I. BACKGROUND

*1 Over the twelve months that I have served as Special Discovery Master in this case, I have held numerous mediated meet and confer and status conferences to address disagreements between the parties regarding specific discovery topics, the search for and production of electronically stored information (“ESI”) and disagreements over the permissible scope of discovery in this case through the lens of proportionality that now overlays the discovery process under the federal rules of civil procedure. The results of those interactions have advanced the discovery process through most of the ESI search and production process, the production of substantial numbers and pages of documents and the near completion of the written discovery process. Despite the progress made, there remain a number of disputes between the parties, most of which are grounded in their differing views as to the appropriate scope of discovery in this case.

The purpose of this Report and Recommendation is to comprehensively address those remaining disputes and issues so that the parties can efficiently schedule and complete the depositions necessary to bring the fact discovery process to a close. Because the starting point for any analysis of the scope of discovery is the claims and defenses asserted in the case, I summarize below the status and extent of those claims and defenses as the foundation for my recommended decisions regarding specific discovery issues that follow.

Current Scope of Claims and Defenses

Plaintiff, Bessemer System Federal Credit Union's (“Bessemer”) Second Amended Complaint contains thirteen (13) separate claims or counts. All of those claims arise out of the relationship between Bessemer and Defendants, Fiserv Solutions, LLC and Fiserv, Inc. (“Fiserv”) under a Master Agreement signed in 2014 pursuant to which Fiserv provided services to Bessemer. The strict contractual nature of the parties’ relationship resulted in this Court granting Fiserv's motions to dismiss Bessemer's negligence claim, negligent misrepresentation claim, constructive fraud claim, conversion claim, unfair trade practices and consumer protection law claim and unjust enrichment claim on the basis of the gist of the action doctrine because all of those tort claims arise out of the parties’ contractual agreement and/or are bound, limited or excluded by that agreement. See eToll, Inc. v. Alias/Savion Advert. Inc., 811 A.2d 10, 14 (Pa. Super 2002); Bruno v. Erie Ins. Co., 106 A.3d 48, 68-69 (Pa. 2014).

This Court denied Fiserv's motion to dismiss several additional tort claims asserted by Bessemer. But those remaining claims, as limited by this Court's decision on the Motion to Dismiss, are very narrowly drawn. Bessemer's fraud/fraudulent inducement claim relies on two specific alleged misrepresentations:

Those alleged facts are the sum and substance of Bessemer's fraud and fraudulent inducement claim contained in Count IV of its Second Amended Complaint.

This Court also permitted Bessemer to go forward with its bailment claim (Count VIII), its misappropriation of trade secrets claim (Count IX) and its defend trade secrets act claim (Count X). All of these claims, however, rest on the account records and member information that Bessemer provided to Fiserv during the parties’ contractual relationship. The bailment claim turns on the question of who owns information currently held by Fiserv and whether Fiserv has a legal or contractual obligation to return it to Bessemer. The trade secret claims survived because the Court held that it “cannot determine whether the information at issue constitutes a trade secret at this time, ...”

Because the Court permitted the fraud/fraudulent inducement and theft of trade secrets claims to go forward, it found that these intentional torts are not subject to the limitation of liability provision of the Master Agreement and, therefore, denied without prejudice Fiserv's motion to strike Bessemer's request for punitive damages. Thus, a punitive damages claim remains in the case but it relates solely to Fiserv's conduct in connection with the factual allegations underlying Bessemer's fraud/fraudulent inducement and theft of trade secret claims.

Finally, another important conclusion from this Court's Opinion addressing Fiserv's motion to dismiss the Second Amended Complaint is its determination that Bessemer has not set forth sufficient facts to support any standing to bring suit in a representative capacity on its members’ behalf. This finding was made in connection with the Court's dismissal with prejudice of Bessemer's claims against Fiserv under the Uniform Trade Practices and Consumer Protection Law (“UTPCL”). This determination makes it clear Bessemer's remining claims in this case are based on the contractual relationship between Bessemer and Fiserv under the 2014 Master Agreement along with four (4) relatively narrow tort and statutory claims.

