1 2 3 4 UNITED STATES DISTRICT COURT 5 NORTHERN DISTRICT OF CALIFORNIA 6 7 AFFINITY CREDIT UNION, et al., Case No. 22-cv-04174-JSW
8 Plaintiffs, ORDER RESOLVING DISCOVERY 9 v. DISPUTES
10 APPLE INC., Re: Dkt. No. 72 Defendant. 11
12 13 Now before the Court for consideration is the Joint Letter Brief regarding Disputed 14 Provisions of Proposed Protective Order and Protocol for Electronically Stored Information (“ESI 15 Protocol”). (Dkt. No. 72.) The Court finds the matter appropriate for resolution without further 16 briefing or telephone conference. See Civ. L.R. 7-1(b); Civil Standing Order No. 7. 17 Plaintiffs Affinity Credit Union, Greenstate Credit Union, and Consumers Co-Op Credit 18 Union (“Plaintiffs”) and Defendant Apple Inc. (“Apple”) have submitted competing proposed 19 Protective Orders and ESI Protocols. Although the competing proposed orders are substantially 20 identical, Plaintiffs believe Apple’s desired security and confidentiality measures go too far. 21 Apple counters that stringent measures are necessary because hackers increasingly target law firms 22 to access confidential information, and it fears that certain documents could be used by Plaintiffs 23 to gain commercial advantage in future negotiations. 24 The parties’ dispute seemingly places in conflict two important concerns: on the one hand, 25 expeditiously litigating this putative class action, and, on the other, safeguarding the parties (and 26 innocent non-parties) from disclosure and misuse of their private information. Resolution is much 27 simpler than this dispute would suggest because the least restrictive measures proposed by 1 enters the final Protective Order and ESI Protocol in subsequent docket entries. 2 A. The Court Adopts Provisions from Each of the Proposed Protective Orders. 3 The parties disagree regarding one issue in Section 9 and two issues in Section 11 of the 4 proposed Protective Orders. As discussed below, the Court adopts language from each of the 5 parties’ proposals. 6 1. The Court Approves Apple’s Language Regarding Discovery Material Designated As “Highly Confidential – Attorneys’ Eyes Only.” 7 8 The parties agree to include a category of confidential document production for “Highly 9 Confidential” information that “is extremely confidential and/or sensitive in nature and [that] the 10 Producing Party reasonably believes . . . is likely to (1) cause economic harm or significant 11 competitive disadvantage to the Producing Party or (2) reveal personal identifiable information.” 12 (Dkt. No. 72-1, at 1.) Apple seeks to make this category “Attorneys’ Eyes Only,” meaning that no 13 client representatives may view the information. Plaintiffs propose permitting up to three client 14 representatives and their immediate staff to access Highly Confidential materials. 15 Apple argues that Plaintiffs may use the Highly Confidential materials for improper 16 purposes, including in future negotiations with Apple. Plaintiffs contend that Apple’s concern 17 lacks a reasonable basis because Plaintiffs and Apple are not competitors and because Apple uses 18 standardized terms for all issuer banks. 19 While Plaintiffs’ position has merit, the proposed “Highly Confidential” definition only 20 relates to materials that could “cause economic harm or significant competitive disadvantage.” 21 Because Plaintiffs and Apple are not competitors, and because Apple uses standardized terms, this 22 definition cannot realistically cover a significant number of materials that impact Plaintiffs’ ability 23 to assess the strengths and weaknesses of their case. The Court would be skeptical if the “Highly 24 Confidential” designation were used more than sparingly to shield competitive information. 25 The Court thus adopts Apple’s proposed language limiting this category to Attorneys’ 26 Eyes Only. Plaintiffs may challenge the designation of some or all of the materials as Highly 27 Confidential at a later date if Plaintiffs have a good faith basis to believe the designations are 1 2. The Court Approves Plaintiffs’ Language Regarding Data Security. 