
Simmons v. USAble Corp.

United States District Court, Eastern District of Arkansas
Sep 30, 2021
4:20-cv-00137-KGB (E.D. Ark. Sep. 30, 2021)

Opinion


KEVIN SIMMONS, BILLIE OVERSTREET, AND JAMES YOUNG, Each Individually and on Behalf of All Others Similarly Situated PLAINTIFFS v. USABLE CORPORATION DEFENDANT


OPINION AND ORDER

Kristine G. Baker United States District Judge

Before the Court is defendant USAble Mutual Insurance Company's (“USAble”) motion for summary judgment (Dkt. No. 24). Plaintiffs Kevin Simmons, Billie Overstreet, James Young, S. Todd Miller, Scott Cavanaugh, and Janel Broadhurst (jointly “plaintiffs”) oppose the motion (Dkt. No. 32). For the following reasons, the Court grants USAble's motion for summary judgment (Dkt. No. 24).

USAble Mutual Insurance Company states that it was incorrectly named as “USAble Corporation” in the case caption (Dkt. No. 24, at 1).

I. Statement Of Facts

Unless otherwise stated, the facts are drawn from defendant's statement of undisputed facts and plaintiffs' response to defendant's statement of undisputed facts (Dkt. Nos. 26, 33).

USAble is an Independent Licensee of Blue Cross Blue Shield Association and offers health and dental insurance policies for individuals and families throughout the State of Arkansas (Dkt. No. 26, ¶ 1). USAble regularly maintains, accesses, uses, receives, and transmits the Protected Health Information and Personal Identifiable Information (collectively, “PHI”) of its members to assess and determine eligibility for claims of coverage and reimbursement (Id., ¶ 2). The Enterprise Information Security Office (“EIS”), a functional department within USAble, is responsible for the security of the enterprise's information (Id., ¶ 3). EIS was previously designated as the Information Security Office, and the change to EIS came early in the applicable statutory period; the name modification did not substantively alter the information security functions for which the department was responsible (Id., ¶ 4). EIS is, and was during the applicable statutory period, responsible for a variety of security functions, managing security related deployment, and developing projects and security policy that align with USAble's enterprise security operations with industry and regulatory compliance (Id., ¶ 5).

The Lead Information Security Analyst and Information Security Analyst positions were located within EIS during the applicable statutory period (Id., ¶ 6). Mr. Simmons, Ms. Overstreet, and Mr. Miller were employed as Lead Information Security Analysts at USAble (Id., ¶ 7). Ms. Broadhurst, Mr. Cavanaugh, and Mr. Young were employed as Information Security Analysts at USAble (Id., ¶ 8).

Both the Lead Information Security Analyst and the Information Security Analyst positions were designated as either Level I, Level II, or Level III, each requiring progressively more experience than the preceding “Level” (Id., ¶ 9). However, plaintiffs deny that the stated job descriptions for the roles accurately reflect the job duties performed by plaintiffs (Dkt. No. 33, ¶ 9).

In February 2017, Al Ross was hired by USAble as the Supervisor of EIS and immediate supervisor of plaintiffs (Dkt. No. 26, ¶ 11). Mr. Ross was promoted to Manager of EIS in or about September 2018 (Id., ¶ 12). Devin Shirley was the Director of EIS and Mr. Ross's immediate supervisor during the entire applicable statutory period and, beginning in September 2017, became Chief Information Security Officer in conjunction with his Director of EIS position (Id., ¶ 13).

Prior to February 2017, plaintiffs had substantial leeway in defining their work schedules, including the liberty to work from home (Id., ¶ 14). Mr. Ross set standardized office hours for EIS employees in order to increase their shared time in the office and, thereby, enable more opportunities to engage each other on EIS matters (Id., ¶ 15). Plaintiffs claim, with identical estimations, that they worked “at least 60-65 hours per week on average. However, there were weeks that each of us [plaintiffs] had to work up to 75 hours . . .,” excluding the “5-15 extra hours per week” plaintiffs purportedly spent “on-call.” (Id., ¶ 16). Plaintiffs complain that Mr. Ross “shifted who was performing which job duties almost bi-weekly, as well as who would be the back-up for each duty.” (Id., ¶ 17).

Plaintiffs identify the following as duties for which they were collectively “responsible for” since 2017, including: (1) Policies and Procedures; (2) Business Continuity Program Management; (3) Disaster Recovery Program Management; (4) Disaster Recovery Exercising; (5) Vulnerability Management; (6) Patch Management; (7) Threat Hunting; (8) Threat Intelligence; (9) SIEM (Security Information and Event Management); (10) Employee Training and Awareness; (11) Database Activity Monitoring; (12) SDLC (System Development Lifecycle) Management; (13) Incident Management; (14) Cap Keeper; (15) Audit Management; (16) Risk Assessment; (17) Risk Analysis; (18) Contract Review; (19) Vendor Security Management; (20) HITRUST Compliance Management; (21) Service Now; and (22) DLP (Data Loss Prevention) (Id., ¶ 18). Ms. Broadhurst also includes “working on the SharePoint site which was the ‘warehouse’ of all BCBS of Enterprise Policies and Procedures (EPP)” and, “[b]ecause [she] was the Administrator of this web site (EPP) [she] spent approximately 20 hours on the website and 30 hours auditing.” (Id., ¶ 18).

USAble states that each plaintiff played an integral and distinctive role in safeguarding the information of USAble (Id., ¶ 20).

A. Plaintiffs

1. Kevin Simmons

Prior to his employment with USAble, Mr. Simmons received a Bachelor of Business Administration in Management and a Master of Business Administration in Information Systems from the University of Arkansas at Little Rock (“UALR”) and held several positions at the University of Arkansas for Medical Sciences (“UAMS”), including Systems Analyst, Instructor, and Subject Research Educator (Id., ¶ 21). Mr. Simmons was hired by USAble on or about September 22, 2008, in the position of “security analyst” and was subsequently promoted to, and employed during the applicable statutory period as, Lead Information Security Analyst I (Id., ¶ 23). Prior to his employment with USAble as a permanent employee, Mr. Simmons was employed by GVH, a contractor of USAble (Id., ¶ 24).

During his employment with USAble, the company paid for Mr. Simmons to obtain certain “security” certifications, including: Certified Information Systems Security Professional (“CISSP”), Certified Information Security Manager (“CISM”), and HITRUST Certification (Id., ¶ 25). Mr. Simmons continues to maintain his CISSP and CISM certifications as they are each relevant to his career as a security professional (Id., ¶ 26).

Mr. Simmons' role within EIS centered on regulatory compliance, consuming approximately 30 hours per week of the 50 to 55 hours he contends that he worked each week during the applicable statutory period (Id., ¶ 27). Mr. Simmons denies that he had any authority to bring USAble into compliance with regulations, but rather he asserts that he used the requirements stated in the applicable regulations to create policy language, generally in a team setting, that was then subject to the editing and approval of Mr. Ross or Mr. Shirley followed by editing and approval of the Security Committee before implementation (Dkt. No. 33, ¶ 27).

Mr. Simmons utilized his knowledge and expertise of pertinent security regulations, framework, and requirements to perform a number of discrete functions in this position, including drafting policies and procedures, providing insight into security requirements applicable to USAble, evaluating new lines of business, and reviewing contracts (Dkt. No. 26, ¶ 28). Mr. Simmons confirmed that he was in fact determining what regulations and requirements applied, such as for endpoint security, which included researching which regulations and requirements applied, where necessary, and familiarizing himself with what those requirements were (Dkt. No. 33, ¶ 28).

During the applicable statutory period, EIS was tasked with developing policies and procedures for the purpose of achieving “HITRUST certification” (Dkt. No. 26, ¶ 29). The “HITRUST certification” that USAble was seeking to achieve is distinct from the individual HITRUST certification Mr. Simmons received (Id., ¶ 30). A company that is HITRUST certified uses the certification as a “selling point, [a] marketing point” for their business, as it conveys that a company has sought to ensure regulatory compliance and enhance the security of its information (Id., ¶ 31). USAble decided to attain HITRUST certification (Id., ¶ 32). HITRUST certification requires, inter alia, that a company maintain certain policies which, as alluded to above, Mr. Simmons, along with his co-employees in EIS, were commissioned to develop for USAble (Id., ¶ 33).

Mr. Simmons argues generally that he did not develop the requirements reflected in the policies and procedures but rather repeated the requirements of applicable regulations to create policy language, generally in a team setting, and subject to the editing and approval of Mr. Ross and Mr. Shirley (Dkt. No. 33, ¶ 29).

USAble purchased policy templates to provide a starting point for EIS in the drafting process, though some were unable to be utilized (Dkt. No. 26, ¶ 34). These “templates” were inadequate, and Mr. Simmons was tasked with ensuring that each policy was in compliance with applicable regulations (Id., ¶ 35). Policies were divided up among the Lead Information Security Analysts and Information Security Analysts, who individually developed initial policy drafts (Id., ¶ 36). Thereafter, the group of analysts would reconvene to collectively review and provide input as to the policy drafts (Id., ¶ 37). Due to time constraints, this collective policy review was eventually reduced to a review with one or two people (Id., ¶ 38). Depending on its substance, Mr. Simmons took into consideration the input provided by his co-workers (Id., ¶ 39). In the event that Mr. Simmons disagreed with the input, he argued his position to the group (Id., ¶ 40). Mr. Simmons objects to this representation, adding that he made changes to the policies he drafted based on input from his coworkers and did not have authority to resolve disagreements regarding policy language (Dkt. No. 33, ¶ 39-40).

Policies that Mr. Simmons drafted were presented to Mr. Ross and Mr. Shirley, to whom Mr. Simmons provided his recommendations (Dkt. No. 26, ¶ 41). Mr. Simmons recommended to Mr. Ross that policies should more closely track the language of the applicable regulation (Id., ¶ 42; Dkt. No. 33, ¶ 41). Once Mr. Ross and Mr. Shirley “agreed” with how the policy was “written and how [it] looked,” it was forwarded to the Security Committee for approval and implementation (Id., ¶ 43). The Security Committee was comprised of voting and non-voting members (Id., ¶ 44). The voting members were “all executives, high level,” and would vote on whether to approve the policy under consideration (Id., ¶ 45). Mr. Simmons was a non-voting member of the Security Committee and, in this capacity, “volunteered information” to the voting “executives” and provided “input” if the voting “executives” had specific inquiries (Id., ¶ 46). Throughout the entire policy-development process, USAble argues that Mr. Simmons utilized his knowledge of regulatory and security frameworks to draft policies, make recommendations or suggestions, and provide input, toward the goal of HITRUST certification and, ultimately, information security and regulatory compliance (Id., ¶ 47). Mr. Simmons asserts that he used the language of the regulations to draft policies, that he had no authority to deviate from the requirements of the regulations when drafting policies, and that his recommendations were rejected (Dkt. No. 33, ¶ 47).

Separate from the development of the HITRUST certification policies, Mr. Simmons developed and drafted other policies and procedures, such as an SDLC (System Development Lifecycle) “policy of best practices.” (Dkt. No. 26, ¶ 48). Mr. Simmons developed “guidelines” based off “NIST [] 800-53, which is a regulation often used,” for USAble software developers to utilize when creating computer programs (Id., ¶ 49). Employing his knowledge of regulatory requirements, in particular SP 800-53, Mr. Simmons distilled this comprehensive set of security controls into a “policy format” to ensure that “consistent and secure code [was] developed.” (Id., ¶ 50). The SDLC (System Development Lifecycle) policy drafted by Mr. Simmons was submitted to the Security Committee, of which he was a member, for approval (Id., ¶ 51). Mr. Simmons argues that, rather than “developing” policies, he merely drafted policy language based on the language of applicable regulations, which was then subject to review and editing by Mr. Ross and Mr. Shirley (Dkt. No. 33, ¶ 48).

USAble asserts that Mr. Simmons further deployed his knowledge of applicable regulations and security frameworks to provide recommendations pertaining to information security requirements (Dkt. No. 26, ¶ 52). Drawing on his “knowledge of regulatory requirements,” Mr. Simmons researched regulations and advised decisionmakers as to the relevant content (Id., ¶ 53).

Mr. Simmons assessed for compliance a “broad spectrum of tools” that provided “endpoint security” for USAble (Id., ¶ 54). An “endpoint” is any device that is physically at the endpoint on a network, such as desktop computers, laptop computers, and printers (Id., ¶ 55). Through his knowledge of the regulatory requirements applicable to USAble, Mr. Simmons determined what USAble's “security requirements were for endpoint” protection (Id., ¶ 56).