Fiserv's Counterclaims

In Response to Bessemer's Second Amended Complaint, Fiserv asserted both affirmative defenses and a counterclaim. Thus, those defenses and counterclaim add to the subject matter and issues that are the appropriate basis for fact discovery under Fed.R.Civ.P. 26(b)(1). Fiserv's principal counterclaim asserts that Bessemer's actions in conducting an unsolicited security review of Fiserv's systems without Fiserv's consent (the “Security Review”) constituted a breach of the Master Agreement and a violation of law. Bessemer filed a motion to dismiss this counterclaim on the basis, inter alia, that it was authorized to conduct such a review but the Court denied that motion observing:

*3 Memorandum Opinion (Doc No. 120) at 19-23.

Based on the claims, defenses and counterclaims that currently exist in this case, as clarified and circumscribed through this Court's previous decisions on the parties’ respective motions to dismiss, I now address the appropriate scope of discovery in this case and make recommended decisions on the individual discovery disputes framed by the parties’ competing motions to compel and motions for protective order.

II. SCOPE AND PARAMETERS OF DISCOVERY

The above analysis of the remaining claims, defenses and counterclaims in this case provides the basis for defining an appropriate scope of discovery consistent with the dictates of Fed.R.Civ.P. 26(b)(1). Based on those claims, defenses and counterclaims, I recommend that the scope of discovery in this case be limited to the following areas:

III. RECOMMENDED DECISIONS ON THE PARTIES’ SPECIFIC REQUESTS IN THEIR MOTIONS TO COMPEL AND MOTIONS FOR PROTECTIVE ORDER AND ANCILLARY DISCOVERY ISSUES RAISED BY THE PARTIES

A. Bessemer's Discovery Motions

Bessemer seeks to compel Fiserv to list privileged documents and e-mail communications involving its counsel for periods after the initiation of this lawsuit. Fiserv opposes that request on the basis that the lawsuit is solely about the parties’ past contractual relationship and interactions and, therefore, any communications between counsel and their clients or third parties is not relevant to the claims, counterclaims and defense in the case nor likely to lead to the discovery of relevant and admissible information. Having considered the positions of both parties, it is my recommendation that Bessemer's Motion to Compel be DENIED. I recommend that the parties’ respective privilege logs need only log documents and written communications that each party designates as privileged through June 30, 2019. It is my determination that logging privileged documents after that date creates an unnecessary burden on both parties with little or no benefit.

*4 One aspect of Bessemer's Motion to Compel Responses to its Requests for Production relates to Fiserv's objections based on attorney-client and attorney work product privilege to the production of communications between its counsel and Fiserv employees in the course of the replevin action that Bessemer filed in the Court of Common Pleas of Mercer County, Pennsylvania. (See Bessemer's Memorandum of Law in Support of Motion to Compel Responses to Bessemer's Second Request for Production, Doc. No. 158).

Bessemer argues that these communications are critical to Bessemer's fraud, bailment and punitive damages claims. Bessemer argues that privilege does not apply because the communications between Fiserv's counsel and employees of Fiserv were not made for the purpose of securing legal advice and/or that Fiserv's counsel was simply acting as a conduit for false information to be provided to Bessemer and the Court. Lastly, Bessemer raises the crime-fraud exception to the attorney client privilege as a basis for its Motion to Compel.

Fiserv opposes Bessemer's Motion as both premature (before a privilege log is actually compiled and exchanged) and substantively deficient because it meets none of the required showings to invoke the crime fraud exception. (See Defendant's Memorandum of Law in Opposition to Bessemer's Motion to Compel, Doc. No. 174). Having thoroughly reviewed the arguments of both parties and the case law cited within their respective memoranda of law, I recommend that Bessemer's Motion to Compel be DENIED WITHOUT PREJUDICE to its right to raise specific challenges to privileged documents after a privilege log is compiled and exchanged between the parties.

