From Casetext: Smarter Legal Research

In re Anthem, Inc. Data Breach Litig.

UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA
Feb 21, 2017
236 F. Supp. 3d 150 (D.D.C. 2017)

Opinion

Case No. 16–mc–02210 (APM)

02-21-2017

IN RE: ANTHEM, INC. DATA BREACH LITIGATION


MEMORANDUM OPINION

Amit P. Mehta, United States District Judge

Anthem, Inc., a health benefits and health insurance company, suffered a massive cyberattack on its computer systems sometime between December 2014 and January 2015. The hackers stole personally identifiable information and personal health information of approximately 80 million people. Amongst those whose information was compromised were federal employees who receive their health insurance through the Federal Employee Health Benefits Program. Some individuals whose information was compromised filed suit against Anthem, Inc., its affiliates, and involved third-party corporations, ultimately leading to consolidation of those cases in the form of a class-action, multidistrict litigation in the United States District Court for the Northern District of California.

On May 13, 2016, Lead Plaintiffs in the multidistrict litigation issued a subpoena for documents to the United States Office of Personnel Management ("OPM"), the agency responsible for negotiating and administering the federal government's health insurance contracts with Anthem, Inc., and its affiliates. Those contracts authorize OPM to conduct audits of the insurance carriers' information technology systems ("IT systems"). Lead Plaintiffs' subpoena seeks records relating to OPM's IT systems audits of Anthem, Inc., and its affiliates, both before and after the cyberattack. The agency released a portion of the documents responsive to the subpoena but withheld others, claiming that the deliberative process privilege protected all the withheld documents from disclosure and the law enforcement privilege also protected certain of those documents. Lead Plaintiffs then filed, in this court, a Motion to Compel OPM to disclose the withheld records.

After the benefit of substantial briefing, oral argument, and in camera review of the documents in question, the court finds that most of documents withheld by OPM are protected by the deliberative process privilege. Some of the withheld documents or portions thereof, however, contain only factual information. As to those records or portions of records, the court concludes that neither the deliberative process nor the law enforcement privilege applies. Accordingly, the court grants in part and denies in part the Lead Plaintiffs' Motion to Compel.

I. BACKGROUND

A. Anthem's Contract with the Office of Personnel Management

Anthem, Inc. ("Anthem") provides health benefits and health insurance services to millions of individuals through a nationwide network of affiliate and third-party entities. See In re Anthem, Inc. Data Breach Litig. , No. 15-2617, 2016 WL 3029783, at *2 (N.D. Cal. May 27, 2016) ; Pls.' Mot. to Compel Compliance with Subpoena Duces Tecum, ECF No. 1 [hereinafter Pls.' Mot.], at 1–2 & n.3. To provide these services, Anthem, its affiliates, and the third-party entities maintain a common computer database of current and former members' personal information. See In re Anthem , 2016 WL 3029783, at *2. This information includes, but is not limited to, individuals' Social Security numbers, home addresses, and confidential medical information. See Pls.' Mot. at 2.

The court notes that from 2004 to December 2014, the entity now known as Anthem, Inc., was called WellPoint, Inc. See Pls.' Mot. to Compel Compliance with Subpoena Duces Tecum, ECF No. 1, at 1. For ease of reference and consistent with the parties' practice, the court does not distinguish between "WellPoint" and "Anthem" in this opinion.
Anthem provides its services through a number of affiliate and third-party entities. The Third Consolidated Amended Class Action Complaint in the multidistrict litigation named as defendants not only Anthem, but also 27 Anthem affiliates, the Blue Cross Blue Shield Association, and 14 non-Anthem Blue Cross Blue Shield companies. See Redacted Version of Third Am. Compl., In re Anthem, Inc. Data Breach Litig., No. 15–2617 (N.D. Cal. July 11, 2016), ECF No. 537–3, ¶¶ 123–51, 153–66. Lead Plaintiffs' subpoena directed OPM to release documents pertaining to its audit of "Anthem," which the subpoena defined to include Anthem and the 27 Anthem affiliates. See Pls. Mot., Ex. A [hereinafter Subpoena], Sched. A, at 1–2. This opinion's use of "Anthem" collectively refers to Anthem, Inc., and all those affiliated entities directed to respond to Lead Plaintiffs' subpoena; it does not encompass any entity not listed in the subpoena, even if a party to the multidistrict litigation.

All pin citations in this opinion are to the cited document's original pagination or numbered paragraphs, where available.

Amongst those Anthem serves are federal employees. The United States Office of Personnel Management ("OPM") negotiates and administers the federal government's contracts with insurance providers, including Anthem. See Non–Party Resp't's Mem. in Opp'n to Pls.' Mot. to Compel, ECF No. 5 [hereinafter Gov't's Opp'n], at 2. By statute, OPM's Office of the Inspector General ("OIG") has authority to periodically conduct audits of entities receiving OPM funds or benefits, such as insurance carriers that contract to provide services to federal employees. See 5 U.S.C. app. 3 § 2(1) ; Gov't's Opp'n at 2–3; Gov't's Opp'n, Decl. of Norbert E. Vint, ECF No. 5–2 [hereinafter Vint Decl.], ¶ 3. Consistent with that statute, Anthem's contract with OPM authorizes OIG to audit Anthem's IT systems. See Pls.' Mot. at 3.

