*1 Kevin T. Poindexter (“Poindexter”) has written a report that is an exhibit to Defendants' Opposition to Plaintiffs' Motion for Class Certification, ECF No. 885. The parties have been battling for months over whether paragraphs 22 to 39, which are sealed, should be made public.

Poindexter engaged in what he calls “locating and operating open-source intelligence.” Expert Report Poindexter at par. 2, Exhibit I to Defendant's Opposition to Plaintiffs' Motion for Class Certification, ECF No. 885 (Hereafter “Report”). To put it more simply, he searches the publicly available internet for information about people. Id. at par. 15.

He explained that the internet contains a “vast” amount of data about individuals that is generated by social media platforms, real estate records, civil/criminal court records, government documents, and employment databases. Id. at 10. Individuals can make this information available purposefully, or malefactors can steal it and use it without their permission. Poindexter searched the internet to find the personal data of the bellwether plaintiffs.

In paragraph 21 of his report, Poindexter summarizes what he found as follows:

Report at par. 21.

Poindexter also reports the following:

In paragraphs 40 to 43, Poindexter provides his conclusions as follows:

Thus, the public record in this case already provides detailed information about what Poindexter did and a summary of what he found. In a letter to me, Marriott's counsel explains its significance. That Poindexter's finding that the plaintiffs' personal information is already publicly available presents a defense to the merits of the plaintiffs' claim. It shows that any alleged theft of their data by the aforementioned breach did not harm them. Additionally, the presence of the information defeats the motion for class certification because “different plaintiffs have different pieces of information in the public domain.” Letter to the Special Master (undated) at 1.

*2 As noted, there is a battle over paragraphs 22-39 of Poindexter's report. In those sections, Poindexter describes the information he found about the plaintiffs. Specifically, he provided in his report the following information on each plaintiff:

1. Name

2. Age

3. Date of birth

4. Mailing address

5. Email address

6. Phone number

7. Potential relatives (including names and ages)

8. Social media or other application accounts (e.g., Instagram, Facebook, Twitter, Linkedln)

9. Employment records

10. Voter registration records (and/or political affiliation derived from these)

11. Civil and/or criminal legal records

12. Data breaches that potentially impacted the plaintiffs' information

13. Passwords stored in plain text

Report at 21.

Thus, if Marriott has its way, we will also learn[1] that Susie Smith is twenty-seven years old, lives in Chicago, and has a certain phone number and email address. She has a Facebook account, works at a car dealership, votes as a Democrat, was a plaintiff in a Title VII action, and has an brother named Vergil. She previously suffered a data breach on her computer other than the one referenced in this case.

I see no purpose whatsoever in the disclosure of this information. One of the central purposes of access to court records is to permit the public to evaluate the integrity and validity of the judicial process. Courthouse News Serv. v. Schaefer, 2 F. 4th 318, 321 (4th Cir. 2021). Given what is already on the public record, the public has all of the information needed to understand how Judge Grimm will deal with the plaintiffs' motion to find his report inadmissible and for class certification, insofar as the judge finds Poindexter's report relevant when he issues his decisions. Disclosure of the information in paragraphs 22 to 39 does not add an iota to that public understanding. And, frankly, I cannot divine any other reason to disclose it now.

I appreciate that Marriott claims that unless paragraphs 22-39 are unsealed, the public does not know that the plaintiffs' personal information is “otherwise publicly available.” Letter of Marriott's counsel to the Special Master at 3.

That is wrong. All the public needs to do is to read the first 21 paragraphs of Poindexter's report, the unsealed portion of the parties' pleadings that discuss it, and this report and recommendation, and it will learn what Poindexter found.

What Poindexter found is already public claims Marriott. But, as the plaintiffs point out, with a bit of sarcasm, if it is easy to find what Poindexter found why did Marriott need Poindexter? Letter of the plaintiffs' counsel to the Special Master, dated March 4, 2022, at 4.

More to the point, this is not a situation where a party is foolishly trying to seal a newspaper article. It is a collection of intimate details about the plaintiffs' lives, which are already scattered over the internet. Although it may be technically “public,” I see no reason for this Court to require the disclosure of that information when the details have nothing to do with the issues presently before the Court and will lead to the collection of those intimate details in one place on the internet (i.e., the Court's docket). Perhaps a given case may require that, but not this one.

*3 I hasten to add that there is nothing permanent about any of this. I am dealing only with the disclosure of this information between now and the Judge's resolution of the motion for class certification. What happens after that remains to be seen. Meanwhile, I find that unsealing paragraphs 22-39 of the Poindexter report would be an abuse of discretion, and I recommend that they remain sealed.

Dear Special Master Facciola:

Plaintiffs submit this letter brief in support of their confidentiality designations of ¶¶ 22-39 (and exhibits thereto) of the Expert Report of Kevin T. Poindexter (“Poindexter Report”). These paragraphs of the Poindexter Report contain a compilation of personally identifiable information (“PII”)[1] pertaining to numerous Bellwether Plaintiffs that deserve protection regardless of Defendants' assertions to the contrary. (See Ex. B to Stipulation, Poindexter Report at ¶¶ 22-39).

