Opinion
2:24-cv-473-JLB-KCD 2:24-mc-8-JLB-KCD
06-24-2024
ORDER
KYLE C. DUDEK, UNITED STATES MAGISTRATE JUDGE
Before the Court is Petitioner William Rose's Motion to Compel Compliance with Non-Party Subpoena Served Upon KPMG, LLP (24mc8, Doc. 1) and his Motion to Compel Compliance with Non-Party Subpoenas Served Upon T-Mobile USA, Inc. (24cv473, Doc. 1-1). T-Mobile has responded in opposition and seeks to quash both subpoenas. (24mc8, Doc. 7; 24cv473, Doc. 4.) For the reasons stated below, the motion to compel KPMG's compliance is granted in part and denied in part. The motion to compel T-Mobile's compliance is denied.
Unless otherwise indicated, all internal quotation marks, citations, and alterations have been omitted in this and later citations.
During the latest status conference, the parties agreed that the pending motions overlap and should be considered together. (24mc8 Doc. 26.) Accordingly, the Court issues this single order addressing both.
I. Background
Rose's cellular provider is Cellular Touch Wireless, an authorized Metro by T-Mobile dealer. (23cv22, Doc. 1 ¶ 40.) On August 13, 2021, someone pretending to be Rose obtained control of his wireless account via a SIM swap. (Id.) Representatives of Cellular Touch Wireless allegedly “bypassed . . . T-Mobile's security protocols and transferred . . . [Rose]'s wireless telephone number [to an imposter] -- disconnecting the telephone number from [Rose]'s wireless phone's SIM card and then connecting the telephone number to a SIM card under the control of the [imposter].” (23cv22, Doc. 1 ¶ 40.) This let the imposter access Rose's bank accounts, from which they stole $280,414.60 in cryptocurrency. (Id. ¶¶ 39, 41, 47.) Rose now sues Cellular Touch Wireless, and his case is pending before this Court. (Id.)
Four days after the imposter obtained control of Rose's wireless account, T-Mobile confirmed that its “systems were subject to a criminal cyberattack that compromised [the] data of millions” of customers. (24mc8, Doc. 7-2 at 10.) It then hired KPMG to review its network security and “help [it] prevent future incidents like the August 2021 cyberattack.” (24mc8, Doc. 7 at 5.)
According to T-Mobile, the cyberattack is unrelated to the SIM swap that affected Rose's account. (24mc8, Doc. 7 at 12.) But Rose believes “the cybersecurity flaws that led, in large part, to the harm addressed in his Complaint” are those that KPMG was retained to assess. (24mc8, Doc. 1 ¶ 8.) So he sent KPMG a subpoena to produce eight categories of documents related to its work for T-Mobile under Rule 45. (24mc8, Doc. 1 ¶ 11, Doc. 1-3 at 8.) KPMG responded with objections before agreeing to produce (1) its engagement letter, and (2) draft reports, including the related documents, synthesizing KPMG's control validation work for T-Mobile. (24mc8, Doc. 1 ¶ 15, 17, Doc. 1-5.) The parties then signed an agreement to safeguard the information within the documents, but KPMG never followed through on production. (24mc8, Doc. 1 ¶ 16.)
Rose also sent T-Mobile two subpoenas. T-Mobile produced documents in response to the first subpoena. (24cv473, Doc. 23 at 2.) But the second subpoena, which seeks documents related to KPMG's investigation, remains at issue. (24cv473, Doc. 1-8.) T-Mobile believes the latter subpoena is “categorically objectionable.” (24cv473, Doc. 1-10.) The parties tried to confer, but to no avail.
That brings us to the two motions at issue. As for Rose's motion to compel production from KPMG, he argues the documents it agreed to produce are relevant because they concern flaws in T-Mobile's security defenses. (24mc8, Doc. 1 at 8.) Rose believes these flaws contributed to the unauthorized SIM swap that affected his account. T-Mobile disagrees. It launches a broadside attack on the KPMG subpoena, arguing it seeks confidential information that is neither relevant nor proportional to the needs of the case. (24mc8, Doc. 7 at 2-5, 11-12, 14-15.) Should the Court disagree, T-Mobile asks that parameters be set on KPMG's production to safeguard the confidential information therein. (Id. at 16.) For its part, KPMG says it “stands ready to comply” and will defer to the Court's ruling here. (24mc8, Doc. 8 at 1, 2, 5.)
