Opinion
C22-0094-KKE
12-06-2023
ANDREW LEONARD et al., Plaintiffs, v. MCMENAMINS INC, Defendant.
ORDER GRANTING PLAINTIFFS' FIRST MOTIONS TO COMPEL AND GRANTING IN PART AND DENYING IN PART PLAINTIFFS' SECOND MOTION TO COMPEL
Kymberly K. Evanson United States District Judge
This matter comes before the Court on Plaintiffs' motions to compel. Dkt. Nos. 39 & 49. The Court heard oral argument and for the reasons provided below grants the first motion and grants in part and denies in part the second motion.
I. BACKGROUND
On December 12, 2021, Defendant McMenamins suffered a ransomware attack that “may have affected the personal information of certain current and previous employees.” Dkt. No. 18 ¶ 29 (December 30, 2021 Notice of Data Breach provided in the Amended Complaint). McMenamins retained Stoel Rives LLP to “represent it in regard to the ransomware attack.” Dkt. No. 43 ¶ 3. On December 13, 2021, Stoel hired Stroz Friedberg to “provide consulting and technical services regarding a ransomware incident on behalf of McMenamins, Inc. (“Client”), which is Counsel's client.” Id. at 6-25. Stoel and Stroz Friedberg agreed to at least four supplemental scopes of work. Dkt. No. 48 at 109-123.On May 22, 2022, Stroz Friedberg published a document entitled “McMenamins Investigation Report.” Dkt. No. 43 at 27-41.
For legible versions of exhibits G, H, and I, see the praecipe at Dkt. Nos. 61-1-61-3.
On January 28, 2022, Plaintiffs, current and former employees of McMenamins, filed this putative class action lawsuit against McMenamins. Dkt. No. 1. On May 13, 2022, Plaintiffs filed their first amended complaint (the operative complaint) with causes of action for negligence, breach of contract, breach of implied contract, unjust enrichment/quasi-contract, breach of fiduciary duty, breach of confidence, bailment, violation of the Washington Consumer Protection Act (“CPA”), and declaratory relief. Dkt. No. 18 ¶¶ 130-234.
On September 14, 2023, Plaintiffs filed their first motion to compel seeking more fulsome responses to their first set of requests for production (“RFPs”) and interrogatories and to have McMenamins' privilege objections overruled. Dkt. No. 39. As part of the briefing on this motion, the parties attached highly redacted copies of the engagement letter with Stroz Friedberg (Dkt. No. 43 at 6-25), the scopes of work with Stroz Friedberg (Dkt. No. 48 at 109-123), and the Stroz Friedberg report (Dkt. No. 43 at 26-41). Plaintiffs also provided a copy of McMenamins' full privilege log for the Court's review. Dkt. No. 48 at 32-108. Notably, none of the redacted documents had been listed by McMenamins on its privilege log. Id. On October 19, 2023, Plaintiffs filed their second motion to compel seeking production of financial documents in response to a category of requests in their second RFPs. Dkt. No. 49.
After oral argument on both motions and without objection from either party, the Court ordered McMenamins to produce the engagement letter with Stroz Friedberg, related scopes of work, and the Stroz Friedberg report for in camera review. Dkt. No. 62. McMenamins complied, providing the engagement letter, second supplemental scope of work, and two Stroz Friedberg reportsfor the Court's review in camera.
McMenamins produced only one scope of work for in camera review even though Plaintiffs provided three additional redacted scopes of work in support of their first motion to compel. See Dkt. No. 48 at 114-123. McMenamins did not provide any explanation for why these additional scopes of work were not provided to the Court.
The Court will refer to these two reports in the singular as they appear to contain the same information in different forms.
II. LEGAL STANDARD
“Parties may obtain discovery regarding any nonprivileged matter that is relevant to any party's claim or defense and proportional to the needs of the case.” Fed.R.Civ.P. 26(b)(1). If “a party fails to answer an interrogatory submitted under Rule 33” or “fails to produce documents ... requested under Rule 34,” the requesting party can “move for an order compelling an answer [or] production.” Fed.R.Civ.P. 37(a)(3)(B). The party seeking to compel discovery has the burden of establishing that its requests are relevant. Fed.R.Civ.P. 26(b)(1). Once this showing is made, the party opposing production must “carry a heavy burden of showing why discovery” should be denied. Blankenship v. Hearst Corp., 519 F.2d 418, 429 (9th Cir. 1975).