A number of the discovery requests that Bessemer directed to Fiserv contain broad requests for security audit information and communications or reports from third parties relating to the alleged problems or defects in the system and services that Fiserv provided to Bessemer under the Master Agreement. The primary relevance cited by Bessemer for this information is to support its fraudulent inducement claim as it may reflect knowledge that Fiserv possessed in advance of the parties entering into the 2014 Master Agreement. As noted earlier, the only specific alleged misrepresentation set forth in Bessemer's fraudulent inducement claim is a February 27, 2012 e-mail from Fiserv employee Reynolds to Bessemer's then CEO indicating that Fiserv's Virtual Branch online banking website satisfied FFIEC requirements when it allegedly did not. Although the specific basis for the fraudulent inducement claim is narrow, Bessemer is entitled to explore Fiserv's knowledge regarding any reported defects or shortcomings in the systems and services ultimately supplied to Bessemer under the 2014 Master Agreement for a limited period of time prior to the date that agreement was executed. That information could arguably support a fraudulent inducement claim based on alleged non-disclosure.

Fiserv has already produced to Bessemer its SOC audits on its Charlotte system for the years 2012 through 2014, as well as its internal meeting minutes for its teams in charge of Charlotte and Fiserv's Virtual Branch system for the same three years (2012 through 2014). It also produced any security incident reports related to those systems and products for 2012 to 2014. Given that the e-mail from Mr. Reynolds was sent early in 2012, I recommend that Bessemer's motion to compel additional production be GRANTED IN PART such that Fiserv should produce any and all security incident reports from 2011 for Charlotte and its Virtual Branch product as well as the Charlotte and Virtual Branch system meeting minutes for 2011. In all other respects, I recommend that Bessemer's motion to compel responses to its first and second requests for production be DENIED.

*5 Bessemer also moved to compel Fiserv to provide it with a detailed organizational chart for the various departments and management positions at Fiserv. In response, Fiserv advised that it does not have a comprehensive organizational chart that it can produce, but it did provide the names of those employees primarily responsible for the services provided to Bessemer and the management, upgrade and maintenance of its Charlotte and Virtual Branch systems. In light of Fiserv's response and the information provided to Bessemer, I recommend that Bessemer's motion to compel production of an organizational chart from Fiserv be DENIED.

Scattered among the 250 requests for production that Bessemer has served on Fiserv are numerous requests for production seeking production of any and all reports, external or internal communications, e-mails, analysis, etc. relating to any alleged or reported security deficiency, service complaint, data breach, alleged system deficiencies or client dissatisfaction relating to any other Fiserv customer and/or any Fiserv service or system. Fiserv objected to each and every one of these requests on the basis that they were overly broad, unduly burdensome and sought documents and information that are neither relevant to the issue, claims and defenses in this case nor calculated to lead to the discovery of relevant and admissible documents and information. Based on the scope of discovery I outlined at the beginning of this Report and Recommendation, it is my recommendation that Bessemer's Motion to Compel production of documents unrelated to Bessemer and/or the services supplied by Fiserv to Bessemer should be DENIED with the exception of the limited and proportional discovery related to the Charlotte and Virtual Banking systems and security incident reports for the time period 2011 through 2014 addressed above.

In this Motion, Bessemer seeks a protective order that precludes it from having to preserve or produce voicemails requested by Fiserv in its first set of discovery requests directed to Bessemer. Specifically, Fiserv seeks production of the following:

In response, Fiserv argues that Bessemer's motion fails to address whether or not any responsive voicemails are in fact available and/or preserved and that the above requests are narrowly drafted to comport with the counterclaim and defenses it asserted against Bessemer. Based on my review of the parties’ positions, I recommend that Bessemer's motion be GRANTED IN PART and DENIED IN PART.

First, Bessemer should respond to the discovery requests by indicating whether or not it has any such voicemails available to produce. Assuming it has any responsive voicemails, I recommend that it need produce only those voicemails that Fiserv personnel left for Bessemer personnel with respect to the Security Review. Because the deconversion process went forward over a number of months, as opposed to the short time period during which the Security Review was implemented, I agree with Bessemer that identification and production of voicemails related to the deconversion process fails the proportionality standard set forth in Fed.R.Civ.P. 26(b)(1).