While regulatory compliance is imperative to USAble, “[r]egulations and best practices are not always one and the same.” (Id., ¶ 57). Mr. Simmons maintained knowledge not only of applicable regulations but also what were “best practices.” (Id., ¶ 58).

On occasion, USAble considered entering new lines of business, which would require an assessment of what regulations USAble would be obligated to comply with should it move forward with the new line of business (Id., ¶ 59). Mr. Ross or Mr. Shirley “would come to [Mr. Simmons] and say, ‘Look at this and see if there would be any - - what regulations would apply? Would it be insurance? Would it be HIPAA? Would it be PCI [Payment Card Industry Data Security Standard]?’” (Id., ¶ 60). Utilizing his knowledge of the vast number of regulatory requirements and security frameworks, Mr. Simmons analyzed the line of business and “provide[d] information back” to Mr. Ross and/or Mr. Shirley (Id., ¶ 61).

Mr. Simmons also reviewed select “security related” contracts to which USAble was a party in order to assess USAble's obligations under the particular contract with respect to security (Id., ¶ 62). Some contracts required USAble to attest that it was “SOC2” compliant (Id., ¶ 63). If a contract required that USAble be SOC2 compliant, Mr. Simmons had to assess USAble's internal controls, make a determination as to whether USAble was compliant, and report his determination to Mr. Ross (Id., ¶ 64).

In order to stay abreast of the vast regulatory requirements, security frameworks, certifications, and best practices, Mr. Simmons would nightly review “audit findings,” analyze the “latest threat intel type information,” “[r]egulations, HITRUST requirements,” and “NIST . . . requirements.” (Id., ¶ 65). Mr. Simmons performed “training” in order to maintain his “certifications.” (Id., ¶ 66). Mr. Simmons ensured that he was informed about security issues and how such issues could affect USAble by, for example, reading “CNN report[s]” and reviewing “intel reports” from the FBI that alert readers as to “potential bad actors and vulnerabilities.” (Id., ¶ 67). He specifically looked for “bad actors” or “vulnerabilities” that targeted the healthcare industry or pertained to technologies that USAble utilized (Id., ¶ 68). “For instance, when Anthem, which is a BlueCross company, was hacked, wanting to know . . . what happened to them was a major concern; because it's a . . . sister company.” (Id., ¶ 69).

While Mr. Simmons spent substantial time on matters concerning regulatory compliance, he considered “audits” his subject matter expertise (Id., ¶ 70). During the applicable statutory period, the Arkansas Insurance Department (“AID”) audited USAble (Id., ¶ 71). USAble hired a third party to perform its “risk assessment[s],” which entail the “same type of questions” as audits but are “internal.” (Id., ¶ 72). USAble performed assessments annually (Id., ¶ 73). Where an assessment has certified that USAble is “secure,” an external auditor may be willing to accept an “attestation” based on the assessment results to show that USAble complied with certain portions of the audit that overlapped with the assessment (Id., ¶ 74).

Approximately two weeks prior to an audit or assessment, Mr. Simmons would receive a list of questions eliciting the information and documentation that the auditor was “looking for.” (Id., ¶ 75). Mr. Simmons went “to the right person” to obtain the requisite information and ensured that all the information and documentation sought was “pulled together” and submitted to the auditor (Id., ¶ 76). The auditor spent approximately two weeks on site conducting meetings, including with Mr. Simmons, to obtain the information he sought (Id., ¶ 77). If an employee conveyed information to an auditor poorly, Mr. Simmons would help “guide them in a direction on an answer,” if possible (Id., ¶ 78). If he saw that USAble was “having difficulty in an area” of the audit, Mr. Simmons would report it to Mr. Ross or Mr. Shirley (Id., ¶ 79).

After the audit, the auditor would issue his “initial report and additional requests” before finalizing his report (Id., ¶ 80). Some auditors would return for a “follow up three to six months later to do the same things again . . . [,] especially if they found any potential issues.” (Id., ¶ 81). If an audit or assessment uncovered a “serious” issue, Mr. Simmons would prepare a “write-up” that was sent to “management” for “review” and to “take action.” (Id., ¶ 82). For example, “over 60,000 records containing PHI [and] PII information of customers” were being maintained on “file servers” that were open to anyone within the company that had a “log in,” which was a “major HIPAA violation.” (Id., ¶ 83 (referencing the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d-6 (“HIPAA”))). Mr. Simmons reported this to Mr. Ross and Mr. Shirley and participated in a “big meeting” with Kathy Ryan, Mr. Shirley, Mr. Ross, “IT management,” and “IBM consultants” on how to address the issue (Id., ¶ 84). Kathy Ryan is Executive Vice President, Chief Administrative Officer and Chief Information Officer for USAble (Id., ¶ 85).

After an audit or assessment, Mr. Simmons provided his analysis and opinion of the audit or assessment to Mr. Ross or Mr. Shirley, which was ultimately forwarded to the auditor (Id., ¶ 86). If applicable, Mr. Simmons may also advise Mr. Ross or Mr. Shirley if there was a particular audit or assessment response that could have been clearer or placed USAble in a superior position with relation to compliance (Id., ¶ 87). USAble asserts that Mr. Simmons' insight and expertise in audits and assessment was of particular authority and influence as Mr. Ross and Mr. Shirley did not have much knowledge of audits and assessments and were not very helpful (Id., ¶ 88). Mr. Simmons objects to the conclusion that he had authority or influence (Dkt. No. 33, ¶ 88). Mr. Simmons tracked audit findings in a tool called “Cap Keeper.” (Dkt. No. 26, ¶ 89). After receiving a “final report” from the auditor, he entered the information into Cap Keeper (Id., ¶ 90). With the Cap Keeper tool, Mr. Simmons tracked the status of audit findings and remediation of issues identified by the findings (Id., ¶ 91).

On a rotational basis, Mr. Simmons was “on-call” to respond to “potential security incident[s], security questions,” or other security matters “that needed to be addressed” (Id., ¶ 92). Mr. Simmons' rotation would last one week per month to 6 weeks (Id., ¶ 93). If a “security incident” occurred, a “security ticket” was created, alerting Mr. Simmons to a security issue that needed to be addressed (Id., ¶ 94). When Mr. Simmons was alerted to a security incident, he performed a preliminary investigation of the issue (Id., ¶ 95). First, he instructed the IT department to “run [a] scan[]” to see if there was a virus on the computer (Id., ¶ 96). “For instance, if you thought . . . the incident was caused by a bug,” Mr. Simmons would ask “IT to isolate the machine and then run some scans.” (Id., ¶ 97). Second, he directed IT to remove the virus and asked if they “found anything else and . . . continue monitoring those machines to see if . . . any more computer bugs [come up].” (Id., ¶ 98). Third, Mr. Simmons wrote a report of the incident, including the “lessons learned,” which was provided to Mr. Ross and ultimately Mr. Shirley (Id., ¶ 99). Included in his report was his assessment of where the virus originated, such as “an e-mail attachment that they clicked on accidentally” or “a Web site.” (Id., ¶ 100).

USAble also asserts that another aspect of Mr. Simmons' position with USAble was to review software or security issues and provide his recommendation, or “suggestion,” as to what software, program, or tool could be used to remedy the issue effectively and efficiently (Id., ¶ 101). Mr. Simmons objects to that characterization, but he admits that he “was selected to organize a group that researched possible avenues or software to disallow information from being saved certain places but he did not select the member of his group and his role was limited to organizing and scheduling meetings.” (Dkt. No. 33, ¶ 101). Mr. Simmons was a member of a group tasked with researching avenues, software, programs, and tools that USAble could use to aid in maintaining security by disallowing information like PHI to be sent in an unsecured manner (Dkt. No. 26, ¶ 102). Mr. Simmons contributed his knowledge of information security to the interdepartmental group (Id., ¶ 103). During the process, the group was instructed to assess a Data Activity Monitoring tool from IBM called “Guardium.” (Id., ¶ 104). Mr. Simmons believed IBM Guardium was a good product that did what it was assigned to do and provided his input to Mr. Shirley (Id., ¶ 105). Mr. Simmons helped “oversee the [IBM Guardium] project” and “get it put in place.” (Id., ¶ 106).

Mr. Simmons worked on a project to assess and select an “identity access management” program for USAble to utilize (Id., ¶ 107). Identity access management controls how USAble employees log into the organization's network (Id., ¶ 108). After being narrowed down to “two products, SailPoint and IBM, ” Mr. Simmons evaluated the products and “recommend[ed] [] SailPoint . . .” (Id., ¶ 109).

2. Billie Overstreet

Prior to her employment with USAble, Ms. Overstreet received a Bachelor of Science in Organization Management from Central Baptist College in Conway, Arkansas (Id., ¶ 110). In 1999, she was hired by USAble as a “meditech HMO claims examiner” (Id., ¶ 111). Ms. Overstreet was subsequently promoted to, and employed during the applicable statutory period as, Lead Information Security Analyst III (Id., ¶ 112). During her employment with USAble, the company paid for Ms. Overstreet to obtain certain “security” certifications, including: Certified Business Continuity Professional (“CBCP”) through Disaster Recovery Institute International; Global Information Assurance Certification Information Security Fundamentals (“GISF”); and HITRUST certification (Id., ¶ 113). Ms. Overstreet continues to maintain her certifications as they are each relevant to her career as a “business continuity” professional (Id., ¶ 114).

Business continuity is the process of creating and maintaining systems of prevention and recovery to deal with threats to a company, and it encompassed, on average, 30 hours per month of Ms. Overstreet's purported work time (Id., ¶ 115). Ms. Overstreet estimated that she spent 30 hours on “Business Continuity Program Management.” (Id., ¶ 116). Because USAble, as a “business,” is “ever changing,” “technology is ever changing,” and the “demand of [] vendors were ever changing,” business continuity is “an ongoing[,] ever breathing and living process.” (Id., ¶ 118).

Ms. Overstreet was responsible for continually verifying that proper documentation was in place for approximately 90 USAble departments, each with individualized business continuity plans in order to ensure that each department could respond to “any disruption to [USAble] of any kind,” including the loss of a facility, workplace, work force, application, or vendor (Id., ¶ 119). Disruptions could stem from, inter alia, security breaches, natural disasters, and even fire drills (Id., ¶ 120). A “disruption” may include, “loss of facility, loss of work place, loss of work force, loss of application, loss of vendor.” (Id., ¶ 121). “[St]ate regulations, industry standards, [and] best practices” required or recommended that insurance companies, like USAble, maintain a business continuity plan so that they could continue operating and recover customer data in the event of a disruption (Id., ¶ 122). Ms. Overstreet maintained familiarity with these regulations and standards to ensure that USAble's departmental business continuity plans were in compliance (Id., ¶ 123). In an effort to maintain compliance, USAble's departments were required to update their business continuity plans twice a year (Id., ¶ 124). On each of these semi-annual occasions, Ms. Overstreet individually met with each of USAble's 90 distinct departments regarding their respective business continuity plans (Id., ¶ 125). Prior to her meetings, Ms. Overstreet answered numerous inquiries from departmental employees making revisions to their business continuity plans (Id., ¶ 126). During her meetings, Ms. Overstreet and the department employee responsible for that particular department's plan went over the plan and did “tabletop exercises.” (Id., ¶ 127). Ms. Overstreet utilized her expertise in business continuity management and regulatory knowledge to analyze each departmental business continuity plan and to provide “insight” as to its regulatory compliance to Mr. Ross (Id., ¶ 128).

The Court takes notice of the fact that paragraph 121 of the Statement of Undisputed Facts does not include a citation to the record (Dkt. No. 26, ¶ 121). However, the Court relies on Ms. Overstreet's deposition testimony, wherein she confirms that she defined a “disruption” as any “loss of facility, loss of work place, loss of work force, loss of application, [or] loss of vendor.” Overstreet Dep. 38:4-7.

The Court takes notice of the fact that paragraph 127 of the Statement of Undisputed Facts does not support the assertion made (Dkt. No. 33 ¶ 127). Specifically, the cited material in paragraph 127 does not include the term “tabletop exercise.” (Dkt. No. 26, ¶ 127; Dkt. No. 33, ¶ 127). However, the Court relies on Ms. Overstreet's deposition testimony, wherein she confirms the statements paragraph 127 attributes to her (Dkt. No. 26, ¶ 127). Overstreet Dep. 61:4-7.

Closely related to “business continuity” is “disaster recovery,” and Ms. Overstreet spent approximately 40 hours each month on “disaster recovery exercising.” (Id., ¶ 129). During these weekend-long events a “critical system” (a technology that enabled USAble to meet its core policies, such as customer service) would be taken down and shut down, moved to a backup facility, and brought back up as seamlessly as possible in order to simulate an actual disaster (Id., ¶ 130). Performing disaster recovery exercises is both a regulatory requirement and best practice (Id., ¶ 131). Both HIPAA and HITRUST require an annual disaster recovery exercise (Id., ¶ 132). Many USAble customers required it, and many vendors requested that USAble both maintain a disaster recovery plan and conduct the annual exercise (Id., ¶ 133).