2 Apple seeks an order requiring the parties to comply with one of three strict security 3 protocols, reasoning that the trend in recent years has been for firms and courts to require stricter 4 measures. Apple also requests language requiring multi-factor authentication for access to 5 confidential materials. Plaintiffs argue that Apple’s cybersecurity protocols are impractical and 6 expensive. They point out that, in the only identified similar case involving Apple’s proposed 7 protocols, the plaintiffs and their experts spent 250 hours over the course of eight weeks to 8 implement the protocols. (Dkt. No. 72, at 3.) Finally, Plaintiffs assert that Apple’s proposed 9 language regarding multi-factor authentication is overbroad and ambiguous. 10 Apple’s proposed language is a departure from the Model Protective Order for this 11 District. Although the trend may be to adopt increasingly strict cybersecurity protocols, the Court 12 finds that Plaintiffs’ proposed language is more than sufficient. Where the Model Protective 13 Order requires Protected Material to be “stored and maintained. . . in a secure manner,” (see 14 “Model Protective Order for Standard Litigation,” ¶ 7.1, available at 15 https://www.cand.uscourts.gov/forms/model-protective-orders/), Plaintiff’s proposed language 16 goes above and beyond: It requires the Receiving Party to “implement an information security 17 management system (“ISMS”), including reasonable and appropriate administrative, physical, and 18 technical safeguards and network security and encryption technologies governed by written 19 policies and procedures, designed to protect against any reasonably anticipated threats or hazards 20 to the security of such Protected Material and to protect against unauthorized access to Protected 21 Material.” (Dkt. No. 72-1, at 3.) This is more than sufficient. 22 The Court also finds Plaintiffs’ language regarding multi-factor authentication to be 23 sufficient. Apple’s proposed language of “for any access” is vague, and it is unclear how the 24 Court would enforce the provision. It is unclear to the Court if, for example, authentication would 25 be required when opening every draft of a brief or letter, or if authentication when logging into 26 one’s computer is sufficient. Plaintiffs’ language of “to prevent unauthorized access” is judicially 27 administrable: if a breach occurs because an access point lacked multi-factor authentication, the 1 3. The Court Adopts Plaintiffs’ Language Regarding Data Breach Discovery. 2 The parties define a “Data Breach” as including “any cyberattack or other deliberate 3 security breach. . . including as a result of or following an inadvertent disclosure.” (Dkt. No. 72-1, 4 at 4.) In the event of a Data Breach, “the Parties shall meet and confer in good faith regarding any 5 adjustments that should be made to the discovery process and discovery schedule in this action.” 6 (Id. at 5.) Apple seeks the following language be added: “Further, the Receiving Party shall 7 submit to reasonable discovery concerning the Data Breach.” (Id.) 8 Apple contends that its proposed language is reasonable, appropriate, and fulfills the 9 purpose of the protective order. Plaintiffs respond that it is unreasonable to mandate data breach 10 discovery and assert that a party can make an application for discovery if a breach occurs. 11 The Court is concerned that Apple’s language would invite satellite disputes unrelated to 12 resolution of this action. Moreover, Section 11(c) of the proposed Protective Orders requires 13 compliance with “reasonable request(s) that Receiving Party investigate, remediate, and mitigate 14 the effects of a Data Breach. . . [and] promptly provide any information that is reasonably 15 requested by Producing Party and that relates to any such Data Breach. . . .” (Id.