As an initial matter, Plaintiffs' confidentiality designations are not ripe for adjudication since, whether the Poindexter Report constitutes a “judicial record,” is dependent upon the Court's ruling on Plaintiffs' motion to exclude the Poindexter Report. Even assuming Your Honor deems it appropriate to resolve this dispute prior to a ruling on the motion to exclude, however, the weight of authority establishes that Plaintiffs' privacy interests in protecting the types of compiled information contained in the Poindexter Report far outweigh any public right of access to such information. This is especially true where, as here, the information sought to be publicly disclosed is a collection of various forms of Plaintiffs' PII—making the potential for harm through fraud or identity theft particularly great—and Defendants have not identified any justification sufficient to allow for public access.

I. This Dispute is Not Ripe for Adjudication and Consideration Should Be Stayed.

As a threshold jurisdictional matter, this Court should stay consideration of Plaintiffs' confidentiality designations of ¶¶ 22-39 of the Poindexter Report as it is not ripe for judicial review. Ripeness requires this Court to determine whether adjudication of the issue before it is proper where consideration “rests upon contingent future events that may not occur as anticipated or indeed may not occur at all.” Marylanders for Fair Representation, Inc. v. Schaefer, 795 F. Supp. 747, 751 (D. Md. 1992); B.R. v. F.C.S.B., 17 F.4th 485, 493 (4th Cir. 2021) (“Under Article III, federal courts do not adjudicate hypothetical or abstract disputes.”). In conjunction with their class certification motion, Plaintiffs moved to exclude the Poindexter Report. (See ECF No. 914). That motion is fully briefed and presently pending. Should the Court rule the Poindexter Report is inadmissible, Defendants' confidentiality challenges thereto will be moot, as the Poindexter Report would not qualify as a “judicial record” and the public would have no right of access to it. See In re Application of the United States of America for an Order Pursuant to 18 U.S.C. Section 2703(d), 707 F.3d 283, 290-91 (4th Cir. 2013) (“[D]ocuments filed with the court are ‘judicial records’ if they play a role in the adjudicative process, or adjudicate substantive rights.”); Baxter Intern., Inc. v. Abbott Laboratories, 297 F.3d 544, 545 (7th Cir. 2002). This Court should thus reserve consideration of Plaintiffs' confidentiality designations until the admissibility of the Poindexter Report is determined, which will necessarily govern whether it constitutes a “judicial record.”

II. To the Extent Consideration is Not Stayed, the Common Law Standard Applies.

*4 Defendants incorrectly assert that Plaintiffs' PII contained in ¶¶ 22-39 of the Poindexter Report is not confidential because the Protective Order defines “Confidential” and “Highly Confidential” Information as “information ... that has not been made public, or is not otherwise available or accessible in the public domain....” (See ECF No. 552 at 3-4). But, as your Honor has correctly pointed out, the Protective Order does not set the standard for confidentiality when it comes to filing documents with the Court. See In re Marriott International, Inc. Customer Security Breach Litig., 2022 WL 18710, at *1-2 (D. Md. Jan. 3, 2022). Thus, the Protective Order, upon which Defendants rely, is not dispositive to the Court's determination of whether ¶¶ 22-39 of the Poindexter Report is properly redacted to protect Plaintiffs' legitimate privacy interests. Id.

Defendants also wrongly maintain that the more rigorous First Amendment right of access—requiring denial of access to be necessitated by a compelling interest—applies to exhibits filed in conjunction with class certification. But the Fourth Circuit has held only that the First Amendment right of access applies to documents filed in conjunction with dispositive motions, such as a motion for summary judgment. See Rushford v. New Yorker Magazine, Inc., 846 F.2d 249, 252 (4th Cir. 1988). The Fourth Circuit has never recognized a First Amendment right of access to the non-dispositive civil motion process. Virginia Dept. of State Police v. Washington Post, 386 F.3d 567, 580 (4th Cir. 2004). A motion for class certification is a non-dispositive motion and, therefore, “the right of access at issue arises under the common law.” Harris v. Smithfield Packing Co., Inc., 2010 WL 4877144, at *1 (E.D.N.C. Nov. 24, 2010); see also Cochran v. Volvo Grp. North America, LLC, 931 F. Supp. 2d 725, 728-29 (M.D.N.C. 2013) (declining to apply First Amendment standard to class certification motion). Accordingly, if and when the Court rules on Plaintiffs' confidentiality designations, the less rigorous common law standard applies.