Ms. Overstreet, in concert with other participants, planned the disaster scenario that would be used in the disaster recovery exercise (Id., ¶ 134). The scenario was subject to the approval of Mr. Ross, who would either “sit in” on the planning meetings or receive a written or oral synopsis from Ms. Overstreet (Id., ¶ 135). In 2017, Ms. Overstreet ran the disaster recovery exercise; she was the “command center.” (Id., ¶ 136). In 2018, Mr. Ross wanted the “entire [EIS] team . . . running the command center all together.” (Id., ¶ 137). After an exercise concluded, the participants would engage in a “post-mortem,” recapping the exercise and identifying strengths and weaknesses in the disaster recovery plan (Id., ¶ 138). After the 2018 exercise, the “entire [EIS] team” conducted their “post-mortem” with Mr. Ross (Id., ¶ 139). Approximately a week later, Ms. Overstreet scheduled a second “post-mortem” with the participants in the data center involved in the “hands-on” task of moving the data during the exercise (Id., ¶ 140). After the “postmortem,” Ms. Overstreet prepared a report on the outcome of the disaster recovery exercises, which was subject to approval by Mr. Ross, who did not have any independent experience in disaster recovery or business continuity (Id., ¶ 141). These disaster recovery exercise reports were provided to USAble executives and to some customers in summary form with redactions (Id., ¶ 142). The results of the latest disaster recovery exercise were provided to the “16ish or so audits that c[a]me through every year.” (Id., ¶ 143).

USAble was subject to an average of 16 audits per year (Id., ¶ 144). Irrespective of the focus of the audit or the auditing entity, “security was also a focus. It was a focus of a whole subset of requirements that [USAble] wanted to make sure that [it] was meeting.” (Id., ¶ 145). Ms. Overstreet would attend audit meetings and audit calls to supply information and documents to the auditor's request pertaining to “security.” (Id., ¶ 146). Auditors would frequently inquire as to whether USAble had a specific security policy, such as a policy for data loss prevention or access management (Id., ¶ 147). Ms. Overstreet estimated that she spent 30 hours per month on “audit management.” (Id., ¶ 148).

Similar to audits were risk assessments, which encompassed approximately 30 hours per month of Ms. Overstreet's work time in addition to audits (Id., ¶ 149). USAble arranged for an annual external risk assessment but conducted numerous internal risk assessments throughout the year (Id., ¶ 150). An assessment is essentially an audit, in which Ms. Overstreet participated in assessing USAble's inherent risks, including determining what risks are acceptable and what mitigation efforts can be undertaken (Id., ¶ 151). USAble was required by HIPAA to conduct an annual risk assessment (Id., ¶ 152). Based on the assessments made and data collected in a risk assessment or disaster recovery exercise, Ms. Overstreet identified any risks and determined whether mitigation was appropriate or whether it was better for USAble to accept the risk, which required the “right executive to sign off and accept the risk.” (Id., ¶ 153). This job duty consumed approximately two hours per month of Ms. Overstreet's work time (Id., ¶ 154).

HITRUST consolidates various government regulations applicable to insurance companies into a certifiable framework with “over 2000 controls.” (Id., ¶ 155). It is a “difficult standard,” but “paramount” for USAble because of the “PHI and PII that [it] has.” (Id., ¶ 156). Ms. Overstreet analyzed and compared these regulatory “controls” with the information security measures USAble was already taking in order to “help management decide” whether to make updates so USAble “c[ould] become HITRUST compliant or say that portion we're not going to do.” (Id., ¶ 157). Ms. Overstreet assessed the controls and determined “when and where a policy or procedure, . . . guidelines, [or] whatever, . . . might actually meet” HITRUST standards and “where th[e] gaps were.” (Id., ¶ 158). Managing HITRUST compliance was a time-consuming process, consuming an estimated 30 hours of Ms. Overstreet's work time per month (Id., ¶ 159).

Ms. Overstreet spent approximately 15 hours per month drafting policies and procedures for USAble (Id., ¶ 160). USAble contracted with a third-party to provide policy “templates,” each of which required individual analysis (Id., ¶ 161). Ms. Overstreet analyzed and “worked through” each of the policies both with her EIS co-workers and individually (Id., ¶ 162). Ms. Overstreet provided more input for policies pertaining to subject matters with which she was more familiar but gave some input as to “all of [the policies].” (Id., ¶ 163). Many of the templates were unable to be utilized, and all of the policies Ms. Overstreet wrote had to be customized for USAble (Id., ¶ 164). “[O]ne of the biggest parts” of drafting the policies was ensuring their compliance with both USAble's standards and applicable regulations (Id., ¶ 165). Ms. Overstreet used her knowledge to distill the regulatory requirements into a policy that was readable to other departments that did not specialize in information security “while [still] following . . . the regulations.” (Id., ¶ 166). Policies were submitted to Mr. Ross for approval and ultimately forwarded to the Security Committee for company-wide approval and implementation (Id., ¶ 167). Drafting policies and procedures encompassed both the drafting of HITRUST compliant policies, with the goal of attaining HITRUST certification, as well as other policies that did not pertain to HITRUST certification (Id., ¶ 168). Ms. Overstreet was responsible for analyzing and assessing whether, inter alia, USAble's policies and procedures were compliant with HITRUST standards (Id., ¶ 169).

Vulnerability management-the process of identifying, evaluating, and treating vulnerabilities-consumed approximately 30 hours per month of Ms. Overstreet's worktime (Id., ¶ 170). An automated scan of USAble's computer network identifies “vulnerabilities.” (Id., ¶ 171). The scan might identify a weakness in the source code of an operating system, such as Linux, on USAble computers (Id., ¶ 172). In coordination with the Information Technology department, Ms. Overstreet evaluated the vulnerability to assess the type of “gap” identified by the vulnerability scan, to what extent it affected USAble's systems, and whether a “patch” was necessary or the associated risk was acceptable (Id., ¶ 173).

Similar to vulnerability management, SIEM (Security Information and Event Management), a task on which Ms. Overstreet spent an estimated five hours a month, required her to analyze and resolve potential threats-or “intrusion[s]”-“into [USAble's] data.” (Id., ¶ 174). SIEM software is like a “detection system,” gathering log and event data from USAble's technology infrastructure and identifying potentially “nefarious” events (Id., ¶ 175). SIEM compares these events with the aggregate data it collects to determine if an event is harmless or a potential threat (Id., ¶ 176). Ms. Overstreet “parse[d] through” potential threats to determine whether each was a “potential intrusion” or could be explained (Id., ¶ 178). Based on a review of the SIEM report, Ms. Overstreet “could generally tell whether . . . it was nothing at all” or something that was a “high-alert situation.” (Id., ¶ 179). If she could not make a definitive determination, she treated it as “something [she] needed to investigate.” (Id., ¶ 180). The SIEM report may indicate a potential threat originated in a particular department or with a particular computer, in which case Ms. Overstreet may reach out to see if the potential threat could otherwise be explained (Id., ¶ 181). Ms. Overstreet's investigation may also include consulting with other EIS employees (Id., ¶ 182).

The task of “Database Activity Monitoring” is similar to SIEM management and vulnerability management and consumed an estimated 20 hours of Ms. Overstreet's time per month (Id., ¶ 183). Similar to the SIEM report and vulnerability management scan, Ms. Overstreet analyzed the output produced by the Database Activity Monitoring program and investigated the “anomal[y]” to make a determination as to whether it was “something that [EIS] need[ed] to address.” (Id., ¶ 185).

Rounding out Ms. Overstreet's responsibilities relating to threat and vulnerability analysis are “Threat Hunting” and “Threat Intelligence,” which, collectively, encompassed approximately 16 hours of her monthly worktime (Id., ¶ 186). “Threat hunting and threat intel[ligence] is taking time to [research] where some type of potential threat could be coming in.” (Id., ¶ 187). Ms. Overstreet analyzed “intelligence threat reports” and “white papers,” attended “webinars, seminars, [and] conference[s],” and consumed “whatever [information security materials] w[ere] available” to aid her in identifying potential threats to the security of USAble's information (Id., ¶ 188). Ms. Overstreet utilized her knowledge of the information security landscape and USAble's technology infrastructure to assess whether a particular issue with a security protocol presented a threat to USAble or its information (Id., ¶ 190).

To keep up with this “[ever]changing environment,” Ms. Overstreet continually updated and improved her knowledge by participating in continuing education, analyzing “intelligence threat reports” and “white papers,” attending “webinars, seminars, [and] conference[s],” and consuming “whatever [information security materials] w[ere] available” to her (Id., ¶ 193). Ms. Overstreet was responsible for researching and maintaining her knowledge of information security threats and vulnerabilities, including current trends and issues, in order for her to analyze and make determinations with respect to the security of USAble information using the reports she received from vulnerability scans, SIEM software, data activity monitoring software, or threat intelligence sources (Id., ¶ 195).

If Ms. Overstreet could not explain a potential threat or vulnerability then the event was escalated to an “incident,” requiring “all hands on deck,” including Mr. Ross and Mr. Shirley (Id., ¶ 196). All EIS team members were involved in managing incidents because each individual had unique knowledge potentially relevant to the incident (Id., ¶ 197).

Ms. Overstreet spent an estimated eight hours per month on tasks related to “Incident Management.” (Id., ¶ 198). While Mr. Ross or Mr. Shirley determined what the response to an incident would be, it was investigated by Ms. Overstreet, individually, or a group of EIS team members, depending on the severity of the threat (Id., ¶ 199). Ms. Overstreet, in conjunction with the EIS team, analyzed the data to ascertain whether, for instance, there was an attempted breach of USAble's network (Id., ¶ 201). When it was her turn in the rotation, Ms. Overstreet prepared a report based on the outcome of an investigation into an incident, which was provided to Mr. Ross or Mr. Shirley (Id., ¶ 202). EIS then made a recommendation as a department based on the findings of the investigation, which would filter through the “legal and communications teams” to ensure USAble “follow[ed] all the right laws . . . and the rights words are said.” (Id., ¶ 203). Reporting requirements mandated that USAble report security breaches or attempted breaches within a certain timeframe (Id., ¶ 204).

The Court takes note of the plaintiffs' objection to Paragraph 199 of the Statement of Undisputed Facts (Dkt. No. 33 ¶ 199). However, the Court relies on Ms. Overstreet's deposition testimony in which she confirms the facts stated in Paragraph 199. See Overstreet Dep. 92:1-15.

For an estimated 20 hours a month, Ms. Overstreet engaged in “Employee Training and Awareness,” which came up as “project underneath all of those umbrellas that we had as our job duties.” (Id., ¶ 205). While there was a training department at USAble, information security training and awareness “was all on [EIS] to do,” and Ms. Overstreet took responsibility for a “bulk” of the work (Id., ¶ 206). During the semi-annual meetings that Ms. Overstreet conducted with each department regarding updates to their business continuity plans, she took the “time to also educate” employees on, for instance, “this is what Malware is, this is what happens when you get an e-mail that says click on that link, let's not do this.” (Id., ¶ 207). Ms. Overstreet also participated in setting up booths on a quarterly basis “to help educate the general population of [USAble] [] because . . . they're our first line of defense in protecting data . . ., by not clicking on those types of things [an e-mail that says click on that link], or sending money to Uncle Jack in Iran.” (Id., ¶ 208). Ms. Overstreet used examples of security “incidents” that actually occurred at USAble to “educate every single employee on how they can best protect our data.” (Id., ¶ 209). Ms. Overstreet also sent out “weekly emails . . . that said . . . don't do these things, or here are some things that we need to be aware [of].” (Id., ¶ 210).

“Contract Review” and “Vendor Security Management” each consumed an estimated three hours of Ms. Overstreet's work time per month (Id., ¶ 211). The “contract team would always send [EIS] new contracts [and] updated contracts to look at from a security perspective.” (Id., ¶ 212). Ms. Overstreet examined the contracts to assess whether any of the contractual provisions would present a problem for USAble “security wise.” (Id., ¶ 213). After Ms. Overstreet's assessment, Mr. Ross would forward to USAble's contract department (Id., ¶ 214). “Vendor Security Management” is the “same concept[]” as “Contract Review,” but for “on[]boarding a new vendor.” (Id., ¶ 215). If USAble wanted to engage a new vendor, Ms. Overstreet “would . . . assess the security as a vulnerability against this vendor.” (Id., ¶ 216). That is, assessing whether the vendor's security presents a vulnerability for USAble (Id.).

