In re Marriott Int'l, Inc. Customer Data Sec. Breach Litig.
2022 WL 780799 (D. Md. 2022)
March 14, 2022

Grimm, Paul W.,  United States District Judge

Protective Order
Third Party Subpoena
Special Master
30(b)(6) corporate designee
Summary
The court is considering whether to allow Marriott International to obtain discovery from 4Discovery, a discovery vendor/consulting expert, regarding any malware present on Plaintiffs' devices. 4Discovery was hired by the Plaintiffs to collect and produce ESI related to the analysis of malware on their devices. Plaintiffs objected to Marriott's request for production no. 3, and the court determined that the controversy was premature and stayed consideration of Plaintiffs' Motion for Protective Order and to Quash 4Discovery Subpoena sine die.
IN RE: MARRIOTT INTERNATIONAL, INC. CUSTOMER SECURITY BREACH LITIGATION
MDL NO. 19-MD-2879
United States District Court, D. Maryland
Signed March 11, 2022
Filed March 14, 2022
Grimm, Paul W., United States District Judge

ORDER
THIS DOCUMENT PERTAINS TO THE CONSUMER TRACK

Introduction
The Work to Be Done
*1 Despite the plaintiffs’ objection, Judge Grimm ordered that plaintiffs provide Marriott with information pertaining to (1) whether malware was detected on their electronic device(s), and (2) if so, whether the malware was capable of exfiltrating data from the device, and (3) if so, whether a root cause analysis of the malware was performed. Plaintiffs’ letter of February 25, 2022, at 2, citing ECF Nos. 752, 770.
The plaintiffs hired 4 Discovery to do the analysis. Marriott sought to take 4 Discovery's deposition and demanded that it produce documents that Marriott identified in its F. R. Civ. P. 30(b)(6) Notice of Deposition.
The Motion to Quash in the Northern District of Illinois
On July 2, 2021, the plaintiffs sought a protective order prohibiting the deposition and the production of documents by 4 Discovery. However, 4 Discovery moved for a protective order in the Northern District of Illinois. Judge Grimm accepted my recommendation that I not proceed with the motion for a protective order filed in this Court until the Northern District had acted.
After the Northern District had acted, I returned to the plaintiffs’ July 2, 2021, motion. In a videoconference with counsel, I expressed my concern that it was improvident and unnecessary to permit the deposition of 4 Discovery that Marriott sought or to resolve the privilege issues. The latter would probably require me to review the documents claimed to be privileged.
Plaintiffs’ Theory of Damages
By this time, I had become more familiar with the theory of damages, articulated by Dr. Prince, that underlies plaintiffs’ motion for class certification. One premise of Dr. Prince's damage evaluation is that the plaintiffs’ personal data (called PII in this case) had an inherent value. A second premise is that the plaintiffs lost the benefit of their bargain when Marriott assured them it would protect their data but failed to do so while they were staying at a Marriott hotel.
Ultimately, I presided over Dr. Prince's deposition. That deposition concluded with my asking the Doctor if the hack that the plaintiffs complained about diminished the inherent value of plaintiffs’ PII. He advised me that it had not. In response to my next question, he indicated that if the inherent value of the PII was x the day before the hack, that value remained x after the hack.
Consultation with Counsel
I asked counsel to collect the material pertaining to discovery from 4 Discovery. They graciously did so and, after I reviewed it, I indicated to counsel that I believed I should recommend to Judge Grimm that he postpone consideration of plaintiffs’ motion for a protective order. In a subsequent email to counsel, included here as Attachment One, I explained why “resolution of this controversy is premature at least until Judge Grimm resolves whether plaintiffs will be able to advance the validity of Dr. Prince's opinion that plaintiffs’ PPI had an inherent value.” Attachment One at 1.
I also created a diagram for counsel, which is included as Attachment Two. On the diagram, I inserted stop signs at each point where I thought an issue or other event must be resolved before we could have any idea whether the existence of other malware on plaintiffs’ electronic devices would be relevant to any issue in this case.
*2 I put stop signs at
• the acceptance or rejection by Judge Grimm of Dr. Prince's damages theories
• the grant or denial of plaintiffs’ motion for class certification
• the resolution of any motions for summary judgment
I then stated: “Finally, we have the question of what will happen to any individual claims irrespective of any other issue. That is far away. It is impossible, in my view, to predict the relevance of the 4 Discovery analysis to the individual claims today.” Id.
I sent a proposed stipulation to counsel that would postpone the resolution of the plaintiffs’ motion for a protective order sine die. I directed them to meet and confer to determine whether they would agree to my proposal. I directed Ms. Keller, plaintiffs’ counsel, to advise me whether there was any objection but not to identify the objector.
By this point, I became firmly convinced that the potential relevance of 4 Discovery's testimony was so attenuated and dependent on events that may never occur that Judge Grimm should postpone resolution of the issues pertaining to 4 Discovery's deposition at least until he resolved the motion for class certification.