Turning to the T-Mobile subpoena, Rose argues the responsive documents are needed to show T-Mobile “failed to properly implement and execute security procedures,” ignored security threats, “ignored and bypassed numerous security protocols on [his] account,” and did not protect his personal identifying information. (24cv473, Doc. 1-1 at 13-14.) As it did in response to the KPMG subpoena, T-Mobile maintains that Rose is pursuing confidential information that is neither relevant nor proportional to the needs of his case. (24cv473, Doc. 4 at 12-19.) It also asserts that “complying with Mr. Rose's sweeping requests would be unduly burdensome.” (Id. at 19-21.)
II. Legal Standard
“Rule 45 is the proper vehicle for obtaining documents and other materials from nonparties relevant to a pending lawsuit.” Landstar Glob. Logistics, Inc. v. Haskins, No. 3:09-CV-1163-J-32JRK, 2011 WL 13176155, at *1 (M.D. Fla. Jan. 25, 2011). But it “must be read in conjunction with Rule 26 [which] clearly defines the scope of discovery for all discovery devices.” Id. Rule 26 “allows discovery regarding any matter, not privileged, that is relevant to the subject matter of the pending litigation and proportional to the needs of the case.” Sims v. BMW of N. Am. LLC, No. 6:22-CV-1685-PGB-EJK, 2023 WL 8254357, at *3 (M.D. Fla. Nov. 29, 2023).
When a non-party “objects or otherwise fails to produce the documents requested by” a Rule 45 subpoena, the court may “entertain a motion to compel.” Adebiyi v. City of Riverdale, Georgia, No. 1:09-CV-0025-RWS-JFK, 2010 WL 11493740, at *1 (N.D.Ga. Mar. 12, 2010). Where a party seeks to quash a subpoena, as here, he “bears the burden to establish that the information sought is protectable under Rule 45, but the party issuing the subpoena bears the burden of proving the requests are relevant.” Meide v. Pulse Evolution Corp., No. 3:18-CV-1037-J-34MCR, 2019 WL 1518959, at *4 (M.D. Fla. Apr. 8, 2019). Whether the motion to compel seeks relevant information must be answered before the court considers a request to quash or modify the subpoena. Sims, 2023 WL 8254357, at *3.
III. Discussion
A. KPMG Subpoena
As the party moving to compel, Rose must first show that KPMG's engagement letter and draft reports, including the supporting documents, relate to his claims against Cellular Touch Wireless. Meide, 2019 WL 1518959, at *4. “To determine the relevancy of the information sought [through discovery], the court takes note of the facts set forth in the[] complaint.” Miller v. MP Glob. Prod., LLC, No. CIV.A. 12-00747-KD-N, 2014 WL 1017887, at *2 (S.D. Ala. Mar. 17, 2014). “The term relevant under [Rule 26] is construed broadly to encompass any matter that bears on, or that reasonably could lead to other matter that bears on, any issue that is or may be in the case.” Sims, 2023 WL 8254357, at *3.
Rose claims he was the victim of a SIM swap. He alleges Cellular Wireless employees “bypassed Metro by T-Mobile's security protocols and transferred to an [imposter,] [Rose]'s wireless telephone number -- disconnecting the telephone number from [his] wireless phone's SIM card and then connecting the telephone number to a SIM card under the control of the [imposter].” (23cv22, Doc. 1 ¶ 40 (emphasis added).) He also believes this was not an isolated incident. (Id. ¶¶ 51, 52.) Rather, he has obtained information showing the same unique International Mobile Equipment Identity number was used in other unauthorized SIM swaps “at or about the same time[.]” (Id. ¶ 51.) According to Rose, this individual was able to repeatedly bypass T-Mobile's security protocols because of the cybersecurity flaws KPMG was retained to assess:
52. Upon further information and belief, Defendant was aware that its security systems and internal software platform contained significant holes and weaknesses that permitted unchecked security bypasses and allowed unauthorized actors to enter the system and gain control over customer accounts and information; yet Defendant did not take adequate measures to address those holes and weaknesses. (Id. ¶ 52 (emphasis added).)
Because the documents KPMG agreed to produce could “bear on” or “lead to other matter that bears on” the allegations in Paragraph 52 above, such materials fall within the broad reach of Rule 26. Sims, 2023 WL 8254357, at *3.