3. James Young

Mr. Young began his employment with USAble on or about November 24, 2003, in the position of “Help Desk Analyst.” (Id., ¶ 236). In the “early 2010s,” Mr. Young earned his PowerShell Administration Certificate (Id., ¶ 237). In 2014, Mr. Young attained a Certified Ethical Hacker certification and, subsequently, an updated version of the same certification (Id., ¶ 239). “As a certified ethical hacker,” Mr. Young had to “find every way in and constantly try to fill those voids of . . . capability or lack of training.” (Id., ¶ 241). In January 2017, Mr. Young joined EIS as an Information Security Analyst II and was promoted to an Information Security Analyst III prior to his termination on or about October 2, 2018 (Id., ¶ 243). Given Mr. Young's training as a certified ethical hacker, he “leaned more towards vulnerability management.” (Id., ¶ 244).

Mr. Young spent an estimated 30 hours per week engaging in vulnerability management and five hours per week on patch management-a natural concomitant of vulnerability management (Id., ¶ 245). “[A]ny type of patch or vulnerability that was disclosed in the community” was assessed in-house and, if USAble had any of those vulnerabilities, Mr. Young found “a way to remediate and/or contain it.” (Id., ¶ 248). Mr. Young identified vulnerabilities emanating from users by conducting phishing exercises, in which EIS “sen[t] out those e-mails that tried to get people to click on things randomly.” (Id., ¶ 249). If a USAble employee clicked on the link imbedded in the “phishing” e-mail, Mr. Young knew to “single that individual out and train them.” (Id., ¶ 250).

The Court takes note of the plaintiffs' objection to paragraph 245 of the Statement of Undisputed Facts (Dkt. No. 33, ¶ 245). However, the Court relies upon Mr. Young's deposition testimony, wherein he confirmed that he spent 30 hours a week on vulnerability management and five hours a week on patch management. Young Dep. 87:17-23.

Mr. Young identified vulnerabilities inherent in software or a system through a variety of means (Id., ¶ 252). “[B]ig companies” are constantly seeking to identify vulnerabilities in their applications and software (Id.). Rapid7 was an application that Mr. Young ran which scanned for vulnerabilities and produced a report that he could review (Id., ¶ 255). Once vulnerabilities were identified, it was Mr. Young's task to fix them within USAble's system (Id., ¶ 256). Mr. Young made recommendations to Mr. Ross regarding a patch to a vulnerability he had identified, and Mr. Ross relayed this information to the IT department for application (Id., ¶ 257). When a patch was not available or exposed other vulnerabilities, Mr. Young had to develop new methods to remediate the vulnerability as best as possible (Id., ¶ 262). When the vulnerability itself could not be remediated, Mr. Young had to “find new ways to” protect the information housed by USAble, such as PHI (Id., ¶ 264). In the healthcare industry, protecting information is paramount (Id., ¶ 265). Mr. Young was responsible for managing vulnerabilities and patches while ensuring that the process complied with the vast number of regulations guarding the PHI maintained by USAble (Id., ¶ 267).

Mr. Young was also “one of the fortunate two people . . . that [] had direct ties with the BlueCross Association and . . . their threat community.” (Id., ¶ 268). Blue Cross Association was an interstate association of BlueCross organizations that identified threats and vulnerabilities (Id., ¶ 269). Mr. Young “was the only one that actually had the direct communication and IM [instant messenger] with the [BlueCross] [A]ssociation.” (Id., ¶ 270). The IM was “considered a war room” and was “a[n] alert system to get information out there and disseminate it very, very, very rapidly.” (Id., ¶ 271).

SIEM (Security Information and Event Management) encompassed approximately five hours of Mr. Young's weekly time (Id., ¶ 273). The SIEM, which was managed by IBM, would provide a report of “event log” information to EIS that Mr. Young had to analyze and determine if it was “normal.” (Id., ¶ 275). Mr. Young would assess whether a breach of USAble's network had occurred by reviewing the SIEM report for “indicators of compromise,” which segues into threat intelligence (Id., ¶ 276).

Threat hunting and threat intelligence, each of which consumed an estimated eight hours of Mr. Young's weekly work time, is the process of identifying and locating those “indicators of compromise.” (Id., ¶ 277). Part of threat intelligence is “getting with other security professionals.” (Id., ¶ 278). Mr. Young further worked with the BlueCross Association, read white papers, monitored new reports, and reviewed SIEM reports themselves to identify data in USAble's event log entries or in other areas of its network systems that may be indicative of potentially malicious activity-or “indicators of compromise.” (Id., ¶ 280).

One mechanism Mr. Young used to “hunt” threats was to “pass[] [indicators of compromise] over to the SIEM.” (Id., ¶ 281). Mr. Young investigated indicators of compromise to determine what systems they came from and whether the indicator could be explained by legitimate activity (Id., ¶ 282). Mr. Young looked at the information, deciphered the information, and passed it to the IT department to be worked on (Id., ¶ 283). Mr. Young cooperated with the IT department to verify whether an indicator of compromise was explained by legitimate activity or whether it was nefarious activity (Id., ¶ 284). Mr. Young provided his assessment to Mr. Ross or Mr. Shirley (Id., ¶ 285).

Mr. Young documented all steps of incident investigations for regulatory reasons (Id., ¶ 289). Mr. Young was very familiar with the regulations that governed security issues with respect to entities like USAble (Id., ¶ 290).

Mr. Young spent approximately 20 hours per week on database activity monitoring, which was “a lot like the SIEM.” (Id., ¶ 291). “[E]very time [someone] run[s] a query or someone logs onto it [the database], it accesses several tables to get that information.” (Id., ¶ 293). Mr. Young analyzed this data to determine what could be explained as “normal activities”-what “are not threats or vulnerabilities or concerns.” (Id., ¶ 294). Based on his analysis of what constituted normal activity, he made recommendations to the “database guys” before information was passed back through the SIEM (Security Information and Event Management) (Id., ¶ 295). This information could be fed into the SIEM in order to focus the SIEM reports on the activity that EIS should look into (Id., ¶ 296). USAble was charged based on how many events the SIEM read (Id., ¶ 297). Therefore, the more events that Mr. Young could identify as “normal” activities, “that's more money back in the pockets of [USAble].” (Id., ¶ 298). Mr. Young was essentially “train[ing]” the database activity monitoring system to send only the important information to SIEM (Id., ¶ 299).

Mr. Young spent an estimated 30 hours per week on HITRUST compliance management (Id., ¶ 300). Mr. Young had to be familiar with the regulations to know when a regulation required more of USAble than a HITRUST standard may require (Id., ¶ 304). It was a necessity that Mr. Young spent ample time educating himself on regulatory and HITRUST requirements (Id., ¶ 305). Mr. Young had to assess USAble's current enterprise standards and identify any differences between those standards and “where we [USAble] needed to be” under HITRUST (Id., ¶ 306). This task was further complicated by the fact that he had to determine whether a particular HITRUST requirement was derived from a regulatory mandate that was not applicable to USAble (Id., ¶ 307). Mr. Young's conclusions were conveyed to the appropriate USAble personnel (Id., ¶ 309).

Mr. Young was “backup” for the entire policy drafting project, which he worked on for approximately 15 hours per week (Id., ¶ 310). In January 2017, EIS “was having daily conversations” pertaining to the policy project (Id., ¶ 311). Though EIS paid for policy templates, Mr. Young participated in “comb[ing] through them” and revising the language to account for updated HITRUST controls and procedural changes (Id., ¶ 315). Mr. Young and the EIS team went through each template to assess whether a particular provision in the policy derived from a regulation with which USAble was obligated to comply (Id., ¶ 318). Mr. Young spent time individually researching, devising language, and developing a policy, which the EIS team would collectively analyze, break down, and provide input on before being put in a form ready to be sent to Mr. Ross or Mr. Shirley (Id., ¶ 319). “[I]t was a balancing act” of Mr. Young and EIS team members negotiating policy wording and obligations that were compliant with applicable regulations, meeting as many HITRUST controls as possible, and that were acceptable to the relevant department (Id., ¶ 322).

Mr. Young was also a “backup in business continuity,” which encompassed an estimated 30 hours per week of his work time (Id., ¶ 323). Mr. Young worked with Ms. Overstreet on auditing departmental business continuity plans on either a quarterly or biannual basis (Id., ¶ 324). Mr. Young and Ms. Overstreet spent several weeks going over documentation with the various USAble departments, ensuring that each business continuity plan met the requirements both of USAble and USAble's clients (Id., ¶ 329). If USAble needed a particular service to be “up and running within 72 hours” to prevent “deep financial or reputational risk,” Mr. Young worked with the department providing that service to ensure that USAble's standards could be achieved under its business continuity plan (Id., ¶ 330). In these meetings, he also went over the business continuity plans line by line to identify any deficiencies or cracks in the plan and worked with the departments to address these deficiencies or unaddressed issues (Id., ¶ 331).

Mr. Young spent an estimated five hours per week engaged in disaster recovery management, which involves the development or creation of manmade scenarios that would cause outages or interruptions in order to test the business continuity plans (Id., ¶ 334). These “manmade” scenarios were tested in disaster recovery exercises, a job duty which encompassed 40 or more hours per week of Mr. Young's work time during the period in which EIS was preparing for, conducting, and concluding these exercises (Id., ¶ 335).

Mr. Young spent an estimated 30 hours per week on audit management during the period of time he was preparing for and in the midst of an audit (Id., ¶ 337). Mr. Young's responsibility with respect to audits was to identify the controlling question, contact the control owner, and relay the information back to the auditor or client (Id., ¶ 339). Mr. Young consulted with the employee(s) responsible for performing the relevant task, confirmed that the employee(s) performed the task consistently, obtained proof that the employee(s) performed the task consistently, and relayed that evidence to the auditor (Id., ¶ 341).

Mr. Young used CAP Keeper, an in-house program, to monitor testing exceptions from audits (Id., ¶ 344). He entered testing exceptions in CAP Keeper to track and ensure that the deficiencies identified in the audit were corrected by appropriate USAble personnel (Id., ¶ 345). Mr. Young spent approximately five hours per week in CAP Keeper monitoring, tracking, and ensuring audit deficiencies were corrected (Id., ¶ 347).

As a certified ethical hacker, Mr. Young was also proficient in risk analysis, which consumed an estimated three hours per week of Mr. Young's work time (Id., ¶ 348). Mr. Young gathered all the data and advised leadership of the likelihood of a security breach happening and the impact on USAble if the breach occurred (Id., ¶ 350). Mr. Young had to consider finances in conjunction with the ability of USAble to continue functioning (Id., ¶ 352). Based on his risk analysis, Mr. Young produced “recommendation[s] to [] leadership.” (Id., ¶ 356). A risk assessment had to be conducted at least annually pursuant to HIPAA because USAble maintained PHI (Id., ¶ 359).

Though the Statement of Undisputed Facts states that Mr. Young worked for three hours on risk analysis, the Court relies on Mr. Young's deposition testimony wherein he confirmed that he worked on risk analysis for two hours a week. Young Dep. 98:1-3.

Mr. Young spent an estimated eight hours per week on his incident management duties, which involved “preparing for an incident.” (Id., ¶ 361). Mr. Young had to plan and document what was going to happen in the event of a security incident and what EIS would “like to happen.” (Id., ¶ 363). Mr. Young was continuingly reworking these incident plans and processes based off everchanging technology and threat landscapes and to account for security incidents that occurred (Id., ¶ 364).

Mr. Young spent approximately three hours per week reviewing contracts (Id., ¶ 365). Mr. Young analyzed the contract to ensure that the other party “met those . . . minimum requirements . . . for [USAble] to maintain HITRUST certification.” (Id., ¶ 367). Depending on whether the contract met USAble's requisite security standards, Mr. Young would approve or reject it from an information security standpoint (Id., ¶ 368). Vendor security management was, in essence, a continuation of Mr. Young's initial contract review and encompassed an estimated seven hours of Mr. Young's weekly work time (Id., ¶ 369). Managing vendor security required Mr. Young to ensure that a vendor's security posture does not change over time so as to fall out of compliance with the regulatory requirements, security frameworks, and internal standards applicable to USAble (Id., ¶ 370).

Mr. Young also tested software that EIS needed to secure the information of USAble (Id., ¶ 371). Mr. Young needed to test the software to ensure that using would “break something” else (Id., ¶ 373). During the testing period, Mr. Young generally “had a work licensed copy of the application for 90 days . . . to successfully deploy and test” the software to see if it fit USAble's needs (Id., ¶ 374). Mr. Young tested the software to determine whether he “liked it, it worked, [and] it did what [he] needed it to do from a security perspective.” (Id., ¶ 376). Mr. Young provided his assessment of the product to USAble so that it could determine whether it should proceed with purchasing these multi-million-dollar software applications (Id., ¶ 377).