OIG's IT systems audits benefit both OPM and the audited entity. The audits "are designed to identify weaknesses [in the audited entity's IT systems] so that the audited entity may institute appropriate safeguards against threats." Gov't's Opp'n, Decl. of Nicholas Hoyle, ECF No. 5–3 [hereinafter Hoyle Decl.], ¶ 4. The overarching goal is for OIG to "evaluate the effectiveness of the entity's preventive measures and recommend remedies as needed" so as to "assist the audited entity with preventing criminal actors from stealing and exploiting [the] personal identifiable information and protected health information" of federal employee-enrollees. Id. The audit has the simultaneous effect of keeping OPM abreast of the audited entity's present compliance with its federal contract and federal law. Generally speaking, the audit assesses several "general IT security controls: security management, physical access controls; logical access controls; network security; business continuity; configuration management; and segregation of duties." Id. ¶ 7.

OIG's audit takes several steps to complete. The process begins with two on-site investigations, after which OIG discusses its "preliminary concerns" with the audited entity and ensures it has all the information it needs to proceed with the audit. See id. ¶¶ 11–12. Next, equipped with the necessary information, OIG analyzes vulnerabilities in the IT system and produces a draft audit report, which it releases to the audited entity for response and factual corrections. See id. ¶¶ 13, 21; Vint Decl. ¶ 7. Finally, OIG publishes a final audit report, which takes account of any corrections the audited entity made to the draft audit report, the audited entity's written response to the draft audit report, and OIG's "final determination regarding its findings and recommendations." Hoyle Decl. ¶ 13; accord Vint Decl. ¶ 7.

B. OIG's Audits of Anthem's IT Systems

In 2013, OIG audited Anthem's IT systems ("the 2013 Audit") and generated a report with findings and recommendations for addressing identified weaknesses in Anthem's systems. See Pls.' Mot. at 3; Gov't's Opp'n at 3; Pls.' Mot., Ex. D [hereinafter 2013 Final Audit Report]. OPM's internal discussions regarding Anthem continued after the 2013 Audit concluded. OPM's Audit Resolution Branch reviewed the recommendations in the 2013 Final Audit Report and evaluated whether Anthem had appropriately implemented them—a process known as "closing out" a recommendation. See Gov't's Opp'n at 3–4.

One of the key issues that arose during the 2013 Audit was that Anthem, citing company policy, refused to allow OIG auditors to connect their equipment to Anthem's network to conduct a configuration compliance test. See 2013 Final Audit Report at 9–10; see also Pls.' Mot. at 4. As a result, the auditors were prevented from conducting as thorough an audit as they had planned and believed necessary. Consequently, after the 2013 Audit concluded, OPM staff discussed whether and in what ways to amend Anthem's federal contract "to ensure that OIG audit staff has sufficient access to contractor systems and materials, to prevent a recurrence of issues encountered by OIG during the 2013 Audit." Gov't's Opp'n at 3–4; accord Gov't's Opp'n, Decl. of Alan Spielman, ECF No. 5–1 [hereinafter Spielman Decl.], at 2.

In February 2015, Anthem announced that its centralized database had been hacked, compromising the security of approximately 80 million individuals' sensitive personal information. See Pls.' Mot. at 3; Gov't's Opp'n at 2; Pls.' Mot., Ex. C. Following the cyberattack, OIG conducted another audit of Anthem's IT systems, including preparation of draft and final audit reports. See Gov't's Opp'n at 4. Although the 2015 Final Audit Report is now complete and OPM has shared that report with Anthem, OPM has not yet made the report available to the public. See id. (stating that the 2015 Final Audit Report has not yet been published); Pls.' Reply, ECF No. 6 [hereinafter Pls.' Reply], at 1 & n.2 (explaining that the 2015 Draft Audit Report and 2015 Final Audit Report are no longer at issue in this litigation because the Government has provided them to Lead Plaintiffs).

C. The Subpoena to OPM

Following the cyberattack, a number of Anthem customers filed class action claims in various jurisdictions, generally asserting that Anthem and other involved entities "(1) fail[ed] to adequately protect Anthem's data systems, (2) fail[ed] to disclose to customers that Anthem did not have adequate security practices, and (3) fail[ed] to timely notify customers of the data breach." In re Anthem, Inc. Data Breach Litig. , 162 F.Supp.3d 953, 968 (N.D. Cal. 2016). Shortly thereafter, several plaintiffs moved to consolidate the cases, and the United States Judicial Panel on Multidistrict Litigation transferred all cases "arising out of the Anthem data breach" to the Northern District of California to proceed as a single action before The Honorable Lucy H. Koh. See id. One of the claims advanced in the multidistrict litigation is a third-party beneficiary claim for breach of contract on behalf of those federal employees who were enrolled in the Federal Employee Health Benefits Plan at the time of the cyberattack, received their health insurance and related benefits from Anthem, and whose personal information was compromised as a result. See Redacted Version of Third Am. Compl., In re Anthem , No. 15–2617 (N.D. Cal. July 11, 2016), ECF No. 537–3, ¶¶ 434, 517–33.

Fact discovery in that proceeding closed, with stipulated exceptions, on December 1, 2016. See In re Anthem, No. 15–2617 (N.D. Cal. Oct. 26, 2016), ECF No. 609.

For purposes of ruling on Lead Plaintiffs' Motion, the court does not treat the federal employee-enrollees as situated differently than any other plaintiff in the multidistrict litigation because Lead Plaintiffs represent that they intend to use the withheld documents on behalf of all members of the overarching plaintiff-class, rather than restrict their use to the benefit of the federal employee-enrollees whose personal information was compromised. See Pls.' Mot. at 9–10.