Thus, the Court turns to T-Mobile's request to quash the subpoena. Rule 45 “specifies when a court should, or must, quash a subpoena to a third-party.” Feingold v. Cardinale, No. 22-CV-20375, 2023 WL 4763149, at *3 (S.D. Fla. Apr. 25, 2023). “The party seeking to quash a subpoena bears the burden of establishing at least one of the requirements articulated under Rule 45(d)(3).” Sims, 2023 WL 8254357, at *2. At issue here, a court may quash or modify a subpoena that requires “disclosing a trade secret or other confidential research, development, or commercial information[.]” Fed.R.Civ.P. 45 (d)(3)(B)(i). “However, [t]here is no absolute privilege for trade secrets or similar confidential information.” Sams v. GA W. Gate, LLC, 316 F.R.D. 693, 698 (N.D.Ga. 2016).
As the party seeking protection, T-Mobile “must first establish that the information [sought] is indeed confidential and then demonstrate that its disclosure might be harmful.” In re H.M.B. Ltd., No. 17-21459-CIV, 2018 WL 4778459, at *12 (S.D. Fla. July 2, 2018). “This has been described as a heavy burden.” Id.
If T-Mobile satisfies its heavy burden, Rose must then “show a substantial need for the testimony or material that cannot be otherwise met without undue hardship.” Wachovia Ins. Servs., Inc. v. Paddison, No. 406CV083, 2006 WL 8435309, at *18 (S.D. Ga. July 18, 2006). “If the requesting party establishes these facts, the court may order . . . production only upon specified conditions. Those conditions often include protective measures, such as confidentiality orders.” Sams, 316 F.R.D. at 698.
T-Mobile argues the Court should quash the subpoena because the responsive documents concern “confidential, security-related research that requires protection.” (24mc8, Doc. 7 at 14.) As Chris Wallace, T-Mobile's Senior Director for Offensive Security and Vulnerability Management, explains in his affidavit, KPMG's reports have “highly sensitive information about T-Mobile's network infrastructure and [the] newly adopted information security practices and solutions, which defend the network from constant cyberattacks.” (24mc8, Doc. 7-6 ¶ 5.) According to Wallace, if revealed, the content of the responsive documents “could give those seeking to harm T-Mobile a roadmap to infiltrate T-Mobile's systems and elude the latest controls. . . to compromise T-Mobile's network.” (Id. ¶ 6.) Thus, T-Mobile has “tightly controlled” KPMG's work product, restricting its access to only “key technology and security personnel.” (Id.)
While Rose pooh-poohs T-Mobile's concerns, he never contests its assertion that the requested documents have confidential information that would be harmful if revealed. (24mc8, Doc. 12 at 9-10.) With no substantive opposition, the Court finds T-Mobile has met its “heavy burden.” In re H.M.B. Ltd., 2018 WL 4778459, at *12.
Thus, Rose needs to “show a substantial need for the . . . material that cannot be otherwise met without undue hardship[.]” Paddison, 2006 WL 8435309, at *18. He must “demonstrate that the disclosure of [the confidential research] is both relevant and necessary to the underlying litigation.” Luiken v. Runzheimer Int'l, Ltd., No. 11-MC-34, 2011 WL 3423335, at *1 (E.D. Wis. Aug. 3, 2011). Rose has done so. He alleges the employee who approved the SIM swap bypassed T-Mobile's security protocols. (23cv22, Doc. 1 ¶ 40.) And they were only able to do so because T-Mobile's “security systems and internal software platform contained significant holes and weaknesses that permitted unchecked security bypasses and allowed unauthorized actors to enter the system and gain control over customer accounts and information[.]” (Id. ¶ 52 (emphasis added).) To support this contention, Rose needs to understand T-Mobile's network security at the time of the SIM swap. And that evidence is not in the possession of Defendant Cellular Touch Wireless because, as Chris Wallace explained, “KPMG's work product is not available outside of T-Mobile and KPMG.” (24mc8, Doc. 7-6 ¶ 6.) Thus, Rose has shown substantial need.
Because Rose substantially needs information that is confidential and cannot otherwise be obtained, the Court may “order . . . production under specified conditions[.]” Fed.R.Civ.P. 45 (d)(3)(C). Rose concedes that restrictions and protections are appropriate. (24mc8, Doc. 12 at 10.) And T-Mobile has conditions in mind. (24mc8, Doc. 7 at 16.) Therefore, the Court will direct the parties to jointly craft a protective order that lets Rose view the documents KPMG agreed to produce while safeguarding their valuable and confidential information. If the parties cannot reach an agreement, they are to notify the Court within thirty days.