As noted above, Dr. Prince told me that plaintiffs’ data had not lost any of its inherent value because of the hack. Any other potential reason for personal data loss, such as malware, has nothing to do with his theory of damages. And, if that is so, how would malware on plaintiffs’ electronic devices be relevant to any issue presently before the Court?
I then decided to permit Marriott to file a brief directed to why we should go forward with the deposition. I hoped that it would tell me why the deposition of 4 Discovery had anything to do with plaintiffs’ damages theories. Instead, Marriott devoted its entire brief to arguing it should have the discovery it seeks from 4 Discovery. The brief is therefore not devoted to my question -- whether it should have that discovery now.
Analysis
Winston Churchill said that “generals are always prepared to fight the last war.” Marriott's generals fought the war to get discovery from 4 Discovery and won it handsomely. They overcame plaintiffs’ opposition to the discovery of their electronic devices and secured from Judge Grimm a specific protocol guiding how the plaintiffs would have to answer certain questions. Plaintiffs retained 4 Discovery to comply with the protocol, and 4 Discovery provided reports of its actions to counsel for both sides. Letter of February 25, 2022, Exhibit A, paras. 4–5.
Ms. Keller, plaintiffs’ counsel, has also explained to me, in a detailed declaration, the questions that Marriott's counsel asked as 4 Discovery did its work and the complete answers that plaintiffs’ counsel provided. Id., paras 7–10. Marriott's complaint that it needs discovery from 4 Discovery as if it had not had any is hard to understand. No one should complain of hunger with a loaf of bread under each arm.
It is equally incorrect for Marriott to claim that it needs discovery from 4 Discovery to use at the hearings on March 21, 2022, and April 20, 2022. Letter of January 24, 2022 at 1–2.
*3 First, it is impossible for malware on the electronic devices to have anything to do with the issues of the admissibility of expert testimony that the Judge will address at the hearing on March 21, 2022.
Second, as to the hearing on April 20, 2022, Marriott admits, as it must, that the presence of malware can only bear on the question of causality. Id. But that is not a class issue that Judge Grimm will resolve in determining whether he will allow a class action on the basis of plaintiffs’ damage theories. The presence of malware on a computer has nothing to do with whether Judge Grimm will permit a class action based on the inherent value of the plaintiffs’ PII or the benefit of the bargain theories.
The most that can be said is that there is a theoretical possibility that, irrespective of Judge Grimm's resolution of the motion for class certification, he will exercise his discretion under F. R. Civ. P. 26(c)(4) and permit plaintiffs to raise the issues of Marriott's negligence, breach of contract, or statutory or nominal damages as a class action. In that situation, Marriott may have a defense premised on the presence of malware on an individual plaintiff's electronic device.[1]
However, recall that Marriott opposes any such class action because “of the individualized nature of determining whether plaintiffs can prove defendants caused their alleged injuries.” Letter of January 25, 2022, at 3 and n.1. If Marriott prevails in that opposition, the need for discovery from 4 Discovery evaporates.
Alternatively, if Judge Grimm permits such an F. R. Civ. P. 26(c)(4) class action, there will be time enough to investigate whether Marriott can defend itself because there was malware on plaintiffs’ computers undetected by 4 Discovery. Unless and until that happens, spending time and money on that issue is wasteful.
Finally, Marriott now knows exactly what 4 Discovery did. If Marriott believes that 4 Discovery did a poor job and its conclusions should be disregarded, Marriott can hire its own expert to make that point. It does not need discovery from 4 Discovery to do that.
Therefore, I persist in my view that the resolution of the plaintiffs’ motion for a protective order be postponed. I recommend that the Court issue the following order:
1. Consideration by the Special Master of plaintiffs’ Motion for Protective Order and to Quash 4 Discovery Subpoena is stayed sine die.
2. The defendants reserve all their rights to demand the deposition of 4 Discovery and the production of the documents sought by subpoena served upon 4 Discovery. That subpoena is also Exhibit 5 to the Declaration of Amy Keller, July 2, 2021 (hereafter “Exhibit A”).
3. Plaintiffs reserve all their objections to that subpoena and the production by themselves or by 4 Discovery of the documents specified in Exhibit A.
4. Plaintiffs will preserve all documents demanded by Exhibit A that are in their possession, custody, or control until relieved from doing so by the Court, subject to the below paragraph.
*4 5. If plaintiffs have not already done so, they shall instruct 4 Discovery to preserve all documents demanded by Exhibit A that are in 4 Discovery's possession, custody, or control, until otherwise instructed, and inform plaintiffs’ counsel if 4 Discovery becomes at risk of ceasing operation or being acquired.
ATTACHMENT ONE
I appreciate your collection of the material pertaining to the controversy about 4 Discovery. I reviewed them again and I am now more firmly convinced than I was at our last conference that the resolution of this controversy is premature at least until Judge Grimm resolves whether plaintiffs will be able to advance the validity of Dr. Prince's opinion that plaintiffs’ PPI had an inherent value.