On May 13, 2016, Lead Plaintiffs' counsel in the multidistrict litigation submitted a request to OPM's General Counsel for 17 categories of documents related to the agency's 2013 and 2015 audits of Anthem. Pls.' Mot. at 9; see also 5 C.F.R. § 295.203. Counsel simultaneously served OPM with a subpoena, demanding production of the same 17 categories of documents. See Pls.' Mot. at 9; Pls. Mot., Ex. A [hereinafter Subpoena]. Pursuant to Rule 45 of the Federal Rules of Civil Procedure, the Department of Justice, acting on OPM's behalf, objected to the subpoena. Pls.' Mot., Ex. M; see Fed. R. Civ. P. 45(d)(2)(B).

After several discussions between Lead Plaintiffs' counsel and the Department of Justice, Lead Plaintiffs narrowed their demand for documents, and OPM released various documents but continued to withhold others. See Pls.' Mot. at 11–12. OPM asserts that the documents it has not released to Lead Plaintiffs are protected under the deliberate process and law enforcement privileges. See Pls.' Mot. at 12; Gov't's Opp'n at 4–5. The withheld documents fall into three categories:

1. Audit workpapers pertaining to (i) Anthem's refusal to permit OPM to conduct certain audit testing, and (ii) auditor reviews and conclusions about Anthem's information system security measures and practices;

2. Meeting write-ups, which document meetings between auditors and Anthem

representatives regarding, amongst other things, Anthem's network configuration management, security, and risk assessment; and

3. E-mails between and amongst federal employees discussing (i) potential changes to federal contracts, including Anthem's contract, and (ii) whether Anthem successfully implemented certain recommendations that OIG made as part of the 2013 Audit.

See Gov't's Opp'n at 5; Pls.' Mot. at 12–23; see also Pls.' Reply at 1. The Government contends that all the documents in these categories are protected from disclosure by the deliberative process privilege and that the law enforcement privilege also applies to prevent disclosure of the audit workpapers and meeting write-ups. See Gov't's Opp'n at 5.

These categories reflect an amalgam of the parties' descriptions of the documents currently being withheld. Per Lead Plaintiffs' representation, the 2015 Draft Audit Report and 2015 Final Audit Report are no longer at issue. See Pls.' Reply at 1 n.2.

Lead Plaintiffs' counsel subsequently filed a Motion to Compel Compliance with the Subpoena, which the Government opposed. The court held oral argument on the motion and subsequently ordered OPM to submit the withheld materials to the court for in camera inspection. See Minute Order (Jan. 9, 2017). OPM provided an unredacted, Bates-stamped copy of the withheld documents to the court. See Notice of Submission of Docs. for In Camera Inspection, ECF No. 10.

The pages of the withheld documents are identified as Anthem_ 00001 through Anthem_00267.

II. LEGAL PRINCIPLES

The Government may object to a subpoena for records on the basis that the materials sought are protected from disclosure. See Tuite v. Henry , 98 F.3d 1411, 1416–17 (D.C. Cir. 1996). In doing so, however, the Government bears the burden of proving each element of the privilege it asserts. See In re Sealed Case , 737 F.2d 94, 99 (D.C. Cir. 1984). If the Government raises a qualified privilege, then the burden shifts to the party seeking disclosure to show that its need for the privileged material outweighs the Government's interest in withholding it. See Hinckley v. United States , 140 F.3d 277, 285–86 (D.C. Cir. 1998) ; In re Sealed Case , 121 F.3d 729, 737–38 (D.C. Cir. 1997) (per curiam).

A. Deliberative Process Privilege

The deliberative process privilege permits the Executive Branch to shields from disclosure those materials "that would reveal advisory opinions, recommendations[,] and deliberations comprising part of a process by which governmental decisions and policies are formulated."See In re Sealed Case , 121 F.3d at 737 (internal quotation marks omitted). The privilege embodies "the commonsense notion that agencies craft better rules when their employees can spell out in writing the pitfalls as well as strengths of policy options, coupled with the understanding that employees would be chilled from such rigorous deliberation if they feared it might become public." Judicial Watch, Inc. v. U.S. Dep't of Def. , 847 F.3d 735, 739, 2017 WL 490417, at *3 (D.C. Cir. 2017) (citing N.L.R.B. v. Sears, Roebuck & Co. , 421 U.S. 132, 150, 95 S.Ct. 1504, 44 L.Ed.2d 29 (1975) ). Additionally, it guards against "premature disclosure of ideas that are not—or not yet—final policy." Judicial Watch , 847 F.3d at 739, 2017 WL 490417, at *3.The Government routinely raises the deliberative process privilege in response to requests made pursuant to the Freedom of Information Act, see 5 U.S.C. § 552(b)(5), but the privilege's application is not limited to that context, see In re Sealed Case , 121 F.3d at 737. The privilege may be invoked in response to a subpoena for records. See id. Any material that the Government shows to be both "predecisional" and "deliberative" falls within the ambit of the privilege. Judicial Watch, Inc. v. Food & Drug Admin. , 449 F.3d 141, 151 (D.C. Cir. 2006). "[A] document [is] predecisional if it was generated before the adoption of an agency policy and deliberative if it reflects the give-and-take of the consultative process." Id. (internal quotation marks omitted).