4. Janel Broadhurst

Prior to her employment with USAble, Ms. Broadhurst studied Computer Science at Texarkana College for two years and UALR for another year (Id., ¶ 380). Ms. Broadhurst subsequently earned certification in local area networking (Id., ¶ 381). Ms. Broadhurst began as an employee of a contractor for USAble in 2005 before being hired by USAble in April 2006 as a Microsecurity Analyst III (Id., ¶ 382). While at USAble, she took a number of “auditing and security classes” through “SANS” and obtained her HITRUST certification (Id., ¶ 383). SANS Institute is a private company specializing in information security and cybersecurity training and certifications (Id., ¶ 384). During the applicable statutory period, Ms. Broadhurst was employed by USAble in the position of Information Security Analyst III (Id., ¶ 385).

Ms. Broadhurst spent approximately 25 hours per week working “with Policies and Procedures and . . . working on the SharePoint site which was the ‘warehouse’ of all [USAble's] Enterprise Policies and Procedures (“EPP”).” (Id., ¶ 386). Ms. Broadhurst “oversaw” the policy drafting project from late 2016 through late 2017 (Id., ¶ 387). Ms. Broadhurst assigned policies and regularly consulted with the “project manager” to review deadlines and discuss the project's progress (Id., ¶ 388). To facilitate the drafting of discrete policies, Ms. Broadhurst drafted an “information security . . . company policy,” which instructed policy drafters on the EIS team as to “how to write a policy” that was assigned to them (Id., ¶ 390). Ms. Broadhurst and the EIS team met and collaborated on the wording of each policy (Id., ¶ 392). In these group meetings, the EIS team members, including Ms. Broadhurst, would debate and provide input on the content of the policies, including whether the policy language complied with HITRUST requirements and USAble's expectations (Id., ¶ 393). Once the EIS team finalized the policy draft, Ms. Broadhurst submitted the policy to Mr. Ross, then Mr. Shirley, and then Ms. Ryan to finalize the policy (Id., ¶ 394). The policy draft may be returned to Ms. Broadhurst so that the EIS team could incorporate changes, such as “legal verbiage” added by a separate department (Id., ¶ 395).

Ms. Broadhurst spent an estimated 30 hours per week on HITRUST compliance management, which USAble was “working towards getting.” (Id., ¶ 396). Ms. Broadhurst and the EIS team met and parsed through the comprehensive HITRUST requirements “line by line” and assessed what standards USAble had to meet and what standards were applicable to the various USAble departments (Id., ¶ 402). After performing their analysis, the EIS team advised Mr. Ross and Mr. Shirley of the standards various USAble departments had to meet in order to comply with HITRUST requirements, and Mr. Ross would relay these standards recommended by the EIS team to the various departments (Id., ¶ 404). Ms. Broadhurst was required to maintain her HITRUST certification to ensure that she was always knowledgeable of the complex HITRUST requirements (Id., ¶ 405).

Ms. Broadhurst spent an estimated 20 hours per week on SharePoint and 30 hours auditing policies (Id., ¶ 406). Working on the SharePoint website, she ensured “existing policies,” which were housed on different websites, were moved into SharePoint (Id., ¶ 407). Ms. Broadhurst was responsible for appropriately categorizing policies in SharePoint and designating the “main person to review” those policies (Dkt. No. 33, ¶ 408). She advised departmental employees, those working outside of EIS, responsible for particular policies when it was time to update those policies, either confirming that content of the policies was still accurate or ensuring appropriate revisions were completed (Dkt. No. 26, ¶ 409). The policy was then returned to Ms. Broadhurst to review and “ma[k]e sure everything was okay” and then put it back onto SharePoint (Id., ¶ 410). SharePoint was not just for IT policies and procedures-it was a centralized repository for policies from other departments that auditors would regularly ask for when conducting an audit (Id., ¶ 411).

The Court acknowledges the plaintiffs' denial of paragraph 408 of the Statement of Undisputed Facts (Dkt. No. 33, ¶ 408). The Court relies on Ms. Broadhurst's deposition testimony, wherein she stated that she “had to pick who was the main person to review” the above-mentioned policies. Broadhurst Dep. 31:1-7.

Ms. Broadhurst regularly consulted with two other departments outside of EIS whose work impacted the security of USAble (Id., ¶ 412). Ms. Broadhurst reviewed their policies and procedures as she consolidated them into SharePoint (Id., ¶ 413). Ms. Broadhurst advised them on particular aspects of the policies that needed to be revised in order to provide the information for which auditors were looking (Id., ¶ 415).

For her database activity monitoring and vulnerability management responsibilities, Ms. Broadhurst utilized a program called “Vericept.” (Id., ¶ 416). Vericept monitored Internet activity for indicators of hacking or attacks (Id., ¶ 419). The program produced a report that Ms. Broadhurst would check on a daily basis (Id., ¶ 420). For database activity monitoring, Ms. Broadhurst analyzed the Vericept report to determine whether PHI was being securely transmitted (Id., ¶ 421). Ms. Broadhurst would counsel the USAble employees on the proper manner to transmit PHI securely (Id., ¶ 425). Ms. Broadhurst reviewed all vulnerabilities that were identified by the Vericept report (Id., ¶ 426). Ms. Broadhurst made a determination as to whether the vulnerability could be explained as a simple mistake, in which case she counseled the individual on proper procedure, or whether it was an actual vulnerability (Id., ¶ 427).

If vulnerabilities or threats were identified in Vericept, Ms. Broadhurst had to “hunt down” each potential threat (Id., ¶ 428). Ms. Broadhurst spent approximately eight hours per week threat hunting (Id., ¶ 429). This threat hunting responsibility included, among other responsibilities, reviewing white papers and researching information security issues so that Ms. Broadhurst could maintain her knowledge base of the everchanging threat landscape (Id., ¶ 431). Ms. Broadhurst spent approximately five hours per week on data loss protection, which was “another program [like Vericept] that . . . helped” Ms. Broadhurst “mak[e] sure that [USAble] didn't lose any data, at least as far as [she] could see from the Internet side.” (Id., ¶ 432). For example, Ms. Broadhurst ensured that PHI was on a secure line when it was transmitted so that it was not vulnerable to hackers (Id., ¶ 433). Ms. Broadhurst tracked the data to a particular IP address, ensured that it was secure, and confirmed “there was no data loss.” (Id., ¶ 434).

The Court takes note that the Statement of Undisputed Facts claims that “[t]o aid in making these assessments and determinations, Ms. Broadhurst spent approximately eight hours per week reviewing white papers and researching information security issues to maintain her knowledge base of the everchanging threat landscape.” (Dkt. No. 26, ¶ 431). However, the Court relies on Ms. Broadhurst's deposition testimony. In her deposition, Ms. Broadhurst admits to reviewing white papers and researching information security issues. Broadhurst Dep. 49:3-7. However, she does not assign a specified number of hours to those activities in the cited testimony based upon the Court's review. Id.

The Court takes note that the Statement of Undisputed Facts claims that Ms. Broadhurst worked eight hours on data loss protection (Dkt. No. 26, ¶ 432). However, the Court relies on Ms. Broadhurst's deposition testimony. In her deposition, Ms. Broadhurst admits to spending five hours per week on data loss protection. Broadhurst Dep. 70:2-3.

Ms. Broadhurst spent an estimated eight hours per week on incident management (Id., ¶ 435). Ms. Broadhurst was the “point person” for incident management for a week at a time approximately every five weeks (Id., ¶ 436). If a security incident involved a certain program, Ms. Broadhurst would request that program administrator “check and see if there's been vulnerabilities to this program” or if “anybody that's not authorized . . . [had] been on there.” (Id., ¶ 438). Ms. Broadhurst would resolve or continue investigating the incident pursuant to a particular protocol (Id., ¶ 439). Ms. Broadhurst had to “document every single step”-“[e]very minute had to be detailed”-and, once the incident was resolved, she prepared a comprehensive report (Id., ¶ 440).

Ms. Broadhurst spent two hours per week on business continuity program management (Id., ¶ 441). Ms. Broadhurst worked with the EIS team to develop and maintain business continuity policies (Id., ¶ 442). Ms. Broadhurst's responsibilities with respect to risk assessments went “along with [] business continuity.” (Id., ¶ 443). Ms. Broadhurst and the EIS team reviewed “information and analysis” from other USAble departments, took into consideration security guidelines, and analyzed and made an assessment of the risk and security concerns from an information security standpoint of the activities of those other departments and whether that risk was acceptable (Id., ¶ 444). Based on their analysis, EIS would present their risk assessment and make recommendations to Mr. Ross or Mr. Shirley as to whether USAble should address the risk or it should be accepted by the company (Id., ¶ 445).

Ms. Broadhurst also participated in disaster recovery exercises conducted by the EIS team which encompassed an estimated 40 hours per week when she was over that function (Id., ¶ 446). Ms. Broadhurst, with everyone on the EIS team, gave her input and suggestions on how the disaster recovery plan, including how it was carried out, could be altered to result in a different outcome (Id., ¶ 453).

Ms. Broadhurst dedicated approximately 20 hours per week to employee training and awareness (Id., ¶ 455). When her work with Vericept revealed that an employee was engaging in risky behavior with regard to his or her Internet usage, she would take the opportunity to “let[] them know how to safely get on the Internet using HTTPS.” (Id., ¶ 456).

Ms. Broadhurst also maintained a “blog” on USAble's intranet that included both awareness and educational topics (Id., ¶ 457). Additionally, Ms. Broadhurst provided information to USAble's Training Department so that the Training Department had the requisite knowledge needed to train employees on information security (Dkt. No. 26, ¶ 459; Dkt. No. 33, ¶ 459).

SDLC (System Development Lifecycle) management consumed approximately five hours per week of Ms. Broadhurst's work time (Dkt. No. 26, ¶ 463). Older equipment and applications present security concerns because they inherently have more vulnerabilities (Id., ¶ 465). Ms. Broadhurst and the EIS team developed an SDLC (System Development Lifecycle) policy used to assess when a PC, software, or hardware needs to be updated and/or when an entire new system is necessary (Id., ¶ 466). Then, the EIS team made recommendations to Mr. Ross or Mr. Shirley as to whether a particular “lifecycle” was appropriate from a security perspective (Id., ¶ 468).

Ms. Broadhurst spent an estimated three hours per week reviewing contracts for USAble (Id., ¶ 469).

5. Scott Cavanaugh

Mr. Cavanaugh was enlisted in the United States Navy from on or about 1984 until 2001, during which time he was involved in “security in some fashion or form,” even working inside a sensitive compartmented information facility for a number of years (Id., ¶ 474). While in the Navy, Mr. Cavanaugh studied Mathematics at Hawaii Pacific University for two years (Id., ¶ 475). Subsequently, Mr. Cavanaugh was an Army Reservist in Illinois (Id., ¶ 476). In the private sector, Mr. Cavanaugh accrued approximately three years of experience working in cybersecurity at Afni, Inc. (Id., ¶ 477). Mr. Cavanaugh earned the following certifications prior to his employment with USAble: Certified Protection Specialist (“CPS”) and CISSP (Dkt. No. 26, ¶ 478; Dkt. No. 33, ¶ 478). After leaving USAble, Mr. Cavanaugh earned a certification as a Certified Data Privacy Solutions Engineer (“CDPSE”) (Dkt. No. 33, ¶ 478).

Mr. Cavanaugh was hired by USAble in August 2017 as an Information Security Analyst III (Dkt. No. 26, ¶ 479). During his employment, USAble sent him to HCISSP (Healthcare Certified Information Systems Securities Professional) training, but Mr. Cavanaugh resigned in August 2018 prior to earning the certification (Id., ¶ 480).

Mr. Cavanaugh spent approximately 30 hours per week on vulnerability management when he started the program (Dkt. No. 26, ¶ 482; Dkt. No. 33, ¶ 482). Mr. Cavanaugh testified that he worked four to six hours per day on vulnerability management for the first three to four months of his employment with USAble (Id., ¶ 483). Mr. Cavanaugh testified that he worked 30 hours per week for approximately six to eight weeks of his employment with USAble (Id., ¶ 484).