My consideration of the materials and the thoughts we exchanged at our last conference led me to refine the diagram I had made. Here is my revision:
I am attempting to indicate that evidence that malware on the bellwether plaintiffs’ device cannot possibly to any issue I can divine until we know whether Judge Grimm will permit plaintiffs to advance Dr. Prince's inherent value theory. If Judge Grimm rejects plaintiffs’ attempt, we have our first Stop sign. At that point, there will be, in my view, the need to reassess where the case goes from there. The same is true if Judge Grimm permits the theory but denies the motion for class certification. That would be the second Stop sign.
If, on the other hand, plaintiffs prevail on the motion for class certification, we face the possibility of both parties moving for summary judgment. This is the next Stop sign.
It is again difficult to understand how the possibility of malware on the bellwether plaintiffs’ devices would bear on the issues presented by such motions.
Finally, we have the question of what will happen to any individual claims irrespective of any other issue. That is far away. It is impossible, in my view, to predict the relevance of the 4 Discovery analysis to the individual claims today.
Whatever may happen under these or these scenarios, I think it indubitable that it is premature to consider the probative value of the 4 Discovery's analysis until (at least) Judge Grimm determines whether he will admit Dr. Prince's opinion.
I have no interest in spending my time and your money on an issue that threatens to become academic. I have decided to propose your agreeing on a stipulation postponing my resolution of the controversies arising from the 4 Discovery examination of the devices. I am sending you a proposed stipulation in a separate file.
I am comfortable with the stipulation. We are dealing with a company that can be subjected to a F. R. Civ. P. 30(b)(6) deposition. We are not dealing with an individual who decides to go to Tahiti and paint.
You will see that plaintiffs’ counsel are required to collect the documents called for by Marriott's subpoena and to preserve them indefinitely.
I think this is sufficient. Also, by agreeing to the stipulation neither party forfeits nor waives any objection they may have.
Please consider the stipulation and communicate to each other but not to me whether it is acceptable. Ms. Keller will send me an email in seven days. She will indicate only whether the stipulation is acceptable to all parties. She is to indicate that it is or is not in a single sentence. She is not to tell me who has objected. Once I learn that, I will decide what to do and advise you.
ATTACHMENT TWO

*5 January 24, 2022
Sent Via E-Mail (facciola@me.com)
Dear Special Master Facciola:
Judge Grimm's case schedule for the Consumer Track provides for one discovery period for all discovery relevant to class certification and merits. Marriott served a Rule 45 subpoena on 4Discovery, LLC (“4Discovery”) seeking documents and a 30(b)(6) deposition related to the reports that 4Discovery prepared. These reports discussed 4Discovery's findings as to malware on plaintiffs’ electronic devices. Marriott sought this discovery to gather evidence to use in opposition to Plaintiffs’ Motion for Class Certification and to defend itself on the merits. Despite an order from the Northern District of Illinois denying 4Discovery's motion to quash, to date Marriott has been unable to obtain this discovery from 4Discovery.
This discovery is undoubtedly relevant to the pending motion for class certification. Among other reasons, this discovery is relevant to Marriott's argument that the alleged loss of plaintiffs’ PII can be traced to any number of sources, which creates individualized issues that predominate over any alleged common ones. While Marriott has been denied the opportunity to incorporate this discovery into its opposition to class certification, the Court is still evaluating whether certification is appropriate here. In particular, Marriott still has the opportunity to obtain this information for use at the March 21, 2022 hearing with the experts and the April 20, 2022 hearing on Plaintiffs’ Motion for Class Certification. This discovery should proceed now.
Plaintiffs are seeking certification of not only Rule 23(b)(3) classes for “PII Value Damages” and for “Benefit of the Bargain Damages,” but of a Rule 23(c)(4) liability class. (ECF No. 859, Pls.’ Mot. for Class Cert. (Mot.), 3 (“Plaintiffs seek certification under Rule 23(c)(4) of the state classes for liability purposes only for Plaintiffs seeking individualized damages related to identity fraud, time spent responding to the breach, and other out-of-pocket losses.”), id. at 10 (“And any damages that cannot be resolved on a classwide basis can be handled through certification under Federal Rule 23(c)(4).”).
Causation is critical to each Rule 23(c)(4) question for which plaintiffs seek certification. As requested in plaintiffs’ Memorandum in Support of its Motion for Class Certification, plaintiffs asked the Court to certify the following issues for its Rule 23(c)(4) class:
1. Were Marriott or Accenture Negligent?
a. Did they owe a common law duty to the class;
b. Did they breach that duty; and
c. Did the breach of that duty cause harm to the class.
2. Were Marriott or Accenture Negligent Per Se?
a. Did they owe a statutory duty to the class;
b. Did they breach that duty; and
c. Did the breach of that duty cause harm to the class.
3. Did Marriott and Starwood breach their contracts?
*6 a. Did the companies’ Privacy Policies create contractual obligations?
b. Did the companies breach those obligations?
c. Did those breaches cause harm?