Free access — add to your briefcase to read the full text and ask questions with AI
1 2 3 4 UNITED STATES DISTRICT COURT 5 NORTHERN DISTRICT OF CALIFORNIA 6 7 AFFINITY CREDIT UNION, et al., Case No. 22-cv-04174-JSW
8 Plaintiffs, ORDER RESOLVING DISCOVERY 9 v. DISPUTES
10 APPLE INC., Re: Dkt. No. 72 Defendant. 11
12 13 Now before the Court for consideration is the Joint Letter Brief regarding Disputed 14 Provisions of Proposed Protective Order and Protocol for Electronically Stored Information (“ESI 15 Protocol”). (Dkt. No. 72.) The Court finds the matter appropriate for resolution without further 16 briefing or telephone conference. See Civ. L.R. 7-1(b); Civil Standing Order No. 7. 17 Plaintiffs Affinity Credit Union, Greenstate Credit Union, and Consumers Co-Op Credit 18 Union (“Plaintiffs”) and Defendant Apple Inc. (“Apple”) have submitted competing proposed 19 Protective Orders and ESI Protocols. Although the competing proposed orders are substantially 20 identical, Plaintiffs believe Apple’s desired security and confidentiality measures go too far. 21 Apple counters that stringent measures are necessary because hackers increasingly target law firms 22 to access confidential information, and it fears that certain documents could be used by Plaintiffs 23 to gain commercial advantage in future negotiations. 24 The parties’ dispute seemingly places in conflict two important concerns: on the one hand, 25 expeditiously litigating this putative class action, and, on the other, safeguarding the parties (and 26 innocent non-parties) from disclosure and misuse of their private information. Resolution is much 27 simpler than this dispute would suggest because the least restrictive measures proposed by 1 enters the final Protective Order and ESI Protocol in subsequent docket entries. 2 A. The Court Adopts Provisions from Each of the Proposed Protective Orders. 3 The parties disagree regarding one issue in Section 9 and two issues in Section 11 of the 4 proposed Protective Orders. As discussed below, the Court adopts language from each of the 5 parties’ proposals. 6 1. The Court Approves Apple’s Language Regarding Discovery Material Designated As “Highly Confidential – Attorneys’ Eyes Only.” 7 8 The parties agree to include a category of confidential document production for “Highly 9 Confidential” information that “is extremely confidential and/or sensitive in nature and [that] the 10 Producing Party reasonably believes . . . is likely to (1) cause economic harm or significant 11 competitive disadvantage to the Producing Party or (2) reveal personal identifiable information.” 12 (Dkt. No. 72-1, at 1.) Apple seeks to make this category “Attorneys’ Eyes Only,” meaning that no 13 client representatives may view the information. Plaintiffs propose permitting up to three client 14 representatives and their immediate staff to access Highly Confidential materials. 15 Apple argues that Plaintiffs may use the Highly Confidential materials for improper 16 purposes, including in future negotiations with Apple. Plaintiffs contend that Apple’s concern 17 lacks a reasonable basis because Plaintiffs and Apple are not competitors and because Apple uses 18 standardized terms for all issuer banks. 19 While Plaintiffs’ position has merit, the proposed “Highly Confidential” definition only 20 relates to materials that could “cause economic harm or significant competitive disadvantage.” 21 Because Plaintiffs and Apple are not competitors, and because Apple uses standardized terms, this 22 definition cannot realistically cover a significant number of materials that impact Plaintiffs’ ability 23 to assess the strengths and weaknesses of their case. The Court would be skeptical if the “Highly 24 Confidential” designation were used more than sparingly to shield competitive information. 25 The Court thus adopts Apple’s proposed language limiting this category to Attorneys’ 26 Eyes Only. Plaintiffs may challenge the designation of some or all of the materials as Highly 27 Confidential at a later date if Plaintiffs have a good faith basis to believe the designations are 1 2. The Court Approves Plaintiffs’ Language Regarding Data Security. 2 Apple seeks an order requiring the parties to comply with one of three strict security 3 protocols, reasoning that the trend in recent years has been for firms and courts to require stricter 4 measures. Apple also requests language requiring multi-factor authentication for access to 5 confidential materials. Plaintiffs argue that Apple’s cybersecurity protocols are impractical and 6 expensive. They point out that, in the only identified similar case involving Apple’s proposed 7 protocols, the plaintiffs and their experts spent 250 hours over the course of eight weeks to 8 implement the protocols. (Dkt. No. 72, at 3.) Finally, Plaintiffs assert that Apple’s proposed 9 language regarding multi-factor authentication is overbroad and ambiguous. 