That a document falls within the scope of the deliberative process privilege is not dispositive of whether the Government ultimately can withhold that document in full or in part. The privileged is qualified. Otherwise privileged materials may be ordered disclosed if the court concludes the private need for disclosure outweighs the public interest in non-disclosure. In re Sealed Case , 121 F.3d at 737. When balancing those interests, the court must consider such factors as "the relevance of the evidence, the availability of other evidence, the seriousness of the litigation, the role of the government, and the possibility of future timidity by government employees" should the materials be released. Id. at 737–38 (internal quotation marks omitted). The party seeking the documents bears the burden of demonstrating that the balance of interests tips in his or her favor. See id. at 737. However, even when the court concludes the scales do not tilt towards disclosure, factual material in privileged documents must be disclosed unless that material is "so inextricably intertwined with the deliberative sections of documents that its disclosure would inevitably reveal the government's deliberations." Id.

B. Law Enforcement Privilege

The Executive Branch may raise the law enforcement privilege to prevent disclosure of materials that are part of law enforcement investigations. This privilege aims to protect the integrity of law enforcement techniques, sources, and investigations—disclosure of which would be "contrary to the public interest in the effective functioning of law enforcement." See Tuite v. Henry , 181 F.R.D. 175, 176–77 (D.D.C. 1998), aff'd per curiam , 203 F.3d 53 (D.C. Cir. 1999). To prevent a document's disclosure under this privilege, the Executive Branch must establish that (1) the head of the department, who had some control over the information, made a formal claim of privilege; (2) that individual had personally considered the basis for raising the privilege; and (3) the information for which the privilege is claimed, described in detail, properly falls within the scope of the privilege. In re Sealed Case , 856 F.2d 268, 271 (D.C. Cir. 1988).

This privilege, too, is qualified. In determining whether to order disclosure of privileged materials, the court must weigh the public interest in non-disclosure against the private need for the information. Id. at 272. The D.C. Circuit has identified a number of factors for the court to consider when assessing these competing interests:

(1) the extent to which disclosure will thwart governmental processes by discouraging citizens from giving the government information; (2) the impact upon persons who have given information of having their identities disclosed; (3) the degree to which governmental self-evaluation and consequent program improvement will be chilled by disclosure;

(4) whether the information sought is factual data or evaluative summary; (5) whether the party seeking discovery is an actual or potential defendant in any criminal proceeding either pending or reasonably likely to follow from the incident in question; (6) whether the police investigation has been completed; (7) whether any interdepartmental disciplinary proceedings have arisen or may arise from the investigation; (8) whether the plaintiff's suit is non-frivolous and brought in good faith; (9) whether the information sought is available through other discovery or from other sources[;] [and] (10) the importance of the information sought to the plaintiff's case.

Id. (quoting Frankenhauser v. Rizzo , 59 F.R.D. 339, 344 (E.D. Pa. 1973) ). No single factor is dispositive. Additionally, in the context of the law enforcement privilege, "need" is "an elastic concept that does not turn only on the availability of the information from an alternative source." Tuite , 98 F.3d at 1417.

III. DISCUSSION

The Government submits that the deliberative process privilege protects all three categories of documents withheld from disclosure—the audit workpapers, meeting write-ups, and e-mails. See Gov't's Opp'n at 8, 16. Further, according to the Government, none of the factual material within the audit workpapers and meeting write-ups can be disclosed without revealing OIG's deliberative process. See id. at 12. Additionally, the Government contends that the law enforcement privilege protects the audit workpapers and meeting write-ups from disclosure. See id. at 22. Lead Plaintiffs respond that neither the deliberative process privilege nor the law enforcement privilege applies to any document currently withheld, but even if one or both privileges apply, Lead Plaintiffs' need for the materials outweighs any interest the Government has in withholding them. See Pls.' Mot. at 28–29, 38.

The court begins its analysis by determining which documents are eligible for protection under the deliberate process privilege and assessing whether the balance of interests weighs in favor of allowing the Government to withhold those documents. Next, the court evaluates whether those documents ineligible for protection under the deliberative process privilege are eligible for protection under the law enforcement privilege. Lastly, the court weighs the competing interests to determine whether the Government should be required to disclose those documents otherwise covered by the law enforcement privilege.

A. Which Documents are Subject to the Deliberative Process Privilege

After carefully reviewing the documents in camera, the court concludes that all the withheld e-mails, but only a portion of the audit workpapers and meeting write-ups, are subject to the deliberative process privilege.

1. Whether the Materials are "Predecisional"

The parties disagree as to whether the withheld materials are "predecisional" and whether they are "deliberative." The Government believes that the audit workpapers, meeting write-ups, and e-mails are predecisional because they "contain[ ] specific analysis and recommendations regarding vulnerabilities" in Anthem's IT systems that informed the content of the 2013 Final Audit Report, modifications to Anthem's contract, and conclusions regarding Anthem's compliance with OPM's recommendations. See Gov't's Opp'n at 8, 16.Lead Plaintiffs disagree that the materials are predecisional because "[t]here is no reference anywhere in the 2013 [Final] Audit Report to any decisionmaker to whom the Audit will be submitted, or any decision in which the Audit will be considered." See Pls.' Mot. at 30. Moreover, Lead Plaintiffs contend, the 2013 Final Audit Report does not contain a recommendation to an agency decisionmaker—instead, it directs its recommendations to Anthem itself—which undercuts the Government's representation that the 2013 Final Audit Report is a final agency decision within the meaning of the deliberative process privilege. See id.

