Counsel responsible for the prosecution or defense of the Action(s);
(ii) the Receiving Party's Outside Counsel;
(iii) Experts (as defined in this Order) of the Receiving Party, as well as employees of Experts, to whom disclosure is reasonably necessary for the Action(s) and who have signed the Declaration attached hereto as Exhibit A;
(iv) the Receiving Party's insurers and their employees;
(v) the Court and its personnel, subject to the procedures of Section 9 below;
(vi) court reporters, their staff, and Professional Vendors retained for purposes of the Action(s);
(vii) Parties and Party employees required in good faith to assist Counsel in the conduct of the Action(s) to whom disclosure is reasonably necessary and who have signed the Declaration attached hereto as Exhibit A;
(viii) the author(s) of the document or the original source(s) of the information;
(ix) during their depositions, witnesses in the action to whom disclosure is reasonably necessary, provided: (1) the deposing Party requests that the witness sign the Declaration attached as Exhibit A hereto; and (2) the witness will not be permitted to keep any confidential information unless they sign the Declaration (Exhibit A), unless otherwise agreed by the Designating Party or ordered by the Court;
(x) any mediators, secretaries, paraprofessional assistants, and other employees of such mediators who are actively engaged in assisting the mediators in connection with this matter and who have signed the Declaration attached as Exhibit A; and
*3 (xi) if a mock jury trial is utilized, mock jurors who sign the requisite documentation to be negotiated by the Parties and approved or distributed by the jury consulting service provider to such mock jurors.
Id., § 6(b)–(c).
While the SPO was the result of arms-length negotiations prior to the commencement of discovery, what seemed in the abstract to be a mutually acceptable procedure for dealing with PII, and Confidential/Highly Confidential Information proved to cause a significant discovery logjam and source for unending disputes between the parties, that even the experienced and skilled assistance of the Special Master has been unable to resolve. The central culprit is Section 11, and it needs to be revised. Consumer Plaintiffs have used Section 11 of the SPO as a blunt instrument to redact significant portions of the documents they produced, including account numbers and nearly every line item on financial statements, including where Plaintiffs shopped or used their bank cards.
Marriott argues that disclosure of the account numbers that Plaintiffs claim were fraudulently used is necessary for Marriott to evaluate the claims against it and serve third-party subpoenas regarding the accounts. In addition, Marriott argues that the transaction history on the accounts is relevant for numerous reasons, including whether the payment cards or bank accounts were previously used at locations where plaintiffs now claim misuse occurred, where, when, and how often charges occurred on the payment cards or bank accounts around the time plaintiffs claim misuse occurred, whether the payment cards or bank accounts were used at merchants that suffered data breaches before the alleged misuse occurred, whether plaintiffs were refunded for the alleged misuse, and whether plaintiffs were refunded for other alleged misuse. See ECF No. 704-1. Plaintiffs maintain that their redactions are proper under the terms of the SPO. The parties have gone in circles regarding these issues for over a year. See ECF No. 704-1, Ex. B (December 20, 2019 Ltr. from Marriott's Counsel to Plaintiffs’ Counsel); id., Ex. C (April 14, 2020 Ltr. from Marriott's Counsel to Plaintiffs’ Counsel); ECF No. 649 (September 13, 2020 Report and Recommendation regarding redactions and disclosing account numbers); ECF No. 667 (October 21, 2020 Letter Order adopting Report and Recommendation). This is no longer acceptable. The entire premise of the Consumer Plaintiffs’ claims is that their PII was compromised by the Marriott data security breach, and this resulted in substantial damages. It is inconceivable that the discovery in this case could be accomplished in a manner that entirely insulates the plaintiffs from producing any PII to back up their claims of liability and damages. Yet that is how Plaintiffs have deployed Section 11. Undoubtedly, Plaintiffs’ PII is sensitive, confidential, and perhaps even highly confidential. But that status is deserving of reasonable protective measures, not a full discovery blackout.