Under the common law, “[t]o establish that a document is confidential, a designating party must show that it contains information within the scope of Fed. R. Civ. P. 26(c) and that there would be an identifiable harm from its disclosure.” Sprint Nextel Corp. v. Simple Cell Inc., 2015 WL 13840324, at *2 (D. Md. Oct. 5, 2015). “Rule 26 protects more than just trade secrets and confidential information.” Waterkeeper Alliance, Inc., v. Alan & Kristin Hudson Farm, 278 F.R.D. 136, 140 (D. Md. 2011) (Grimm, J.). Indeed, “courts have consistently granted protective orders that prevent disclosure of many types of information.” Id.[2] If a party establishes confidentiality and harm, as Plaintiffs do here, Defendants then “must establish that the information is sufficiently necessary to [their] case to outweigh the harm of disclosure,” which they cannot do. Id.

III. Regardless of the Applicable Standard, Courts Consistently Seal PII.

Plaintiffs' privacy interests—to be free from potential harassment, fraud, and identity theft—outweigh any public right of access to their compiled PII contained in ¶¶ 22-39 of the Poindexter Report. First, much (if not all) of the individual elements of PII contained in ¶¶ 22-39 of the Poindexter Report are confidential. Courts in this District and across the country routinely permit parties to redact or seal the types of PII contained in the Poindexter Report, including, without limitation, home addresses, phone numbers, email addresses, dates of birth, marital status, and personal employment information, regardless of the applicable standard and whether those materials can be found through paid web portals or otherwise.[3] See, e.g., Rothman v. Snyder, 2020 WL 7395488, at *4 (D. Md. Dec. 17, 2020) (“It is well established that parties may properly redact private personal information, including home addresses, personal phone numbers, and email addresses.”); see also Naillieux v. United States Mint, 2019 WL 8752280, at *1 (D. Md. Mar. 1, 2019) (Grimm, J.) (recognizing “personal identification information may be sealed”); Jones v. Food Empl. Labor Relations Ass'n, 2014 WL 346651, at *7 (D. Md. Jan. 29, 2014) (Grimm, J.) (sealing “Social Security number, date of birth, marital status and disability records”); Schaechtel v. Maryland Div. of Correction, 2015 WL 5331254, at *1 n. 1 (D. Md. Sept. 9, 2015) (Grimm, J.) (sealing home addresses due to “obvious confidentiality considerations”); Reaves v. Jewell, 2014 WL 6698717, at *2 (D. Md. Nov. 26, 2014) (redacting plaintiff's personal contact information); Young v. United Parcel Serv., Inc., 2011 WL 665321, at *22 (D. Md. Feb. 14, 2011) (sealing exhibits containing “personal employee information”).[4] The Poindexter Report is also replete with aggregated information related to non-parties who, other than being relatives of Plaintiffs, have nothing to do with this case. See Lynch v. Private Diagnostic Clinic, PLLC, 2018 WL 1384486, at *7 (M.D.N.C. Mar. 16, 2018) (protecting PII of nonparties is particularly compelling); Allgood v. Paperlesspay Corp., 2021 WL 3887558, at *2 (M.D. Fla. June 4, 2021) (sealing addresses, email addresses, telephone numbers, age, prior employment, and names and PII of relatives).

*5 The information contained in ¶¶ 22-39 of the Poindexter Report is also confidential for the independent reason that these paragraphs contain a compilation of Plaintiffs' PII not found in other places in such a format. The Supreme Court recognizes a distinction between “scattered disclosure” of bits of information and placing a “compilation” of otherwise hard-to-obtain information in the public domain. See U.S. Dept. of Justice v. Reports Committee for Freedom of Press, 489 U.S. 749, 763 (1989). For that reason, it has concluded that there is a “strong privacy interest ... in the nondisclosure of compiled computerized information” because of the “power of compilations to affect personal privacy that outstrips the combined power of the bits of information contained within.” Id. at 765-66; see also Thomas v. FTS USA, LLC, 193 F.Supp.3d 623, 635-36 (E.D. Va. 2016) (“[A]s the Supreme Court has observed, the right to privacy in compilations of personal information is particularly powerful....”).[5] Thus, all the information contained in ¶¶ 22-39 of the Poindexter Report is particularly sensitive and deserving of confidential treatment because it constitutes a compilation of Plaintiffs' PII.

Moreover, this information is confidential irrespective of whether certain elements of PII can be found scattered in obscure and discreet locations on the Internet via a search of public and private databases. The Supreme Court has explicitly rejected Defendants' theory of personal privacy—that Plaintiffs automatically relinquish their privacy interest in hard-to-obtain information that can potentially be found only through a comprehensive and focused search. See Reports Committee, 489 U.S. at 767 (1989) (“[O]ur cases have also recognized the privacy interest inherent in the nondisclosure of certain information even where the information may have been at one time public.”); Krakauer v. Dish Network, L.L.C., 2015 WL 12750446, at *2 (M.D.N.C. Nov. 18, 2015) (rejecting argument that the plaintiff's personal information is publicly available online and granting motion to seal home addresses, email addresses, and telephone numbers).Yet, that is exactly what Poindexter did here. He used Plaintiffs' PII provided to Defendants during discovery to search public and private databases for additional information relating to Plaintiffs and compiled all the PII he found in ¶¶ 22-39 of his report (and exhibits thereto). (See ECF No. 914). Like in Reports Committee, however, if the information contained in the Poindexter Report is “freely available” to the public, as Defendants contend, there would be no need for Defendants to hire Poindexter to spend approximately 200 hours researching Plaintiffs to compile their PII. Id.; see also Reports Committee, 489 U.S. at 764. Further, if the information Poindexter gathered regarding Plaintiffs was so freely available, Poindexter would not need each Bellwether Plaintiff's verified physical address to perform his research and verify the information he found pertained to a particular Bellwether Plaintiff, assigning a “confidence score” for his conclusions. (See ECF No. 914). Plaintiffs, therefore, like those in Reports Committee, have a “particularly powerful” privacy interest in the compilation of their PII—the individual elements of which are scattered and obscure (if they can be found in the public domain at all). See Thomas, 193 F.Supp.3d at 635-36.