The court concludes that Lead Plaintiffs' conception of predecisional materials is far too narrow. Predecisional materials are those that predate an agency's decision or adoption of a policy and which comprise part of a process by which the Government reached that decision or policy. See Judicial Watch , 449 F.3d at 151 ; In re Sealed Case , 121 F.3d at 737. There can be little doubt that the audit workpapers and meeting write-ups are predecisional in nature. The Government represents that OPM's final "decision" with respect to the audit workpapers and meeting write-ups is its 2013 Final Audit Report, which results from the collection and review of the interim materials the audit team generates in the process of making its findings and recommendations. See Oral Argument Tr. (rough draft), at 25. The audit workpapers and meeting write-ups currently withheld all predate and contributed to the 2013 Final Audit Report. Therefore, they are "predecisional" within the meaning of the deliberative process privilege. See, e.g. , Hamilton Secs. Grp., Inc. v. Dep't of Housing & Urban Dev. , 106 F.Supp.2d 23, 29–31 (D.D.C. 2000) (concluding draft audit report was predecisional because it predated and contributed to the final audit report), aff'd , No. 00-5331, 2001 WL 238162 (D.C. Cir. 2001) (per curiam) (mem.); see also Moye, O'Brien, O'Rourke, Hogan & Pickert v. Nat'l R.R. Passenger Corp. , 376 F.3d 1270, 1279 (11th Cir. 2004) (concluding audit workpapers and internal memoranda were predecisional because they predated and contributed to the final audit report).

A final transcript of the Oral Argument held on January 6, 2017, is not yet available.

The withheld emails are equally predecisional. "Developing a ‘position’ on actions that another decision-maker might take is workaday agency business, not nefarious government activity, and opinions meant to contribute towards that deliberative process" are privileged. ICM Registry, LLC v. U.S. Dep't of Commerce , 538 F.Supp.2d 130, 135 (D.D.C. 2008). The withheld e-mails document "workaday agency business" concerning (1) whether and how to modify OPM's contracts with Anthem and other health insurers, and (2) whether to close out audit recommendations made in connection with the 2013 Audit. The former category of e-mails comprises part of OPM's process of amending carrier contracts to ensure that auditors are able to carry out their statutory duties by optimizing their access to health insurers' systems. The latter category of e-mails comprises part of OPM's process of evaluating whether Anthem has the ability to comply and is complying with its federal contract. See Spielman Decl. at 2 (explaining that the e-mails and their attachments "are utilized to make complicated and sensitive decisions related to OPM's contracts with health benefits carriers"); cf. Hoyle Decl. ¶ 4 (explaining that the very purpose of the audit is to "evaluate the effectiveness of the entity's preventive measures and recommend remedies as needed"). These are precisely the types of agency decision- making processes that the courts should carefully avoid exposing to the public or to private parties. See Sears , 421 U.S. at 151 n.18, 95 S.Ct. 1504 ("Agencies are, and properly should be, engaged in a continuing process of examining their policies; this process will generate memoranda containing recommendations which do not ripen into agency decisions; and the lower courts should be wary of interfering with this process.").

Consequently, the audit workpapers, meeting write-ups, and e-mails comprise a part of the decisional processes that resulted in the 2013 Final Audit Report and inform whether and under what terms the Government contracts with Anthem and others in the future. Accordingly, those materials are "predecisional" within the meaning of the deliberative process privilege.

2. Whether the Materials are Deliberative

Predecisional materials are not inherently "deliberative." To be "deliberative," a document must reflect "part of the agency give-and-take by which the decision itself is made." Hinckley , 140 F.3d at 284 (internal quotation marks omitted). The Government submits that the materials it has withheld are deliberative because they contain federal employees' preliminary notes, thoughts, and opinions regarding the content in the 2013 Final Audit Report, modifications to health insurers' contracts, and Anthem's compliance with OPM's recommendations. See Gov't's Opp'n at 11–12, 16–17. Lead Plaintiffs fundamentally disagree that the withheld materials relate to the agency's ultimate adoption of any policy or implicate any high-level decisions and, accordingly, contend that the withheld documents cannot be considered deliberative. Pls.' Mot. at 34–35.

a. Audit Workpapers

Two pages of the audit workpapers qualify as "deliberative." The withheld materials include two computer screenshots (Anthem_00023, Anthem_ 00024) that reveal specific sub-components of OIG's audit procedure, convey auditors' progress in their audit of Anthem, and contain notes and preliminary recommendations concerning the Anthem audit. These materials plainly reflect sensitive, internal deliberations that are quintessentially "deliberative" within the meaning of the privilege. Cf. Hamilton Secs. Grp. , 106 F.Supp.2d at 32 (holding draft audit report was deliberative because it "d[id] not merely involve the collection and compilation of publicly available data," but rather, "judgments about what to collect, how to collect, and how to present it"); Moye , 376 F.3d at 1279 (holding that audit workpapers that "document the entire body of collaborative work performed by the auditors" in the process of performing the audit are deliberative).

The remaining pages of the audit workpapers, however, do not qualify as "deliberative." The withheld materials contain two sign-in sheets for meetings conducted in connection with the 2013 Audit (Anthem_00005, Anthem_ 00017). These pages reflect only who attended the meeting, the topic of the meeting, and the date and time of the meeting; not the productive content of the meeting. Those materials are not deliberative. See, e.g. , MacNamara v. City of New York , 249 F.R.D. 70, 81 (S.D.N.Y. 2008) (holding that documents listing individuals in attendance at meetings of the municipal Civil Disturbance Subcommittee were not deliberative). Additionally, the Government withheld an e-mail chain containing OPM's request for Anthem's official policy statement as to why OPM was not permitted to perform its own vulnerability scans on Anthem's network (Anthem_00018–Anthem_00020), as well as two memoranda from OPM to Anthem requesting actions by Anthem that served as an alternate to an auditor-performed vulnerability scan (Anthem_00007, Anthem_ 00008). Neither the e-mail request for a policy statement nor either memorandum is deliberative. Each conveys purely factual information. Moreover, these documents do not contain auditors' internal discussions; they reflect discussions between agency auditors and non-agency actors, i.e., Anthem employees. In short, these materials do not "reflect[ ] the give-and-take of the consultative process." See Judicial Watch , 449 F.3d at 151 (internal quotation marks omitted).