In his latest Report and Recommendation at issue here, Judge Facciola noted several problems with Section 11 of the SPO. First, he concluded that Section 11(a) is either contradictory or so incomprehensible as to be useless. Specifically, the first sentence of Section 11(a) grants an absolute right to redact PII (“Any Producing Party may redact from any Disclosures or Discovery Material any “PII”, personnel files, or personal contact information for any person”) but the third sentence states that redaction is improper as to some information that contains PII but is not covered by the GDPR (“If the same responsive information is otherwise available and not subject to GDPR such information should be produced consistent with the terms of this Order which provides adequate protection without the need for redaction.”). Second, the redaction log provisions in Section 11(b), which do not require anything more than conferring with the other party, invites the impasse that the parties have continually reached. And third, the SPO does not speak to whether the information subject to the Order may be used in a subpoena to a third party. R&R at 9-10. Judge Facciola recommended that Section 11 be stricken and that the parties should be heard regarding the parameters for a revised redaction provision. Id. at 10.
*4 This Court has the power to modify a previously entered protective order for good cause. See United States v. (Under Seal), 794 F.2d 920, 928 (4th Cir. 1986) (noting “the district court's discretionary authority to modify [a protective order] for what it deems good cause shown.”). Factors that may help guide a court's exercise of discretion include “the reason and purpose for a modification, whether a party has alternative means available to acquire the information, the type of protective order which is at issue, and the type of materials or documents which are sought.” SmithKline Beecham Corp. v. Synthon Pharm., Ltd., 210 F.R.D. 163, 166 (M.D.N.C. 2002); see also Schaefer v. Family Med. Centers of S.C., LLC, No. 3:18-CV-02775-MBS, 2019 WL 2135675, at *12 (D.S.C. May 16, 2019) (same).
Marriott has demonstrated good cause for modification of the SPO. The reason and purpose for the modification and the type of materials which are sought weigh in favor of modification. The current SPO does not allow for necessary discovery for this case to proceed. Plaintiffs allege that their PII was hacked, and in some cases misused. Under the current SPO, however, all PII, including account information, is redacted from Plaintiffs’ documents. Fundamentally, the Plaintiffs must identify the individual Plaintiffs and accounts that they contend were hacked and how their PII was misused. And it is equally fundamental that Marriott is entitled to investigate to determine whether the Plaintiffs’ contentions are as they claim. Plaintiffs cannot redact this essential information. It merits proper protection, but it clearly is discoverable.
Whether a party has an alternative means for obtaining the information also weighs in favor of modification. The parties have attempted to resolve this impasse for over a year with the able assistance of Judge Facciola and intervention by this Court. Alternative methods have failed.
Finally, the type of protective order at issue – a stipulated protective order agreed by the parties and signed by the Court – weighs against modification. It is true, as the Plaintiffs point out, that the SPO was the result of negotiations between the parties. But it is not immutable holy writ, and the parties’ agreed upon terms have proved unworkable in practice. As Judge Facciola summarized: “Plaintiffs have made redactions by insisting upon an absolute right to redact PII. Marriott insists that plaintiffs’ assertion of such a right makes legitimate discovery impossible. There the matter stands, and the parties have been standing there for nearly a year.” ECF No. 704 at 9. Discovery must proceed.
Therefore, I agree with Judge Facciola's Report and Recommendation to strike Section 11 of the SPO. Judge Facciola also recommended that the parties be heard on revisions to Section 11. In their letter briefs to Judge Facciola and before the Court, Marriott and the Consumer Plaintiffs have submitted their proposals for modification. They have been heard enough, and no further briefing is necessary.
Defendants propose that Section 11 of the SPO be modified so that the parties are permitted only to redact non-parties’ PII. See ECF Nos. 713; 704-1. Defendants argue that this modification will protect non-parties’ information but allow Defendants to investigate Plaintiffs’ misuse claims.