10 Apple’s proposed language is a departure from the Model Protective Order for this 11 District. Although the trend may be to adopt increasingly strict cybersecurity protocols, the Court 12 finds that Plaintiffs’ proposed language is more than sufficient. Where the Model Protective 13 Order requires Protected Material to be “stored and maintained. . . in a secure manner,” (see 14 “Model Protective Order for Standard Litigation,” ¶ 7.1, available at 15 https://www.cand.uscourts.gov/forms/model-protective-orders/), Plaintiff’s proposed language 16 goes above and beyond: It requires the Receiving Party to “implement an information security 17 management system (“ISMS”), including reasonable and appropriate administrative, physical, and 18 technical safeguards and network security and encryption technologies governed by written 19 policies and procedures, designed to protect against any reasonably anticipated threats or hazards 20 to the security of such Protected Material and to protect against unauthorized access to Protected 21 Material.” (Dkt. No. 72-1, at 3.) This is more than sufficient. 22 The Court also finds Plaintiffs’ language regarding multi-factor authentication to be 23 sufficient. Apple’s proposed language of “for any access” is vague, and it is unclear how the 24 Court would enforce the provision. It is unclear to the Court if, for example, authentication would 25 be required when opening every draft of a brief or letter, or if authentication when logging into 26 one’s computer is sufficient. Plaintiffs’ language of “to prevent unauthorized access” is judicially 27 administrable: if a breach occurs because an access point lacked multi-factor authentication, the 1 3. The Court Adopts Plaintiffs’ Language Regarding Data Breach Discovery. 2 The parties define a “Data Breach” as including “any cyberattack or other deliberate 3 security breach. . . including as a result of or following an inadvertent disclosure.” (Dkt. No. 72-1, 4 at 4.) In the event of a Data Breach, “the Parties shall meet and confer in good faith regarding any 5 adjustments that should be made to the discovery process and discovery schedule in this action.” 6 (Id. at 5.) Apple seeks the following language be added: “Further, the Receiving Party shall 7 submit to reasonable discovery concerning the Data Breach.” (Id.) 8 Apple contends that its proposed language is reasonable, appropriate, and fulfills the 9 purpose of the protective order. Plaintiffs respond that it is unreasonable to mandate data breach 10 discovery and assert that a party can make an application for discovery if a breach occurs. 11 The Court is concerned that Apple’s language would invite satellite disputes unrelated to 12 resolution of this action. Moreover, Section 11(c) of the proposed Protective Orders requires 13 compliance with “reasonable request(s) that Receiving Party investigate, remediate, and mitigate 14 the effects of a Data Breach. . . [and] promptly provide any information that is reasonably 15 requested by Producing Party and that relates to any such Data Breach. . . .” (Id. at 4.) If this 16 informal discovery is insufficient, the Producing Party can seek leave to conduct formal discovery 17 from the Court. 18 4. Leave of Court Is Required to File Documents Under Seal. 19 The Court sua sponte modifies Section 1 and Section 13 of the Protective Order. No 20 documents may be filed under seal without prior authorization from the Court, consistent with the 21 Civil Local Rules. 22 B. The Court Approves Plaintiffs’ ESI Protocol. 23 Apple seeks to add language to the ESI Protocol as follows: “With respect to privileged or 24 work-product information involving in-house or outside litigation counsel in this action and 25 generated after the filing of the complaint, parties are not required to include any such information 26 in privilege logs.” (Dkt. No. 72-1 at 7, proposed language in bold.) Apple argues that there is no 27 principled distinction between in-house and outside communications because Apple employs in- 1 would be unduly burdensome and have a “chilling effect” on attorney-client communications. 2 Plaintiffs argue that Apple has no basis to unilaterally designate in-house counsel as 3 litigation counsel. Plaintiffs assert that Apple has a history of including in-house counsel on 4 business emails to create a false appearance of privilege, and they argue that requiring a privilege 5 log would protect against excessive claims of privilege and would not be unduly burdensome. 6 Plaintiffs also point out that they attempted to reach compromise with Apple by seeking the names 7 of in-house litigation counsel whose communications and work product could properly be 8 withheld from the privilege log, and Apple refused. 