III. ANALYSIS
A. Plaintiffs' First Motion to Compel is Granted.
In their first motion to compel, Plaintiffs ask the Court to (1) overrule McMenamins' privilege objections to Interrogatories 3-25, (2) overrule McMenamins' “incorporation by reference” objections, and (3) find McMenamins waived its privilege objections or find the privileges do not apply to the Stroz Friedberg report and related communications.Dkt. Nos. 39 & 46. McMenamins opposes the motion on the grounds that (1) the motion to compel is premature and moot, (2) the Stroz Friedberg report is protected under the attorney-client privilege and work product doctrine, and (3) related communications and information are protected under the attorneyclient privilege. Dkt. No. 42 at 8-17.
Plaintiffs' motion asks the Court to also overrule other categories of McMenamins' interrogatory objections. Dkt. No. 39 at 9-10. Based on McMenamins' representations during oral argument, the Court understands McMenamins is only withholding information based on its privilege objections.
Plaintiffs also raised disputes regarding search methodologies and McMenamins' response to RFP 9. Based on the representations made by counsel during oral argument, the Court resolved these disputes and ordered McMenamins to produce additional responsive documents and McMenamins' search methodologies. See Dkt. No. 62.
Based on the parties' representations at oral argument, the motion is not premature; the parties are at an impasse regarding the Stroz Friedberg report and related information and the adequacy of McMenamins' supplemental interrogatory responses. Where relevant, the Court notes disputes that have been mooted by subsequent agreement of the parties, and this order does not substantively address the mooted issues.
1. McMenamins must produce the full Stroz Friedberg report, engagement letter, scopes of work, and related communications.
a. The Stroz Friedberg report is not work product.
“The work-product doctrine protects from discovery documents and tangible things prepared by a party or his representative in anticipation of litigation.” United States v. Richey, 632 F.3d 559, 567 (9th Cir. 2011) (cleaned up). “To qualify for work-product protection, documents must: (1) be prepared in anticipation of litigation or for trial and (2) be prepared by or for another party or by or for that other party's representative.” Id. Both parties agree the Stroz Friedberg report was, at minimum, used for both business and legal advice making it a “dual purpose” document. See Dkt. Nos. 42 at 15, 46 at 6. The Court analyzes whether “dual purpose” documents can be withheld as protected work product under the “because of” test, where the Court reviews “the totality of the circumstances [to] determine whether the document was created because of anticipated litigation, and would not have been created in substantially similar form but for the prospect of litigation.” Richey, 632 F.3d at 568 (cleaned up). Under this standard, where a document would have been created in a substantially similar form regardless of potential litigation, work product protection does not apply. Id.
Numerous courts have considered similar disputes over cybersecurity consultant reports in the context of data breach litigation. In evaluating whether the given report should be withheld as protected work product, courts consider factors including whether the report provides factual information to the impacted entity (and others), whether the report constitutes the only investigation and analysis of the data breach, the types of services provided by the consultant, the relationship between the consultant and the impacted entity, and importantly, whether the report would have been prepared in a substantially similar form absent the anticipation of litigation. See, e.g., In re Experian Data Breach Litig., No. SACV 15-01592AG (DFMx), 2017 WL 4325583 (C.D. Cal. May 18, 2017); In re Target Corp. Customer Data Sec. Breach Litig., MDL No. 142522, 2015 WL 6777384 (D. Minn. Oct. 23, 2015); Guo Wengui v. Clark Hill, 338 F.R.D. 7 (D.D.C. 2021).
McMenamins directs this Court to In re Target Corp. Customer Data Security Breach Litigation, where the court denied a motion to compel production of a cybersecurity consultant's report and related communications on work product grounds. 2015 WL 6777384, at *2-3. However, unlike here, Target had engaged in a two-track investigation of the subject data breach. On one track, it conducted its own business investigation to learn “how the breach happened and [how] Target could respond to it appropriately.” Id. at *2. Information arising from this investigation was not privileged and had been disclosed. On the second track, “Target established its own task force and engaged a separate team from Verizon to provide counsel with the necessary input.” Id. Material generated from this second track was withheld.