4. Did Marriott violate state consumer protection statutes?
a. Did Marriott and Starwood make actionable representations or omissions about their security?
b. Did they fail to meet those representations?
c. Did those failures cause harm?
(Mot. 43).[1]
Plaintiffs’ putative class claims against Marriott require proof that it caused plaintiffs’ injuries. (See ECF 958, Joint Bellwether Class Certification Claims and Defenses Spreadsheet.) Plaintiffs’ claims of injuries and damages arise from their allegation that their personal information was stolen from the Starwood guest reservation database in the cyberattack. Thus, whether the same information from the guest reservation database was also captured by malware on plaintiffs’ personal devices and harvested by another hacker is absolutely relevant to causation. See Dolmage v. Combined Ins. Co. of Am., 2017 WL 1754772, at *9 (N.D. Ill. May 3, 2017) (recognizing relevance of individualized evidence of exposure to other data breaches in data-breach class certification causation analysis); McGlenn v. Driveline Retail Merch., Inc., 2021 WL 165121, at *9-10 (C.D. Ill. Jan. 19, 2021) (denying class certification in data breach litigation for lack of causation commonality because, inter alia, evidence showed several purported class members had been involved in other data breaches).
This Court has already found that the fact that there are multiple grounds for the loss of personally identifiable information is “absolutely relevant.” (See Mar. 24, 2021 Hrg. Tran., at 1-18.) During the March 24, 2021 hearing, Judge Grimm stated, “I don't know whether we'll be dealing with substantial factors or substantial factor causation, or whether we're going to be dealing with but-for causation. But in any event, if the evidence is that there were multiple data security breaches on devices being used by the plaintiffs, that it would be relevant.” Id. at 17. The information sought from 4Discovery is pertinent to Marriott's opposition to class certification because it shows the individualized nature of determining whether plaintiffs can prove defendants caused their alleged injuries. See Windham v. Am. Brands, Inc., 565 F.2d 59, 68 (4th Cir. 1977) (requirement to individually try causation and damages predominated); Lienhart v. Dryvit Sys., Inc., 255 F.3d 138, 149 (4th Cir. 2001) (“functional equivalent of a full-blown trial on damages causation for each putative class member ... [does not] meet the prerequisites of Rule 23(b)(3)”).
Regardless of whether plaintiffs are pursuing a “PII Value Damages” theory based on a diminishment in value of their PII or a “Market Value” theory, Marriott is entitled to obtain discovery to show that these damages theories are not susceptible to classwide proof. If some Bellwether Plaintiffs had their data compromised as a result of what 4Discovery deems is PII-extracting malware and others had malware that 4Discovery classified differently, Marriott should be permitted to take discovery now and allow the experts and the Court to hear how it impacts the plaintiffs’ theory of damages.
*7 The discovery sought from 4Discovery is also relevant to the merits of plaintiffs’ claims. In fact, Judge Grimm noted that it is not credible to deny that discovery related to malware on plaintiffs’ devices is relevant. (See Mar. 24, 2021 Hrg. Tran., at 17.) Information about plaintiffs’ use of their devices, including the presence of malware, is relevant to disproving numerous allegations. Among other things, the discovery is relevant to the allegation that Plaintiffs treat personal information as highly sensitive; that Marriott's alleged loss of that information devalued plaintiffs’ PII; and that plaintiffs would not have stayed at a Marriott hotel had they known of Marriott's security practices. In addition, this discovery is relevant to rebut plaintiffs’ argument that the Starwood cyberattack caused the misuse of their information. Evidence of plaintiffs’ own data handling and possible other avenues that their data could have been lost or stolen is thus relevant to the merits.
Judge Grimm recognized the importance of this discovery. As he noted when granting Marriott's motion to compel the inspection of plaintiffs’ devices, the information 4Discovery analyzed and reported on is:
central to what this case is all about. Because if someone -- now the mere fact that malware may have been up on there, or the mere fact that somebody may have sent an email saying, hey, your medical information may have been compromised, it doesn't mean that it was and it doesn't mean that Marriott didn't cause it. It just means that there are issues about when -- it could be more than one issue about causation. What it gets us, where it goes, how far it goes, yet to be seen. But it's clearly relevant.
Id. at 17-18.
As explained above, discovery from 4Discovery is relevant to both the experts’ opinions on plaintiffs’ PII value theories and individual causation issues. Thus, it is important that Marriott obtain this information before the March 21, 2022 hearing on expert challenges. Allowing this discovery to go forward now, close in time to the end of the discovery period and while the issues are fresh in potential deponents’ minds is the most efficient course. Otherwise, if discovery is not permitted until after a class-certification ruling and appeals are taken, it could be years before Marriott is able to obtain this information.