Second, Plaintiffs will be placed at a significant risk of harm if their PII is disclosed on the public docket. Courts consistently recognize that PII can be used to commit identity theft and that placing PII on the electronic docket creates a serious risk of misuse. See, e.g., In re U.S. Office of Personnel Mgmt. Data Sec. Breach Litig., 928 F.3d 42, 56 (D.C. Cir. 2019) (“It hardly takes a criminal mastermind to imagine how [personal] information could be used to commit identity theft.”); Bird v. Barr, 2019 WL 2870234, at *3 n. 2 (D.D.C. July 3, 2019) (“The adoption of electronic case management systems and mandatory e-filing, combined with ever-greater access to powerful Internet search tools and publicly available databases ... heighten the risks of misuse of a litigant's identity....”); Engeseth v. Cty. of Isanti, 665 F. Supp. 2d 1047, 1048 (D. Minn. 2009) (same); Mitchell v. Univ. of Pittsburgh, 2021 WL 3472152, at *2 (W.D. Pa. Aug. 6, 2021). This is particularly true where, as here, the PII to be disclosed on the docket is a compilation, which provides potential threat actors with a “one-stop shop” that can be misused to harass, defraud, and commit identity theft. See Reports Committee, 489 U.S. at 763 (“Plainly there is a vast difference between the public records that might be found after a diligent search ... and a computerized summary located in a single clearinghouse of information.”). To place Plaintiffs at even greater risk after being victims of Marriott's data breach defies credulity. Plaintiffs have thus established confidentiality and harm with respect to their PII contained in the Poindexter Report.

IV. Defendants Cannot Show That Public Disclosure of Plaintiffs' PII is Necessary.

*6 Because Plaintiffs have sustained their burden to establish confidentiality and harm, Defendants must establish that ¶¶ 22-39 of the Poindexter Report is “sufficiently necessary to [their] case to outweigh the harm of disclosure,” which they cannot do. Waterkeeper Alliance, Inc., 278 F.R.D. at 140. Despite Plaintiffs' repeated requests for Defendants to explain the necessity for placing Plaintiffs' PII on the public docket, Defendants have not provided any legitimate purpose for doing so. Rather, Defendants rely solely on the Protective Order to justify their improper attempts to publicize Plaintiffs' PII. (See, e.g., Ex. 4, 11/3/2021 Email from D. Marinucci (“No we're not required to identify a ‘benefit’ of having information be public; the order allows us to challenge information filed in conjunction with class certification briefing, which we did.”)). But even the Protective Order (which does not govern here) requires Defendants to challenge designations “in good faith,” which requires a legitimate purpose beyond the public's alleged right to know. See ECF No. 552 at § 5; Waterkeeper Alliance, Inc., 278 F.R.D. at 144 (noting it is improper to “pad the record” by needlessly citing marginally relevant information to inject it into the public record); Todd v. Tempur-Sealy International, Inc., 2015 WL 1006534, at *7 (N.D. Cal. Mar. 6, 2015) (“While Plaintiffs' brief [addresses] whether Defendant has good cause to maintain confidentiality, nowhere have they identified a legitimate purpose for disclosing the challenged materials....”).

Defendants' assertion that disclosure of Plaintiffs' PII is necessary to their opposition to class certification is belied by their brief. Defendants cite to ¶¶ 21-39 of the Poindexter Report in support of two sentences in their opposition brief in which they wrongly state that Plaintiffs “freely share much of [their PII] on the public internet” and “most of them have had their personal information breached many times before.” (See ECF No. 888 at 3). Notwithstanding their incorrect claims, Defendants cannot establish a need to actually expose Plaintiffs' PII on the public docket to fully advance these arguments—especially since Plaintiffs have agreed that the text in the brief may be unsealed and have withdrawn their confidentiality designation of ¶ 21 of the Poindexter Report, which fully encapsulates the types of information Poindexter claims is publicly available (as opposed to the actual information). See Colicchio v. Office of Personnel Management, 2011 WL 382403, at *1 n.1 (D. Md. Feb. 3, 2011) (sealing record and noting that parties filed unsealed memorandum that public may fully access); Washington v. Montgomery Cnty., 2018 WL 3585259, at *2 n. 4 (D. Md. July 26, 2018) (same).