When Mr. Cavanaugh was hired by USAble, EIS was using a tool for vulnerability management called “Tenable.” (Id., ¶ 485). Mr. Cavanaugh recommended to Mr. Ross and Mr. Shirley that USAble bring in a product called “InsightVM by a company called Rapid7.” (Id., ¶ 487). Mr. Cavanaugh explained the many advantages of InsightVM over Tenable (Id., ¶ 489). InsightVM required nearly constant monitoring by Mr. Cavanaugh (Id., ¶ 492). Mr. Cavanaugh reviewed all the information acquired by InsightVM and assessed how to remediate any vulnerabilities (Id., ¶ 496-7). After analyzing that data and assessing the vulnerability, Mr. Cavanaugh coordinated with the IT department to apply a “patch” to remediate the vulnerability (Id., ¶ 498). Once a patch was applied, Mr. Cavanaugh ran a follow-up scan to ensure that the patch worked and the vulnerability was remediated (Id., ¶ 499). Mr. Cavanaugh spent an estimated five hours per week working on “patch management.” (Id., ¶ 501).

Business continuity management and disaster recovery management, collectively, consumed an estimated 35 hours of Mr. Cavanaugh's weekly work time (Id., ¶ 504). Mr. Cavanaugh worked with Ms. Overstreet to review these individual departmental plans to determine if they fit within USAble's security requirements (Id., ¶ 508). Disaster recovery exercising required Mr. Cavanaugh to apply the disaster recovery plans to disaster scenarios and encompassed approximately 40 hours per week of Mr. Cavanaugh's work time for the “last couple months” of his employment with USAble (Id., ¶ 511). Disaster recovery exercising is further complicated by “tiering applications.” (Id., ¶ 516).

During Mr. Cavanaugh's employment with USAble, the company was striving for HITRUST certification, managing compliance of which encompassed an estimated 30 hours per week (Id., ¶ 518). He made “multiple suggestions” to Mr. Ross and Mr. Shirley regarding how to meet HITRUST requirements that were “promptly authorized.” (Id., ¶ 519). Further, when advising and working with other USAble departments on their business continuity and disaster recovery plans, he made recommendations based on HITRUST requirements and best practices, which is required by the CISSP code of ethics (Id., ¶ 522). Mr. Cavanaugh also ensured that policies drafted by USAble were compliant with HITRUST standards (Id., ¶ 524).

Mr. Cavanaugh spent approximately 30 hours per week on risk assessment and risk analysis (Id., ¶ 526). Any time a USAble employee told Mr. Cavanaugh he or she wanted to perform any task, he had to assess it and “figure out . . . [i]f it fit inside that [security] framework.” (Id., ¶ 531). Risk assessment also included third party risk assessments (Id., ¶ 533). Mr. Cavanaugh and the EIS team would review those questions and provide their “suggestions” to Mr. Ross and Mr. Shirley (Id., ¶ 536).

Mr. Cavanaugh spent an estimated 15 to 20 hours per week drafting policies (Id., ¶ 537). Mr. Cavanaugh recalled drafting the “Clean Desk Top” Policy and three to four others he could not specify (Id., ¶ 541).

Mr. Cavanaugh spent approximately eight hours a day helping Mr. Young with threat intelligence and threat hunting but only “for a short time.” (Id., ¶ 543). However, the eight hours of work time did not include the time he “spent making [him]self smart and keeping ahead.” (Id., ¶ 544). Mr. Cavanaugh's responsibilities included “looking for any of those gaps in [] security. Not only logically, but physical . . . controls.” (Id., ¶ 545).

Employee training and awareness, which consumed about 20 hours per week of Mr. Cavanaugh's work time, included the time he “spent making [him]self smart and keeping ahead.” (Id., ¶ 546). When USAble was considering implementing a new anti-virus solution, Mr. Cavanaugh “s[a]t there and read what does Crowdstrike do that McAfee doesn't that maybe Carbon Black Defense does. . .” (Id., ¶ 548).

Mr. Cavanaugh worked on the SIEM (Security Information and Event Management) project for no more than six to eight weeks (Id., ¶ 553). Mr. Cavanaugh could spend “hours and hours” investigating to determine if the “one thing that's out of place” is a “false positive, . . . a hiccup, maybe a switch went down,” or an “internal or external actor” on USAble's network (Id., ¶ 557).

Mr. Cavanaugh spent approximately three hours on contract review and three hours on vendor security management, which went hand-in-hand with contract review (Id., ¶ 559). Generally, Mr. Cavanaugh reviewed potential contracts to determine if it is “good for USAble or it not, [d]o we need to change . . . this little section or not.” (Id., ¶ 560).

If Mr. Cavanaugh was “on call,” he could spend “hours and hours” mitigating an “incident.” (Id., ¶ 566). In general, Mr. Cavanaugh spent an estimated eight hours per week performing “incident management” duties (Id., ¶ 567). If there was a reported breach and EIS had a “policy and procedure in place” for that particular suspected breach, Mr. Cavanaugh “would follow that until mitigation.” (Id., ¶ 568). Absent a policy, Mr. Cavanaugh used his experience and knowledge about HITRUST requirements and best practices to ensure that investigations into security incidents were conducted appropriately (Id., ¶ 572). Depending on the circumstances, he may also consult with the EIS team member with the most subject matter expertise to provide insight into his incident investigation (Id., ¶ 573). After the incident was concluded, Mr. Cavanaugh wrote a report outlining the security issues, how it was handled, and if it was resolved (Id., ¶ 574).

6. S. Todd Miller

Prior to his employment with USAble, Mr. Miller attended the University of Arkansas at Fayetteville and UALR, earning a degree in Criminal Justice from the latter (Id., ¶ 577). Mr. Miller worked at GVH Consulting prior to being hired by USAble as a Microservices Analyst (Id., ¶ 578). Mr. Miller was promoted in late 2016 or early 2017 to a Lead Information Security Analyst I and remained in the position until his separation of employment on August 9, 2018 (Id., ¶ 579). During the applicable statutory period, Mr. Miller maintained CISSP (Certified Information Systems Security Professional) and HITRUST certifications (Id., ¶ 580). Also while employed at USAble, Mr. Miller attended SANS training and various annual conferences pertinent to his position (Id., ¶ 582).

Mr. Miller spent approximately five hours per month performing SIEM (Security Information and Event Management) and eight hours per month each on threat hunting and threat analysis (Id., ¶ 583). Mr. Miller used the SIEM tool, which at the time was a “new system,” to monitor internal and external security threats (Id., ¶ 584). Mr. Miller reviewed these security logs looking for “[f]ailed log-in attempts; lockouts, use lockouts; anomalous activity from certain systems or inside [or] outside threats,” and, generally, to ensure “everything's in order with security.” (Id., ¶ 588). Once Mr. Miller located this information, he consolidated it into “weekly reports.” (Id., ¶ 589). Mr. Miller provided these reports to Mr. Ross or Mr. Shirley, and if anything “rose to the level of an incident,” the EIS team “would go through an Incident Response Plan.” (Id., ¶ 590). Threat intelligence required Mr. Miller to “verify[] or tak[e] in security alert information,” which “could be from Cisco, Microsoft, [or] security bulletins and advisories,” and integrat[e] those with the SIEM (Id., ¶ 591).

Mr. Miller spent an estimated 30 hours per month on HITRUST compliance management and another 15 hours per month on “working on policies and procedures,” which had to comply with HITRUST requirements (Id., ¶ 594). Mr. Miller and the EIS team would review each template “the consulting firm gave [them],” and “list out” the HITRUST guidelines (Id., ¶ 601). Generally, the policies Mr. Miller was assigned to draft were in his areas of expertise or at least a subject matter with which he had some knowledge base, including “[b]aseline configuration, vulnerability management, [and] security log management.” (Id., ¶ 604). Mr. Miller also participated in the Security Committee meetings that discussed the proposed policies (Id., ¶ 608).

Audit management and risk assessments each encompassed approximately 30 hours per month of Mr. Miller's work time (Id., ¶ 609). Audits generally required responses from other USAble departments, and Mr. Miller and the EIS team would help them prepare for audits and, during the audit process, “give them guidance on how they need to answer.” (Id., ¶ 615). Mr. Miller utilized adverse audit findings as “information security guidance” on how EIS “need[ed] to remedy and correct whatever [USAble] [was] doing wrong.” (Id., ¶ 616). Mr. Miller coordinated with other departments that were needed for third-party risk assessments to advise them of the risk assessment, scheduled meetings, and monitored the process (Id., ¶ 618). Risk analysis could also be part of his risk assessment duties and encompassed an estimated two hours per month of his work time (Id., ¶ 619). Mr. Miller's duties included the “daily monitoring of systems” that were identified in the risk assessments (Id., ¶ 620).

Mr. Miller spent approximately 30 hours per month on business continuity program management, five hours per month on disaster recovery program management, and 40 hours per month on disaster recovery exercising (Id., ¶ 621). Mr. Miller assisted with the development and maintenance of business continuity and disaster recovery plan policies including assessing whether the plans were compliant with applicable controlling regulations (Id., ¶ 624). Mr. Miller had to periodically revise the company's business continuity and disaster recovery plans and procedures to address new and different security threats that arise (Id., ¶ 627). Disaster recovery exercises were something on which Mr. Miller was constantly working (Id., ¶ 633). In addition to recurring disaster recovery tabletop exercises, Mr. Miller worked on a business continuity and disaster recovery exercise in 2018 in which USAble systems were actually taken down and brought back up (Id., ¶ 634).

Mr. Miller spent an estimated three hours per month reviewing contracts and three hours per month on vendor security management (Id., ¶ 640). Mr. Miller was responsible for ensuring that USAble's security measures were in compliance with the terms and provisions of contracts to which USAble was a party (Id., ¶ 641). Mr. Miller worked with the Contracts department to review contracts for the purchase of new computer systems for USAble to ensure that “everything's in order.” (Id., ¶ 642).

Employee awareness and training consumed approximately 20 hours per month of Mr. Miller's work time (Id., ¶ 644).

Mr. Miller spent approximately eight hours per month on incident management (Id., ¶ 650). Mr. Miller was trained on how to differentiate these “false positives” from the legitimate breaches, which occurred “almost every other week and even sometimes . . . weekly.” (Id., ¶ 656).

Mr. Miller spent an estimated five to ten hours per month on DLP (Data Loss Prevention), and approximately 20 hours per month on database activity monitoring, which was part of DLP (Id., ¶ 662). DLP is a “file-monitoring system,” looking for sensitive information, such as Social Security numbers, stored on servers and identifying when that data is transmitted (Id., ¶ 663). When Mr. Miller discovered sensitive data being transmitted to, for example, “private e-mail accounts,” he “would have to put security controls” to block unsecure transmission (Id., ¶ 664). Database activity monitoring was a “big project” under the umbrella of DLP that he spent “a lot of time on.” (Id., ¶ 665).

Mr. Miller spent approximately five hours per month on SDLC (System Development Lifecycle) management (Id., ¶ 666). SDLC management required Mr. Miller to monitor a system from the time it is installed until the end of its life (Id., ¶ 667). Mr. Miller scanned systems to determine which ones were at the end of their lives so those could be securely taken offline (Id., ¶ 669).

Mr. Miller's job duties also included vetting, assessing, and “demo-ing” systems to determine which “vendor [USAble] [was] going to go with” and which type of system would be chosen (Id., ¶ 671). Mr. Miller would choose the top three options that fit USAble's needs, then “demo” the products, installing it and testing it within USAble's technology infrastructure (Id., ¶ 674-5). After testing the product, Mr. Miller made his recommendations to Mr. Ross and Mr. Shirley as to which product USAble should utilize (Id., ¶ 677).

B. Supervision, Salary, And Structure

Mr. Ross was hired by USAble in February 2017 as Supervisor of Enterprise Information Security and was promoted to his current position, Manager of Enterprise Information Security, in July 2018 (Id., ¶ 681). Mr. Shirley was employed as Director of Enterprise Information Security. Since September 2017, he was employed as Chief Information Security Officer while still maintaining his title and job duties as Director of Enterprise Information Security (Id., ¶ 682).

From February 2017, each plaintiff was compensated on a salary basis, receiving a predetermined sum on a biweekly basis, at an equivalent weekly rate in excess of $455.00, which was not subject to reduction because of variations in the quality or quantity of the work performed (Id., ¶ 683).

Upon being hired by USAble in February 2017, Mr. Ross became the immediate supervisor of all Lead Information Security Analysts and Information Security Analysts, including plaintiffs for all periods of time they were employed by USAble in EIS (Id., ¶ 684). Accordingly, he is thoroughly familiar with the nature of plaintiffs' jobs and the work they performed at USAble (Id.). Beginning in February 2017, Mr. Shirley was Mr. Ross's immediate supervisor, but Mr. Shirley still maintained involvement in EIS (Id., ¶ 685). Accordingly, he is thoroughly familiar with the nature of plaintiffs' jobs and the work they performed at USAble (Id.).