As Your Honor acknowledged during the parties’ recent conference, it is not guaranteed that any e-discovery company will continue to operate.[2] Not only could 4Discovery cease to exist, but the employees who conducted the device inspections could leave the company and not be accessible to provide the information required to prepare for a 30(b)(6) deposition of 4Discovery. This is an unnecessary risk that could easily be eliminated if Marriott is permitted to finish the fact discovery it seeks on this important matter.
/s/ Lisa M. Ghannoum
Daniel R. Warren
Lisa M. Ghannoum
Baker & Hostetler LLP
127 Public Square, Suite 2000
Cleveland, OH 44114-1214
Tel: 216.621.0200
Fax: 216.696.0740
Email: dwarren@bakerlaw.com
Email: lghannoum@bakerlaw.com
Gilbert S. Keteltas
Baker & Hostetler LLP
1050 Connecticut Ave. NW, Suite 1100
Washington, D.C. 20036
Tel: 202.861.1530
Fax: 202.861.1783
Email: gketeltas@bakerlaw.com
February 25, 2022
VIA E-MAIL (facciolj@georgetown.edu)
Special Master John M. Facciola (Ret.)
Dear Special Master Facciola:
*8 This controversy began over Marriott's request for production no. 3, which sought discovery into any malware present on Plaintiffs’ devices. Plaintiffs moved for a protective order in response to the request. The Court resolved the parties’ dispute by ordering the protocol to be used for Plaintiffs to respond to Marriott's request for production, and Plaintiffs complied with the order (including answering all of Marriott's questions related to the same). Despite Plaintiffs’ compliance with the Court's order, Marriott sought to circumvent that order and the court's orders on the parties’ discovery by seeking further discovery about Plaintiffs’ devices, beyond those limitations ordered by this Court, via a Rule 45 subpoena served on Plaintiffs’ discovery vendor/consulting expert requesting privileged documents and communications. On July 2, 2021, Plaintiffs submitted their request for a protective order to your Honor.
While Plaintiffs have objected to the relevance and proportionality of Marriott's request for production no. 3 from the inception of the parties’ dispute, the immediate question posed by Your Honor is whether the controversy must be resolved at this time in light of the minimal (if any) relevance and proportionality to the current issues pending before the Court, specifically Defendants’ motion to exclude Dr. Prince's expert opinions and Plaintiffs’ motion for class certification.
Marriott's January 24, 2022, submission provides no basis for Your Honor to reverse course on the Court's prior determination that the controversy is premature and that consideration of Plaintiffs’ Motion for Protective Order and to Quash 4Discovery Subpoena should be stayed sine die.
Marriott has already fully responded to Plaintiffs’ class certification motion and challenged Plaintiffs’ experts, (See ECF Nos. 885, 895), but yet Marriott argues that “documents and a 30(b)(6) deposition related to the reports that 4Discovery prepared ... as to malware on plaintiffs’ electronic devices” is relevant and necessary to “the experts’ opinions on plaintiffs PII value theories and individual causation issues.” (MI Supplemental Submission at 1-3). While it makes such conclusory allegations, Marriott has yet to articulate what information it seeks to elicit from the documents and deposition or how such information is relevant, proportional, and necessary to the pending motions or to any of Plaintiffs’ assertions of collective harm: (1) market price damages; (2) damages for the value of the stolen information; (3) statutory damages; and (4) nominal damages. (See ECF No. 858 at 33-37).
Notably, over Plaintiffs’ objections, Marriott already received discovery into “whether the same information from the guest reservation database was also captured by malware on plaintiffs’ personal devices and harvested by another hacker” in the form of the 4Discovery reports, which cost Plaintiffs over $75,000 to produce. The 4Discovery reports detail the exact information Judge Grimm ordered Plaintiffs to provide to Marriott—specifically, for each bellwether plaintiff: (1) whether malware was detected on their device(s) and, if so, (2) whether the malware was capable of exfiltrating data from the device and, if so, (3) the results of a root cause analysis of the malware. (ECF Nos. 752, 770). Indeed, three of the 4Discovery reports showed that malware was detected on bellwether plaintiffs’ devices, including one report identifying malware capable of exfiltrating sensitive data (See Ex. A, Decl. of Amy Keller). Despite Marriott's assertation that this discovery was necessary to its opposition to class certification, neither the 4Discovery reports, nor the word “malware,” was mentioned even once in Marriott's class certification opposition. (See generally ECF No. 885). At no point did Marriott's expert, Dr. Tucker—who purports to rebut Plaintiffs’ expert opinion modeling how damages for the value of the stolen PII will be proven on a class-wide basis—discuss the 4Discovery reports, malware, or even whether bellwether plaintiffs were the subject of other data breaches. (See generally ECF No. 885-2-). Instead, Marriott leaned into its argument that, under Dr. Prince's loss of PII damage model, “if information about a particular class member has inherent value, the fact that the class member's data is available from other sources due to a data breach does not necessarily result in a decrease in the data's inherent value” and its position (albeit incorrect) that the “non-rivalrous” nature of the PII requires a finding of no damages. (ECF No. 885 at 12-13). 