*6 This motion is somewhat different than the prior motions to compel in that Fiserv does not argue that the examination reports are not relevant for discovery purposes. Rather, Fiserv responded to Bessemer's request by asserting that it is precluded by 18 U.S.C. § 641 from voluntarily producing these reports. Fiserv also noted that, in the Master Agreement, Bessemer agreed and acknowledged as follows:

Based on the statute and the above cited provision of the Master Agreement, it is my recommendation that Bessemer's Motion to Compel Fiserv to produce the FFIEC Examination Reports for Virtual Branch be DENIED. Bessemer should seek those reports via subpoena or FOIA Request to FFIEC. To the extent that Fiserv must consent to production of those reports by FFIEC, it must do so.

IV. FISERV DISCOVERY MOTIONS

A. Motion to Compel Responses to Various Interrogatories in Fiserv’ First Set of Discovery Requests

Fiserv is seeking supplemental responses from Bessemer to Interrogatory Nos. 3, 5, 7, 8, 12, 13, 16 and 21. These Interrogatories seek information or facts supporting Bessemer's fraudulent inducement claim, breach of contract claim and damages caused to Bessemer by alleged security vulnerabilities and contract breaches. In response to each of these interrogatories, Bessemer either objected, referred Fiserv to the Second Amended Complaint or its initial disclosures or provided an answer that Fiserv alleges is incomplete or inadequate.

I have reviewed and considered each of these interrogatories, Bessemer's objections and responses thereto and the argument presented by counsel with respect to each interrogatory. Based on that review and consideration, I recommend the following decisions with respect to each interrogatory at issue[2]:

My recommended decisions above regarding these interrogatories comes with this caveat. To the extent Bessemer later claims additional damages, breaches or misrepresentations that are not set forth in either its Second Amended Complaint, its Rule 26 Disclosures or its original and supplemental discovery responses, it risks this Court precluding Bessemer from introducing or relying upon that evidence at trial.

B. Fiserv's Motion to Compel Production of Documents Relating to Bessemer's Security Review

This motion and Bessemer's opposition thereto generated almost a full binder of briefs, affidavits, replies and sur-replies. The subject of these discovery requests is the “Security Review” that Bessemer conducted in September 2018 regarding Fiserv's online banking platform through use of a third-party. What Bessemer calls a “security review,” Fiserv characterizes as a “brute-force cyber-attack”. Those competing characterizations demonstrate the parties diametrically opposed view on this event. Despite those diametrically opposed views, however, the discovery issue itself is straight forward. Fiserv served Bessemer with eleven discovery requests relating to the Security Review and Bessemer's motives therefor and Bessemer responded to those discovery requests by invoking the attorney work product and consulting expert privileges.

Bessemer did produce a reacted copy of the engagement agreement between its litigation counsel and the third-party's security reviewer but nothing else. Bessemer has consistently argued that the security reviewer is a litigation consulting expert and that discovery related to his identity and any communication between the reviewer and counsel are protected from discovery by Fed.R.Civ.P. 26(b)(3)(A), (B) & (4)(D).

Each of the parties has cited a number of cases addressing the consulting expert privilege and protection provided under the above cited sections of Rule 26. Fiserv cites cases standing for the proposition that the rule does not preclude discovery information obtained by an “actor or viewer with respect to transactions or occurrences that are part of the subject matter of the lawsuit.” See Fed.R.Civ.P. 26(b)(4) at Advisory Committee Notes; C.L. Sander Bunzel Pulp & Paper Sales, Inc. v. Golder, 1990 WL 198151 (E.D. Pa., Dec. 4, 1990); Penn Gate Handling Systems, Inc. v. Westchester Surplus Lines Ins. Co., 2007 WL 9821901 at *1 (M.D. Pa., Feb. 27, 2007) (Court granted plaintiff's motion to compel because the consultant was retained to provide an estimate directly related to the coverage investigation at issue in the lawsuit, not in anticipation of litigation).