EIS is, and was when plaintiffs were employed at USAble, a department within USAble that is responsible for the security and protection of USAble's information transmitted using or stored on USAble's computer systems (Id., ¶ 686). As a health insurance company, USAble receives, maintains, stores, transmits, and uses, as appropriate, a variety of personal information of its customers, including personal health information (“PHI”) (Id., ¶ 687). The storage and use of PHI, as well as the procedures and protocols implemented by USAble to secure that information and ensure its availability, is heavily regulated (Id.). Therefore, securing of the information USAble possesses at any given time, which the parties and the Court hereinafter refer to as “Enterprise Information,” is directly related to the operation of USAble as a health insurer (Id.).

To facilitate EIS's overarching mandate to protect Enterprise Information, plaintiffs performed a variety of discrete job functions, including, but not limited to: (i) analyzing complex data to determine whether vulnerabilities or threats to Enterprise Information were present in computer, network, or Internet systems; (ii) assessing the risk associated with identified threats and vulnerabilities; (iii) working inside USAble's technology infrastructure to mitigate and/or remediate, consulting and coordinating with the Information Technology Department where appropriate; (iv) developing security policies in compliance with HITRUST's complex security framework, which incorporated a variety of regulatory requirements; (v) making recommendations to Mr. Ross or to Mr. Shirley directly regarding steps USAble could take to attain HITRUST certification, including analyzing regulatory requirements to determine whether an integrated HITRUST control stemmed from a regulatory requirement that USAble was not required to follow; (vi) developing and maintaining departmental business continuity and disaster recovery plans, in conjunction with individual departments, each of which had individualized plans, including ensuring that the plans were compliant with HIPAA's regulatory requirements; (vii) creating, coordinating, and conducting disaster recovery exercises in compliance with HIPAA's regulatory requirements; (viii) researching and advising Mr. Ross and/or Mr. Shirley as to regulatory requirements applicable to USAble; (ix) coordinating and managing audits and tracking adverse audit findings and ensuring the identified deficiency was corrected; and (x) reviewing potential USAble contracts from a security perspective to ensure the contractual provisions met USAble's security standards and that nothing in the contract presented an issue from a security perspective (Id., ¶ 688). Each of these duties was integral to the security of USAble's Enterprise Information (Id.).

USAble asserts that Mr. Ross and Mr. Shirley relied on plaintiffs' recommendations, suggestions, insight, and/or advice to make decisions (Id., ¶ 693). USAble also asserts that Mr. Ross and Mr. Shirley rarely rejected plaintiffs' substantive recommendations or reviewed the daily work plaintiffs performed (Id., ¶ 694). When Mr. Ross made recommendations to Mr. Shirley, Mr. Shirley understood Mr. Ross's recommendations to be based on the recommendations, suggestions, insight, and/or advice of plaintiffs (Id., ¶ 695).

C. Procedural History

On February 7, 2020, separate plaintiffs Mr. Simmons, Ms. Overstreet, and Mr. Young, each individually and on behalf of all others similarly situated, filed their original complaint-collective action with this Court, seeking relief under the Fair Labor Standards Act, 29 U.S.C. § 201, et seq. (“FLSA”), and the Arkansas Minimum Wage Act, § 11-4-201, et seq. (“AMWA”), for overtime compensation, including monetary and liquidated damages, due to the purported misclassification of plaintiffs and a collective class of similarly situated employees (Dkt. No. 1). On February 24, 2020, plaintiff Mr. Miller filed his consent to join the collective action (Dkt. No. 2). On April 24, 2020, the parties jointly stipulated to the conditional certification and distribution of notice to the opt-in class: “Salaried Information Security Analysts I-III and Lead Information Security Analysts I-III employed by USAble Corporation after February 7, 2017.” (Dkt. No. 11). The parties stipulated to a 60-day opt-in period during the pendency of which opt-in plaintiffs Ms. Broadhurst and Mr. Cavanaugh each filed consents to join the collective action (Dkt. Nos. 13, 14).

USAble filed its motion for summary judgment on February 25, 2021 (Dkt. No. 24). Plaintiffs opposed the motion (Dkt. No. 32).

II. Legal Standard For Summary Judgment

Pursuant to the Federal Rules of Civil Procedure, the Court may grant summary judgment “if the movant shows that there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law.” Fed.R.Civ.P. 56(a). A dispute is genuine if a reasonable jury could render its verdict for the non-moving party. See Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248 (1986). “The mere existence of a factual dispute is insufficient alone to bar summary judgment; rather, the dispute must be outcome determinative under prevailing law.” Holloway v. Pigman, 884 F.2d 365, 366 (8th Cir. 1989). Mere denials or allegations are insufficient to defeat an otherwise properly supported motion for summary judgment. See Miner v. Local 373, 513 F.3d 854, 860 (8th Cir. 2008); Com. Union Ins. Co. v. Schmidt, 967 F.2d 270, 271-72 (8th Cir. 1992).

First, the burden is on the party seeking summary judgment to demonstrate an absence of a genuine issue of material fact. Celotex Corp. v. Catrett, 477 U.S. 317, 323 (1986); Farver v. McCarthy, 931 F.3d 808, 811 (8th Cir. 2019). If the moving party satisfies its burden, the burden then shifts to the non-moving party to establish the presence of a genuine issue that must be determined at trial. See Prudential Ins. Co. v. Hinkel, 121 F.3d 364, 366 (8th Cir. 1997); Matsushita Elec. Indus. Co. v. Zenith Radio Corp., 475 U.S. 574, 587 (1986). The non-movant “‘must do more than simply show that there is some metaphysical doubt as to the material facts,' and must come forward with ‘specific facts showing that there is a genuine issue for trial.'” Torgerson v. City of Rochester, 643 F.3d 1031, 1042 (8th Cir. 2011) (en banc) (quoting Matsushita, 475 U.S. at 586-87). “The evidence of the non-movant is to be believed, and all justifiable inferences are to be drawn in his favor.” Anderson, 477 U.S. at 255. “[I]n an FLSA exemption case such as this, the employer . . . has the burden of proving the employee fits within one of the FLSA exemptions.” Grage v. N. States Power Co.-Minnesota, 813 F.3d 1051, 1054 (8th Cir. 2015) (citing Fife v. Harmon, 171 F.3d 1173, 1174 (8th Cir. 1999)). “[W]hether [employees'] particular activities excluded them from the overtime benefits of the FLSA is a question of law.” Grage, 813 F.3d at 1054 (citing Spinden v. GS Roofing Prods. Co., 94 F.3d 421, 426 (8th Cir. 1996)).

III. Legal Standards Under The FLSA

In their complaint, plaintiffs argue that USAble incorrectly classified them as exempt from the overtime requirements of the FLSA and AMWA and did not pay each of them an overtime premium for the hours worked in excess of 40 hours in a week.

“The FLSA requires employers to pay overtime of at least one and one-half times the regular pay rate for employees who work over forty hours in one workweek.” Grage, 813 F.3d at 1054 (citing 29 U.S.C. § 207(a)(2)). Some employees are exempt from the FLSA's overtime requirements. Id. § 213(a)(1). Such exempt employees include “any employee employed in a bona fide executive, administrative, or professional capacity. . . .” 29 U.S.C. § 213(a)(1). “The FLSA and the AMWA impose similar minimum wage and overtime requirements on employers and, in cases involving claims brought under both acts, the courts have concluded that their parallel provisions should be interpreted in the same manner.” Cummings v. Bost, Inc., 218 F.Supp.3d 978, 985 (W.D. Ark. 2016) (quoting Carter v. Primary Home Care of Hot Springs, Inc., Case No. 6:14-cv-6092, 2015 WL 11120563, at *2 (W.D. Ark. May 14, 2015)).

“[W]hether an employee is exempt under the FLSA is an issue of law.” Jarrett v. ERC Props., Inc., 211 F.3d 1078, 1081 (8th Cir. 2000) (citing Icicle Seafoods, Inc. v. Worthington, 475 U.S. 709, 714 (1986)). The Eighth Circuit has held that “[c]ourts should broadly interpret and apply the FLSA to effectuate its goals because it is remedial and humanitarian in purpose.” Specht v. City of Sioux Falls, 639 F.3d 814, 819 (8th Cir. 2011) (internal quotation omitted). To promote this goal, the Department of Labor (“DOL”) has provided regulations that include factors to guide the Court in determining whether an employee qualifies for an exemption. See Fife v. Bosley, 100 F.3d 87, 89 (8th Cir. 1996) (citing 29 C.F.R. § 541).

With regard to the “administrative exemption,” these regulations state in pertinent part:

(a) The term “employee employed in a bona fide administrative capacity” in section 13(a)(1) of the Act shall mean any employee:
(1) Compensated on a salary or fee basis pursuant to § 541.600 at a rate of not less than $684 per week . . . exclusive of board, lodging or other facilities;
(2) Whose primary duty is the performance of office or non-manual work directly related to the management or general business operations of the employer or the employer's customers; and
(3) Whose primary duty includes the exercise of discretion and independent judgment with respect to matters of significance.
29 C.F.R. § 541.200.

Work directly related to management or general business operations includes but is not limited to: “auditing,” “computer network, internet and database administration,” “legal and regulatory compliance,” “and similar activities.” 29 C.F.R. § 541.201(b).

“The term ‘primary duty' means the principal, main, major or most important duty that the employee performs. Determination of an employee's primary duty must be based on all the facts in a particular case, with the major emphasis on the character of the employee's job as a whole.” 29 C.F.R. § 541.700.

With regard to discretion and independence under the administrative exemption:

The phrase “discretion and independent judgment” must be applied in the light of all the facts involved in the particular employment situation in which the question arises. Factors to consider when determining whether an employee exercises discretion and independent judgment with respect to matters of significance include, but are not limited to: whether the employee has authority to formulate, affect, interpret, or implement management policies or operating practices; whether the employee carries out major assignments in conducting the operations of the business; whether the employee performs work that affects business operations to a substantial degree, even if the employee's assignments are related to operation of
a particular segment of the business; whether the employee has authority to commit the employer in matters that have significant financial impact; whether the employee has authority to waive or deviate from established policies and procedures without prior approval; whether the employee has authority to negotiate and bind the company on significant matters; whether the employee provides consultation or expert advice to management; whether the employee is involved in planning long- or short-term business objectives; whether the employee investigates and resolves matters of significance on behalf of management; and whether the employee represents the company in handling complaints, arbitrating disputes or resolving grievances.
29 C.F.R. § 541.202 (b)
The exercise of discretion and independent judgment implies that the employee has authority to make an independent choice, free from immediate direction or supervision. However, employees can exercise discretion and independent judgment even if their decisions or recommendations are reviewed at a higher level. Thus, the term “discretion and independent judgment” does not require that the decisions made by an employee have a finality that goes with unlimited authority and a complete absence of review. The decisions made as a result of the exercise of discretion and independent judgment may consist of recommendations for action rather than the actual taking of action. The fact that an employee's decision may be subject to review and that upon occasion the decisions are revised or reversed after review does not mean that the employee is not exercising discretion and independent judgment.

29 C.F.R. § 541.202(c)

The exercise of discretion and independent judgment must be more than the use of skill in applying well-established techniques, procedures or specific standards described in manuals or other sources . . . The exercise of discretion and independent judgment also does not include clerical or secretarial work, recording or tabulating data, or performing other mechanical, repetitive, recurrent or routine work. An employee who simply tabulates data is not exempt, even if labeled as a “statistician.”
29 C.F.R. § 541.202(e)

The Eighth Circuit has made clear that “[t]he employer has the burden to prove that its employee is an executive and therefore exempt from the FLSA's overtime pay requirements.” Madden v. Lumber One Home Ctr., Inc., 745 F.3d 899, 903 (8th Cir. 2014) (citing Fife, 171 F.3d at 1174). Furthermore, the Supreme Court has rejected the principle that the FLSA's exemptions should be construed narrowly and instead determined that they are to be given a “fair reading.” Encino Motorcars, LLC v. Navarro, 138 S.Ct. 1134, 1142 (2018).

Plaintiffs bring claims under both the FLSA and the AMWA. USAble moves for summary judgment on all claims, FLSA and AMWA. In their briefing, the parties do not argue to the Court any differences in interpreting these laws or their exemptions. Generally, “[t]he FLSA and the AMWA impose similar minimum wage and overtime requirements on employers and, in cases involving claims brought under both acts, the courts have concluded that their parallel provisions should be interpreted in the same manner.” Cummings, 218 F.Supp.3d at 985 (quoting Carter, 2015 WL 11120563, at *2).