Marriott's position in its class certification opposition brief belies its position here.
*9 Furthermore, throughout the course of this litigation Marriott engaged in extensive discovery (including depositions) from each bellwether plaintiff regarding the devices they used, the manner and methods with which they stored and shared their data, and prior data breaches they were potentially subjected to, including the information known to have been disclosed therein. Indeed, in Marriott's opposition brief it detailed the “many other data breaches involving equally or more sensitive information than is at issue here” that bellwether plaintiffs have allegedly been subject to. (ECF No. 885 at 8). To the extent Judge Grimm finds that evidence of “whether the same information from the guest reservation database was also ... harvested by another hacker” is “absolutely relevant to causation” at the class certification stage, as Marriott asserts, the matter has already been fully raised for consideration in Marriott's opposition to class certification.[1]
Finally, there is no support for Marriott's suggestion that Your Honor should issue an advisory opinion now on Plaintiffs’ motion for protective order because of Marriott's unfounded, hypothetical, and remote concern that a business is not “guaranteed” to continue to operate, particularly when dealing with a reputable company like 4Discovery, which has been operating for over a decade. See B.R. v. F.C.S.B., 17 F.4th 485, 493 (4th Cir. 2021) (“Under Article III, federal courts do not adjudicate hypothetical or abstract disputes.... And federal courts do not issue advisory opinions.”). Further, Marriott's speculation regarding the remote possibility that 4Discovery could go out of business does not warrant that Plaintiffs should bear the tens of thousands of dollars necessary to collect and cull documents and information from 4Discovery to alleviate Marriott's entirely speculative fears.
For the reasons set forth herein, Plaintiffs respectfully agree with Your Honor's determination and support the entry of a Report & Recommendation ordering:
1. Consideration by the Special Master of plaintiffs’ Motion for Protective Order and to Quash 4Discovery Subpoena is stayed sine die and until the resolution by Judge Grimm of Defendants’ Motion to Exclude Dr. Prince's Opinions. ECF No. 893.
2. The defendants reserve all their rights to demand the deposition of 4Discovery and the production of the documents sought by Exhibit A to the subpoena served upon which is Exhibit 5 to the Declaration of Amy Keller, July 2, 2021 (hereafter “Exhibit A.”).
3. Plaintiffs reserve all their objections to that subpoena and the production by themselves or by 4 Discovery to the documents specified in Exhibit A.
4. Plaintiffs will preserve all documents demanded by Exhibit A that are in their possession, custody, or control until relieved from doing so by the Court, subject to the below paragraph.
5. If plaintiffs have not already done so, they shall instruct 4Discovery to preserve all documents demanded by Exhibit A that are in 4Discovery's possession, custody, or control until otherwise instructed, and to inform Plaintiffs’ counsel if they become at risk of ceasing operation or being acquired.
* * * * *
Should Your Honor determine that the controversy is not premature, Plaintiffs respectfully request Your Honor grant their Motion for Protective Order and to Quash 4Discovery Subpoena because, inter alia: (1) Marriott attempts to use Rule 45 to expand the limited discovery allowed by Judge Grimm in response to Marriott's request for production no. 3 and Plaintiffs’ motion for protective order related to the same (ECF Nos. 752, 770); (2) Marriott improperly seeks party discovery through Rule 45, and in contravention of the parties’ ESI protocol (ECF No. 310) and the court's scheduling order (ECF No. 759); (3) no cause exists to permit discovery on discovery; and (4) the documents, communications, testimony, and information sought are covered by the attorney-client privilege and/or work product doctrine.
*10 Respectfully Submitted,
Amy E. Keller (D. Md. Bar No. 20816)
DICELLO LEVITT GUTZLER LLC
Ten North Dearborn Street, Sixth Floor
Chicago, Illinois 60602
Tel. 312-214-7900
akeller@dicellolevitt.com
Andrew N. Friedman (D. Md. Bar No. 14421)
COHEN MILSTEIN SELLERS & TOLL PLLC
1100 New York Avenue, NW, Suite 500
Washington, D.C. 20005
Tel. 202-408-4600
afriedman@cohenmilstein.com
James J. Pizzirusso (D. Md. Bar No. 20817)
HAUSFELD LLP
888 16th St., NW, Suite 300
Washington, D.C. 20006
Tel. 202-540-7200
jpizzirusso@hausfeld.com
EXHIBIT A
UNITED STATES DISTRICT COURT
DISTRICT OF MARYLAND
SOUTHERN DIVISION
In re MARRIOTT INTERNATIONAL CUSTOMER DATA SECURITY BREACH LITIGATION
No. 8:19-md-02879-PWG
DECLARATION OF AMY E. KELLER
I, Amy Keller, declare as follows:
1. I am a Partner at the law firm of DiCello Levitt Gutzler LLC, and was appointed as Plaintiffs’ Co-Lead Counsel in this action on April 29, 2019, by Judge Grimm (ECF 13). I submit this declaration in support of Plaintiffs’ Motion for Protective Order based upon my personal knowledge.