Plaintiffs oppose any changes to the SPO, but if it should be changed, Plaintiffs recommend striking the sentence that Judge Facciola found contradictory: “If the same responsive information is otherwise available and not subject to GDPR such information should be produced consistent with the terms of this Order which provides adequate protection without the need for redaction.” See ECF No. 714. This proposal addresses the ambiguity in Section 11, but does nothing at all to address the root of the discovery logjam caused by the use of the SPO to redact information necessary for Marriott to assess Plaintiffs’ claims and its defenses.
*5 Neither party has addressed Section 11(a)’s allowance for redactions of “Highly Confidential” information in their proposals, which must also be addressed to resolve this dispute. Recall that the definition of “Highly Confidential” information includes PII. And in fact, Plaintiffs have explained their redactions on the basis that the information is highly confidential and contains PII. See ECF No. 714-1, Ex. A. If redactions are permitted under this provision, effectively no changes will have been made and the parties will find themselves in the same dispute as before.
Therefore, Section 11 of the SPO is revised as follows:
11. REDACTION OF PII
(a) Any Producing Party may redact from any Disclosures of Discovery Material any ‘PII’, personnel files, or personal contact information for any person non-party, provided the redaction is not to information that is jointly shared with a party (e.g., a joint bank account). Any Party or Non-Party may designate as “Highly Confidential” those Documents, testimony, or information containing “personal data” within the meaning of the European Union's General Data Protection Regulation (GDPR) or other applicable privacy law or regulation if the GDPR applies to such materials, in which case the Party or Non-Party may redact such personal data contained within said materials. If the same responsive information is otherwise available and not subject to GDPR such information should be produced consistent with the terms of this Order which provides adequate protection without the need for redaction.
(b) If a Producing Party makes redactions pursuant to Section 11(a) it shall provide a log of redacted documents describing the redactions and confer with the Requesting Party as to whether the redactions will impair the Requesting Party's ability to search for relevant information and, if so, whether reasonable technical means exist to permit search without compromising the protections set forth herein.
Plaintiffs argue that the unredacted information will be used to harass and embarrass them and that modifying the SPO will chill future litigants from filing claims. Of course, they have no factual basis to support such speculation because they have blockaded the discovery of all PII. However, under the SPO discovery information can only be used to prosecute, defend, or settle the case, and the SPO contains additional protection for Highly Confidential Information and Confidential Information (including PII) by limiting who can access the information. Any attempt to use the information to harass or embarrass may result in sanctions, and the Defendants would be unwise in the extreme were they to attempt to do so under the watchful eye of Judge Facciola and myself. These protections mitigate the concerns raised by Plaintiffs. Allowing disclosure of PII with these types of protections is consistent with previous decisions by this court and others. See, e.g., In re Subpoena Served on Regent Educ., Inc., No. 17-cv-3541-ELH, 2017 WL 6368618, at *3 (D. Md. Dec. 13, 2017) (permitting disclosure of PII if covered by a protective order); Paws Up Ranch, LLC v. Green, No. 12-cv-01547-GMN, 2013 WL 6184940, at *4 (D. Nev. Nov. 22, 2013) (finding financial records should be disclosed and that “privacy concerns can be mitigated by subjecting the banking records to a stipulated protective order that limits the use of the documents and the people with access to them”).
Thus, Judge Facciola's Report and Recommendation regarding Section 11 of the SPO, ECF No. 704, is adopted with the modifications to Section 11 stated above.
Third Party Subpoenas
*6 Consumer Plaintiffs move for a protective order to quash Marriott's third-party subpoenas that have been or will be served. In total, 45 subpoenas are implicated, which are directed to: “(a) financial institutions and card brands that provided plaintiffs with payment card numbers that were allegedly misused; (b) merchants where those payment card numbers were purportedly used fraudulently; (c) places where identity thieves supposedly opened accounts in plaintiffs’ names; (d) debt collectors allegedly chasing plaintiffs for money owed on those fraudulent accounts; (e) credit-monitoring services from which plaintiffs purportedly made purchases; (f) the Department of State, which allegedly reissued one plaintiff a passport, per his request; (g) travel agencies through which plaintiffs supposedly booked hotel rooms; and (h) other businesses who suffered data breaches involving plaintiffs’ information.” ECF No. 721 at 1-2.