The Court notes that the AMWA states that its overtime requirements “shall not apply to any employee exempt from the overtime requirements of the federal [FLSA] pursuant to the provisions of 29 U.S.C. § 213(b)(1)-(24) and (b)(28)-(30), as they existed on March 1, 2006.” Ark. Code Ann. § 11-4-211(d). Furthermore, the Arkansas Department of Labor “may rely on the interpretations of the U.S. Department of Labor and federal precedent established under the [FLSA] in interpreting and applying the provisions of the Act and Rule 010.14-100 through -113, except to the extent a different interpretation is clearly required.” Ark. Admin. Code § 010-14.1-112.

In making its determinations in this case, the Court has reviewed all of the record evidence presented as to each named plaintiff. While disputes regarding the nature of an employee's duties are questions of fact, the “ultimate question [of] whether an employee is exempt under the FLSA is an issue of law.” Jarrett, 211 F.3d at 1081 (citing Icicle Seafoods, Inc., 475 U.S. at 714). The Court determines that, on the record evidence before it, self-serving declarations cannot be used to create a question of fact at the summary judgment stage. See Marathon Ashland Petroleum, LLC v. Intern. Broth. Of Teamsters, Chauffeurs, Warehousemen, Helpers of America, General Drivers, Helpers and Truck Terminal Employee Union, Local No. 120, 300 F.3d 945, 951 (8th Cir. 2002) (internal citations omitted). The Court has considered all record evidence presented as to each named plaintiff, construing all reasonable inferences from that evidence in favor of plaintiffs who are the non-moving parties, as is required at this stage of the litigation. For the following reasons, the Court grants summary judgment in favor of USAble.

IV. Analysis

Plaintiffs seek purportedly unpaid overtime wages due to the alleged misclassification of their positions as exempt from the minimum wage requirements of the FLSA. USAble argues that plaintiffs were properly classified as exempt because they “were well-compensated information security professionals who analyzed data and made recommendations based on their experience and knowledge with regulatory requirements and cybersecurity frameworks.” (Dkt. No. 25, at 1).

A. Rate Of Compensation

It is undisputed that all plaintiffs were compensated on a salary basis at a rate in excess of $455.00 per week exclusive of board, lodging or other facilities. The first element of the administrative exemption is not in dispute. See 29 U.S.C. § 541.200(a)(1).

The minimum weekly salary rate was raised from $455.00 per week to $684.00 per week effective January 1, 2020. See Dept. of Lab., Wage & Hour Div., Final Rule, Defining and Delimiting the Exemptions for Executive, Administrative, Professional, Outside Sales and Computer Employees, 84 FR 51230-01, 2019 WL 4690536 (Sept. 27, 2019). Thus, the minimum weekly salary rate during the applicable statutory period was $455.00 per week.

B. Primary Duties: Office Or Non-Manual Work Directly Related To The Management Or General Business Operations Of the Employer Or the Employer's Customers

To meet the second element of the administrative exemption, an employee's primary duty must be “the performance of office or non-manual work directly related to the management or general business operations of the employer or the employer's customers.” 29 C.F.R. § 541.200(a)(2). This requires an employee to perform work directly related to assisting with the running or servicing of the business, as distinguished from working on a manufacturing production line or selling a product in a retail or service establishment. 29 C.F.R. § 541.201(a).

Work directly related to management or general business operations includes, but is not limited to, work in functions and areas such as:

Tax; finance; accounting; budgeting; auditing; insurance; quality control; purchasing; procurement; advertising; marketing; research; safety and health; personnel management; human resources; employee benefits; labor relations; public relations; government relations; computer network; internet and database administration; legal and regulatory compliance; and similar activities.
29 C.F.R. § 541.201(b). The list is not exhaustive and “administrative work” could also include “‘advising the management, planning, negotiating, representing the company, purchasing, promoting sales, and business research and control.'” Grage, 813 F.3d at 1055 (quoting Renfro v. Ind. Mich. Power Co., 370 F.3d 512, 517 (6th Cir. 2004)). To determine whether an employee is an administrative or production worker, it is appropriate to consider the nature of the employer's business. Martin v. Cooper Elec. Supply Co., 940 F.2d 896, 899 (3d Cir. 1991).

An employee's “primary duty” is the “principal, main, major or most important duty that the employee performs. Determination of an employee's primary duty must be based on all of the facts in a particular case, with the major emphasis on the character of the employee's job as a whole.” 29 C.F.R. § 541.700(a). The following factors may be considered: “relative importance of the exempt duties as compared with other types of duties; the amount of time spent performing exempt work; the employee's relative freedom from direct supervisions; and the relationship between the employee's salary and the wages paid to other employees for the kind of nonexempt work performed.” 29 C.F.R. § 541.700(a); see also Grage, 813 F.3d at 1055. “[A]n employee's primary duty is that which is of principal importance to the employer, rather than collateral tasks which may take up more than fifty percent of his or her time.” Spinden, 94 F.3d at 427 (citation omitted).

As a “health insurer,” USAble receives, maintains, and transmits PHI of its members in the regular course of business to assess and determine eligibility for claims of coverage and reimbursement (Dkt. No. 25, at 81 (including cites to record evidence)). USAble is subject to certain regulatory requirements promulgated pursuant to HIPAA, see 45 C.F.R. §§ 160.102, 160.103, which requires USAble to implement certain safeguards to protect the privacy of PHI and sets limits and conditions on the uses and disclosure that may be made of such information without patient authorization. See 45 C.F.R. §§ 160.101 et seq., 164.102 to 164.106, 164.500 to 164.534 (Dkt. No. 25, at 81 (citing to record evidence)).

EIS during the relevant period was responsible for the protection of the confidential information maintained by USAble, including PHI and other sensitive information, and each plaintiff worked in EIS during the relevant period (Dkt. No. 25, at 81-82 (citing to record evidence)). EIS was responsible for a variety of security functions, managing security related deployment, and developing projects and security policies that align USAble's enterprise security operations with industry and regulatory compliance (Dkt. No. 25, at 117 (citing to record evidence)). Each plaintiff performed duties to ensure that EIS secured the information utilized, maintained, and transmitted by USAble to the maximum extent possible (Dkt. No. 25, at 117 (citing to record evidence)). The discrete job duties performed by each plaintiff as testified to at deposition by each plaintiff demonstrate that no reasonable factfinder could conclude that each plaintiff did not spend the majority of his or her time performing “exempt” duties. See 29 C.F.R. § 541.700(b).

Having reviewed the record evidence and construing all reasonable inferences from it in favor of plaintiffs, the Court concludes that no reasonable fact finder could conclude that, in their capacities as either Lead Information Security Analysts or Information Security Analysts, each plaintiff's primary duties did not consist of “office or non-manual work.” 29 C.F.R. § 541.200(a)(2) (Dkt. No. 25, at 82 (citing to record evidence)). Further, no reasonable factfinder could conclude that each plaintiff's role as Lead Information Security Analyst or Information Security Analyst was not directly related to the management and/or general business operations of USAble. See 29 C.F.R. §§ 541.200(a)(2), 541.201(a); see also Grage, 813 F.3d at 1056; Ahle v. Veracity Rsch. Co., 738 F.Supp.2d 896, 903 (D. Minn. 2010).

C. Primary Duties: Exercise Of Discretion And Independent Judgment With Respect To Matters Of Significance

To meet the third requirement of the administrative exemption, an “employee's primary duty must include the exercise of discretion and independent judgment with respect to matters of significance.” 29 C.F.R. § 541.202(a). “In general, the exercise of discretion and independent judgment involves the comparison and the evaluation of possible courses of conduct, and acting or making decisions after the various possibilities have been considered.” Id. The term “matters of significance” refers to the level of importance or consequence of the work performed. Id.

“Mere denials” by each plaintiff that his or her primary duties did not include the exercise of discretion are insufficient. Com. Union Ins. Co., 967 F.2d at 271-72. Plaintiffs do not deny performing many of the actions attributed to them by USAble, but plaintiffs in response to summary judgment attempt to argue in declarations prepared and submitted after they each provided detailed deposition testimony that they were merely copying policies or following orders. Their declarations are belied by their deposition testimony, which is available for the Court's review and consideration in the summary judgment record and further was parsed through by USAble in its reply (Dkt. No. 38). The record evidence in this case reviewed by the Court and upon which the Court bases its decision distinguishes this case from Chicca v. St. Luke's Episcopal Health System, 858 F.Supp.2d 777 (S.D. Tex. 2012), the non-controlling case cited by plaintiffs in their response (Dkt. No. 32). The descriptions provided by plaintiffs of their job duties under oath in their deposition testimony are not “broad and vague,” leave no room for doubt, and confirm those matters of significance on which each plaintiff exercised independent discretion and judgment. Cf. Chicca, 858 F.Supp.2d at 790.

In their declarations, each plaintiff attempts to argue to a certain extent that he or she did not draft policies but instead merely pulled regulatory language into a format. The record evidence which is comprised of plaintiffs' deposition testimony leaves a factfinder with the firm impression that such was not the case with respect to any plaintiff and the drafting of policies. Regardless, even if that were the case, that review of regulatory language and splicing it together to make it relevant for USAble seems inherently to involve discretion and independent judgment in this context when all facts and circumstances as presented in the record evidence are considered.

The same is true with respect to audits to the extent plaintiffs were involved in audits. In their declarations, plaintiffs generally seek to minimize their roles with respect to audits. The record evidence including plaintiffs' deposition testimony provides clear descriptions in plaintiffs' own words of the work each did. While plaintiffs had to communicate the audit requirements to the different departments, plaintiffs made the determination which department to contact for information, received the information, organized the information, and presented it in a way that fit the requests, and then plaintiffs had to report on any shortcomings and address those shortcomings, too. This conduct involved discretion and independent judgment in this context when all facts and circumstances as presented in the record evidence are considered.

Plaintiffs also advised under certain circumstances on which programs to use and how to adapt policies to contracts. In their deposition testimonies, they describe those tasks and use language that affirms the use of discretion and independent judgment while performing these tasks. Again, the record evidence, even with all reasonable inferences drawn in plaintiffs' favor, results in the Court's determination that no reasonable factfinder could conclude otherwise, the language used in plaintiffs' more recent declarations notwithstanding.

In their response to USAble's motion for summary judgment, plaintiffs repeatedly point this Court to reviews performed by Mr. Ross and Mr. Shirley in an effort to suggest that plaintiffs did not exercise discretion and independent judgment (Dkt. No. 32). The Department of Labor has explicitly stated that “the term ‘discretion and independent judgment’ does not require that the decisions made by an employee have a finality that goes with unlimited authority and a complete absence of review.” 29 C.F.R. § 541.202. Through developing policies, trainings, and protocols, coordinating audits, reviewing potential contracts, and advising on the management and organization of security information technology, plaintiffs were able to exercise discretion and judgment in the ways that PHI was managed and protected at USAble. The fact that Mr. Ross or Mr. Shirley were involved in reviewing decisions, or even had the final say over outcomes, does not strip plaintiffs of their independent judgment for purposes of this analysis.

Regarding plaintiffs' arguments that their work did not involve “matters of significance” - on the record evidence before it with all reasonable inferences drawn in favor of plaintiffs, the Court determines that no reasonable factfinder could conclude that maintaining the security of highly regulated PHI for a health insurance company is not a matter of significance. While the Court acknowledges that cost alone is not determinative, if this information was lost or was not protected, it is undisputed in the record evidence that USAble would lose money, goodwill, and business, and face regulatory issues (see generally Dkt. No. 26, ¶¶ 92, 101-02, 115, 119, 298, 318, 323, 326, 330, 419, 428-33, 498, 568, 590, 616).

The Court determines on the record evidence before it, even with all reasonable inferences drawn in favor of plaintiffs, that no reasonable factfinder could conclude that each plaintiff did not exercise discretion and independent judgment with respect to matters of significance by: (1) comparing and evaluating possible courses of action after considering complex data, even if their decisions and recommendations were subject to review at a higher level; (2) formulating operating policies on behalf of USAble; (3) performing work that affected USAble's business operations to a substantial degree through assignments carried out within EIS; and (4) providing consultation and expert advice to USAble's management (Dkt. No. 25, at 119).

D. Ms. Overstreet's Bankruptcy

Because the Court concludes that USAble is entitled to summary judgment in its favor on each plaintiff's FLSA and AMWA claims, the Court does not reach the parties' arguments with respect to Ms. Overstreet's bankruptcy, her failure to disclose her FLSA and AMWA claims during the course of her bankruptcy, and the resulting effect of that failure to disclose on her ability to recover on her claims.

V. Conclusion

For the foregoing reasons, the Court grants USAble's motion for summary judgment (Dkt. No. 24) and enters judgment in favor of USAble on plaintiffs' FLSA and AMWA claims. The relief requested is denied.

It is ORDERED this 30th day of September, 2021.