While McMenamins argues that the same is true here, the record demonstrates otherwise. See Dkt. No. 42 at 16 (“McMenamins conducted its own internal investigation, which it has produced information on in discovery.”). McMenamins' discovery responses contain no information about what any other allegedly non-privileged internal investigation entailed, the results of any such investigation, or McMenamins' response thereto. To the contrary, McMenamins withholds nearly all information related to the breach and its response to it on privilege grounds. See, e.g., Dkt. No. 40 at 77-78 (For example, in response to interrogatory No. 10, asking for factual information about the data breach, McMenamins objects based on privilege and states: “All non-privileged information about the Data Breach is included in the December 2021 Notice of Data Breach.”). As such, while it is true that Stroz Friedberg was retained by counsel, the similarities to the Target case end there. It is well-established that mere delegation of business functions to an attorney is insufficient to shield otherwise unprotected factual investigation from discovery. See Guo Wengui, 338 F.R.D. at 13 (collecting cases); see also Allied Irish Banks v. Bank of Am., N.A., 240 F.R.D. 96, 99 (S.D.N.Y. 2007) (“That [the plaintiff] hired a law firm to ‘assist' in the investigation is of no moment.... A party may not insulate itself from discovery by hiring an attorney to conduct an investigation that otherwise would not be accorded work product protection.”) (cleaned up).
McMenamins also relies on In re Experian Data Breach Litig., 2017 WL 4325583. There, Experian retained Jones Day as legal counsel and Jones Day in turn hired the cybersecurity consultant to help “provide legal advice to Experian regarding the attack.” Id. at *2. The court denied Plaintiff's motion to compel the consultant's report, finding the report was relevant to the defense of the litigation and not an internal investigation or remediation because the report was not provided to Experian's internal incident response team. Id. Here, as noted above, the Stroz Friedberg report is the only internal investigation arising from the data breach at McMenamins and the report itself acknowledges Stroz Friedberg participated in many internal business discussions.
The Court finds Guo Wengui more closely resembles the facts of this case. 338 F.R.D. 7. In that case, like here, the hacked entity (a law firm) failed to demonstrate that any meaningful investigation of the data breach occurred apart from the lone consultant report at issue. The court also noted that the report was shared with leadership and IT, just like the report here. The court recognized that the consultant was hired by counsel but found “that approach ‘appears to [have been] designed to help shield material from disclosure.'” Guo Wengui, 338 F.R.D. at 13 (quoting In re Dominion Dental Servs. USA Data Breach Litig., 429 F.Supp.3d 190, 195 (E.D. Va. 2019)). Other courts granting motions to compel cybersecurity reports also focus on the description of services in the scope of work and the availability of factual information from other non-privileged sources. See, e.g., In re Premera Blue Cross Customer Data Sec. Breach Litig., 296 F.Supp.3d 1230, 1245-46 (D. Or. 2017); Dominion Dental Servs., 429 F.Supp.3d 190; In re Cap. One Consumer Data Sec. Breach Litig., MDL No. 1:19md2915 (AJT/JFA), 2020 WL 2731238 (E.D. Va. May 26, 2020).
In light of the above persuasive authority and the Court's in camera review of the report, the Court finds that the Stroz Friedberg report is not protected work product. In short, the report provides only factual information. Stroz Friedberg was hired to determine the timing, means, and extent of the data breach while also participating in containment and restoration processes. The report also notes that Stroz Friedberg contributed to business discussions and provided remediation and investigative services. Further, the supplemental scope of work underscores that Stroz Friedberg was assisting with restoration services, not providing legal advice. Beyond the conclusory and self-serving first sentence of the report that Stroz Friedberg was engaged to assist in providing legal advice, there is no evidence this report was in fact used to provide legal advice. Instead, the report, engagement letter, scopes of work, and all other available evidence demonstrate that Stroz Friedberg drafted this report for a business purpose, unrelated to anticipated or pending litigation. The report is not work product.
Moreover, even if the report could be considered work product, Plaintiffs have demonstrated a “substantial need for the materials to prepare its case and cannot, without undue hardship, obtain their substantial equivalent by other means.” Fed.R.Civ.P. 26(b)(3)(A). As detailed above, the Stroz Friedberg report is the only available information about how the data breach occurred and what remedial efforts McMenamins undertook in response to it. At oral argument, McMenamins argued that the publicly available notice of data breach included the same information as the report, and constituted the entirety of non-privileged facts to which Plaintiffs are entitled. McMenamins' position is nonsensical. The report includes more than a dozen pages of highly technical and detailed information while the notice includes, at most, a dozen vague sentences. As such, even if the report was work product, Rule 26(b)(3)(A) compels its production.
b. The Stroz Friedberg report is not attorney-client privileged.