In his Report and Recommendation, Judge Facciola explained that “a party does not have standing to ‘challenge a subpoena issued to a non-party unless the party claims some personal right or privilege in the information sought by the subpoena.’ ” ECF No. 704 at 15 (citing United States v. Idema, 118 Fed. App'x 740, 744 (4th Cir. January 4, 2005)). Relying on the Supreme Court's decision United States v. Miller, 425 U.S. 435, 440 (1975) and decisions of courts within the Fourth Circuit, including by the undersigned in Corsair Special Situations Fund, L.P. v. Engineered Framing Sys., Inc., No. 09-1201-PWG, 2011 WL 3651821 (D. Md. August 17, 2011), Judge Facciola concluded that the Consumer Plaintiffs did not have a privacy-right in the financial records of the banks and financial institutions that Marriott seeks. ECF No. 704 at 17-19. I agree.
In their objection to Judge Facciola's Report and Recommendation, however, Consumer Plaintiffs argue that they are not moving to quash the subpoenas under Fed. R. Civ. P. 45, for which they recognize a third party generally lacks standing, but rather are moving for a protective order under Fed. R. Civ. P. 26(c). See ECF No. 715.
Rule 26(c)(1) provides that “A party or any person from whom discovery is sought may move for a protective order in the court where the action is pending....” Rule 26(c)(1) also states:
The court may, for good cause, issue an order to protect a party or person from annoyance, embarrassment, oppression, or undue burden or expense, including one or more of the following:
(A) forbidding the disclosure or discovery;
(B) specifying terms, including time and place or the allocation of expenses, for the disclosure or discovery;
(C) prescribing a discovery method other than the one selected by the party seeking discovery;
(D) forbidding inquiry into certain matters, or limiting the scope of disclosure or discovery to certain matters;
(E) designating the persons who may be present while the discovery is conducted;
(F) requiring that a deposition be sealed and opened only on court order;
(G) requiring that a trade secret or other confidential research, development, or commercial information not be revealed or be revealed only in a specified way; and
(H) requiring that the parties simultaneously file specified documents or information in sealed envelopes, to be opened as the court directs.
Fed. R. C. P. 26(c)(1).
In Fangman v. Genuine Title, LLC, a court in this District found that a plaintiff had standing to seek a protective order forbidding a third-party from responding to a subpoena under Rule 26(c)(1). No. CV RDB-14-0081, 2016 WL 560483 at *3 (D. Md. Feb. 12, 2016). However, in Eichenwald v. Rivello, another court in this District explained that Fangman was not departing from the general rule that a party does not have standing to quash a third-party subpoena, but rather that the plaintiff in Fangman had alleged a personal right or privilege in the information sought. 321 F. Supp. 3d 562, 564 (D. Md. 2018) (Bredar, C.J.).
*7 Even assuming Plaintiffs have standing to challenge the subpoenas under Rule 26(c)(1), their request for a protective order to quash the subpoenas is denied. Rule 26(c) permits the entry of a protective order upon a showing of good cause “to protect a party or person from annoyance, embarrassment, oppression, or undue burden or expense.” Plaintiffs argue that good cause exists to quash the subpoenas for several reasons. First, they argue Marriott's request for seven years of Plaintiff's financial records, which will include information about irrelevant transactions including information that would be highly personal or embarrassing, is overbroad. Second, Plaintiffs argue that Marriott's subpoenas violate the SPO and encompass financial accounts that Marriott has not confirmed were compromised in the data breach. And finally, Plaintiffs suggest a less intrusive method for Marriott to obtain information would be to serve discovery on Plaintiffs regarding other third-party data breaches of which they were victims. ECF No. 715.