2. In the course of this litigation, Plaintiffs’ counsel engaged 4Discovery as an e-discovery litigation vendor to assist with collection, searching, and producing Plaintiffs’ electronically stored information (“ESI”) in this action.
3. As part of that same engagement, 4Discovery also served as Plaintiffs’ litigation vendor to produce reports on ESI responsive to Marriott's Request for Production (“RFP”) No. 3, pursuant to the Remote Collection and Production Protocol (“Protocol”) the parties were Ordered by the Court to use. (ECF 752-1, 752, 768, 770).
4. The Court-approved Protocol provided for a report detailing examination findings (ECF 752-1 at 23, ¶ 7) of a contingent, three-step analysis: first, determine whether there is evidence of malware (ECF 752-1 at 23, ¶ 5); if yes, then determine whether the malware is of the type that could result in the exfiltration of sensitive user data (ECF 752-1 at 23, ¶ 6); if yes, then perform a root cause analysis to determine when and how the malware was installed and whether it resulted in the exfiltration of sensitive information (id.).
5. On May 4, 2021, Plaintiffs provided Marriott with two “sample” documents for review: (1) 4Discovery Marriott Malware Scan Methodology (the “4Discovery Methodology”) for determining whether malware existed on Plaintiffs’ devices; and (2) a draft report responsive to RFP No. 3. The email and attachments are attached hereto as Exhibit 1.
6. After receiving nothing from Marriott in response to the sample documents, Plaintiffs produced additional Plaintiffs’ reports responsive to RFP No. 3 on May 13, 2021.
7. On May 13th, Marriott posed certain questions to Plaintiffs related to the sample documents. Specifically, Marriott asked the following questions:
a. Were there hits in the malware scans that were found but determined to be false-positive results?
*11 b. What antivirus products were found on each device?
c. Which of those antivirus products had logs?
d. How far back in time did each log set go?
e. What malware hits were found in each antivirus log set?
f. How far back in time was each custodian device used?
g. How recently was it used?
h. How far back in time did each other data set they examined go (i.e., internet history, system logs, etc.)?
The email is attached hereto as Exhibit 2.
8. Plaintiffs responded to Marriott's questions, on May 20, 2021, stating:
Many of Marriott's questions were essentially improper interrogatories posed to 4Discovery as “discovery on discovery” and essentially an attempted “motion for reconsideration” of Judge Grimm's Order adopting Your Honor's Report and Recommendation, which largely adopted 4Discovery's malware protocol (which was consistent with the Anthem data breach protocol) and rejected Marriott's 10 page protocol (seeking e.g., internet history, chain of custody, products used, dates used, etc.). Plaintiffs have incurred substantial costs to date complying with Judge Grimm's Order in order to provide all malware reports by the end of May 2021 (if not sooner). That said, consistent with the Court's approved protocol which 4Discovery has been following, Plaintiffs can provide the following information: 1) system logs and antivirus logs have been examined for each device, 2) industry-standard tools are being used by 4Discovery, 3) no root cause analyses have been performed to date because no malware capable of exfiltrating data have been found, and 4) if such malware is found, then a root cause analysis will be performed.
The Special Master was copied on that email. That response is attached hereto as Exhibit 3.
9. The parties discussed this response on their May 20, 2021 Zoom conference with Special Master Facciola. After Special Master Facciola read the above answer to the parties during the call (shortly after the 1-hour mark in the recording), Marriott's counsel stated that they might have “one or two more questions” and that the parties “may be able to finalize” their questions about malware reports without needing to discuss it before the Special Master. They requested an opportunity to send a follow-up email to Plaintiffs’ counsel.
10. In subsequent communications, Marriott asked for clarification about whether the reports were identifying any malicious malware found or only if the malware was capable of exfiltrating data. On May 27, 2021, Plaintiffs answered in great detail:
The answer to your question is no—4Discovery is NOT only listing “Malware Found” if such malware is capable of exfiltrating data. Consistent with the protocol, our vendor has provided us with the following information:
• Malware found - Malware and anti-virus scans are run on each evidentiary source. Additionally, any saved logs on the device are reviewed for past scan results. The results are reviewed to determine if they accurately identify a program as being malicious. This category is marked “Yes” only when a genuine malware program is located.
*12 • Malware Name/Family - If malware is identified, the malware will be listed in the report along with the family/class of malware it belongs to. If available, hash values of the files will be provided.
• Ability to Exfiltrate Data - For each item of malware found, a deeper analysis is performed to determine, as best as possible, if the malware is designed to exfiltrate data. This category will be marked “Yes” only if the malware appears to have the ability to directly exfiltrate data or it can be used as a mechanism/tool for an attacker to steal information.
• Root Cause Analysis - if the malware could potentially exfiltrate data, a full analysis of the system is performed to determine, if possible, whether or not data truly was taken.