Rather, it appears that Defendants seek to publicly disclose Plaintiffs' PII for two improper purposes. First, Defendants seek a premature order from this Court that Plaintiffs' PII is not confidential to support their specious damages argument that Plaintiffs have no legitimate expectation of privacy in their PII. This is an issue of fact that should not be resolved through a discovery dispute. Second, Defendants likely seek to deter Plaintiffs (and future data breach victims) from pursuing relief by further exposing Plaintiffs' PII (much of which was not even implicated in the data breach and is irrelevant to this action). See In re Anthem, Inc. Data Breach Litig., 2016 WL 11505231, at *1 (N.D. Cal. Apr. 8, 2016) (noting “[t]here is an Orwellian irony to the proposition that in order to get relief for a theft of one's personal information, a person has to disclose even more personal information” and declining to “further invade plaintiffs' privacy interests and deter current and future data theft victims from pursuing relief”). This Court should not permit Defendants to further victimize Plaintiffs by exposing their PII, when no legitimate purpose exists and disclosure is not necessary for the public to understand the Court's class certification ruling. See Doe v. Public Citizen, 749 F.3d 246, 267 (4th Cir. 2014); see also Horowitz v. Peace Corps, 428 F.3d 271, 278 (D.C. Cir. 2005) (“If there is no public interest in the disclosure of certain information, something, even a modest privacy interest, outweighs nothing every time.”). Defendants' confidentiality challenges should be denied.

I hereby certify that a copy of the foregoing was sent to Defendants' counsel and the Court on this 4th day of March 2022.

Dear Special Master Facciola:

Marriott opposes plaintiffs' request to permanently seal portions of Kevin T. Poindexter's Expert Report (“Poindexter Report” or “Report”). The Report synthesizes the results of Mr. Poindexter's search of publicly available sources for plaintiffs' personal information—like addresses, phone numbers, and email addresses. It shows that much of this information is already publicly available in an “amalgamated” format.

The personal information Mr. Poindexter located in the public domain is the same information at the heart of plaintiffs' case. It is the same information plaintiffs allege Marriott failed to protect. It is the same information plaintiffs argue has an “inherent value” that Marriott should pay to them. And it is the same information plaintiffs will need to present to a jury to successfully prove their case.

Plaintiffs nevertheless ask the Court to seal that personal information. They do so by lobbing unfounded accusations about Marriott's intent. And while their counsel argues that unsealing would put plaintiffs at risk, they do not provide any declaration supporting a finding that any plaintiff actually would be at risk.

To be clear, Marriott does not challenge the Report's sealing for an “improper purpose.” Rather, the Report should be unsealed because the publicly available nature of plaintiffs' information is a defense to their claims that Marriott caused them harm. At bottom, Marriott's argument is simple: if someone's name and address, for example, is already publicized on the internet or in public databases, the hacker's theft of that same name and address did not harm plaintiffs. This is both a merits defense on causation and damages and an integral part of Marriott's opposition to class certification because different plaintiffs have different pieces of information in the public domain. To substantiate this defense, Marriott relies on evidence that plaintiffs' information is in fact public through the Report.

The Court should hold that Marriott has the right to use that Report to defend themselves in the light of day. Plaintiffs have spent the past few years arguing in the public spotlight that Marriott caused them catastrophic harms through one of the “largest data breaches in history.” (2d Am. Compl. (ECF 418) ¶¶ 1, 3.) Marriott should be able to respond in open court by showing that the information at issue was already public—and its opposition here is narrowly tailored to that end.[1]

*8 What is more, plaintiffs have not met the common law's high burden to permanently seal judicial records. Plaintiffs' appeal to emotion and an unavailing “amalgamation” argument is not enough. They need to show that a countervailing interest heavily outweighs the public's interest in access. Because they have not done so, Your Honor should recommend that the Court unseal paragraphs 22-39 of the Report (and exhibits thereto).

I. The Poindexter Report Is A “Judicial Record” Under The Common Law.

This dispute is ripe for adjudication. Despite plaintiffs' objections to the timing of this briefing (Ltr. at 1), Your Honor has made clear that, pursuant to the final paragraph of the Court's Nov. 30, 2021 Letter Order (ECF 940), now is the time for resolution of this dispute (see Jan. 3, 2022 Report & Recommendation (ECF 954); Court's Jan. 18, 2022 Order adopting same (ECF 968)).

Plaintiffs also argue that, because Judge Grimm has not yet relied upon the Report in rendering a decision, it is not a “judicial record” under the common-law analysis. (Ltr. at 1.) It is.