Marriott argues that Plaintiffs never explain how the third-party subpoenas could cause Plaintiffs “annoyance, embarrassment, or oppression” or how it will lead to any burden or expense from Plaintiffs. Further, Marriott argues that the information is relevant to the following:
Those documents will show the allegedly fraudulent transactions and reimbursements for the same. And they will also reveal (1) prior transactions at locations where plaintiffs allege the misuse occurred; (2) where, when, and how often charges occurred on the cards around the same time as plaintiffs now allege misuse; (3) whether the charges were the result of an authorized user or card on plaintiffs’ accounts; (4) when, where, and how often plaintiffs experienced prior misuse on the cards, and if they were refunded for other such misuse; (5) whether plaintiffs identified a data breach, or another issue, to a third party as the reason for their alleged efforts to mitigate; (6) plaintiffs’ enrollment in or payment for credit-monitoring services; and (7) when and how often plaintiffs used the cards at another merchant that suffered a data breach.
ECF No. 721 at 4. Finally, Marriott argues that Plaintiff's alternative solution to ask Plaintiffs directly the information it seeks is neither required by the rules nor sufficient.
Based on the foregoing, Plaintiffs have not established good cause to prevent third-parties from responding to the subpoenas. The information that Marriott seeks is relevant to its defense. While the seven-year scope of the information requested is broad, this corresponds to the seven-year scope of Plaintiffs’ claims and therefore is not overly broad. Plaintiffs’ concerns that the information revealed in the subpoenas may be used to embarrass or harass them can be mitigated through the use of other procedures that limit who may access the materials and how they are handled. Indeed, this is the ultimate result in Fangman, the case on which Plaintiffs rely. In that case, Judge Bennett denied the plaintiff's request for a protective order to quash the subpoenas, and instead ordered the third-party subpoenas to be subject to a protective order that addresses the handling and use of personal identifying and financial information. See Fangman v. Genuine Title, LLC, No. CV RDB-14-0081, 2016 WL 560483, at *5 (D. Md. Feb. 12, 2016). Here, the SPO, as modified by this Order, already contains such procedures. Therefore, the third-party subpoenas are subject to the SPO and Consumer Plaintiffs may review the information produced for treatment as Highly Confidential Information or Confidential Information. This will limit who will be able to view any sensitive material that qualifies as Highly Confidential or Confidential Information and require that the documents may only be used to prosecute, defend, or settle this case.
Thus, Judge Facciola's Report and Recommendation regarding the third-party subpoenas, ECF No. 704, is adopted with the modification that the third-party subpoenas are subject to the SPO as modified herein. Future third-party subpoenas will also be subject to the modified SPO.
Applicability to Other Tracks
*8 Although this dispute is between Marriott and the plaintiffs in the Consumer Track, the SPO was negotiated and agreed to between all parties in this MDL, including the plaintiffs in the Government, Financial Institution, Securities, and Derivative Tracks. To avoid further disputes regarding the same issues, the changes to the SPO discussed herein apply to all tracks. Specifically, Section 11 of the SPO is modified as discussed above for all tracks and all third-party subpoenas are subject to the SPO.
* * *
In summary, Judge Facciola's Report and Recommendation, ECF No. 704, is adopted with modifications. Section 11 of the SPO is amended as described herein. Consumer Plaintiffs’ motion for a protective order to quash Marriott's third-party subpoenas is denied. The third-party subpoenas, and all other third-party subpoenas, are subject to the SPO. These changes apply to all tracks.
I close with this observation. This particular dispute has unacceptably delayed discovery and placed the current discovery schedule in jeopardy. That needs to change, and counsel and the parties need to make up for lost time. Judge Facciola and I will be carefully watching how things progress going forward, and I will take this into careful consideration should there be any future request to extend the existing discovery deadlines.
Although informal, this is an Order of Court and will be docketed accordingly.