B. T-Mobile Subpoena
In his September 2023 subpoena to T-Mobile, Rose seeks a similar batch of documents concerning KPMG's investigation of T-Mobile's security system. As above, such documents could “bear on” or “lead to other matter that bears on, any issue that is or may be” in Rose's case against Cellular Touch Wireless. Sims, 2023 WL 8254357, at *3. Thus, they too fall within the broad reach of Rule 26.
But T-Mobile argues the Court should quash the September 2023 subpoena “because complying with Mr. Rose's sweeping requests would be unduly burdensome.” (24cv473, Doc. 4 at 19.) A subpoena that subjects the recipient “to undue burden” must be quashed or modified. Fed.R.Civ.P. 45 (d)(3)(A)(iv). In determining whether a subpoena falls into this category, the reviewing court must “balance the interests served by demanding compliance with the subpoena against the interests furthered by quashing it.” Jordan v. Comm'r, Mississippi Dep't of Corr., 947 F.3d 1322, 1337 (11th Cir. 2020). “An undue burden is one which is beyond that normally necessary” and requires the moving party “to show more than expense or difficulty.” Arval Serv. Lease S.A. v. Clifton, No. 3:14-CV-1047-J-39MCR, 2015 WL 12818837, at *2 (M.D. Fla. June 23, 2015).
“To determine whether a subpoena imposes an undue burden, the court must consider at least six factors: (1) [the] relevance of the information requested; (2) the need of the party for the documents; (3) the breadth of the document request; (4) the time period covered by the request; (5) the particularity with which the party describes the requested documents; and (6) the burden imposed.” TIC Park Ctr. 9, LLC v. Cabot, No. 16-24569-CIV, 2017 WL 9988745, at *2 (S.D. Fla. June 9, 2017). “The status of the subpoena recipient as a non-party is also a factor that can weigh against disclosure in the undue burden inquiry.” Jordan, 947 F.3d at 1337. “Claims of undue burden should be supported by a statement (generally an affidavit) with specific information demonstrating how the request is overly burdensome.” Strike 3 Holdings, LLC v. Doe, No. 6:22-CV-1166-RBD-DCI, 2022 WL 17582574, at *1 (M.D. Fla. Dec. 12, 2022).
T-Mobile argues the third and fourth factors weigh in its favor because Rose requests “information about almost the entirety of T-Mobile's security infrastructure from January 1, 2021 through the present date, despite Mr. Rose alleging that his losses resulted from only one Cellular Touch employee accessing his account without authorization on one day in August 2021.” (24cv473, Doc. 4 at 20-21.) T-Mobile also argues the sixth factor because its “engagement of KPMG spanned multiple years, generating hundreds of thousands of documents with many custodians on multiple teams. It would have to devote significant, valuable resources to collect and organize all of that data, diverting employees from their full-time jobs of keeping T-Mobile's network secure.” (Id. at 21.)
Rose's theory of the case is not as cramped as T-Mobile suggests. But the Court agrees that he asks too much of T-Mobile, who is not a party to the underlying suit. As written, the subpoena requires T-Mobile to produce just about every scrap of paper and communication related to KPMG's review of its security systems, which spans nearly three years. (24cv473, Doc. 1-8.) As Chris Wallace explained in his declaration, “[t]here are hundreds of thousands of emails, slide presentations, meeting notes, and other miscellaneous documents generated as part of KPMG's engagement. These materials are not centrally located but are housed with many custodians throughout T-Mobile. To identify all work done as part of KPMG's August 2021 engagement (much less collect and review the material) would require hundreds (if not thousands) of hours of T-Mobile employee time.” (24cv473, Doc. 4-9 ¶ 7.) Through Wallace's declaration, T-Mobile has shown that complying with Rose's “sweeping requests would be unduly burdensome.” (24cv473, Doc. 4 at 19, Doc. 4-9 ¶ 7.) Rose will also be receiving many of the same documents from KPMG, as ordered above. So his need for the subpoena on T-Mobile is significantly reduced. After considering all these factors, the Court will quash the September 2023 subpoena.
It is thus ORDERED:
1. The Court GRANTS IN PART AND DENIES IN PART Rose's Motion to Compel Compliance with Non-Party Subpoena Served Upon KPMG, LLP. (24mc8, Doc. 1.) The parties must meet and confer to craft a protective order that lets Rose view the documents KPMG agreed to produce while safeguarding their valuable and confidential information. If the parties cannot reach an agreement, they are to notify the Court within thirty days.
2. The Court DENIES Rose's Motion to Compel Compliance with Non-Party Subpoenas Served Upon T-Mobile USA, Inc. (24cv473, Doc. 1-1.)