A common-law presumptive right of access extends to all “judicial records.” See Doe v. Pub. Citizen, 749 F.3d 246, 265-66 (4th Cir. 2014); Churchill v. Prince George's Cnty. Pub. Schs., 2019 WL 528180, at *4 (D. Md. Feb. 11, 2019) (Grimm, J.) (same). District Courts have consistently found that documents filed in conjunction with class certification are “judicial records” under the common law. See, e.g., Mr. Dee's Inc. v. Inmar, Inc., 2021 WL 294775, at *6 (M.D.N.C. Jan. 28, 2021) (“[B]riefs and exhibits filed in connection with a motion for class certification are considered judicial records to which the common-law presumption of access attaches.”); see also Kingery v. Quicken Loans, Inc., 2014 WL 1794863, at *1 (S.D. W.Va. May 6, 2014) (similar); Minter v. Wells Fargo Bank, N.A., 2010 WL 5418910, at *14 (D. Md. Dec. 23, 2010) (“Although the Fourth Circuit has not explicitly held that a First Amendment right of access exists with regard to non-dispositive civil motions such as the motion for class certification at issue here, precedent favors access to information within the court's control.”). Here, Marriott filed the Poindexter Report in support of their opposition to plaintiffs' motion for class certification.

Accordingly, the parties' dispute regarding the common law's right-of-access presumption is ripe now. And while the First Amendment's right-of-access presumption does and will not apply until Judge Grimm expresses his reliance on the Report in a ruling (see, e.g., Nov. 30, 2019 Ltr. Order (ECF 418) at 3), that fact is irrelevant to the Court's analysis under the common law.

II. Plaintiffs Have Not Met Their Burden To Overcome The Common Law's Right-Of-Access Presumption.

Plaintiffs bear the burden of demonstrating that the common law's right-of-access presumption should be overcome. Paradyme Mgmt., Inc. v. Curto, 2018 WL 5013831, at *3 (D. Md. Oct. 16, 2018) (Grimm, J.). “Regardless of whether the right of access arises from the First Amendment or the common law, it ‘may be abrogated only in unusual circumstances.’ ” Va. Dep't of St. Police v. Wash. Post, 386 F.3d 567, 576 (4th Cir. 2004) (citation omitted).

As a threshold matter, plaintiffs identify the wrong test for this analysis. They argue, “[u]nder the common law, ‘[t]o establish that a document is confidential, a designating party must show that it contains information within the scope of Fed. R. Civ. P. 26(c) and that there would be an identifiable harm from its disclosure.’ ” (Ltr. at 2 (quoting Sprint Nextel Corp. v. Simple Cell Inc., 2015 WL 13840324, at *2 (D. Md. Oct. 5, 2015)).) But that is the standard for a protective order, not whether a judicial record can be sealed. See Sprint Nextel Corp., 2015 WL 13840324, at *1 (deciding motion for re-designation of documents under protective order under Rule 26). And plaintiffs' discussion of Waterkeeper Alliance, Inc. v. Alan & Kristin Hudson Farm, 278 F.R.D. 136 (D. Md. 2011), ignores Judge Grimm's discussion of the common law's and First Amendment's right-of-access tests. (Compare Ltr. at 2 with Waterkeeper, 278 F.R.D. at 142, 142 n.3.) Indeed, Judge Grimm explained in Waterkeeper that the challenged documents at issue may lose their confidential status once they are submitted and considered as part of dispositive motions. Waterkeeper, 278 F.R.D. at 142.

*9 To overcome the common law's right-of-access presumption, plaintiffs must show that “ ‘countervailing interests heavily outweigh the public interest in access.’ ” Churchill, 2019 WL 528180, at *4. Courts consider a number of factors under this test, including “ ‘whether the records are sought for improper purposes, such as promoting public scandals or unfairly gaining a business advantage [and] whether release would enhance the public's understanding of an important historical event.’ ” Va. Dep't of St. Police, 386 F.3d at 575 (citation omitted). And, most importantly here, courts consider “ ‘whether the public has already had access to the information contained in the records.’ ” Id. (emphasis added). Plaintiffs have not met their burden under this test.

The relevant information in the Poindexter Report is already public. The common law's right-of-access presumption carves out an exception for information already available to and accessible by the public. See, e.g., Bowman v. Int'l Bus. Machs. Corp., 2012 WL 5285891, at *1-2 (S.D. Ind. Oct. 25, 2012) (unsealing exhibits to class-certification brief); In re App. for Access to Video Exhibits, 2021 WL 5769379, at *5 (D.D.C. Dec. 6, 2021) (“[W]hen much of the critical information [sought to be disclosed] is already in the public forum, this factor weighs in favor [of] greater disclosure.”); Strauss v. Credit Lyonnais, S.A., 2011 WL 4736359, at *2, *9 (E.D.N.Y. Oct. 6, 2011) (“[A]ny documents or information that are otherwise publicly available ... need not be sealed or redacted.”); In re App. of N.Y.T Co. for Access to Certain Sealed Court Records, 585 F. Supp. 2d 83, 93-94 (D.D.C. 2008) (unsealing warrant materials as “much of the critical information [wa]s already in the public forum”). And in analogous contexts, the law is clear that information that is publicly available is entitled to less protection and implicates fewer privacy concerns (if any) than truly “private,” non-public information. See, e.g., Reclaim the Records v. Dep't of Vet. Affairs, 2020 WL 1435220, at *6 (S.D.N.Y. Mar. 24, 2020) (discussing “public domain” doctrine, under which materials normally immunized from disclosure under the Freedom of Information Act (“FOIA”) “lose their protective cloak once disclosed and preserved in a permanent public record”).