One memorandum contains bolded language updating the information request to include Anthem's responses. This language, however, is Anthem's informal response to OPM's information request, not government auditors' internal annotations. See Vint Decl. ¶ 13(b).

b. Meeting Write–Ups

The court finds that portions of three of the five meeting write-ups are "deliberative" within the meaning of the deliberative process privilege. The withheld materials include five report-like summaries of topics discussed during meetings between the OIG auditors and Anthem representatives. Each report identifies the topic of the meeting and contains an auditor-drafted summary of facts presented by Anthem representatives. The reports cover the following topics: configuration management, enterprise security, logical access, network security, and special investigations and fraud. See Vint Decl. ¶ 13(a); Hoyle Decl. ¶ 14(a). Two reports—one on enterprise security (Anthem_00006), the other on logical access (Anthem_00009–Anthem_00010)—contain only factual information, without any annotations that reflect auditor deliberations or thought processes. For the reasons discussed above, these meeting write-ups are not deliberative and, therefore, are not protected by the privilege. See Judicial Watch , 449 F.3d at 151 .

The court has identified which portions of these materials should be disclosed in the Order that accompanies this Memorandum Opinion.

Although the Government represented that the withheld materials included "[s]even ‘Meeting Write-up’ workpapers," see Vint Decl. ¶ 13(a); Hoyle Decl. ¶ 14(a), the materials submitted to the court in camera contained only five meeting write-ups. Accordingly, the court passes no judgment on meeting write-ups purportedly regarding "physical access" and "risk assessment." See Vint Decl. ¶ 13(a)(v)–(vi); Hoyle Decl. ¶ 14(a)(v)–(vi). If those two additional meeting write-ups were inadvertently excluded from OPM's in camera submission, then OPM should submit those records to the court for review.

The other three reports—on configuration management (Anthem_ 00001–Anthem_00004), network security (Anthem_00011–Anthem_00016), and special investigations and fraud (Anthem_00021–Anthem_00022)—contain mostly factual information, but also include some subjective impressions of the auditors regarding pertinent points raised at the meetings and subsequent steps to be taken in response to meeting discussions. The auditors' subjective impressions reflect the agency's internal thoughts and considerations and are protected by the privilege. See id. The factual information contained adjacent to those subjective impressions, however, is plainly separate from those subjective impressions. The court is satisfied that the factual material is not presented in a way that "distill[s] or highlight[s] particular facts," but rather, simply reflects information that Anthem provided OPM as part of the audit. Contra Gov't's Opp'n at 12–14. Accordingly, because this factual information is not "inextricably intertwined" with those portions of the documents that contain auditors' notes and internal debates, and disclosure of that information would not compromise privileged deliberations contained elsewhere, those portions of the reports containing factual information are not covered by the privilege. See In re Sealed Case , 121 F.3d at 737.

c. E-mail Correspondence

Lastly, the court concludes that the withheld e-mails (Anthem_00025–Anthem_00267) between and amongst federal employees are uniformly deliberative. These e-mails present written evidence of agency "brainstorming," encompassing a wide range of suggestions, opinions, productive disagreements, and preliminary conclusions involving revisions to OPM's standard federal contracts; recommendations for modifications to Anthem's contract following the cyberattack; and discussions over whether to accept Anthem's responses to audit recommendations. These materials are, at their core, the back-and-forth deliberative process required for an agency to reach a decision. See id. ; see also Moye , 376 F.3d at 1278 (explaining that "materials embodying officials' opinions are ordinarily exempt from disclosure"). They do not contain segregable factual information. Accordingly, the withheld e-mails are "deliberative" within the meaning of the deliberative process privilege.

* * *

In sum, only a portion of the withheld materials are subject to the deliberative process privilege. Of the audit workpapers, only the two screenshots (Anthem_000023, Anthem_00024) are subject to the deliberative process privilege. In contrast, the sign-in sheets (Anthem_00005, Anthem_ 00017); e-mail request for a policy statement from Anthem (Anthem_00018–Anthem_00020); and information request memoranda between OPM and Anthem (Anthem_00007, Anthem_00008) are not subject to the deliberative process privilege. With respect to the meeting write-ups, the enterprise security and logical access reports (Anthem_00006, Anthem_00009–10) contain only factual material and are not subject to the privilege, but the configuration management, network security, and special investigations and fraud reports (Anthem_00001–Anthem_00004, Anthem_00011–Anthem–00016, Anthem_00021–Anthem–00022) contain certain material that is both predecisional and deliberative, rendering those portions of the documents subject to the privilege. Lastly, all the withheld electronic correspondence between and amongst government actors (Anthem_00025–Anthem_00267) is subject to the deliberative process privilege.