9 1. Legal Standards Pertaining to Attorney-Client Communications. 10 The attorney-client privilege protects confidential communications made by clients to their 11 attorneys to obtain legal advice and the attorneys’ advice in response. United States v. Ruehle, 12 583 F.3d 600, 607 (9th Cir. 2009). “The fact that a person is a lawyer does not make all 13 communications with that person privileged.” Id. (quoting United States v. Martin, 278 F.3d 988, 14 999 (9th Cir. 2002)). 15 “In the corporate context, courts have recognized that in-house counsel is often involved in 16 the day-to-day operation of the company.” L.D. v. United Behav. Health, No. 17 20CV02254YGRJCS, 2022 WL 3139520, at *13 (N.D. Cal. Aug. 5, 2022). “Because 18 communications with in-house counsel relating only to the business operations of the company are 19 not protected by attorney-client privilege, a client seeking to protect communications between a 20 corporate client and in-house counsel must ‘make a clear showing that in-house counsel’s advice 21 was given in a professional legal capacity.’” Id. (quoting United States v. Chevron Corp., No. C- 22 94-1885 SBA, 1996 WL 264769, at *4 (N.D. Cal. Mar. 13, 1996)). 23 The Ninth Circuit has articulated an eight-part test to determine whether information is 24 covered by the privilege: 25 (1) Where legal advice of any kind is sought (2) from a professional legal adviser in his capacity as such, (3) the communications relating to that purpose, (4) made in confidence 26 (5) by the client, (6) are at his instance permanently protected (7) from disclosure by himself or by the legal adviser, (8) unless the protection be waived. 27 1 Cir. 1992)). The party asserting the privilege has the burden of establishing that the 2 communications are privileged “and, if necessary, to segregate the privileged information from the 3 non-privileged information.” Id. at 609. The production of a privilege log is a well-established 4 means by which a party asserting privilege can make a prima facie showing that the information is 5 protected. In re Grand Jury Investigation, 974 F.2d at 1070-71. 6 Courts in this circuit typically do not require litigants to produce a privilege log for 7 communications and work product made after litigation commences. In re Snap Inc. Sec. Litig., 8 No. CV1703679SVWAGRX, 2018 WL 7501294, at *1 (C.D. Cal. Nov. 29, 2018). However, 9 there is no consensus on whether such logs are required by Federal Rule of Civil Procedure 10 26(b)(5)(A) and whether a distinction between in-house counsel and outside counsel is warranted. 11 See Weiland Sliding Doors & Windows, Inc. v. Panda Windows & Doors, LLC, No. 10CV0677 12 JLS (MDD), 2011 WL 13100735, at *3 (S.D. Cal. June 23, 2011) (noting lack of consensus and 13 declining to require privilege logs for post-litigation communications where continuing conduct 14 was not at issue). 15 2. Apple Has Not Made a “Clear Showing” That In-House Counsel Communications Would Be Made in Furtherance of Providing Legal Advice. 16 17 Apple has not met its burden to make a prima facie showing that communications with its 18 in-house counsel may be withheld without logging. It fails to meet prongs (2) and (3) of the 19 privilege test, because it is unclear that in-house counsel for Apple are acting “in their capacity” as 20 legal advisors or that the withheld communications “relate to that purpose.” See Ruehle, 583 F.3d 21 at 607. As Apple recognizes, there may be a “general practice,” not specific to Apple, “of 22 business people including a lawyer in an email chain in the incorrect belief that doing so makes 23 the email privileged.” (Dkt. No. 72, at 8 (internal quotations omitted).) Providing a privilege log 24 will permit Plaintiffs to assess whether communications are made for legal advice or pursuant to 25 Apple’s ordinary business practice. 26 The Court further agrees with Plaintiffs that a compromise to ease the burden of producing 27 a privilege log is possible in the event Apple identifies specific in-house litigation counsel whose ] would not, as Apple claims, “restrict [its] ability to assess documents individually” or 2 || “presuppose[ Apple’s] wrongdoing.” (/d. at 8 n.38.) Apple has the same obligation to assess 3 || responsive communications with or without such a list; the sole difference the list would provide 4 || is that Apple would not have the burden of including privileged communications from the listed 5 individuals in the privilege log. 6 Accordingly, the Court adopts Plaintiff's ESI Protocol in full. Apple may move to enter an 7 || amended ESI protocol in the event the parties reach a compromise regarding the privilege log. 8 IT IS SO ORDERED. a | 9 Dated: March 29, 2024 ff | ; f i □ 10 JEFFREYS. WH (rites pies Dis#rict Judge x 12 j i i
«14
Oo Z 18 19 20 21 22 23 24 25 26 27 28