*10 Bessemer, on the other hand, argues that the security reviewer was retained directly by litigation counsel and that his activities were limited to litigation activities as described by the following language in the engagement agreement:

Bessemer also cites cases in which Federal Courts denied motions to compel discovery from security consultants hired by litigation counsel in data breach cases on the basis of work product protection. See e.g., In Re Experian Data Breach Litig., 2017 U.S.Dist. LEXIS 162891, *22 (C.D. Cal., May 18, 2017); In Re Target Corp. Consumer Data Sec. Breach Litig., 2015 U.S.Dist. LEXIS 151974, *11 (D.Minn., Oct. 23, 2015); Jenesco, Inc. v. Visa U.S.A, Inc., 296 F.R.D. 559, 581 (M.D. Tenn. 2014).

None of the cases cited by the parties is on all fours with the facts, claims and counterclaims in this case. The cases relied upon by Fiserv typically involve third-party consultants who conduct tests, analysis or investigation prior to the filing of litigation on behalf of one of the parties to the litigation as opposed to being retained by litigation counsel. Bessemer's data breach cases involve litigation consulting experts retained by litigation counsel after the occurrence of a data breach to assist in ongoing litigation or reasonably anticipated litigation arising out of that event.

Subsequent to oral argument, Fiserv provided the undersigned with the recent unpublished opinion in Twitter, Inc. v. Musk, 2022 WL 3656938 (Del. Chanc. Ct., Aug. 25, 2022). In that case, the court compelled discovery from a consultant hired by defendant to conduct a preliminary analysis of data supplied by Twitter because the defendant relied on that data to terminate an Acquisition Agreement. That termination led to the widely publicized litigation between Twitter and Mr. Musk. The court's principal reasoning for compelling production was that, despite defendant's claim that the data specialists were retained by counsel in anticipation of litigation and to assist counsel in rendering legal services as non-testifying experts, these consulting experts were also “actor[s] or viewer[s] with respect to transactions or occurrences that are a part of the subject matter of [this] lawsuit.” Id. at *2. The Twitter court made this determination despite the fact that the consulting experts entered into engagement letters with litigation counsel that contained language similar to the engagement letters between Bessemer's counsel and the security reviewer. Unlike the current case, however, the consulting expert in Twitter was retained prior to any litigation between the parties whereas the security reviewer retained by Bessemer was retained after Bessemer had filed suit against Fiserv in Mercer County, Pennsylvania.[3]

*11 After analyzing the arguments, case law and submissions of both parties on this issue, I recommend that Bessemer's Motion for Protective Order regarding this discovery and Fiserv's Motion to Compel discovery be GRANTED IN PART and DENIED IN PART as follows:

I further recommend that this decision be without prejudice to Bessemer's right to preserve its privilege objection at deposition or Fiserv’ right to challenge any privilege designations by Bessemer related to the Security Review. In my estimation, this Recommended Decision balances Fiserv's right and need for discovery relating to the Security Review so the Court can “assess the actions leading up to, and involved in, the Security Review, the motivations behind it, and the information that was ultimately accessed as a result of the Review.” See Memorandum Opinion at 20 (Doc. No. 120) and Bessemer's legitimate privilege objections.

IV. MISCELLANEOUS DISCOVERY DISPUTES

The recommended decisions set forth above address all of the major discovery disputes between the parties. Nevertheless, given the extensive number of interrogatories, requests for production and requests for admission served by the parties in this case, there likely remain other issues specific to one or more requests or interrogatories. Based on the scope of discovery established in this Report and Recommendation, counsel for the parties should meet and confer regarding any remaining “request specific” disputes. The recommended decisions herein, if affirmed and adopted by the Court, should provide the parties with the necessary guidance to efficiently complete the fact discovery process in this case.

V. CONCLUSION

Based on the analysis above and the recommended decisions contained herein, I have attached a Proposed Order for the Court's consideration.