B. Whether Documents Protected Under the Deliberate Process Privilege Should be Disclosed in Light of Lead Plaintiffs' Demonstrated Need

Documents, or portions thereof, that are subject to the deliberative process privilege may nonetheless be disclosed if Lead Plaintiffs' demonstrated need for the document outweighs the Government's interest in withholding it. Lead Plaintiffs assert that they need all the withheld materials in order to effectively support their position in the multidistrict litigation in California. See Pls.' Mot. at 38–39. They contend that the materials are not only relevant to that serious litigation, but also that OPM is the only source on which they can depend to obtain the materials. Id. at 38–40. Moreover, they submit, these materials were intended to benefit the very people who now seek to use them—federal employee-enrollees who are plaintiffs in the multidistrict litigation. Id. at 40. Lastly, Lead Plaintiffs suggest that any collateral possibility of government timidity or harm resulting from the materials' disclosure is mild, at worst, because the documents were prepared by lower-level government staff members and could be released under a protective order for use only in the multidistrict litigation, after which they would be returned to OPM. Id. at 40–41. The Government responds that several factors indicate Lead Plaintiffs have not met their burden of showing their need justifies disclosure of the privileged materials: (1) a blanket assertion of "relevance" to the multidistrict litigation is too vague; (2) some of the information Lead Plaintiffs seek is available from Anthem itself; (3) though the multidistrict litigation is serious, the Government has an equal, if not more, serious interest in maintaining the confidentiality of its audit procedures and methods; (4) OPM and OIG are not parties to the litigation; and (5) most importantly, disclosure of these materials would prevent employees, of all levels, from engaging in the " ‘open and frank’ assessment that leads to better quality decision-making in government." See Gov't's Opp'n at 24–28.

The court agrees with the Government. Lead Plaintiffs have not sufficiently shown that their need to use documents and portions of documents protected by the deliberative process privilege outweighs the Government's interest in withholding those documents.

The only audit workpapers the deliberative privilege process protects in full—the two screenshots—reveal information at the center of the audit process and the auditor's notations. Lead Plaintiffs' need to understand the audit process does not logically extend to an image of the software used to conduct that audit. Moreover, the screenshots contain auditors' subjective impressions that, if disclosed, would risk chilling the critical eye with which auditors must perform their duties. Indeed, the honesty and forthrightness of the entire audit process could be compromised or diminished if government employees undertook the steps of an audit believing their contemporaneous annotations would be subject to disclosure in later litigation.

Similar considerations lead the court to conclude that the internal agency e-mails concerning audit close-out issues and potential contract modifications, as well as those portions of the meeting write-ups subject to the deliberative process privilege, also should not be disclosed. While these categories of documents may be available only from OPM, see Pls.' Mot. at 39, their disclosure too greatly risks thwarting employees' ability to freely communicate and exchange ideas. See Judicial Watch , 847 F.3d at 739–40, 2017 WL 490417, at *3. Furthermore, substantial portions of the withheld e-mails regarding contract modification are of limited or no relevance to the underlying multidistrict litigation. Many pertain to OPM's development of future federal benefits and insurance contracts, generally, without any reference to Anthem, specifically. These e-mails are of no obvious relevance in the underlying litigation, but are of great importance to the Government, given that they reflect employees' back-and-forth discussions over the proper character and content of federal contracts. To the extent other e-mails are specific to Anthem, either regarding contract modification or the closing out of particular recommendations, none pertain specifically to the data breach or its causes. Therefore, what minimal interest, if any, Lead Plaintiffs have in those records is still outweighed by the substantial risk of chilling government actors' ability to communicate effectively during the audit process. See id.

Overall, although the scope and allegations of the underlying litigation plainly are serious, maintaining the confidentiality of the withheld information is of equal, if not greater, import. Under these circumstances, on the record presented and with the benefit of having reviewed the materials in camera, the court cannot say Lead Plaintiffs have carried their burden of proving the balance of interests tips in favor of disclosure.

C. Which Documents Not Subject to the Deliberative Process Privilege are Protected Under the Law Enforcement Privilege and Whether those Documents Should be Disclosed in Light of Lead Plaintiffs' Demonstrated Need

Because the court concludes that several audit workpapers, two meeting write-ups, and portions of three other meeting write-ups are not subject to the deliberative process privilege, the court must reach the Government's secondary argument that those materials are protected from disclosure under the law enforcement privilege. The Government bears the burden of proving the information for which the law enforcement privilege is claimed falls within the scope of the privilege. See In re Sealed Case , 856 F.2d at 271.

Lead Plaintiffs maintain that the privilege cannot apply to the audit workpapers and meeting write-ups because these materials were not created for and do not otherwise relate to an ongoing criminal investigation—rather, in Lead Plaintiffs' view, the audit was a routine government act. See Pls.' Mot. at 28–29. The Government submits that OPM's audits are conducted, in part, for law enforcement purposes, as part of the OIG's statutory duty to "prevent and detect fraud and abuse." See Gov't's Opp'n at 20 (alterations omitted) (quoting 5 U.S.C. app. 3 § 2 ). Consequently, the Government's argument continues, the audit workpapers and meeting write-ups at issue here are subject to the privilege because they are written evidence of law enforcement techniques the agency uses "to uncover weaknesses and potential violations of law or practice, should they exist," and, therefore, are protected from disclosure by the law enforcement privilege. Id. at 21; see also id. at 20–22.

The Government advances three additional arguments against disclosure. First, the Government represents that revelation of these materials would impair OPM's ability to conduct future investigations because companies would become aware of how OPM conducts its audits. See id. at 22. Second, and relatedly, the Government believes disclosing the audit workpapers and meeting write-ups would inappropriately make public what federal auditors found significant about Anthem's audit, thereby encouraging companies to tailor their responses to OIG audits and, correlatively, jeopardizing the accuracy of OIG's audit findings and recommendations. See id. at 23. Third, the Government fears that disclosing these materials will also have the effect of chilling auditors' candidness in describing the issues they encounter. See id.