McMenamins also claims that the Stroz Friedberg report is protected under the attorneyclient privilege. In the Ninth Circuit, communications are protected by the attorney-client privilege when the following eight elements are satisfied: “(1) Where legal advice of any kind is sought (2) from a professional legal adviser in his capacity as such, (3) the communications relating to that purpose, (4) made in confidence (5) by the client, (6) are at his instance permanently protected (7) from disclosure by himself or by the legal adviser, (8) unless the protection be waived.” United States v. Ruehle, 583 F.3d 600, 607 (9th Cir. 2009). “[T]he attorney-client privilege is strictly construed.” Id.
McMenamins argues the Stroz Friedberg report is attorney-client privileged because it was “created at the request of counsel, by a third party engaged to assist in the provision of legal advice” and “the report notes that it is confidential and privileged.” Dkt. No. 42 at 14. This argument ignores the first factor: whether legal advice was sought. For the same reasons the report is not work product, it also fails to be attorney-client privileged: the report does not provide legal advice. Moreover, McMenamins' privilege log does not identify attachments to allegedly privileged communications, so the Court is unable to confirm to what extent it was shared among McMenamins employees and others, or whether the report was, in fact, kept confidential and privileged.
In sum, McMenamins must produce a full copy of the report.
c. Entries on the privilege log that include Stroz Friedberg are generally not attorney-client privileged and must be produced.
McMenamins has apparently withheld in full all communications between any McMenamins employees and Stroz Friedberg personnel. No such communications have been produced, and McMenamins' privilege log categorizes communications involving its employees, counsel, and Stroz Friedberg as attorney-client privileged. Dkt. No. 48 at 124-139 (excerpt identifying communications that include Stroz Friedberg). McMenamins' response to the motion to compel does not address these communications explicitly but rather argues generally that “the information related to [the] Stroz Friedberg report” is attorney-client privileged. Dkt. No. 42 at 14. McMenamins does not argue the communications are protected work product.
To be attorney-client privileged, the communications with employees, counsel, and Stroz Friedberg must be related to legal advice. Ruehle, 583 F.3d at 607. There can be circumstances when a cybersecurity consultant works with counsel to provide legal advice after a data breach. See Premera, 296 F.Supp.3d at 1246 (“[G]iven Mandiant's role in working with outside counsel, there may be some privileged communications or work-product protected information in the withheld documents.”). However, neither the engagement letter nor the scope of work identifies any work by Stroz Friedberg related to the provision of legal advice. The evidence demonstrates Stroz Friedberg was providing a business service, by seeking and providing factual information to McMenamins and their counsel. And factual information contained in an email is not protected merely because an attorney was copied. See Newman v. Highland Sch. Dist. No. 203, 381 P.3d 1188, 1191 (Wash. 2016) (“The attorney-client privilege does not shield facts from discovery, even if transmitted in communications between attorney and client.”). Thus, communications involving Stroz Friedberg concerning the facts of the attack and McMenamins' response, investigation(s), and remediation are not privileged. McMenamins must revise its privilege log to remove, and produce, any such communications. To the extent any communications containing factual material also include legal advice, redacted versions must be produced and the justification for said redactions detailed on McMenamins' revised privilege log.
The Court expects most, if not all, communications that include Stroz Friedberg will be removed from the privilege log and produced.
2. McMenamins must supplement its responses to Plaintiffs' first set of interrogatories and RFPs.
In accordance with the Court's ruling that the Stroz Friedberg report and related factual information and communications are not privileged, McMenamins must supplement its responses to Plaintiffs' first set of interrogatories and RFPs to include any information or documents that were withheld on privilege grounds in a manner inconsistent with this order. See Dkt. No. 40 at 47-53, 69-90. These updated answers and responses must comply with the Federal Rules of Civil Procedure. Specifically, McMenamins cannot incorporate objections and responses by reference, as such answers make it impossible to determine how each objection relates to any given request. Interrogatories must “be answered separately and fully.” Fed.R.Civ.P. 33(b)(3). Any objections to interrogatories “must be stated with specificity.” Fed.R.Civ.P. 33(b)(4). Likewise, any objection to a request for production “must state whether any responsive materials are being withheld on the basis of that objection.” Fed.R.Civ.P. 34(b)(2)(B), (C).