• 4Discovery is not doing a root cause analysis if the malware is not capable of exfiltrating data.
The email string is attached hereto as Exhibit 4.
11. Plaintiffs have no record of receiving further substantive questions on the reports from Marriott after the May 27, 2021, email.
12. 4Discovery followed the Protocol for each of the fifteen (15) bellwether Plaintiffs.
13. Specifically, the 4Discovery Methodology was used to determine whether malware existed on the devices of each bellwether Plaintiff.
14. If the 4Discovery Methodology resulted in a finding that “No” there was no malware found, then that determination was noted on the report and no additional steps were performed. This was the case for twelve of the bellwether Plaintiffs.
15. Malware was found on the devices of three of the bellwether Plaintiffs.
16. In those three (3) instances where the 4Discovery Methodology resulted in a finding that “Yes” malware was found, 4Discovery proceeded to the next step and determined whether the malware was of the type that could result in the exfiltration of sensitive user data. If the answer was “No,” then no additional steps were performed. This was the case for two of the three Plaintiffs that proceeded to this step.
17. One of the bellwether Plaintiffs had a “Yes” in the second step, finding malware of the type that could result in the exfiltration of sensitive user data.
18. For that Plaintiff, 4Discovery proceeded to the third step and performed a root cause analysis.
19. For each of the bellwether Plaintiffs, and consistent with the Protocol, details of the examination findings were set forth in a report.
20. Plaintiffs produced the final of Plaintiffs’ reports responsive to RFP No. 3 on June 10, 2021.
21. Plaintiffs solely incurred the costs for performing the malware device inspections and the creation of the reports, and have paid their discovery vendors (including 4Discovery) a substantial amount of money for their e-discovery services, including their services in the production of the reports responsive to Marriott's RFP No. 3.
22. Two weeks after Plaintiffs produced the final report, on June 24, 2021, Plaintiffs received notice from Marriott of its intent to serve a subpoena on Plaintiffs’ e-discovery vendor. The notice and subpoena are attached hereto as Exhibit 5.
23. Marriott served the subpoena on 4Discovery on June 29, 2021.
24. At Plaintiffs’ request, the parties held a meet and confer on June 29, 2021. Plaintiffs explained to Marriott that 4Discovery was Plaintiffs’ discovery vendor, not a testifying expert, and that 4Discovery had assisted with ESI collection efforts as well as Plaintiffs’ device inspections—all at the direction of counsel and solely for the provision of legal advice related to this litigation. There is no business-related purpose for the work that 4Discovery did, and they would not have done the work but for this litigation. The litigation was the sole reason for their work. On that conference, Plaintiffs asked what information Marriott was seeking. Marriott stated that it believed 4Discovery did not follow the Protocol, and informed Plaintiffs’ counsel that certain items were “missing” from the reports.
*13 25. As set forth above, Plaintiffs’ device inspection and malware reports followed the Protocol. Accordingly, Plaintiffs do not believe that anything was “missing” from the reports, either.
26. With respect to the information sought by Marriott through its subpoena, the underlying communications between 4Discovery and Plaintiffs or their counsel, the documents created as a result of 4Discovery's work on behalf of Plaintiffs in this litigation, and all work and services performed by 4Discovery, were done at the direction of Plaintiffs’ counsel in anticipation of this litigation and for Plaintiffs’ counsel to provide legal advice in this action.
27. For example, the device schedules (requested in the document request and included in deposition topics) were created by counsel for this litigation through privileged communications with the Plaintiffs, and communicated by counsel to 4Discovery. Such documents and communications are privileged. However, the reports included a description of what devices were scheduled. Below are the topics covered by the subpoena, and a description of why they were improper, in addition to being untimely.




I declare that the foregoing is true and correct under the penalties of perjury under the laws of the United States.
Dated: July 2, 2021
Amy E. Keller
DiCello Levitt Gutzler LLC

Footnotes

For a fuller explanation of Marriott's opposition to any class certification pursuant to F. R. Civ. P. 26(c)(4), see ECF No. 885 at 51–54.
Plaintiffs’ Rule 23(c)(4) class seeks certification of claims where there are individualized damages rather than “PII Value Damages” or “Benefit of the Bargain Damages.” Thus, the causation issues stretch well beyond whether the cyberattack impacted the value of plaintiffs’ PII or whether plaintiffs lost the benefit of their bargain.
If the Court does not allow Marriott to obtain this discovery, Consumer Plaintiffs should be ordered to take possession of the information sought by the subpoena and that would be necessary to prepare a 30(b)(6) deponent on the topics contained in the subpoena to ensure appropriate preservation. Marriott will be left without recourse if 4Discovery goes out of business and fails to preserve the information.
Marriott also argues that a decision on this controversy is relevant to the merits of Plaintiffs’ claims (MI Supplemental Submission at 3-4); however, the issue Your Honor raised was limited to the prematurity of the controversy as it relates to class certification. Accordingly, Plaintiffs do not specifically address those arguments herein.