The court assumes, without deciding, that the law enforcement privilege applies to these materials because the court ultimately finds that the balance of interests tips in favor of disclosing them to Lead Plaintiffs. First and foremost, these audit workpapers and meeting write-ups do not pertain to an ongoing or closed criminal or civil investigation of a particular law violation and, therefore, fall outside the heartland of the types of records the privilege is designed to protect. Even if the court were to accept the Government's position that an audit designed to ferret out unknown, potential system weaknesses or law violations is entitled to some protection, OPM's 2013 investigation of Anthem's IT systems is now complete, and OPM has publicly disclosed the weaknesses it identified in Anthem's systems by publishing the 2013 Final Audit Report. See, e.g. , 2013 Final Audit Report at 9–10 (evaluating Anthem's configuration compliance auditing and stating that Anthem was "unable to provide any evidence that a configuration compliance program had ever been in place at the company"). Thus, the need for continued secrecy of the records informing OPM's assessment is diminished. Additionally, the information to be disclosed in the sign-in sheets, e-mail request for a policy statement, information requests, and write-ups on the enterprise security and logical access meetings is purely factual. As these documents contain no deliberative content, they cannot reasonably risk chilling government self-evaluation or internal efforts to improve the audit process. Although certain materials are of greater significance and relevance to Lead Plaintiffs' lawsuit—e.g., the court presumes the sign-in sheets are of somewhat lesser value to Lead Plaintiffs' breach of contract claims than is OPM's request for Anthem to send an official policy statement pertaining to why it would not allow OPM to run a vulnerability scan on Anthem's network—the court accepts that all these materials may reasonably assist Lead Plaintiffs in their underlying efforts to establish that "Anthem failed to take even the most basic security precautions" that could have protected personal information. See Pls.' Mot. at 2.

The court also notes that it has no reason to believe Lead Plaintiffs' lawsuit is frivolous or brought in bad faith.

Furthermore, disclosure of these materials simply does not carry the risks the Government anticipates. First and foremost, all the materials to be disclosed will be covered by the protective order in the underlying litigation. See Proposed Stipulated Protective Order, In re Anthem , No. 15–2617 (N.D. Cal. Sept. 18, 2015), ECF No. 292; Order Granting Stipulated Protective Order, In re Anthem , No. 15–2617 (N.D. Cal. Sept. 21, 2015), ECF No. 293. Additionally, with respect to the Government's fears that disclosure will cause companies like Anthem to be less candid with OIG auditors in the future, those fears are mitigated by the fact that the companies are contractually obligated to cooperate during OIG's IT systems audits. The companies also are incentivized to supply requested information to auditors to promote renewal of their federal contract. Moreover, given that OPM posts redacted final audit reports on OIG's website, see Vint Decl. ¶ 9, companies are further incentivized to cooperate with government auditors to avoid the public embarrassment of their non-cooperation coming to light.

Although the Government does not make the argument, the court also has considered the extent to which disclosure of the sign-in sheets would affect those whose names, work telephone numbers, and/or employment titles appear therein. The court concludes that release of this personal information will have little to no effect on these individuals' privacy, as this personal information will be subject to the protective order.
--------

Therefore, the court concludes that, even assuming the law enforcement privilege is broad enough to encompass the materials in this litigation that are not protected by the deliberative process privilege, the balance of interests warrants disclosure. IV. CONCLUSION

In light of the foregoing, the court grants in part and denies in part Lead Plaintiffs' Motion to Compel. The court concludes the audit workpapers that are screenshots of internal auditing procedures (Anthem_000023, Anthem_00024) and the e-mails between and amongst OPM employees (Anthem_00025–Anthem_00267) are privileged and shall not be disclosed. The court orders partial disclosure, in accordance with the Order accompanying this Memorandum Opinion, of the three meeting write-ups pertaining to Anthem's configuration management (Anthem_ 00001–Anthem_00004), network security (Anthem_00011–Anthem_00016), and special investigations and fraud (Anthem_00021–Anthem_00022). Further, the Government shall disclose in full the written reports pertaining to meetings on Anthem's "enterprise security" and "logical access" (Anthem_00006, Anthem_00009–10). Lastly, the court orders disclosure in full of the audit workpapers comprising the sign-in sheets (Anthem_00005, Anthem_00017); e-mail request for a policy statement from Anthem (Anthem_00018–Anthem_00020); and information request memoranda between OPM and Anthem (Anthem_00007, Anthem_00008).

A separate Order accompanies this Memorandum Opinion.


Summaries of

In re Anthem, Inc. Data Breach Litig.

UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA
Feb 21, 2017
236 F. Supp. 3d 150 (D.D.C. 2017)
Case details for

In re Anthem, Inc. Data Breach Litig.

Case Details

Full title:IN RE: ANTHEM, INC. DATA BREACH LITIGATION

Court:UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA

Date published: Feb 21, 2017

Citations

236 F. Supp. 3d 150 (D.D.C. 2017)

Citing Cases

Sourgoutsis v. U.S. Capitol Police

To qualify for the privilege, documents must be both " predecisional" and " deliberative." In re …

Breiterman v. U.S. Capitol Police

To qualify for the privilege, documents must be both " predecisional" and " deliberative." In re …