B. Plaintiffs' Second Motion to Compel is Granted in Part and Denied in Part.
Plaintiffs' second motion seeks an order compelling McMenamins to produce documents responsive to RFPs 42-56, and 59. Dkt. No. 49. Plaintiffs argue the financial documents they seek in these RFPs are relevant (1) to prove McMenamins' negligence, breach of fiduciary duties, and violation of the CPA; (2) for a punitive damages analysis under the CPA; and (3) to enable Plaintiffs to make a realistic appraisal of the case. Id. McMenamins argues in response to Plaintiffs' motion that because it had already agreed to “produce documents related to its financial investments in cybersecurity,” the remaining requests are irrelevant and overbroad. Dkt. No. 53.
As a threshold matter, McMenamins' discovery responses only objected to the requests at issue based on relevance, and not on overbreadth or burden, the grounds McMenamins argues now. See Dkt. No. 50 at 30-34. Those objections may not be raised for the first time in this posture. See Richmark Corp. v. Timber Falling Consultants, 959 F.2d 1468, 1473 (9th Cir. 1992) (“It is well established that a failure to object to discovery requests within the time required constitutes a waiver of any objection.”); O. L. v. City of El Monte, Case No. 2:20-cv-0797 RGK (JDEx), 2021 WL 926105, at *3 (C.D. Cal. Jan. 11, 2021) (“[O]bjections not raised in a written response to discovery may not be raised for the first time in a discovery motion.”). Accordingly, while the Court agrees that many of the requests appear overly broad, because McMenamins limited its objections to relevance, the Court will likewise limit its evaluation of the requests to relevance grounds.
McMenamins also objected to various requests as “unreasonably duplicative” of other requests and incorporated by reference their previously stated objections. See e.g., Dkt. No. 50 at 32, 33. However, the “incorporated” objections state only relevance. Id. Moreover, for each request, McMenamins also said it would produce nonprivileged, responsive documents. However, it is impossible to know for each request whether any such documents have been or will be produced, what might be withheld, and on what basis. Dkt. No. 50 at 30-34.
The bar for relevance in civil discovery is low. See Fed.R.Civ.P. 26(a)(b)(1). Plaintiffs argue that the requests are relevant to prove McMenamins' liability for their substantive claims, by showing that McMenamins allegedly breached various duties to “adequately fund cybersecurity protections given the financial resources available to it, and in light of its decisions to allocate funding for other purposes.” Dkt. No. 49 at 5. McMenamins' offer to provide documents only related to financial investments in cybersecurity would presumably not reach records documenting choices in favor of other expenditures. Plaintiffs additionally argue that their requests are relevant to showing their entitlement to treble damages under the CPA and for case assessment purposes.
Given the generous standard for relevance in civil discovery, and McMenamins' meager objections, the Court finds that Plaintiffs have met their burden of showing that the following requests seek information relevant to their claims: RFPs 42, 43, 44, 46, 48, 51, 52, 53, 54, 55, and 56. Plaintiffs' motion to compel is thus granted for these requests. By contrast, Plaintiffs have failed to show how RFPs 45 (“all records indicating any and all sales”), 47 (“copies of all form 1099s”), 49 (“all bank statements for all bank accounts”), 50 (“copies of all records, bills and invoices pertaining to the expenses and gross receipts” of Defendant going back to 2017), and 59 (“[d]ocuments sufficient to show the ownership of Defendant”) seek information that is relevant to their claims and that they would not otherwise obtain from answers to other requests.
Accordingly, Plaintiffs' second motion to compel is granted in part and denied in part. McMenamins must produce all nonprivileged documents responsive to the RFPs identified above.
IV. CONCLUSION
For these reasons, the Court GRANTS Plaintiffs' first motion to compel (Dkt. No. 39) and GRANTS IN PART AND DENIES IN PART Plaintiffs' second motion to compel (Dkt. No. 49). McMenamins is ORDERED to:
(1) produce a full copy of the Stroz Friedberg report, engagement letter, and all scopes of work by December 13, 2023;
(2) reproduce its privilege log by January 5, 2024;
(3) update its responses to Plaintiffs' first set of discovery by January 5, 2024, and
(4) produce all nonprivileged, responsive documents to RFPs 42, 43, 44, 46, 48, 51, 52, 53, 54, 55, and 56 by January 5, 2024.
Dated this 6th day of December, 2023.