Here, the relevant information in the Report is already in the public domain. Indeed, the point of Mr. Poindexter's testimony is that the personal information plaintiffs allege Marriott failed to protect is already publicly available. And that is also the very reason the information is relevant to Marriott's merits and class-certification defense. The Court should unseal the Report for this reason alone.

The public will benefit from having access to the Report. Public access to the Report is also necessary because it will enhance the public's understanding of a historical event—i.e., what plaintiffs call one of the “largest data breaches in history.” That access is also “necessary in the long run so that the public can judge the product of the courts in a given case,” which is particularly important in a case that involves such a breach. Columbus-Am. Discovery Grp. v. Atl. Mut. Ins. Co., 203 F.3d 291, 303 (4th Cir. 2000). This case has received considerable publicity, and the public has a right to examine the Court's treatment of such a matter. See Doe, 749 F.3d at 27 (“The ability of the public and press to inspect docket sheets is a critical component to providing meaningful access to civil proceedings.”).

As it stands now, the public does not know that the personal information plaintiffs allege Marriott failed to protect is otherwise publicly available. And without unsealing the Report, the public will not know the details of that public availability. See, e.g., Fidlar Techs. v. LPS Real Estate Data Sols., Inc., 2013 WL 5973938, at *2 (C.D. Ill. Nov. 8, 2013) (“[W]hen a court finds it necessary to consider certain information in making a decision, that information should ordinarily be made available to public scrutiny in order to preserve the integrity of the judicial process.”); Jackson v. Deen, 2013 WL 2027398, at *14 (S.D. Ga. Apr. 3, 2013) (“What transpires in the courtroom is public property. And open proceedings may be imperative if the public is to learn about the crucial legal issues that help shape modern society.... That is why there is a presumption of public access to court records...”).

*10 Marriott does not object to sealing the Report for an improper purpose. Plaintiffs offer the unsubstantiated opinion that Marriott opposes the Court's sealing of the Report for an improper purpose. (Ltr. at 5.) That is not true. The information in the Report is essential to the claims and defenses in this case, including at class certification. Whether a plaintiff's information is already public goes directly to causation and damages, as it disrupts the causal chain between a plaintiff's alleged damages and Marriott's alleged failure to protect her information. It is also relevant to Marriott's class-certification opposition: what, if any, of each plaintiff's personal information is already public demonstrates that individualized issues predominate over common questions.

Marriott must be able to defend itself in the public eye. Just as the public has the right to access civil proceedings, a defendant has a coextensive right to defend itself by telling its side of the story in open court. Courts have thus determined that “basic fairness” dictates that civil defendants, at a minimum, have a right to name their accuser and defend themselves publicly. See, e.g., Doe v. Ind. Black Expo, Inc., 923 F. Supp. 137, 141-42 (S.D. Ind. 1996) (“Basic fairness requires that where a plaintiff makes ... accusations publicly, he should stand behind those accusations, and the defendants should be able to defend themselves publicly.”). Similarly, courts have rejected motions to seal class-certification briefing and related exhibits for the very reason Marriott states here: because these documents go directly to the merits of the case. See, e.g., Fitzhenry-Russell v. Dr. Pepper Snapple Grp., Inc., 326 F.R.D. 592, 617-18 (N.D. Cal. 2018) (sealing only a “limited amount” of the class certification brief and exhibits because “class certification brief[ing] addresse[s] the merits of the case”).

Plaintiffs do not offer compelling reasons that “heavily outweigh” the common law's right-of-access presumption. Plaintiffs first argue that sealing the Report is necessary for them “to be free from potential harassment, fraud, and identity theft.” (Ltr. at 2.) But plaintiffs do not support their argument with citations—much less declarations—from which the Court could agree with their claim. And ipse dixit is not enough to overcome the common law's right-of-access presumption.

Courts frequently cite the absence of verified documentation like a declaration to support a party's position on a motion to seal as evidence that the party's argument is specious. See, e.g., Williams v. Estates LLC, 2021 WL 6202726, at *1 (M.D.N.C. Oct. 20, 2021) (denying motion to seal when party “filed no evidence to support th[eir] claim [and] provide[d] no declaration”); In re Nat'l Collegiate Athletic Assoc. Athletic Grant-in-aid Cap Antitrust Litig., 2018 WL 1576456, at *1 (N.D. Cal. Mar. 30, 2018) (denying motion to seal for “all information for which no declaration in support of sealing was provided” and further “den[ying] leave to seal” if “information ha[d] [already] been publicly disclosed”). Judge Grimm followed this line of reasoning in this case. (See ECF 418 at 4 (denying motion to seal because Marriott “offer[ed] no particularized support for the proposition that sealing ... [wa]s necessary”).) And Your Honor should recommend that he do the same in this dispute.[2]

*11 Plaintiffs' next argument—that their privacy is violated by the Report's “amalgamation” of already-public information—does not change this basic conclusion. “[T]he strength of such an argument is contingent on whether the information sought to be protected from disclosure is already public.” See, e.g., Anderson v. N.Y.C. Health & Hosps. Corp., 2020 WL 1047054, at *2 (S.D.N.Y Mar. 4, 2020). And the Report does not “amalgamate” plaintiffs' information any more than it is already compiled and available on the internet. Indeed, as Exhibit A shows, much of the information plaintiffs claim Marriott is nefariously trying to compile in one place is already compiled in aggregate form on the internet. That should be dispositive of plaintiffs' argument. See, e.g., Reclaim the Records, 2020 WL 1435220, at *7 (rejecting amalgamation argument where information was already aggregated publicly).

In any event, plaintiffs' cited case law is inapposite. U.S. DOJ v. Reporters Committee For Freedom of Press, 489 U.S. 749 (1989), involved the disclosure and dissemination of “arrests, indictments, acquittals, convictions, and sentences” of four non-parties by federal agencies. Id. at 757. Three exemptions to FOIA's disclosure requirements specifically prohibit agencies from disclosing the type of information contained in criminal rap sheets even if already otherwise publicly available. Id. at 755, 762-63.

This dispute also involves disclosure of party information—not unnamed third parties—that is critical to the merits of this case. And plaintiffs do not argue that the information sought to be disclosed are prohibited or “exempt” from disclosure under specific federal law, like FOIA. See Cutshall v. Sundquist, 193 F.3d 466, 481 (6th Cir. 1999) (the Reporters Committee Court's “references to the possibility of a constitutional right to keep matters from being disclosed ... was mere dicta” and concluding that “[plaintiff] ha[d] no constitutional right to keep his registry information from being disclosed”). Furthermore, as explained in Reporters Committee, the “amalgamation” problem there dealt with “the compilation of otherwise hard-to-obtain information” because “there is a vast difference between the public records that might be found after a diligent search of courthouse files, county archives, and local police stations throughout the country and a computerized summary located in a single clearinghouse of information.” Id. at 764 (emphasis added). The information here is neither hard to find nor obtain and is available to anyone with internet access at the click of a mouse.

Thomas v. FTS USA, LLC, 193 F. Supp. 3d 623 (E.D. Va. 2016), and Krakauer v. Dish Network, L.L.C., 2015 WL 12750446 (M.D.N.C. Nov. 18, 2015), are also distinguishable. Thomas involved the Fair Credit Reporting Act's prohibition of the disclosure of consumer reports and made a passing, one-sentence reference to “aggregation” of personal information. 193 F. Supp. 3d at 635-36. And Krakauer involved personal information of putative class members who had not chosen to participate in the lawsuit—and that information was irrelevant to the merits of the case. 2015 WL 12750446, at *2.

Plaintiffs also cited many rulings on unopposed motions to seal. In those cases, parties did not need to put forth compelling reasons justifying sealing, and the courts likewise did not need to engage in extensive analysis. See, e.g., Reaves v. Jewell, 2014 WL 6698717, at *2 (D. Md. Nov. 26, 2014); Young v. United Parcel Serv., Inc., 2011 WL 665321, at *22 (D. Md. Feb. 14, 2011); Lynch v. Private Diagnostic Clinic, PLLC, 2018 WL 1384486, at *6 (M.D.N.C. Mar. 16, 2018); Allgood v. Paperlesspay Corp., 2021 WL 3887558, at *1 (M.D. Fla. June 4, 2021); Washington v. Montgomery Cnty., 2018 WL 3585259, at *2 n.4(D. Md. July 26, 2018); Mitchell v. Univ. of Pitt., 2021 WL 3472152, at *1 (W.D. Pa. Aug. 6, 2021).

*12 Many of plaintiffs' cited cases involve personal information of nonparties to the lawsuit. See Mitchell, 2021 WL 3472152, at *2; Lynch, 2018 WL 1384486, at *7; Engeseth v. Cnty. of Isanti, Minn., 665 F. Supp. 2d 1047, 1048 (D. Minn. 2009). As discussed, courts treat non-parties' information differently than plaintiffs'. See Krakauer, 2015 12750446, at *2. And plaintiffs' other cases are likewise no help. In re Anthem involved a dispute over a discovery request. 2016 WL 11505231, at *1 (N.D. Cal. Apr. 8, 2016). And in Doe, the Fourth Circuit instructed the district court “to unseal the record in its entirety,” reasoning that “[w]ithout access to judicial opinions, public oversight of the courts, including the processes and outcomes they produce, would be impossible.” 749 F.3d at 267, 275 (emphasis added).

Your Honor should recommend that the Court deny plaintiffs' request for the same reason.