Simmons v. USAble Corporation
This text of Simmons v. USAble Corporation is published on Counsel Stack Legal Research, covering District Court, E.D. Arkansas primary law.
Opinion
Case 4:20-cv-00137-KGB Document 40 Filed 09/30/21 Page 1 of 56
THE UNITED STATES DISTRICT COURT EASTERN DISTRICT OF ARKANSAS CENTRAL DIVISION
KEVIN SIMMONS, BILLIE OVERSTREET, AND JAMES YOUNG, Each Individually and on Behalf of All Others Similarly Situated PLAINTIFFS
v. Case No. 4:20-cv-00137-KGB
USABLE CORPORATION DEFENDANT
OPINION AND ORDER
Before the Court is defendant USAble Mutual Insurance Company’s 1 (“USAble”) motion
for summary judgment (Dkt. No. 24). Plaintiffs Kevin Simmons, Billie Overstreet, James Young,
S. Todd Miller, Scott Cavanaugh, and Janel Broadhurst (jointly “plaintiffs”) oppose the motion
(Dkt. No. 32). For the following reasons, the Court grants USAble’s motion for summary
judgment (Dkt. No. 24).
I. Statement Of Facts
Unless otherwise stated, the facts are drawn from defendant’s statement of undisputed facts
and plaintiffs’ response to defendant’s statement of undisputed facts (Dkt. Nos. 26, 33).
USAble is an Independent Licensee of Blue Cross Blue Shield Association and offers
health and dental insurance policies for individuals and families throughout the State of Arkansas
(Dkt. No. 26, ¶ 1). USAble regularly maintains, accesses, uses, receives, and transmits the
Protected Health Information and Personal Identifiable Information (collectively, “PHI”) of its
members to assess and determine eligibility for claims of coverage and reimbursement (Id., ¶ 2).
The Enterprise Information Security Office (“EIS”), a functional department within USAble, is
1 USAble Mutual Insurance Company states that it was incorrectly named as “USAble Corporation” in the case caption (Dkt. No. 24, at 1).
responsible for the security of the enterprise’s information (Id., ¶ 3). EIS was previously
designated as the Information Security Office, and the change to EIS came early in the applicable
statutory period; the name modification did not substantively alter the information security
functions for which the department was responsible (Id., ¶ 4). EIS is, and was during the applicable
statutory period, responsible for a variety of security functions, managing security related
deployment, and developing projects and security policy that align with USAble’s enterprise
security operations with industry and regulatory compliance (Id., ¶ 5).
The Lead Information Security Analyst and Information Security Analyst positions were
located within EIS during the applicable statutory period (Id., ¶ 6). Mr. Simmons, Ms. Overstreet,
and Mr. Miller were employed as Lead Information Security Analysts at USAble (Id., ¶ 7). Ms.
Broadhurst, Mr. Cavanaugh, and Mr. Young were employed as Information Security Analysts at
USAble (Id., ¶ 8).
Both the Lead Information Security Analyst and the Information Security Analyst positions
were designated as either Level I, Level II, or Level III, each requiring progressively more
experience than the preceding “Level” (Id., ¶ 9). However, plaintiffs deny that the stated job
descriptions for the roles accurately reflect the job duties performed by plaintiffs (Dkt. No. 33, ¶
9).
In February 2017, Al Ross was hired by USAble as the Supervisor of EIS and immediate
supervisor of plaintiffs (Dkt. No. 26, ¶ 11). Mr. Ross was promoted to Manager of EIS in or about
September 2018 (Id., ¶ 12). Devin Shirley was the Director of EIS and Mr. Ross’s immediate
supervisor during the entire applicable statutory period and, beginning in September 2017, became
Chief Information Security Officer in conjunction with his Director of EIS position (Id., ¶ 13).
Prior to February 2017, plaintiffs had substantial leeway in defining their work schedules,
including the liberty to work from home (Id., ¶ 14). Mr. Ross set standardized office hours for
EIS employees in order to increase their shared time in the office and, thereby, enable more
opportunities to engage each other on EIS matters (Id., ¶ 15). Plaintiffs claim, with identical
estimations, that they worked “at least 60–65 hours per week on average. However, there were
weeks that each of us [plaintiffs] had to work up to 75 hours . . .,” excluding the “5–15 extra hours
per week” plaintiffs purportedly spent “on-call.” (Id., ¶ 16). Plaintiffs complain that Mr. Ross
“shifted who was performing which job duties almost bi-weekly, as well as who would be the
back-up for each duty.” (Id., ¶ 17).
Plaintiffs identify the following as duties for which they were collectively “responsible for”
since 2017, including: (1) Policies and Procedures; (2) Business Continuity Program Management;
(3) Disaster Recovery Program Management; (4) Disaster Recovery Exercising; (5) Vulnerability
Management; (6) Patch Management; (7) Threat Hunting; (8) Threat Intelligence; (9) SIEM
(Security Information and Event Management); (10) Employee Training and Awareness; (11)
Database Activity Monitoring; (12) SDLC (System Development Lifecycle) Management; (13)
Incident Management; (14) Cap Keeper; (15) Audit Management; (16) Risk Assessment; (17) Risk
Analysis; (18) Contract Review; (19) Vendor Security Management; (20) HITRUST Compliance
Management; (21) Service Now; and (22) DLP (Data Loss Prevention) (Id., ¶ 18). Ms. Broadhurst
also includes “working on the SharePoint site which was the ‘warehouse’ of all BCBS of
Enterprise Policies and Procedures (EPP)” and, “[b]ecause [she] was the Administrator of this web
site (EPP) [she] spent approximately 20 hours on the website and 30 hours auditing.” (Id., ¶ 18).
USAble states that each plaintiff played an integral and distinctive role in safeguarding the
information of USAble (Id., ¶ 20).
A. Plaintiffs
1. Kevin Simmons
Prior to his employment with USAble, Mr. Simmons received a Bachelor of Business
Administration in Management and a Master of Business Administration in Information Systems
from the University of Arkansas at Little Rock (“UALR”) and held several positions at the
University of Arkansas for Medical Sciences (“UAMS”), including Systems Analyst, Instructor,
and Subject Research Educator (Id., ¶ 21). Mr. Simmons was hired by USAble on or about
September 22, 2008, in the position of “security analyst” and was subsequently promoted to—and
employed during the applicable statutory period as—Lead Information Security Analyst I (Id., ¶
23). Prior to his employment with USAble as a permanent employee, Mr. Simmons was employed
by GVH, a contractor of USAble (Id., ¶ 24).
During his employment with USAble, the company paid for Mr. Simmons to obtain certain
“security” certifications, including: Certified Information Systems Security Professional
(“CISSP”), Certified Information Security Manager (“CISM”), and HITRUST Certification (Id.,
¶ 25). Mr. Simmons continues to maintain his CISSP and CISM certifications as they are each
relevant to his career as a security professional (Id., ¶ 26).
Mr. Simmons’ role within EIS centered on regulatory compliance, consuming
approximately 30 hours per week of the 50 to 55 hours he contends that he worked each week
during the applicable statutory period (Id., ¶ 27). Mr. Simmons denies that he had any authority
to bring USAble into compliance with regulations, but rather he asserts that he used the
requirements stated in the applicable regulations to create policy language, generally in a team
setting, that was then subject to the editing and approval of Mr. Ross or Mr. Shirley followed by
editing and approval of the Security Committee before implementation (Dkt. No. 33, ¶ 27).
Mr. Simmons utilized his knowledge and expertise of pertinent security regulations,
framework, and requirements to perform a number of discrete functions in this position, including
drafting policies and procedures, providing insight into security requirements applicable to
USAble, evaluating new lines of business, and reviewing contracts (Dkt. No. 26, ¶ 28). Mr.
Simmons confirmed that he was in fact determining what regulations and requirements applied,
such as for endpoint security, which included researching which regulations and requirements
applied, where necessary, and familiarizing himself with what those requirements were (Dkt. No.
33, ¶ 28).
During the applicable statutory period, EIS was tasked with developing policies and
procedures for the purpose of achieving “HITRUST certification” (Dkt. No. 26, ¶ 29). The
“HITRUST certification” that USAble was seeking to achieve is distinct from the individual
HITRUST certification Mr. Simmons received (Id., ¶ 30). A company that is HITRUST certified
uses the certification as a “selling point, [a] marketing point” for their business, as it conveys that
a company has sought to ensure regulatory compliance and enhance the security of its information
(Id., ¶ 31). USAble decided to attain HITRUST certification (Id., ¶ 32). HITRUST certification
requires, inter alia, that a company maintain certain policies which, as alluded to above, Mr.
Simmons, along with his co-employees in EIS, were commissioned to develop for USAble (Id., ¶
33).
Mr. Simmons argues generally that he did not develop the requirements reflected in the
policies and procedures but rather repeated the requirements of applicable regulations to create
policy language, generally in a team setting, and subject to the editing and approval of Mr. Ross
and Mr. Shirley (Dkt. No. 33, ¶ 29).
USAble purchased policy templates to provide a starting point for EIS in the drafting
process, though some were unable to be utilized (Dkt. No. 26, ¶ 34). These “templates” were
inadequate, and Mr. Simmons was tasked with ensuring that each policy was in compliance with
applicable regulations (Id., ¶ 35). Policies were divided up among the Lead Information Security
Analysts and Information Security Analysts, who individually developed initial policy drafts (Id.,
¶ 36). Thereafter, the group of analysts would reconvene to collectively review and provide input
as to the policy drafts (Id., ¶ 37). Due to time constraints, this collective policy review was
eventually reduced to a review with one or two people (Id., ¶ 38). Depending on its substance,
Mr. Simmons took into consideration the input provided by his co-workers (Id., ¶ 39). In the event
that Mr. Simmons disagreed with the input, he argued his position to the group (Id., ¶ 40). Mr.
Simmons objects to this representation, adding that he made changes to the policies he drafted
based on input from his coworkers and did not have authority to resolve disagreements regarding
policy language (Dkt. No. 33, ¶ 39-40).
Policies that Mr. Simmons drafted were presented to Mr. Ross and Mr. Shirley, to whom
Mr. Simmons provided his recommendations (Dkt. No. 26, ¶ 41). Mr. Simmons recommended to
Mr. Ross that policies should more closely track the language of the applicable regulation (Id., ¶
42; Dkt. No. 33, ¶ 41). Once Mr. Ross and Mr. Shirley “agreed” with how the policy was “written
and how [it] looked,” it was forwarded to the Security Committee for approval and implementation
(Id., ¶ 43). The Security Committee was comprised of voting and non-voting members (Id., ¶ 44).
The voting members were “all executives, high level,” and would vote on whether to approve the
policy under consideration (Id., ¶ 45). Mr. Simmons was a non-voting member of the Security
Committee and, in this capacity, “volunteered information” to the voting “executives” and
provided “input” if the voting “executives” had specific inquiries (Id., ¶ 46). Throughout the entire
policy-development process, USAble argues that Mr. Simmons utilized his knowledge of
regulatory and security frameworks to draft policies, make recommendations or suggestions, and
provide input, toward the goal of HITRUST certification and, ultimately, information security and
regulatory compliance (Id., ¶ 47). Mr. Simmons asserts that he used the language of the regulations
to draft policies, that he had no authority to deviate from the requirements of the regulations when
drafting policies, and that his recommendations were rejected (Dkt. No. 33, ¶ 47).
Separate from the development of the HITRUST certification policies, Mr. Simmons
developed and drafted other policies and procedures, such as an SDLC (System Development
Lifecycle) “policy of best practices.” (Dkt. No. 26, ¶ 48). Mr. Simmons developed “guidelines”
based off “NIST [] 800–53, which is a regulation often used,” for USAble software developers to
utilize when creating computer programs (Id., ¶ 49). Employing his knowledge of regulatory
requirements, in particular SP 800–53, Mr. Simmons distilled this comprehensive set of security
controls into a “policy format” to ensure that “consistent and secure code [was] developed.” (Id.,
¶ 50). The SDLC (System Development Lifecycle) policy drafted by Mr. Simmons was submitted
to the Security Committee—of which he was a member—for approval (Id., ¶ 51). Mr. Simmons
argues that, rather than “developing” policies, he merely drafted policy language based on the
language of applicable regulations, which was then subject to review and editing by Mr. Ross and
Mr. Shirley (Dkt. No. 33, ¶ 48).
USAble asserts that Mr. Simmons further deployed his knowledge of applicable
regulations and security frameworks to provide recommendations pertaining to information
security requirements (Dkt. No. 26, ¶ 52). Drawing on his “knowledge of regulatory
requirements,” Mr. Simmons researched regulations and advised decisionmakers as to the relevant
content (Id., ¶ 53).
Mr. Simmons assessed for compliance a “broad spectrum of tools” that provided “endpoint
security” for USAble (Id., ¶ 54). An “endpoint” is any device that is physically at the endpoint on
a network, such as desktop computers, laptop computers, and printers (Id., ¶ 55). Through his
knowledge of the regulatory requirements applicable to USAble, Mr. Simmons determined what
USAble’s “security requirements were for endpoint” protection (Id., ¶ 56).
While regulatory compliance is imperative to USAble, “[r]egulations and best practices are
not always one and the same.” (Id., ¶ 57). Mr. Simmons maintained knowledge not only of
applicable regulations but also what were “best practices.” (Id., ¶ 58).
On occasion, USAble considered entering new lines of business, which would require an
assessment of what regulations USAble would be obligated to comply with should it move forward
with the new line of business (Id., ¶ 59). Mr. Ross or Mr. Shirley “would come to [Mr. Simmons]
and say, ‘Look at this and see if there would be any – – what regulations would apply? Would it
be insurance? Would it be HIPAA? Would it be PCI [Payment Card Industry Data Security
Standard]?” (Id., ¶ 60). Utilizing his knowledge of the vast number of regulatory requirements
and security frameworks, Mr. Simmons analyzed the line of business and “provide[d] information
back” to Mr. Ross and/or Mr. Shirley (Id., ¶ 61).
Mr. Simmons also reviewed select “security related” contracts to which USAble was a
party in order to assess USAble’s obligations under the particular contract with respect to security
(Id., ¶ 62). Some contracts required USAble to attest that it was “SOC2” compliant (Id., ¶ 63). If
a contract required that USAble be SOC2 compliant, Mr. Simmons had to assess USAble’s internal
controls, make a determination as to whether USAble was compliant, and report his determination
to Mr. Ross (Id., ¶ 64).
In order to stay abreast of the vast regulatory requirements, security frameworks,
certifications, and best practices, Mr. Simmons would nightly review “audit findings,” analyze the
“latest threat intel type information,” “[r]egulations, HITRUST requirements,” and “NIST . .
requirements.” (Id., ¶ 65). Mr. Simmons performed “training” in order to maintain his
“certifications.” (Id., ¶ 66). Mr. Simmons ensured that he was informed about security issues and
how such issues could affect USAble by, for example, reading “CNN report[s]” and reviewing
“intel reports” from the FBI that alert readers as to “potential bad actors and vulnerabilities.” (Id.,
¶ 67). He specifically looked for “bad actors” or “vulnerabilities” that targeted the healthcare
industry or pertained to technologies that USAble utilized (Id., ¶ 68). “For instance, when Anthem,
which is a BlueCross company, was hacked, wanting to know . . . what happened to them was a
major concern; because it’s a . . . sister company.” (Id., ¶ 69).
While Mr. Simmons spent substantial time on matters concerning regulatory compliance,
he considered “audits” his subject matter expertise (Id., ¶ 70). During the applicable statutory
period, the Arkansas Insurance Department (“AID”) audited USAble (Id., ¶ 71). USAble hired a
third party to perform its “risk assessment[s],” which entail the “same type of questions” as audits
but are “internal.” (Id., ¶ 72). USAble performed assessments annually (Id., ¶ 73). Where an
assessment has certified that USAble is “secure,” an external auditor may be willing to accept an
“attestation” based on the assessment results to show that USAble complied with certain portions
of the audit that overlapped with the assessment (Id., ¶ 74).
Approximately two weeks prior to an audit or assessment, Mr. Simmons would receive a
list of questions eliciting the information and documentation that the auditor was “looking for.”
(Id., ¶ 75). Mr. Simmons went “to the right person” to obtain the requisite information and ensured
that all the information and documentation sought was “pulled together” and submitted to the
auditor (Id., ¶ 76). The auditor spent approximately two weeks on site conducting meetings,
including with Mr. Simmons, to obtain the information he sought (Id., ¶ 77). If an employee
conveyed information to an auditor poorly, Mr. Simmons would help “guide them in a direction
on an answer,” if possible (Id., ¶ 78). If he saw that USAble was “having difficulty in an area” of
the audit, Mr. Simmons would report it to Mr. Ross or Mr. Shirley (Id., ¶ 79).
After the audit, the auditor would issue his “initial report and additional requests” before
finalizing his report (Id., ¶ 80). Some auditors would return for a “follow up three to six months
later to do the same things again . . . [,] especially if they found any potential issues.” (Id., ¶ 81).
If an audit or assessment uncovered a “serious” issue, Mr. Simmons would prepare a “write-up”
that was sent to “management” for “review” and to “take action.” (Id., ¶ 82). For example, “over
60,000 records containing PHI [and] PII information of customers” were being maintained on “file
servers” that were open to anyone within the company that had a “log in,” which was a “major
HIPAA violation.” (Id., ¶ 83 (referencing the Health Insurance Portability and Accountability Act
of 1996, 42 U.S.C. § 1320d-6 (“HIPAA”))). Mr. Simmons reported this to Mr. Ross and Mr.
Shirley and participated in a “big meeting” with Kathy Ryan, Mr. Shirley, Mr. Ross, “IT
management,” and “IBM consultants” on how to address the issue (Id., ¶ 84). Kathy Ryan is
Executive Vice President, Chief Administrative Officer and Chief Information Officer for USAble
(Id., ¶ 85).
After an audit or assessment, Mr. Simmons provided his analysis and opinion of the audit
or assessment to Mr. Ross or Mr. Shirley, which was ultimately forwarded to the auditor (Id., ¶
86). If applicable, Mr. Simmons may also advise Mr. Ross or Mr. Shirley if there was a particular
audit or assessment response that could have been clearer or place USAble in a superior position
with relation to compliance (Id., ¶ 87). USAble asserts that Mr. Simmons’ insight and expertise
in audits and assessment was of particular authority and influence as Mr. Ross and Mr. Shirley did
not have much knowledge of audits and assessments and were not very helpful (Id., ¶ 88). Mr.
Simmons objects to the conclusion that he had authority or influence (Dkt. No. 33, ¶ 88). Mr.
Simmons tracked audit findings in a tool called “Cap Keeper.” (Dkt. No. 26, ¶ 89). After receiving
a “final report” from the auditor, he entered the information into Cap Keeper (Id., ¶ 90). With the
Cap Keeper tool, Mr. Simmons tracked the status of audit findings and remediation of issues
identified by the findings (Id., ¶ 91).
On a rotational basis, Mr. Simmons was “on-call” to respond to “potential security
incident[s], security questions,” or other security matters “that needed to be addressed” (Id., ¶ 92).
Mr. Simmons’ rotation would last one week per month to 6 weeks (Id., ¶ 93). If a “security
incident” occurred, a “security ticket” was created, alerting Mr. Simmons to a security issue that
needed to be addressed (Id., ¶ 94). When Mr. Simmons was alerted to a security incident, he
performed a preliminary investigation of the issue (Id., ¶ 95). First, he instructed the IT department
to “run [a] scan[]” to see if there was a virus on the computer (Id., ¶ 96). “For instance, if you
thought . . . the incident was caused by a bug,” Mr. Simmons would ask “IT to isolate the machine
and then run some scans.” (Id., ¶ 97). Second, he directed IT to remove the virus and asked if they
“found anything else and . . . continue monitoring those machines to see if . . . any more computer
bugs [come up].” (Id., ¶ 98). Third, Mr. Simmons wrote a report of the incident, including the
“lessons learned,” which was provided to Mr. Ross and ultimately Mr. Shirley (Id., ¶ 99). Included
in his report was his assessment of where the virus originated, such as “an e-mail attachment that
they clicked on accidentally” or “a Web site.” (Id., ¶ 100).
USAble also asserts that another aspect of Mr. Simmons’ position with USAble was to
review software or security issues and provide his recommendation—or “suggestion”—as to what
software, program, or tool could be used to remedy effectively and efficiently the issue (Id., ¶ 101).
Mr. Simmons objects to that characterization, but he admits that he “was selected to organize a
group that researched possible avenues or software to disallow information from being saved
certain places but he did not select the member of his group and his role was limited to organizing
and scheduling meetings.” (Dkt. No. 33, ¶ 101). Mr. Simmons was a member of a group tasked
with researching avenues, software, programs, and tools that USAble could use to aid in
maintaining security by disallowing information like PHI to be sent in an unsecured manner (Dkt.
No. 26, ¶ 102). Mr. Simmons contributed his knowledge of information security to the
interdepartmental group (Id., ¶ 103). During the process, the group was instructed to assess a Data
Activity Monitoring tool from IBM called “Guardium.” (Id., ¶ 104). Mr. Simmons believed IBM
Guardium was a good product that did what it was assigned to do and provided his input to Mr.
Shirley (Id., ¶ 105). Mr. Simmons helped “oversee the [IBM Guardium] project” and “get it put
in place.” (Id., ¶ 106).
Mr. Simmons worked on a project to assess and select an “identity access management”
program for USAble to utilize (Id., ¶ 107). Identity access management controls how USAble
employees log into the organization’s network (Id., ¶ 108). After being narrowed down to “two
products, SailPoint and IBM,” Mr. Simmons evaluated the products and “recommend[ed] []
SailPoint . . .” (Id., ¶ 109).
2. Billie Overstreet
Prior to her employment with USAble, Ms. Overstreet received a Bachelor of Science in
Organization Management from Central Baptist College in Conway, Arkansas (Id., ¶ 110). In
1999, she was hired by USAble as a “meditech HMO claims examiner” (Id., ¶ 111). Ms. Overstreet
was subsequently promoted to—and employed during the applicable statutory period
as—Lead Information Security Analyst III (Id., ¶ 112). During her employment with USAble, the
company paid for Ms. Overstreet to obtain certain “security” certifications, including: Certified
Business Continuity Professional (“CBCP”) through Disaster Recovery Institute International;
Global Information Assurance Certification Information Security Fundamentals (“GISF”); and
HITRUST certification (Id., ¶ 113). Ms. Overstreet continues to maintain her certifications as they
are each relevant to her career as a “business continuity” professional (Id., ¶ 114).
Business continuity is the process of creating and maintaining systems of prevention and
recovery to deal with threats to a company; it encompassed, on average, 30 hours per month of
Ms. Overstreet’s purported work time (Id., ¶ 115). Ms. Overstreet estimated that she spent 30
hours on “Business Continuity Program Management.” (Id., ¶ 116). Because USAble—as a
“business”—is “ever changing,” “technology is ever changing,” and the “demand of [] vendors
were ever changing,” business continuity is “an ongoing[,] ever breathing and living process.” (Id.,
¶ 118).
Ms. Overstreet was responsible for continually verifying that proper documentation was in
place for approximately 90 USAble departments, each with individualized business continuity
plans in order to ensure that each department could respond to “any disruption to [USAble] of any
kind,” including the loss of a facility, workplace, work force, application, or vendor (Id., ¶ 119).
Disruptions could stem from, inter alia, security breaches, natural disasters, and even fire drills
(Id., ¶ 120). A “disruption” may include, “loss of facility, loss of work place, loss of work force,
loss of application, loss of vendor.” (Id., ¶ 121). 2 “[St]ate regulations, industry standards, [and]
best practices” required or recommended that insurance companies, like USAble, maintain a
business continuity plan so that they could continue operating and recover customer data in the
event of a disruption (Id., ¶ 122). Ms. Overstreet maintained familiarity with these regulations and
standards to ensure that USAble’s departmental business continuity plans were in compliance (Id.,
¶ 123). In an effort to maintain compliance, USAble’s departments were required to update their
business continuity plans twice a year (Id., ¶ 124). On each of these semi-annual occasions, Ms.
Overstreet individually met with each of USAble’s 90 distinct departments regarding their
respective business continuity plans (Id., ¶ 125). Prior to her meetings, Ms. Overstreet answered
numerous inquiries from departmental employees making revisions to their business continuity
plans (Id., ¶ 126). During her meetings, Ms. Overstreet and the department employee responsible
for that particular department’s plan went over the plan and did “tabletop exercises.” (Id., ¶ 127). 3
Ms. Overstreet utilized her expertise in business continuity management and regulatory knowledge
to analyze each departmental business continuity plan and to provide “insight” as to its regulatory
compliance to Mr. Ross (Id., ¶ 128).
2 The Court takes notice of the fact that paragraph 121 of the Statement of Undisputed Facts does not include a citation to the record (Dkt. No. 26, ¶ 121). However, the Court relies on Ms. Overstreet’s deposition testimony, wherein she confirms that she defined a “disruption” as any “loss of facility, loss of work place, loss of work force, loss of application, [or] loss of vendor.” Overstreet Dep. 38:4-7.
3 The Court takes notice of the fact that paragraph 127 of the Statement of Undisputed Facts does not support the assertion made (Dkt. No. 33, ¶ 127). Specifically, the cited material in paragraph 127 does not include the term “tabletop exercise.” (Dkt. No. 26, ¶ 127; Dkt. No. 33, ¶ 127). However, the Court relies on Ms. Overstreet’s deposition testimony, wherein she confirms the statements paragraph 127 attributes to her (Dkt. No. 26, ¶ 127). Overstreet Dep. 61:4-7.
Closely related to “business continuity” is “disaster recovery,” and Ms. Overstreet spent
approximately 40 hours each month on “disaster recovery exercising.” (Id., ¶ 129). During these
weekend-long events a “critical system”—a technology that enabled USAble to meet its core
policies, such as customer service—would be taken down and shut down, moved to a backup
facility, and brought back up as seamlessly as possible in order to simulate an actual disaster (Id.,
¶ 130). Performing disaster recovery exercises is both a regulatory requirement and best practice
(Id., ¶ 131). Both HIPAA and HITRUST require an annual disaster recovery exercise (Id., ¶ 132).
Many USAble customers required it, and many vendors requested that USAble both maintain a
disaster recovery plan and conduct the annual exercise (Id., ¶ 133).
Ms. Overstreet, in concert with other participants, planned the disaster scenario that would
be used in the disaster recovery exercise (Id., ¶ 134). The scenario was subject to the approval of
Mr. Ross, who would either “sit in” on the planning meetings or receive a written or oral synopsis
from Ms. Overstreet (Id., ¶ 135). In 2017, Ms. Overstreet ran the disaster recovery exercise—she
was the “command center.”(Id., ¶ 136). In 2018, Mr. Ross wanted the “entire [EIS] team . . .
running the command center all together.” (Id., ¶ 137). After an exercise concluded, the
participants would engage in a “post-mortem,” recapping the exercise and identifying strengths
and weaknesses in the disaster recovery plan (Id., ¶ 138). After the 2018 exercise, the “entire [EIS]
team” conducted their “post-mortem” with Mr. Ross (Id., ¶ 139). Approximately a week later,
Ms. Overstreet scheduled a second “post-mortem” with the participants in the data center involved
in the “hands-on” task of moving the data during the exercise (Id., ¶ 140). After the “post-
mortem,” Ms. Overstreet prepared a report on the outcome of the disaster recovery exercises,
which was subject to approval by Mr. Ross, who did not have any independent experience in
disaster recovery or business continuity (Id., ¶ 141). These disaster recovery exercise reports were
provided to USAble executives and to some customers in summary form with redactions (Id., ¶ 142).
The results of the latest disaster recovery exercise were provided to the “16ish or so audits that
c[a]me through every year.” (Id., ¶ 143).
USAble was subject to an average of 16 audits per year (Id., ¶ 144). Irrespective of the
focus of the audit or the auditing entity, “security was also a focus. It was a focus of a whole
subset of requirements that [USAble] wanted to make sure that [it] was meeting.” (Id., ¶ 145). Ms.
Overstreet would attend audit meetings and audit calls to supply information and documents to the
auditor’s request pertaining to “security.” (Id., ¶ 146). Auditors would frequently inquire as to
whether USAble had a specific security policy, such as a policy for data loss prevention or access
management (Id., ¶ 147). Ms. Overstreet estimated that she spent 30 hours per month on “audit
management.” (Id., ¶ 148).
Similar to audits were risk assessments, which encompassed approximately 30 hours per
month of Ms. Overstreet’s work time in addition to audits (Id., ¶ 149). USAble arranged for an
annual external risk assessment but conducted numerous internal risk assessments throughout the
year (Id., ¶ 150). An assessment is essentially an audit; Ms. Overstreet participated in
assessing USAble’s inherent risks, including determining what risks are acceptable and what
mitigation efforts can be undertaken (Id., ¶ 151). USAble was required by HIPAA to conduct an
annual risk assessment (Id., ¶ 152). Based on the assessments made and data collected in a risk
assessment or disaster recovery exercise, Ms. Overstreet identified any risks and determined
whether mitigation was appropriate or whether it was better for USAble to accept the risk, which
required the “right executive to sign off and accept the risk.” (Id., ¶ 153). This job duty consumed
approximately two hours per month of Ms. Overstreet’s work time (Id., ¶ 154).
HITRUST consolidates various government regulations applicable to insurance companies
into a certifiable framework with “over 2000 controls.” (Id., ¶ 155). It is a “difficult standard,”
but “paramount” for USAble because of the “PHI and PII that [it] has.” (Id., ¶ 156). Ms. Overstreet
analyzed and compared these regulatory “controls” with the information security measures
USAble was already taking in order to “help management decide” whether to make updates so
USAble “c[ould] become HITRUST compliant or say that portion we’re not going to do.” (Id., ¶
157). Ms. Overstreet assessed the controls and determined “when and where a policy or procedure,
. . . guidelines, [or] whatever, . . . might actually meet” HITRUST standards and “where th[e] gaps
were.” (Id., ¶ 158). Managing HITRUST compliance was a time-consuming process, consuming
an estimated 30 hours of Ms. Overstreet’s work time per month (Id., ¶ 159).
Ms. Overstreet spent approximately 15 hours per month drafting policies and procedures
for USAble (Id., ¶ 160). USAble contracted with a third party to provide policy “templates,” each
of which required individual analysis (Id., ¶ 161). Ms. Overstreet analyzed and “worked through”
each of the policies both with her EIS co-workers and individually (Id., ¶ 162). Ms. Overstreet
provided more input for policies pertaining to subject matters with which she was more familiar
but gave some input as to “all of [the policies].” (Id., ¶ 163). Many of the templates were unable
to be utilized, and all of the policies Ms. Overstreet wrote had to be customized for USAble (Id.,
¶ 164). “[O]ne of the biggest parts” of drafting the policies was ensuring their compliance with
both USAble’s standards and applicable regulations (Id., ¶ 165). Ms. Overstreet used her
knowledge to distill the regulatory requirements into a policy that was readable to other
departments that did not specialize in information security “while [still] following . . . the
regulations.” (Id., ¶ 166). Policies were submitted to Mr. Ross for approval and ultimately
forwarded to the Security Committee for company-wide approval and implementation (Id., ¶ 167).
Drafting policies and procedures encompassed both the drafting of HITRUST compliant policies,
with the goal of attaining HITRUST certification, as well as other policies that did not pertain to
HITRUST certification (Id., ¶ 168). Ms. Overstreet was responsible for analyzing and assessing
whether, inter alia, USAble’s policies and procedures were compliant with HITRUST standards
(Id., ¶ 169).
Vulnerability management—the process of identifying, evaluating, and treating
vulnerabilities—consumed approximately 30 hours per month of Ms. Overstreet’s worktime (Id.,
¶ 170). An automated scan of USAble’s computer network identifies “vulnerabilities.” (Id., ¶ 171).
The scan might identify a weakness in the source code of an operating system, such as Linux, on
USAble computers (Id., ¶ 172). In coordination with the Information Technology department, Ms.
Overstreet evaluated the vulnerability to assess the type of “gap” identified by the vulnerability
scan, to what extent it affected USAble’s systems, and whether a “patch” was necessary or the
associated risk was acceptable (Id., ¶ 173).
Similar to vulnerability management, SIEM (Security Information and Event
Management), a task on which Ms. Overstreet spent an estimated five hours a month, required her
to analyze and resolve potential threats—or “intrusion[s]”— “into [USAble’s] data.” (Id., ¶ 174).
SIEM software is like a “detection system,” gathering log and event data from USAble’s
technology infrastructure and identifying potentially “nefarious” events (Id., ¶ 175). SIEM
compares these events with the aggregate data it collects to determine if an event is harmless or a
potential threat (Id., ¶ 176). Ms. Overstreet “parse[d] through” potential threats to determine
whether each was a “potential intrusion” or could be explained (Id., ¶ 178). Based on a review of
the SIEM report, Ms. Overstreet “could generally tell whether . . . it was nothing at all” or
something that was a “high-alert situation.” (Id., ¶ 179). If she could not make a definitive
determination, she treated it as “something [she] needed to investigate.” (Id., ¶ 180). The SIEM
report may indicate a potential threat originated in a particular department or with a particular
computer, in which case Ms. Overstreet may reach out to see if the potential threat could otherwise
be explained (Id., ¶ 181). Ms. Overstreet’s investigation may also include consulting with other
EIS employees (Id., ¶ 182).
The task of “Database Activity Monitoring” is similar to SIEM management and
vulnerability management and consumed an estimated 20 hours of Ms. Overstreet’s time per
month (Id., ¶ 183). Similar to the SIEM report and vulnerability management scan, Ms. Overstreet
analyzed the output produced by the Database Activity Monitoring program and investigated the
“anomal[y]” to make a determination as to whether it was “something that [EIS] need[ed] to
address.” (Id., ¶ 185).
Rounding out Ms. Overstreet’s responsibilities relating to threat and vulnerability analysis
are “Threat Hunting” and “Threat Intelligence,” which, collectively, encompassed approximately
16 hours of her monthly worktime (Id., ¶ 186). “Threat hunting and threat intel[ligence] is taking
time to [research] where some type of potential threat could be coming in.” (Id., ¶ 187). Ms.
Overstreet analyzed “intelligence threat reports” and “white papers,” attended “webinars,
seminars, [and] conference[s],” and consumed “whatever [information security materials] w[ere]
available” to aid her in identifying potential threats to the security of USAble’s information (Id., ¶
188). Ms. Overstreet utilized her knowledge of the information security landscape and USAble’s
technology infrastructure to assess whether a particular issue with a security protocol presented a
threat to USAble or its information (Id., ¶ 190).
To keep up with this “[ever]changing environment,” Ms. Overstreet continually updated
and improved her knowledge by participating in continuing education, analyzing “intelligence
threat reports” and “white papers,” attending “webinars, seminars, [and] conference[s],” and
consuming “whatever [information security materials] w[ere] available” to her (Id., ¶ 193). Ms.
Overstreet was responsible for researching and maintaining her knowledge of information security
threats and vulnerabilities, including current trends and issues, in order for her to analyze and make
determinations with respect to the security of USAble information using the reports she received
from vulnerability scans, SIEM software, data activity monitoring software, or threat intelligence
sources (Id., ¶ 195).
If Ms. Overstreet could not explain a potential threat or vulnerability then the event was
escalated to an “incident,” requiring “all hands on deck,” including Mr. Ross and Mr. Shirley (Id.,
¶ 196). All EIS team members were involved in managing incidents because each individual had
unique knowledge potentially relevant to the incident (Id., ¶ 197).
Ms. Overstreet spent an estimated eight hours per month on tasks related to “Incident
Management.” (Id., ¶ 198). While Mr. Ross or Mr. Shirley determined what the response to an
incident would be, it was investigated by Ms. Overstreet, individually, or a group of EIS team
members, depending on the severity of the threat (Id., ¶ 199). 4 Ms. Overstreet, in conjunction with
the EIS team, analyzed the data to ascertain whether, for instance, there was an attempted breach
of USAble’s network (Id., ¶ 201). When it was her turn in the rotation, Ms. Overstreet prepared a
report based on the outcome of an investigation into an incident, which was provided to Mr. Ross
or Mr. Shirley (Id., ¶ 202). EIS then made a recommendation as a department based on the findings
of the investigation, which would filter through the “legal and communications teams” to ensure
USAble “follow[ed] all the right laws . . . and the right words are said.” (Id., ¶ 203). Reporting
requirements mandated that USAble report security breaches or attempted breaches within a
certain timeframe (Id., ¶ 204).
4 The Court takes note of the plaintiffs’ objection to Paragraph 199 of the Statement of Undisputed Facts (Dkt. No. 33, ¶ 199). However, the Court relies on Ms. Overstreet’s deposition testimony in which she confirms the facts stated in Paragraph 199. See Overstreet Dep. 92:1-15.
For an estimated 20 hours a month, Ms. Overstreet engaged in “Employee Training and
Awareness,” which came up as “project underneath all of those umbrellas that we had as our job
duties.” (Id., ¶ 205). While there was a training department at USAble, information security
training and awareness “was all on [EIS] to do,” and Ms. Overstreet took responsibility for a “bulk”
of the work (Id., ¶ 206). During the semi-annual meetings that Ms. Overstreet conducted with
each department regarding updates to their business continuity plans, she took the “time to also
educate” employees on, for instance, “this is what Malware is, this is what happens when you get
an e-mail that says click on that link, let’s not do this.” (Id., ¶ 207). Ms. Overstreet also participated
in setting up booths on a quarterly basis “to help educate the general population of [USAble] []
because . . . they’re our first line of defense in protecting data . . ., by not clicking on those types
of things [an e-mail that says click on that link], or sending money to Uncle Jack in Iran.” (Id., ¶
208). Ms. Overstreet used examples of security “incidents” that actually occurred at USAble to
“educate every single employee on how they can best protect our data.” (Id., ¶ 209). Ms. Overstreet
also sent out “weekly emails . . . that said . . . don’t do these things, or here are some things that
we need to be aware [of].” (Id., ¶ 210).
“Contract Review” and “Vendor Security Management” each consumed an estimated three
hours of Ms. Overstreet’s work time per month (Id., ¶ 211). The “contract team would always
send [EIS] new contracts [and] updated contracts to look at from a security perspective.” (Id., ¶
212). Ms. Overstreet examined the contracts to assess whether any of the contractual provisions
would present a problem for USAble “security wise.” (Id., ¶ 213). After Ms. Overstreet’s
assessment, Mr. Ross would forward it to USAble’s contract department (Id., ¶ 214). “Vendor
Security Management” is the “same concept[]” as “Contract Review,” but for “on[]boarding a new
vendor.” (Id., ¶ 215). If USAble wanted to engage a new vendor, Ms. Overstreet “would . . . assess
the security as a vulnerability against this vendor.” (Id., ¶ 216). That is, she assessed whether the
vendor’s security presented a vulnerability for USAble (Id.).
3. James Young
Mr. Young began his employment with USAble on or about November 24, 2003, in the
position of “Help Desk Analyst.” (Id., ¶ 236). In the “early 2010s,” Mr. Young earned his
PowerShell Administration Certificate (Id., ¶ 237). In 2014, Mr. Young attained a Certified Ethical
Hacker certification and, subsequently, an updated version of the same certification (Id., ¶ 239).
“As a certified ethical hacker,” Mr. Young had to “find every way in and constantly try to fill those
voids of . . . capability or lack of training.” (Id., ¶ 241). In January 2017, Mr. Young joined EIS
as an Information Security Analyst II and was promoted to an Information Security Analyst III
prior to his termination on or about October 2, 2018 (Id., ¶ 243). Given Mr. Young’s training as a
certified ethical hacker, he “leaned more towards vulnerability management.” (Id., ¶ 244).
Mr. Young spent an estimated 30 hours per week engaging in vulnerability management
and five hours per week on patch management—a natural concomitant of vulnerability
management (Id., ¶ 245). 5 “[A]ny type of patch or vulnerability that was disclosed in the
community” was assessed in-house and, if USAble had any of those vulnerabilities, Mr. Young
found “a way to remediate and/or contain it.” (Id., ¶ 248). Mr. Young identified vulnerabilities
emanating from users by conducting phishing exercises, in which EIS “sen[t] out those e-mails
that tried to get people to click on things randomly.” (Id., ¶ 249). If a USAble employee clicked
on the link embedded in the “phishing” e-mail, Mr. Young knew to “single that individual out and
train them.” (Id., ¶ 250).
5 The Court takes note of the plaintiffs’ objection to paragraph 245 of the Statement of Undisputed Facts (Dkt. No. 33, ¶ 245). However, the Court relies upon Mr. Young’s deposition testimony, wherein he confirmed that he spent 30 hours a week on vulnerability management and five hours a week on patch management. Young Dep. 87:17-23.
Mr. Young identified vulnerabilities inherent in software or a system through a variety of
means (Id., ¶ 252). “[B]ig companies” are constantly seeking to identify vulnerabilities in their
applications and software (Id.). Rapid7 was an application that Mr. Young ran which scanned for
vulnerabilities and produced a report that he could review (Id., ¶ 255). Once vulnerabilities were
identified, it was Mr. Young’s task to fix them within USAble’s system (Id., ¶ 256). Mr. Young
made recommendations to Mr. Ross regarding a patch to a vulnerability he had identified, and Mr.
Ross relayed this information to the IT department for application (Id., ¶ 257). When a patch was
not available or exposed other vulnerabilities, Mr. Young had to develop new methods to
remediate the vulnerability as best as possible (Id., ¶ 262). When the vulnerability itself could not
be remediated, Mr. Young had to “find new ways to” protect the information housed by USAble,
such as PHI (Id., ¶ 264). In the healthcare industry, protecting information is paramount (Id., ¶
265). Mr. Young was responsible for managing vulnerabilities and patches while ensuring that
the process complied with the vast number of regulations guarding the PHI maintained by USAble
(Id., ¶ 267).
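The vulnerability-management decision the opinion attributes to both Ms. Overstreet and Mr. Young (a scan reports a weakness; the analyst assesses how far it affects the environment and whether a patch is necessary, a containment must be devised, or the residual risk is acceptable, with acceptance requiring an executive's sign-off) can be sketched as a small triage routine. The Python below is an added illustration for readers of this record; it is not part of the opinion and is not USAble's, Rapid7's or IBM's software. The asset inventory, the finding labels (EX-001 and so on, not real advisory identifiers), the severity weights and the acceptance threshold are all constructed for the example.

```python
"""Illustrative vulnerability-triage helper.

Added example: not from the court opinion and not USAble's, Rapid7's or IBM's
software.  The inventory, findings, scoring weights and threshold below are
constructed to show the decision flow, not taken from any real scan.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Severity as a scanner might label it, mapped to a constructed weight.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Findings scoring at or below this value are candidates for risk acceptance
# rather than remediation (constructed threshold).
ACCEPT_MAX_SCORE = 5


@dataclass(frozen=True)
class Asset:
    name: str
    handles_phi: bool        # stores or processes protected health information
    internet_facing: bool    # reachable from outside the organisation's network


@dataclass(frozen=True)
class Finding:
    finding_id: str          # constructed label, not a real CVE or advisory id
    severity: str            # one of SEVERITY_WEIGHT's keys
    affected_assets: Tuple[str, ...]
    patch_available: bool
    compensating_controls: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Decision:
    finding_id: str
    risk_score: int
    action: str              # "patch", "mitigate" or "accept"
    needs_executive_signoff: bool
    rationale: str


def score_finding(finding: Finding, inventory: Dict[str, Asset]) -> int:
    """Combine scanner severity with how exposed the affected assets are."""
    assets = [inventory[name] for name in finding.affected_assets]
    exposure = 1
    if any(a.handles_phi for a in assets):
        exposure += 1            # PHI raises the regulatory impact of a breach
    if any(a.internet_facing for a in assets):
        exposure += 1            # externally reachable hosts are easier to reach
    breadth = min(len(assets), 3)  # how many systems the gap affects (capped)
    return SEVERITY_WEIGHT[finding.severity] * exposure + breadth


def decide(finding: Finding, inventory: Dict[str, Asset]) -> Decision:
    """Patch when one exists, otherwise contain; accept only low scores, with sign-off."""
    score = score_finding(finding, inventory)
    if score <= ACCEPT_MAX_SCORE:
        # Accepting residual risk is a business decision, so it is flagged for
        # the responsible executive rather than closed by the analyst alone.
        return Decision(finding.finding_id, score, "accept", True,
                        "low exposure; document and obtain executive acceptance")
    if finding.patch_available:
        return Decision(finding.finding_id, score, "patch", False,
                        "vendor patch exists; schedule through the IT change process")
    if finding.compensating_controls:
        return Decision(finding.finding_id, score, "mitigate", False,
                        "no patch; rely on " + ", ".join(finding.compensating_controls))
    return Decision(finding.finding_id, score, "mitigate", False,
                    "no patch and no existing control; design a new containment")


def triage(findings: List[Finding], inventory: Dict[str, Asset]) -> List[Decision]:
    """Return decisions ordered highest risk first, the order an analyst would work them."""
    decisions = [decide(f, inventory) for f in findings]
    return sorted(decisions, key=lambda d: d.risk_score, reverse=True)


# --- constructed sample data -------------------------------------------------
SAMPLE_INVENTORY = {
    "claims-db-01": Asset("claims-db-01", handles_phi=True, internet_facing=False),
    "member-portal": Asset("member-portal", handles_phi=True, internet_facing=True),
    "print-server": Asset("print-server", handles_phi=False, internet_facing=False),
}

SAMPLE_FINDINGS = [
    Finding("EX-001", "critical", ("member-portal", "claims-db-01"), patch_available=True),
    Finding("EX-002", "high", ("claims-db-01",), patch_available=False,
            compensating_controls=("network segmentation", "database activity monitoring")),
    Finding("EX-003", "low", ("print-server",), patch_available=True),
]

if __name__ == "__main__":
    for d in triage(SAMPLE_FINDINGS, SAMPLE_INVENTORY):
        flag = " (executive sign-off required)" if d.needs_executive_signoff else ""
        print(f"{d.finding_id}: score={d.risk_score} action={d.action}{flag}; {d.rationale}")
```

The score is deliberately simple: scanner severity is multiplied by an exposure factor that grows when affected hosts hold PHI or face the internet, then a breadth term is added. The point is the shape of the decision the opinion describes, not the particular weights, which any real program would calibrate against its own asset inventory and regulatory obligations.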
Mr. Young was also “one of the fortunate two people . . . that [] had direct ties with the
BlueCross Association and . . . their threat community.” (Id., ¶ 268). Blue Cross Association was
an interstate association of BlueCross organizations that identified threats and vulnerabilities (Id.,
¶ 269). Mr. Young “was the only one that actually had the direct communication and IM [instant
messenger] with the [BlueCross] [A]ssociation.” (Id., ¶ 270). The IM was “considered a war
room” and was “a[n] alert system to get information out there and disseminate it very, very, very
rapidly.” (Id., ¶ 271).
SIEM (Security Information and Event Management) encompassed approximately five
hours of Mr. Young’s weekly time (Id., ¶ 273). The SIEM, which was managed by IBM, would
provide a report of “event log” information to EIS that Mr. Young had to analyze and determine
if it was “normal.” (Id., ¶ 275). Mr. Young would assess whether a breach of USAble’s network
had occurred by reviewing the SIEM report for “indicators of compromise,” which segues into
threat intelligence (Id., ¶ 276).
Threat hunting and threat intelligence, each of which consumed an estimated eight hours of
Mr. Young’s weekly work time, is the process of identifying and locating those “indicators of
compromise.” (Id., ¶ 277). Part of threat intelligence is “getting with other security professionals.”
(Id., ¶ 278). Mr. Young further worked with the BlueCross Association, read white papers,
monitored new reports, and reviewed SIEM reports themselves to identify data in USAble’s event
log entries or in other areas of its network systems that may be indicative of potentially malicious
activity—or “indicators of compromise.” (Id., ¶ 280).
One mechanism Mr. Young used to “hunt” threats was to “pass[] [indicators of
compromise] over to the SIEM.” (Id., ¶ 281). Mr. Young investigated indicators of compromise
to determine what systems they came from and whether the indicator could be explained by
legitimate activity (Id., ¶ 282). Mr. Young looked at the information, deciphered the information,
and passed it to the IT department to be worked on (Id., ¶ 283). Mr. Young cooperated with the
IT department to verify whether an indicator of compromise was explained by legitimate activity
or whether it was nefarious activity (Id., ¶ 284). Mr. Young provided his assessment to Mr. Ross
or Mr. Shirley (Id., ¶ 285).
Mr. Young documented all steps of incident investigations for regulatory reasons (Id., ¶
289). Mr. Young was very familiar with the regulations that governed security issues with respect
to entities like USAble (Id., ¶ 290).
Mr. Young spent approximately 20 hours per week on database activity monitoring, which
was “a lot like the SIEM.” (Id., ¶ 291). “[E]very time [someone] run[s] a query or someone logs
onto it [the database], it accesses several tables to get that information.” (Id., ¶ 293). Mr. Young
analyzed this data to determine what could be explained as “normal activities”—what “are not
threats or vulnerabilities or concerns.” (Id., ¶ 294). Based on his analysis of what constituted
normal activity, he made recommendations to the “database guys” before information was passed
back through the SIEM (Security Information and Event Management) (Id., ¶ 295). This
information could be fed into the SIEM in order to focus the SIEM reports on the activity that EIS
should look into (Id., ¶ 296). USAble was charged based on how many events the SIEM read (Id.,
¶ 297). Therefore, the more events that Mr. Young could identify as “normal” activities, “that’s
more money back in the pockets of [USAble].” (Id., ¶ 298). Mr. Young was essentially “train[ing]”
the database activity monitoring system to send only the important information to SIEM (Id., ¶
299).
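The two steps the opinion describes in prose, for Ms. Overstreet's SIEM and database activity monitoring duties above and for Mr. Young's here, are (1) a database activity monitor "trained" so that only non-routine events are forwarded to the SIEM, which USAble was billed for per event, and (2) an analyst's first pass over the SIEM report deciding whether an event is "nothing at all," something to investigate, or a "high-alert situation." The Python below shows both steps together as an added illustration; it is not part of the opinion and is not USAble's or IBM's software. The log format, the log lines, the baseline of routine activity, the list of high-risk actions and the business-hours window are all constructed for the example.

```python
"""Illustrative database-activity prefilter and SIEM triage.

Added example: not from the court opinion and not USAble's or IBM's software.
The log lines, the baseline of routine activity, and the triage rules are all
constructed to show the two steps the opinion describes in prose.
"""
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed DAM log: "<timestamp> <db user> <host> <action> <table>".
SAMPLE_DAM_LOG = """\
2018-05-01T08:00:01 claims_app claims-db-01 SELECT claims
2018-05-01T08:00:02 claims_app claims-db-01 SELECT members
2018-05-01T08:00:03 report_job claims-db-01 SELECT claims
2018-05-01T02:13:44 jdoe claims-db-01 SELECT members
2018-05-01T02:14:02 jdoe claims-db-01 EXPORT members
garbled line that should be skipped
2018-05-01T09:30:10 claims_app claims-db-01 SELECT claims
"""

# Routine (user, action, table) combinations, e.g. learned from prior weeks of
# activity and confirmed with the database administrators (constructed).
SAMPLE_BASELINE: Set[Tuple[str, str, str]] = {
    ("claims_app", "SELECT", "claims"),
    ("claims_app", "SELECT", "members"),
    ("report_job", "SELECT", "claims"),
}

# Actions whose appearance outside the baseline deserves immediate attention.
HIGH_RISK_ACTIONS = {"EXPORT", "DROP", "GRANT"}
BUSINESS_HOURS = range(7, 19)   # 07:00 to 18:59, constructed

_LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
Event = Dict[str, str]
Baseline = Set[Tuple[str, str, str]]


def parse_dam_log(text: str) -> List[Event]:
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events: List[Event] = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, host, action, table = m.groups()
        events.append({"ts": ts, "user": user, "host": host,
                       "action": action, "table": table})
    return events


def _key(event: Event) -> Tuple[str, str, str]:
    return (event["user"], event["action"], event["table"])


def prefilter_for_siem(events: List[Event], baseline: Baseline) -> Tuple[List[Event], int]:
    """Step 1: drop baseline activity so only unexplained events reach the SIEM.

    Returns the events to forward and the number suppressed; with per-event
    billing the suppressed count is the saving.
    """
    forwarded = [e for e in events if _key(e) not in baseline]
    return forwarded, len(events) - len(forwarded)


def classify_event(event: Event, baseline: Baseline) -> str:
    """Step 2: the analyst's first pass over a SIEM event.

    "nothing"     - matches known-routine activity
    "high-alert"  - high-risk action outside business hours; escalate at once
    "investigate" - not decidable from the log alone; ask the host or
                    department owner whether it can be explained
    """
    if _key(event) in baseline:
        return "nothing"
    hour = int(event["ts"][11:13])
    if event["action"] in HIGH_RISK_ACTIONS and hour not in BUSINESS_HOURS:
        return "high-alert"
    return "investigate"


def triage_siem_report(events: List[Event], baseline: Baseline) -> Counter:
    """Count events per triage outcome, the summary an analyst reviews each cycle."""
    return Counter(classify_event(e, baseline) for e in events)


if __name__ == "__main__":
    all_events = parse_dam_log(SAMPLE_DAM_LOG)
    to_siem, suppressed = prefilter_for_siem(all_events, SAMPLE_BASELINE)
    print(f"{suppressed} of {len(all_events)} events suppressed before the SIEM")
    for e in to_siem:
        print(e["ts"], e["user"], e["action"], e["table"],
              "->", classify_event(e, SAMPLE_BASELINE))
```

On the constructed log, four of six events match the baseline and never reach the SIEM; of the two that do, a routine-looking query by an unfamiliar account at 02:13 is marked for follow-up with the owner, while the export of the same table a moment later is escalated. A baseline like this must itself be reviewed periodically, since anything added to it is, by construction, no longer seen.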
Mr. Young spent an estimated 30 hours per week on HITRUST compliance management
(Id., ¶ 300). Mr. Young had to be familiar with the regulations to know when a regulation required
more of USAble than a HITRUST standard may require (Id., ¶ 304). It was a necessity that Mr.
Young spent ample time educating himself on regulatory and HITRUST requirements (Id., ¶ 305).
Mr. Young had to assess USAble’s current enterprise standards and identify any differences
between those standards and “where we [USAble] needed to be” under HITRUST (Id., ¶ 306).
This task was further complicated by the fact that he had to determine whether a particular
HITRUST requirement was derived from a regulatory mandate that was not applicable to USAble
(Id., ¶ 307). Mr. Young’s conclusions were conveyed to the appropriate USAble personnel (Id., ¶
309).
Mr. Young was “backup” for the entire policy drafting project, which he worked on for
approximately 15 hours per week (Id., ¶ 310). In January 2017, EIS “was having daily
conversations” pertaining to the policy project (Id., ¶ 311). Though EIS paid for policy templates,
Mr. Young participated in “comb[ing] through them” and revising the language to account for
updated HITRUST controls and procedural changes (Id., ¶ 315). Mr. Young and the EIS team
went through each template to assess whether a particular provision in the policy derived from a
regulation with which USAble was obligated to comply (Id., ¶ 318). Mr. Young spent time
individually researching, devising language, and developing a policy, which the EIS team would
collectively analyze, break down, and provide input on before being put in a form ready to be sent
to Mr. Ross or Mr. Shirley (Id., ¶ 319). “[I]t was a balancing act” of Mr. Young and EIS team
members negotiating policy wording and obligations that were compliant with applicable
regulations, meeting as many HITRUST controls as possible, and that were acceptable to the
relevant department (Id., ¶ 322).
Mr. Young was also a “backup in business continuity,” which encompassed an estimated
30 hours per week of his work time (Id., ¶ 323). Mr. Young worked with Ms. Overstreet on
auditing departmental business continuity plans on either a quarterly or biannual basis (Id., ¶ 324).
Mr. Young and Ms. Overstreet spent several weeks going over documentation with the various
USAble departments, ensuring that each business continuity plan met the requirements both of
USAble and USAble’s clients (Id., ¶ 329). If USAble needed a particular service to be “up and
running within 72 hours” to prevent “deep financial or reputational risk,” Mr. Young worked with
the department providing that service to ensure that USAble’s standards could be achieved under
its business continuity plan (Id., ¶ 330). In these meetings, he also went over the business
continuity plans line by line to identify any deficiencies or cracks in the plan and worked with the
departments to address these deficiencies or unaddressed issues (Id., ¶ 331).
Mr. Young spent an estimated five hours per week engaged in disaster recovery
management, which involves the development or creation of manmade scenarios that would cause
outages or interruptions in order to test the business continuity plans (Id., ¶ 334). These
“manmade” scenarios were tested in disaster recovery exercises, a job duty which encompassed
40 or more hours per week of Mr. Young’s work time during the period in which EIS was preparing
for, conducting, and concluding these exercises (Id., ¶ 335).
Mr. Young spent an estimated 30 hours per week on audit management during the period
of time he was preparing for and in the midst of an audit (Id., ¶ 337). Mr. Young’s responsibility
with respect to audits was to identify the controlling question, contact the control owner, and relay
the information back to the auditor or client (Id., ¶ 339). Mr. Young consulted with the
employee(s) responsible for performing the relevant task, confirmed that the employee(s)
performed the task consistently, obtained proof that the employee(s) performed the task
consistently, and relayed that evidence to the auditor (Id., ¶ 341).
Mr. Young used CAP Keeper, an in-house program, to monitor testing exceptions from
audits (Id., ¶ 344). He entered testing exceptions in CAP Keeper to track and ensure that the
deficiencies identified in the audit were corrected by appropriate USAble personnel (Id., ¶ 345).
Mr. Young spent approximately five hours per week in CAP Keeper monitoring, tracking, and
ensuring audit deficiencies were corrected (Id., ¶ 347).
As a certified ethical hacker, Mr. Young was also proficient in risk analysis, which
consumed an estimated three hours per week of Mr. Young’s work time (Id., ¶ 348). 6 Mr. Young
gathered all the data and advised leadership of the likelihood of a security breach happening and
the impact on USAble if the breach occurred (Id., ¶ 350). Mr. Young had to consider finances in
conjunction with the ability of USAble to continue functioning (Id., ¶ 352). Based on his risk
analysis, Mr. Young produced “recommendation[s] to [] leadership.” (Id., ¶ 356). A risk
assessment had to be conducted at least annually pursuant to HIPAA because USAble maintained
PHI (Id., ¶ 359).
6 Though the Statement of Undisputed Facts states that Mr. Young worked for three hours on risk analysis, the Court relies on Mr. Young’s deposition testimony wherein he confirmed that he worked on risk analysis for two hours a week. Young Dep. 98:1-3.
Mr. Young spent an estimated eight hours per week on his incident management duties,
which involved “preparing for an incident.” (Id., ¶ 361). Mr. Young had to plan and document
what was going to happen in the event of a security incident and what EIS would “like to happen.”
(Id., ¶ 363). Mr. Young was continually reworking these incident plans and processes
based on the ever-changing technology and threat landscapes and to account for security incidents that
occurred (Id., ¶ 364).
Mr. Young spent approximately three hours per week reviewing contracts (Id., ¶ 365). Mr.
Young analyzed the contract to ensure that the other party “met those . . . minimum requirements
. . . for [USAble] to maintain HITRUST certification.” (Id., ¶ 367). Depending on whether the
contract met USAble’s requisite security standards, Mr. Young would approve or reject it from an
information security standpoint (Id., ¶ 368). Vendor security management was, in essence, a
continuation of Mr. Young’s initial contract review and encompassed an estimated seven hours of
Mr. Young’s weekly work time (Id., ¶ 369). Managing vendor security required Mr. Young to
ensure that a vendor’s security posture does not change over time so as to fall out of compliance
with the regulatory requirements, security frameworks, and internal standards applicable to
USAble (Id., ¶ 370).
Mr. Young also tested software that EIS needed to secure the information of USAble (Id.,
¶ 371). Mr. Young needed to test the software to determine whether using it would “break something” else
(Id., ¶ 373). During the testing period, Mr. Young generally “had a work licensed copy of the
application for 90 days . . . to successfully deploy and test” the software to see if it fit USAble’s
needs (Id., ¶ 374). Mr. Young tested the software to determine whether he “liked it, it worked,
[and] it did what [he] needed it to do from a security perspective.” (Id., ¶ 376). Mr. Young provided
his assessment of the product to USAble so that it could determine whether it should proceed with
purchasing these multi-million-dollar software applications (Id., ¶ 377).
4. Janel Broadhurst
Prior to her employment with USAble, Ms. Broadhurst studied Computer Science at
Texarkana College for two years and UALR for another year (Id., ¶ 380). Ms. Broadhurst
subsequently earned certification in local area networking (Id., ¶ 381). Ms. Broadhurst began as
an employee of a contractor for USAble in 2005 before being hired by USAble in April 2006 as a
Microsecurity Analyst III (Id., ¶ 382). While at USAble, she took a number of “auditing and
security classes” through “SANS” and obtained her HITRUST certification (Id., ¶ 383). SANS
Institute is a private company specializing in information security and cybersecurity training and
certifications (Id., ¶ 384). During the applicable statutory period, Ms. Broadhurst was employed
by USAble in the position of Information Security Analyst III (Id., ¶ 385).
Ms. Broadhurst spent approximately 25 hours per week working “with Policies and
Procedures and . . . working on the SharePoint site which was the ‘warehouse’ of all [USAble’s]
Enterprise Policies and Procedures (“EPP”).” (Id., ¶ 386). Ms. Broadhurst “oversaw” the policy
drafting project from late 2016 through late 2017 (Id., ¶ 387). Ms. Broadhurst assigned policies
and regularly consulted with the “project manager” to review deadlines and discuss the project’s
progress (Id., ¶ 388). To facilitate the drafting of discrete policies, Ms. Broadhurst drafted an
“information security . . . company policy,” which instructed policy drafters on the EIS team as to
“how to write a policy” that was assigned to them (Id., ¶ 390). Ms. Broadhurst and the EIS team
met and collaborated on the wording of each policy (Id., ¶ 392). In these group meetings, the EIS
team members, including Ms. Broadhurst, would debate and provide input on the content of the
policies, including whether the policy language complied with HITRUST requirements and
USAble’s expectations (Id., ¶ 393). Once the EIS team finalized the policy draft, Ms. Broadhurst
submitted the policy to Mr. Ross, then Mr. Shirley, and then Ms. Ryan to finalize the policy (Id.,
¶ 394). The policy draft could be returned to Ms. Broadhurst so that the EIS team could incorporate
changes, such as “legal verbiage” added by a separate department (Id., ¶ 395).
Ms. Broadhurst spent an estimated 30 hours per week on HITRUST compliance
management, which USAble was “working towards getting.” (Id., ¶ 396). Ms. Broadhurst and the
EIS team met and parsed through the comprehensive HITRUST requirements “line by line” and
assessed what standards USAble had to meet and what standards were applicable to the various
USAble departments (Id., ¶ 402). After performing their analysis, the EIS team advised Mr. Ross
and Mr. Shirley of the standards various USAble departments had to meet in order to comply with
HITRUST requirements, and Mr. Ross would relay these standards recommended by the EIS team
to the various departments (Id., ¶ 404). Ms. Broadhurst was required to maintain her HITRUST
certification to ensure that she was always knowledgeable of the complex HITRUST requirements
(Id., ¶ 405).
Ms. Broadhurst spent an estimated 20 hours per week on SharePoint and 30 hours auditing
policies (Id., ¶ 406). Working on the SharePoint website, she ensured “existing policies,” which
were housed on different websites, were moved into SharePoint (Id., ¶ 407). Ms. Broadhurst was
responsible for appropriately categorizing policies in SharePoint and designating the “main person
to review” those policies (Dkt. No. 33, ¶ 408). 7 She advised departmental employees, those
7 The Court acknowledges the plaintiffs’ denial of paragraph 408 of the Statement of Undisputed Facts (Dkt. No. 33, ¶ 408). The Court relies on Ms. Broadhurst’s deposition testimony, wherein she stated that she “had to pick who was the main person to review” the above-mentioned policies. Broadhurst Dep. 31:1-7.
working outside of EIS, responsible for particular policies when it was time to update those
policies, either confirming that the content of the policies was still accurate or ensuring appropriate
revisions were completed (Dkt. No. 26, ¶ 409). The policy was then returned to Ms. Broadhurst
to review and “ma[k]e sure everything was okay” and then put it back onto SharePoint (Id., ¶ 410).
SharePoint was not just for IT policies and procedures—it was a centralized repository for policies
from other departments that auditors would regularly ask for when conducting an audit (Id., ¶ 411).
Ms. Broadhurst regularly consulted with two other departments outside of EIS whose work
impacted the security of USAble (Id., ¶ 412). Ms. Broadhurst reviewed their policies and
procedures as she consolidated them into SharePoint (Id., ¶ 413). Ms. Broadhurst advised them
on particular aspects of the policies that needed to be revised in order to provide the information
for which auditors were looking (Id., ¶ 415).
For her database activity monitoring and vulnerability management responsibilities, Ms.
Broadhurst utilized a program called “Vericept.” (Id., ¶ 416). Vericept monitored Internet activity
for indicators of hacking or attacks (Id., ¶ 419). The program produced a report that Ms.
Broadhurst would check on a daily basis (Id., ¶ 420). For database activity monitoring, Ms.
Broadhurst analyzed the Vericept report to determine whether PHI was being securely transmitted
(Id., ¶ 421). Ms. Broadhurst would counsel the USAble employees on the proper manner to
transmit PHI securely (Id., ¶ 425). Ms. Broadhurst reviewed all vulnerabilities that were identified
by the Vericept report (Id., ¶ 426). Ms. Broadhurst made a determination as to whether the
vulnerability could be explained as a simple mistake, in which case she counseled the individual
on proper procedure, or whether it was an actual vulnerability (Id., ¶ 427).
If vulnerabilities or threats were identified in Vericept, Ms. Broadhurst had to “hunt down”
each potential threat (Id., ¶ 428). Ms. Broadhurst spent approximately eight hours per week threat
hunting (Id., ¶ 429). This threat hunting responsibility included, among other responsibilities,
reviewing white papers and researching information security issues so that Ms. Broadhurst could
maintain her knowledge base of the ever-changing threat landscape (Id., ¶ 431). 8 Ms. Broadhurst
spent approximately five hours per week on data loss protection, which was “another program
[like Vericept] that . . . helped” Ms. Broadhurst “mak[e] sure that [USAble] didn’t lose any data,
at least as far as [she] could see from the Internet side.” (Id., ¶ 432). 9 For example, Ms. Broadhurst
ensured that PHI was on a secure line when it was transmitted so that it was not vulnerable to
hackers (Id., ¶ 433). Ms. Broadhurst tracked the data to a particular IP address, ensured that it was
secure, and confirmed “there was no data loss.” (Id., ¶ 434).
Ms. Broadhurst spent an estimated eight hours per week on incident management (Id., ¶
435). Ms. Broadhurst was the “point person” for incident management for a week at a time
approximately every five weeks (Id., ¶ 436). If a security incident involved a certain program, Ms.
Broadhurst would request that program administrator “check and see if there’s been vulnerabilities
to this program” or if “anybody that’s not authorized . . . [had] been on there.” (Id., ¶ 438). Ms.
Broadhurst would resolve or continue investigating the incident pursuant to a particular protocol
8 The Court takes note that the Statement of Undisputed Facts claims that “[t]o aid in making these assessments and determinations, Ms. Broadhurst spent approximately eight hours per week reviewing white papers and researching information security issues to maintain her knowledge base of the everchanging threat landscape.” (Dkt. No. 26, ¶ 431). However, the Court relies on Ms. Broadhurst’s deposition testimony. In her deposition, Ms. Broadhurst admits to reviewing white papers and researching information security issues. Broadhurst Dep. 49:3-7. However, she does not assign a specified number of hours to those activities in the cited testimony based upon the Court’s review. Id.
9 The Court takes note that the Statement of Undisputed Facts claims that Ms. Broadhurst worked eight hours on data loss protection (Dkt. No. 26, ¶ 432). However, the Court relies on Ms. Broadhurst’s deposition testimony. In her deposition, Ms. Broadhurst admits to spending five hours per week on data loss protection. Broadhurst Dep. 70:2-3.
(Id., ¶ 439). Ms. Broadhurst had to “document every single step”—“[e]very minute had to be
detailed”—and, once the incident was resolved, she prepared a comprehensive report (Id., ¶ 440).
Ms. Broadhurst spent two hours per week on business continuity program management
(Id., ¶ 441). Ms. Broadhurst worked with the EIS team to develop and maintain business continuity
policies (Id., ¶ 442). Ms. Broadhurst’s responsibilities with respect to risk assessments went
“along with [] business continuity.” (Id., ¶ 443). Ms. Broadhurst and the EIS team reviewed
“information and analysis” from other USAble departments, took into consideration security
guidelines, and analyzed and made an assessment of the risk and security concerns from an
information security standpoint of the activities of those other departments and whether that risk
was acceptable (Id., ¶ 444). Based on their analysis, EIS would present their risk assessment and
make recommendations to Mr. Ross or Mr. Shirley as to whether USAble should address the risk
or it should be accepted by the company (Id., ¶ 445).
Ms. Broadhurst also participated in disaster recovery exercises conducted by the EIS team
which encompassed an estimated 40 hours per week when she was over that function (Id., ¶ 446).
Ms. Broadhurst, with everyone on the EIS team, gave her input and suggestions on how the disaster
recovery plan, including how it was carried out, could be altered to result in a different outcome
(Id., ¶ 453).
Ms. Broadhurst dedicated approximately 20 hours per week to employee training and
awareness (Id., ¶ 455). When her work with Vericept revealed that an employee was engaging in
risky behavior with regard to his or her Internet usage, she would take the opportunity to “let[]
them know how to safely get on the Internet using HTTPS.” (Id., ¶ 456).
Ms. Broadhurst also maintained a “blog” on USAble’s intranet that included both
awareness and educational topics (Id., ¶ 457). Additionally, Ms. Broadhurst provided information
to USAble’s Training Department so that the Training Department had the requisite knowledge
needed to train employees on information security (Dkt. No. 26, ¶ 459; Dkt. No. 33, ¶ 459).
SDLC (System Development Lifecycle) management consumed approximately five hours
per week of Ms. Broadhurst’s work time (Dkt. No. 26, ¶ 463). Older equipment and applications
present security concerns because they inherently have more vulnerabilities (Id., ¶ 465). Ms.
Broadhurst and the EIS team developed an SDLC (System Development Lifecycle) policy used to
assess when a PC, software, or hardware needs to be updated and/or when an entire new system is
necessary (Id., ¶ 466). Then, the EIS team made recommendations to Mr. Ross or Mr. Shirley as
to whether a particular “lifecycle” was appropriate from a security perspective (Id., ¶ 468).
Ms. Broadhurst spent an estimated three hours per week reviewing contracts for USAble
(Id., ¶ 469).
5. Scott Cavanaugh
Mr. Cavanaugh was enlisted in the United States Navy from on or about 1984 until 2001,
during which time he was involved in “security in some fashion or form,” even working inside a
sensitive compartmented information facility for a number of years (Id., ¶ 474). While in the
Navy, Mr. Cavanaugh studied Mathematics at Hawaii Pacific University for two years (Id., ¶ 475).
Subsequently, Mr. Cavanaugh was an Army Reservist in Illinois (Id., ¶ 476). In the private sector,
Mr. Cavanaugh accrued approximately three years of experience working in cybersecurity at Afni,
Inc. (Id., ¶ 477). Mr. Cavanaugh earned the following certifications prior to his employment with
USAble: Certified Protection Specialist (“CPS”) and CISSP (Dkt. No. 26, ¶ 478; Dkt. No. 33, ¶
478). After leaving USAble, Mr. Cavanaugh earned a certification as a Certified Data Privacy
Solutions Engineer (“CDPSE”) (Dkt. No. 33, ¶ 478).
Mr. Cavanaugh was hired by USAble in August 2017 as an Information Security Analyst
III (Dkt. No. 26, ¶ 479). During his employment, USAble sent him to HCISSP (Healthcare
Certified Information Systems Securities Professional) training, but Mr. Cavanaugh resigned in
August 2018 prior to earning the certification (Id., ¶ 480).
Mr. Cavanaugh spent approximately 30 hours per week on vulnerability management when
he started the program (Dkt. No. 26, ¶ 482; Dkt. No. 33, ¶ 482). Mr. Cavanaugh testified that he
worked four to six hours per day on vulnerability management for the first three to four months of
his employment with USAble (Id., ¶ 483). Mr. Cavanaugh testified that he worked 30 hours per week
for approximately six to eight weeks of his employment with USAble (Id., ¶ 484).
When Mr. Cavanaugh was hired by USAble, EIS was using a tool for vulnerability
management called “Tenable.” (Id., ¶ 485). Mr. Cavanaugh recommended to Mr. Ross and Mr.
Shirley that USAble bring in a product called “InsightVM by a company called Rapid7.” (Id., ¶
487). Mr. Cavanaugh explained the many advantages of InsightVM over Tenable (Id., ¶ 489).
InsightVM required nearly constant monitoring by Mr. Cavanaugh (Id., ¶ 492). Mr. Cavanaugh
reviewed all the information acquired by InsightVM and assessed how to remediate any
vulnerabilities (Id., ¶ 496-7). After analyzing that data and assessing the vulnerability, Mr.
Cavanaugh coordinated with the IT department to apply a “patch” to remediate the vulnerability
(Id., ¶ 498). Once a patch was applied, Mr. Cavanaugh ran a follow-up scan to ensure that the
patch worked and the vulnerability was remediated (Id., ¶ 499). Mr. Cavanaugh spent an estimated
five hours per week working on “patch management.” (Id., ¶ 501).
Business continuity management and disaster recovery management, collectively,
consumed an estimated 35 hours of Mr. Cavanaugh’s weekly work time (Id., ¶ 504). Mr.
Cavanaugh worked with Ms. Overstreet to review these individual departmental plans to determine
if they fit within USAble’s security requirements (Id., ¶ 508). Disaster recovery exercising
required Mr. Cavanaugh to apply the disaster recovery plans to disaster scenarios and encompassed
approximately 40 hours per week of Mr. Cavanaugh’s work time for the “last couple months” of
his employment with USAble (Id., ¶ 511). Disaster recovery exercising is further complicated by
“tiering applications.” (Id., ¶ 516).
During Mr. Cavanaugh’s employment with USAble, the company was striving for
HITRUST certification, managing compliance of which encompassed an estimated 30 hours per
week (Id., ¶ 518). He made “multiple suggestions” to Mr. Ross and Mr. Shirley regarding how to
meet HITRUST requirements that were “promptly authorized.” (Id., ¶ 519). Further, when
advising and working with other USAble departments on their business continuity and disaster
recovery plans, he made recommendations based on HITRUST requirements and best practices,
which is required by the CISSP code of ethics (Id., ¶ 522). Mr. Cavanaugh also ensured that
policies drafted by USAble were compliant with HITRUST standards (Id., ¶ 524).
Mr. Cavanaugh spent approximately 30 hours per week on risk assessment and risk
analysis (Id., ¶ 526). Any time a USAble employee told Mr. Cavanaugh he or she wanted to
perform any task, he had to assess it and “figure out . . . [i]f it fit inside that [security] framework.”
(Id., ¶ 531). Risk assessment also included third party risk assessments (Id., ¶ 533). Mr.
Cavanaugh and the EIS team would review those questions and provide their “suggestions” to Mr.
Ross and Mr. Shirley (Id., ¶ 536).
Mr. Cavanaugh spent an estimated 15 to 20 hours per week drafting policies (Id., ¶ 537).
Mr. Cavanaugh recalled drafting the “Clean Desk Top” Policy and three to four others he could
not specify (Id., ¶ 541).
Mr. Cavanaugh spent approximately eight hours a day helping Mr. Young with threat
intelligence and threat hunting but only “for a short time.” (Id., ¶ 543). However, the eight hours
of work time did not include the time he “spent making [him]self smart and keeping ahead.” (Id.,
¶ 544). Mr. Cavanaugh’s responsibilities included “looking for any of those gaps in [] security.
Not only logically, but physical . . . controls.” (Id., ¶ 545).
Employee training and awareness, which consumed about 20 hours per week of Mr.
Cavanaugh’s work time, included the time he “spent making [him]self smart and keeping ahead.”
(Id., ¶ 546). When USAble was considering implementing a new anti-virus solution, Mr.
Cavanaugh “s[a]t there and read what does Crowdstrike do that McAfee doesn’t that maybe
Carbon Black Defense does. . .” (Id., ¶ 548).
Mr. Cavanaugh worked on the SIEM (Security Information and Event Management)
project for no more than six to eight weeks (Id., ¶ 553). Mr. Cavanaugh could spend “hours and
hours” investigating to determine if the “one thing that’s out of place” is a “false positive, . . . a
hiccup, maybe a switch went down,” or an “internal or external actor” on USAble’s network (Id.,
¶ 557).
Mr. Cavanaugh spent approximately three hours on contract review and three hours on
vendor security management, which went hand-in-hand with contract review (Id., ¶ 559).
Generally, Mr. Cavanaugh reviewed potential contracts to determine if it is “good for USAble or
it not, [d]o we need to change . . . this little section or not.” (Id., ¶ 560).
If Mr. Cavanaugh was “on call,” he could spend “hours and hours” mitigating an
“incident.” (Id., ¶ 566). In general, Mr. Cavanaugh spent an estimated eight hours per week
performing “incident management” duties (Id., ¶ 567). If there was a reported breach and EIS had
a “policy and procedure in place” for that particular suspected breach, Mr. Cavanaugh “would
follow that until mitigation.” (Id., ¶ 568). Absent a policy, Mr. Cavanaugh used his experience
and knowledge about HITRUST requirements and best practices to ensure that investigations into
security incidents were conducted appropriately (Id., ¶ 572). Depending on the circumstances, he
may also consult with the EIS team member with the most subject matter expertise to provide
insight into his incident investigation (Id., ¶ 573). After the incident was concluded, Mr.
Cavanaugh wrote a report outlining the security issues, how it was handled, and if it was resolved
(Id., ¶ 574).
6. S. Todd Miller
Prior to his employment with USAble, Mr. Miller attended the University of Arkansas at
Fayetteville and UALR, earning a degree in Criminal Justice from the latter (Id., ¶ 577). Mr. Miller
worked at GVH Consulting prior to being hired by USAble as Microservices Analyst (Id., ¶ 578).
Mr. Miller was promoted late 2016 or early 2017 to a Lead Information Security Analyst I and
remained in the position until his separation of employment on August 9, 2018 (Id., ¶ 579). During
the applicable statutory period, Mr. Miller maintained CISSP (Certified Information Systems
Security Professional) and HITRUST certifications (Id., ¶ 580). Also while employed at USAble,
Mr. Miller attended SANS training and various annual conferences pertinent to his position (Id., ¶
582).
Mr. Miller spent approximately five hours per month performing SIEM (Security
Information and Event Management) and eight hours per month each on threat hunting and threat
analysis (Id., ¶ 583). Mr. Miller used the SIEM tool, which at the time was a “new system,” to
monitor internal and external security threats (Id., ¶ 584). Mr. Miller reviewed these security logs
looking for “[f]ailed log-in attempts; lockouts, use lockouts; anomalous activity from certain
systems or inside [or] outside threats,” and, generally, to ensure “everything’s in order with
security.” (Id., ¶ 588). Once Mr. Miller located this information, he consolidated it into “weekly
reports.” (Id., ¶ 589). Mr. Miller provided these reports to Mr. Ross or Mr. Shirley, and if anything
“rose to the level of an incident,” the EIS team “would go through an Incident Response Plan.”
(Id., ¶ 590). Threat intelligence required Mr. Miller to “verify[] or tak[e] in security alert
information,” which “could be from Cisco, Microsoft, [or] security bulletins and advisories,” and
integrat[e] those with the SIEM (Id., ¶ 591).
Mr. Miller spent an estimated 30 hours per month on HITRUST compliance management
and another 15 hours per month on “working on policies and procedures,” which had to comply
with HITRUST requirements (Id., ¶ 594). Mr. Miller and the EIS team would review each template
“the consulting firm gave [them],” and “list out” the HITRUST guidelines (Id., ¶ 601). Generally,
the policies Mr. Miller was assigned to draft were in his areas of expertise or at least a subject
matter with which he had some knowledge base, including “[b]aseline configuration, vulnerability
management, [and] security log management.” (Id., ¶ 604). Mr. Miller also participated in the
Security Committee meetings that discussed the proposed policies (Id., ¶ 608).
Audit management and risk assessments each encompassed approximately 30 hours per
month of Mr. Miller’s work time (Id., ¶ 609). Audits generally required responses from other
USAble departments, and Mr. Miller and the EIS team would help them prepare for audits and,
during the audit process, “give them guidance on how they need to answer.” (Id., ¶ 615). Mr.
Miller utilized adverse audit findings as “information security guidance” on how EIS “need[ed] to
remedy and correct whatever [USAble] [was] doing wrong.” (Id., ¶ 616). Mr. Miller coordinated
with the other departments that were needed for third-party risk assessments to advise them of the risk
assessment, schedule meetings, and monitor the process (Id., ¶ 618). Risk analysis could also
be part of his risk assessment duties and encompassed an estimated two hours per month of his
work time (Id., ¶ 619). Mr. Miller’s duties included the “daily monitoring of systems” that were
identified in the risk assessments (Id., ¶ 620).
Mr. Miller spent approximately 30 hours per month on business continuity program
management, five hours per month on disaster recovery program management, and 40 hours per
month on disaster recovery exercising (Id., ¶ 621). Mr. Miller assisted with the development and
maintenance of business continuity and disaster recovery plan policies including assessing whether
the plans were compliant with applicable controlling regulations (Id., ¶ 624). Mr. Miller had to
periodically revise the company’s business continuity and disaster recovery plans and procedures
to address new and different security threats that arise (Id., ¶ 627). Disaster recovery exercises
were something on which Mr. Miller was constantly working (Id., ¶ 633). In addition to recurring
disaster recovery tabletop exercises, Mr. Miller worked on a business continuity and disaster
recovery exercise in 2018 in which USAble systems were actually taken down and brought back
up (Id., ¶ 634).
Mr. Miller spent an estimated three hours per month reviewing contracts and three hours
per month on vendor security management (Id., ¶ 640). Mr. Miller was responsible for ensuring
that USAble’s security measures were in compliance with the terms and provisions of contracts to
which USAble was a party (Id., ¶ 641). Mr. Miller worked with the Contracts department to review
contracts for the purchase of new computer systems for USAble to ensure that “everything’s in
order.” (Id., ¶ 642).
Employee awareness and training consumed approximately 20 hours per month of Mr.
Miller’s work time (Id., ¶ 644).
Mr. Miller spent approximately eight hours per month on incident management (Id., ¶ 650).
Mr. Miller was trained on how to differentiate these “false positives” from the legitimate breaches,
which occurred “almost every other week and even sometimes . . . weekly.” (Id., ¶ 656).
Mr. Miller spent an estimated five to ten hours per month on DLP (Data Loss Prevention),
and approximately 20 hours per month on database activity monitoring, which was part of DLP
(Id., ¶ 662). DLP is a “file-monitoring system,” looking for sensitive information, such as Social
Security numbers, stored on servers and identifying when that data is transmitted (Id., ¶ 663).
When Mr. Miller discovered sensitive data being transmitted to, for example, “private e-mail
accounts,” he “would have to put security controls” to block unsecure transmission (Id., ¶ 664).
Database activity monitoring was a “big project” under the umbrella of DLP that he spent “a lot
of time on.” (Id., ¶ 665).
Mr. Miller spent approximately five hours per month on SDLC (System Development
Lifecycle) management (Id., ¶ 666). SDLC management required Mr. Miller to monitor a system
from the time it is installed until the end of its life (Id., ¶ 667). Mr. Miller scanned systems to
determine which ones were at the end of their lives so those could be securely taken offline (Id., ¶
669).
Mr. Miller’s job duties also included vetting, assessing, and “demo-ing” systems to
determine which “vendor [USAble] [was] going to go with” and which type of system would be
chosen (Id., ¶ 671). Mr. Miller would choose the top three options that fit USAble’s needs, then
“demo” the products, installing it and testing it within USAble’s technology infrastructure (Id., ¶
674-5). After testing the product, Mr. Miller made his recommendations to Mr. Ross and Mr.
Shirley as to which product USAble should utilize (Id., ¶ 677).
B. Supervision, Salary, And Structure
Mr. Ross was hired by USAble in February 2017 as Supervisor of Enterprise Information
Security and was promoted to his current position, Manager of Enterprise Information Security, in
July 2018 (Id., ¶ 681). Mr. Shirley was employed as Director of Enterprise Information Security.
Since September 2017, he was employed as Chief Information Security Officer while still
maintaining his title and job duties as Director of Enterprise Information Security (Id., ¶ 682).
From February 2017, each plaintiff was compensated on a salary basis, receiving a
predetermined sum on a biweekly basis, at an equivalent weekly rate in excess of $455.00, which
was not subject to reduction because of variations in the quality or quantity of the work performed
(Id., ¶ 683).
Upon being hired by USAble in February 2017, Mr. Ross became the immediate supervisor
of all Lead Information Security Analysts and Information Security Analysts, including plaintiffs
for all periods of time they were employed by USAble in EIS (Id., ¶ 684). Accordingly, he is
thoroughly familiar with the nature of plaintiffs’ jobs and the work they performed at USAble
(Id.). Beginning in February 2017, Mr. Shirley was Mr. Ross’s immediate supervisor, but Mr.
Shirley still maintained involvement in EIS (Id., ¶ 685). Accordingly, he is thoroughly familiar
with the nature of plaintiffs’ jobs and the work they performed at USAble (Id.).
EIS is, and was when plaintiffs were employed at USAble, a department within USAble that
is responsible for the security and protection of USAble’s information transmitted using or stored
on USAble’s computer systems (Id., ¶ 686). As a health insurance company, USAble receives,
maintains, stores, transmits, and uses, as appropriate, a variety of personal information of its
customers, including personal health information (“PHI”) (Id., ¶ 687). The storage and use of
PHI, as well as the procedures and protocols implemented by USAble to secure that information
and ensure its availability, is heavily regulated (Id.). Therefore, securing of the information
USAble possesses at any given time, which the parties and the Court hereinafter refer to as
“Enterprise Information,” is directly related to the operation of USAble as a health insurer (Id.).
To facilitate EIS’s overarching mandate to protect Enterprise Information, plaintiffs
performed a variety of discrete job functions, including, but not limited to: (i) analyzing complex
data to determine whether vulnerabilities or threats to Enterprise Information were present in
computer, network, or Internet systems; (ii) assessing the risk associated with identified threats
and vulnerabilities; (iii) working inside USAble’s technology infrastructure to mitigate and/or
remediate, consulting and coordinating with the Information Technology Department where
appropriate; (iv) developing security policies in compliance with HITRUST’s complex security
framework, which incorporated a variety of regulatory requirements; (v) making recommendations
to Mr. Ross or to Mr. Shirley directly regarding steps USAble could take to attain HITRUST
certification, including analyzing regulatory requirements to determine whether an integrated
HITRUST control stemmed from a regulatory requirement that USAble was not required to
follow; (vi) developing and maintaining departmental business continuity and disaster recovery
plans, in conjunction with individual departments, each of which had individualized plans,
including ensuring that the plans were compliant with HIPAA’s regulatory requirements; (vii)
creating, coordinating, and conducting disaster recovery exercises in compliance with HIPAA’s
regulatory requirements; (viii) researching and advising Mr. Ross and/or Mr. Shirley as to
regulatory requirements applicable to USAble; (ix) coordinating and managing audits and tracking
adverse audit findings and ensuring the identified deficiency was corrected; and (x) reviewing
potential USAble contracts from a security perspective to ensure the contractual provisions met
USAble’s security standards and that nothing in the contract presented an issue from a security
perspective (Id., ¶ 688). Each of these duties was integral to the security of USAble’s Enterprise
Information (Id.).
USAble asserts that Mr. Ross and Mr. Shirley relied on plaintiffs’ recommendations,
suggestions, insight, and/or advice to make decisions (Id., ¶ 693). USAble also asserts that Mr.
Ross and Mr. Shirley rarely rejected plaintiffs’ substantive recommendations or reviewed the daily
work plaintiffs performed (Id., ¶ 694). When Mr. Ross made recommendations to Mr. Shirley,
Mr. Shirley understood Mr. Ross’s recommendations to be based on the recommendations,
suggestions, insight, and/or advice of plaintiffs (Id., ¶ 695).
C. Procedural History
On February 7, 2020, separate plaintiffs Mr. Simmons, Ms. Overstreet, and Mr. Young,
each individually and on behalf of all others similarly situated, filed their original complaint—
collective action with this Court, seeking relief under the Fair Labor Standards Act, 29 U.S.C. §
201, et seq. (“FLSA”), and the Arkansas Minimum Wage Act, § 11–4–201, et seq. (“AMWA”),
for overtime compensation, including monetary and liquidated damages, due to the purported
misclassification of plaintiffs and a collective class of similarly situated employees (Dkt. No. 1).
On February 24, 2020, plaintiff Mr. Miller filed his consent to join the collective action (Dkt. No.
2). On April 24, 2020, the parties jointly stipulated to the conditional certification and distribution
of notice to the opt-in class: “Salaried Information Security Analysts I–III and Lead Information
Security Analysts I–III employed by USAble Corporation after February 7, 2017.” (Dkt. No. 11).
The parties stipulated to a 60-day opt-in period during the pendency of which opt-in plaintiffs Ms.
Broadhurst and Mr. Cavanaugh each filed consents to join the collective action (Dkt. Nos. 13, 14).
USAble filed its motion for summary judgment on February 25, 2021 (Dkt. No. 24).
Plaintiffs opposed the motion (Dkt. No. 32).
II. Legal Standard For Summary Judgment
Pursuant to the Federal Rules of Civil Procedure, the Court may grant summary judgment
“if the movant shows that there is no genuine dispute as to any material fact and the movant is
entitled to judgment as a matter of law.” Fed. R. Civ. P. 56(a). A dispute is genuine if a reasonable
jury could render its verdict for the non-moving party. See Anderson v. Liberty Lobby, Inc., 477
U.S. 242, 248 (1986). “The mere existence of a factual dispute is insufficient alone to bar summary
judgment; rather, the dispute must be outcome determinative under prevailing law.” Holloway v.
Pigman, 884 F.2d 365, 366 (8th Cir. 1989). Mere denials or allegations are insufficient to defeat
an otherwise properly supported motion for summary judgment. See Miner v. Local 373, 513 F.3d
854, 860 (8th Cir. 2008); Com. Union Ins. Co. v. Schmidt, 967 F.2d 270, 271-72 (8th Cir. 1992).
First, the burden is on the party seeking summary judgment to demonstrate an absence of
a genuine issue of material fact. Celotex Corp. v. Catrett, 477 U.S. 317, 323 (1986); Farver v.
McCarthy, 931 F.3d 808, 811 (8th Cir. 2019). If the moving party satisfies its burden, the burden
then shifts to the non-moving party to establish the presence of a genuine issue that must be
determined at trial. See Prudential Ins. Co. v. Hinkel, 121 F.3d 364, 366 (8th Cir. 1997);
Matsushita Elec. Indus. Co. v. Zenith Radio Corp., 475 U.S. 574, 587 (1986). The non-movant
“‘must do more than simply show that there is some metaphysical doubt as to the material facts,’
and must come forward with ‘specific facts showing that there is a genuine issue for trial.’”
Torgerson v. City of Rochester, 643 F.3d 1031, 1042 (8th Cir. 2011) (en banc) (quoting Matsushita,
475 U.S. at 586-87). “The evidence of the non-movant is to be believed, and all justifiable
inferences are to be drawn in his favor.” Anderson, 477 U.S. at 255. “[I]n an FLSA exemption
case such as this, the employer . . . has the burden of proving the employee fits within one of the
FLSA exemptions.” Grage v. N. States Power Co.-Minnesota, 813 F.3d 1051, 1054 (8th Cir. 2015)
(citing Fife v. Harmon, 171 F.3d 1173, 1174 (8th Cir. 1999)). “[W]hether [employees’] particular
activities excluded them from the overtime benefits of the FLSA is a question of law.” Grage,
813 F.3d at 1054 (citing Spinden v. GS Roofing Prods. Co., 94 F.3d 421, 426 (8th Cir. 1996)).
III. Legal Standards Under The FLSA
In their complaint, plaintiffs argue that USAble incorrectly classified them as exempt from
the overtime requirements of the FLSA and AMWA and did not pay each of them an overtime
premium for the hours worked in excess of 40 hours in a week.
“The FLSA requires employers to pay overtime of at least one and one-half times the
regular pay rate for employees who work over forty hours in one workweek.” Grage, 813 F.3d at
1054 (citing 29 U.S.C. § 207(a)(2)). Some employees are exempt from the FLSA’s overtime
requirements. Id. § 213(a)(1). Such exempt employees include “any employee employed in a
bona fide executive, administrative, or professional capacity. . . .” 29 U.S.C. § 213(a)(1).
“The FLSA and the AMWA impose similar minimum wage and overtime requirements on
employers and, in cases involving claims brought under both acts, the courts have concluded that
their parallel provisions should be interpreted in the same manner.” Cummings v. Bost, Inc., 218
F. Supp. 3d 978, 985 (W.D. Ark. 2016) (quoting Carter v. Primary Home Care of Hot Springs,
Inc., Case No. 6:14-cv-6092, 2015 WL 11120563, at *2 (W.D. Ark. May 14, 2015)).
“[W]hether an employee is exempt under the FLSA is an issue of law.” Jarrett v. ERC
Props., Inc., 211 F.3d 1078, 1081 (8th Cir. 2000) (citing Icicle Seafoods, Inc. v. Worthington, 475
U.S. 709, 714 (1986)). The Eighth Circuit has held that “[c]ourts should broadly interpret and
apply the FLSA to effectuate its goals because it is remedial and humanitarian in purpose.” Specht
v. City of Sioux Falls, 639 F.3d 814, 819 (8th Cir. 2011) (internal quotation omitted). To promote
this goal, the Department of Labor (“DOL”) has provided regulations that include factors to guide
the Court in determining whether an employee qualifies for an exemption. See Fife v. Bosley, 100
F.3d 87, 89 (8th Cir. 1996) (citing 29 C.F.R. § 541).
With regard to the “administrative exemption,” these regulations state in pertinent part:
(a) The term “employee employed in a bona fide administrative capacity” in section 13(a)(1) of the Act shall mean any employee:
(1) Compensated on a salary or fee basis pursuant to § 541.600 at a rate of not less than $684 per week . . . exclusive of board, lodging or other facilities;
(2) Whose primary duty is the performance of office or non-manual work directly related to the management or general business operations of the employer or the employer’s customers; and
(3) Whose primary duty includes the exercise of discretion and independent judgment with respect to matters of significance.
29 C.F.R. § 541.200.
Work directly related to management or general business operations includes but is not
limited to: “auditing,” “computer network, internet and database administration,” “legal and
regulatory compliance,” “and similar activities.” 29 C.F.R. § 541.201(b).
“The term ‘primary duty’ means the principal, main, major or most important duty that the
employee performs. Determination of an employee’s primary duty must be based on all the facts
in a particular case, with the major emphasis on the character of the employee’s job as a whole.”
29 C.F.R. § 541.700.
With regard to discretion and independence under the administrative exemption:
The phrase “discretion and independent judgment” must be applied in the light of all the facts involved in the particular employment situation in which the question arises. Factors to consider when determining whether an employee exercises discretion and independent judgment with respect to matters of significance include, but are not limited to: whether the employee has authority to formulate, affect, interpret, or implement management policies or operating practices; whether the employee carries out major assignments in conducting the operations of the business; whether the employee performs work that affects business operations to a substantial degree, even if the employee’s assignments are related to operation of a particular segment of the business; whether the employee has authority to commit the employer in matters that have significant financial impact; whether the employee has authority to waive or deviate from established policies and procedures without prior approval; whether the employee has authority to negotiate and bind the company on significant matters; whether the employee provides consultation or expert advice to management; whether the employee is involved in planning long- or short-term business objectives; whether the employee investigates and resolves matters of significance on behalf of management; and whether the employee represents the company in handling complaints, arbitrating disputes or resolving grievances.
29 C.F.R. § 541.202(b).
The exercise of discretion and independent judgment implies that the employee has authority to make an independent choice, free from immediate direction or supervision. However, employees can exercise discretion and independent judgment even if their decisions or recommendations are reviewed at a higher level. Thus, the term “discretion and independent judgment” does not require that the decisions made by an employee have a finality that goes with unlimited authority and a complete absence of review. The decisions made as a result of the exercise of discretion and independent judgment may consist of recommendations for action rather than the actual taking of action. The fact that an employee's decision may be subject to review and that upon occasion the decisions are revised or reversed after review does not mean that the employee is not exercising discretion and independent judgment.
29 C.F.R. § 541.202(c).
The exercise of discretion and independent judgment must be more than the use of skill in applying well-established techniques, procedures or specific standards described in manuals or other sources . . . The exercise of discretion and independent judgment also does not include clerical or secretarial work, recording or tabulating data, or performing other mechanical, repetitive, recurrent or routine work. An employee who simply tabulates data is not exempt, even if labeled as a “statistician.”
29 C.F.R. § 541.202(e).
The Eighth Circuit has made clear that “[t]he employer has the burden to prove that its
employee is an executive and therefore exempt from the FLSA’s overtime pay requirements.”
Madden v. Lumber One Home Ctr., Inc., 745 F.3d 899, 903 (8th Cir. 2014) (citing Fife, 171 F.3d
at 1174). Furthermore, the Supreme Court has rejected the principle that the FLSA’s exemptions
should be construed narrowly and instead determined that they are to be given a “fair reading.”
Encino Motorcars, LLC v. Navarro, 138 S. Ct. 1134, 1142 (2018).
Plaintiffs bring claims under both the FLSA and the AMWA. USAble moves for summary
judgment on all claims, FLSA and AMWA. In their briefing, the parties do not argue to the Court
any differences in interpreting these laws or their exemptions. Generally, “[t]he FLSA and the
AMWA impose similar minimum wage and overtime requirements on employers and, in cases
involving claims brought under both acts, the courts have concluded that their parallel provisions
should be interpreted in the same manner.” Cummings, 218 F. Supp. 3d at 985 (quoting Carter,
2015 WL 11120563, at *2). 10
In making its determinations in this case, the Court has reviewed all of the record evidence
presented as to each named plaintiff. While disputes regarding the nature of an employee’s duties
are questions of fact, the “ultimate question [of] whether an employee is exempt under the FLSA
is an issue of law.” Jarrett, 211 F.3d at 1081 (citing Icicle Seafoods, Inc. 475 U.S. at 714). The
Court determines that, on the record evidence before it, self-serving declarations cannot be used
to create a question of fact at the summary judgment stage. See Marathon Ashland Petroleum,
LLC v. Intern. Broth. Of Teamsters, Chauffeurs, Warehousemen, Helpers of America, General
Drivers, Helpers and Truck Terminal Employee Union, Local No. 120, 300 F.3d 945, 951 (8th Cir.
2002) (internal citations omitted). The Court has considered all record evidence presented as to
each named plaintiff, construing all reasonable inferences from that evidence in favor of plaintiffs
who are the non-moving parties, as is required at this stage of the litigation. For the following
reasons, the Court grants summary judgment in favor of USAble.
10 The Court notes that the AMWA states that its overtime requirements “shall not apply to any employee exempt from the overtime requirements of the federal [FLSA] pursuant to the provisions of 29 U.S.C. § 213(b)(1)-(24) and (b)(28)-(30), as they existed on March 1, 2006.” Ark. Code Ann. § 11-4-211(d). Furthermore, the Arkansas Department of Labor “may rely on the interpretations of the U.S. Department of Labor and federal precedent established under the [FLSA] in interpreting and applying the provisions of the Act and Rule 010.14-100 through -113, except to the extent a different interpretation is clearly required.” Ark. Admin. Code § 010-14.1-112.
IV. Analysis
Plaintiffs seek purportedly unpaid overtime wages due to the alleged misclassification of
their positions as exempt from the minimum wage requirements of the FLSA. USAble argues that
plaintiffs were properly classified as exempt because they “were well-compensated information
security professionals who analyzed data and made recommendations based on their experience
and knowledge with regulatory requirements and cybersecurity frameworks.” (Dkt. No. 25, at 1).
A. Rate Of Compensation
It is undisputed that all plaintiffs were compensated on a salary basis at a rate in excess of
$455.00 per week exclusive of board, lodging or other facilities. 11 The first element of the
administrative exemption is not in dispute. See 29 U.S.C. § 541.200(a)(1).
B. Primary Duties: Office Or Non-Manual Work Directly Related To The Management Or General Business Operations Of the Employer Or the Employer’s Customers
To meet the second element of the administrative exemption, an employee’s primary duty
must be “the performance of office or non-manual work directly related to the management or
general business operations of the employer or the employer’s customers.” 29 C.F.R. §
541.200(a)(2). This requires an employee to perform work directly related to assisting with the
running or servicing of the business, as distinguished from working on a manufacturing production
line or selling a product in a retail or service establishment. 29 C.F.R. § 541.201(a).
11 The minimum weekly salary rate was raised from $455.00 per week to $684.00 per week effective January 1, 2020. See Dept. of Lab., Wage & Hour Div., Final Rule, Defining and Delimiting the Exemptions for Executive, Administrative, Professional, Outside Sales and Computer Employees, 84 FR 51230–01, 2019 WL 4690536 (Sept. 27, 2019). Thus, the minimum weekly salary rate during the applicable statutory period was $455.00 per week.
Work directly related to management or general business operations includes, but is not
limited to, work in functions and areas such as:
Tax; finance; accounting; budgeting; auditing; insurance; quality control; purchasing; procurement; advertising; marketing; research; safety and health; personnel management; human resources; employee benefits; labor relations; public relations; government relations; computer network; internet and database administration; legal and regulatory compliance; and similar activities.
29 C.F.R. § 541.201(b). The list is not exhaustive and “administrative work” could also include
“‘advising the management, planning, negotiating, representing the company, purchasing,
promoting sales, and business research and control.’” Grage, 813 F.3d at 1055 (quoting Renfro v.
Ind. Mich. Power Co., 370 F.3d 512, 517 (6th Cir. 2004)). To determine whether an employee is
an administrative or production worker, it is appropriate to consider the nature of the employer’s
business. Martin v. Cooper Elec. Supply Co., 940 F.2d 896, 899 (3d Cir. 1991).
An employee’s “primary duty” is the “principal, main, major or most important duty that
the employee performs. Determination of an employee’s primary duty must be based on all of the
facts in a particular case, with the major emphasis on the character of the employee’s job as a
whole.” 29 C.F.R. § 541.700(a). The following factors may be considered: “relative importance
of the exempt duties as compared with other types of duties; the amount of time spent performing
exempt work; the employee’s relative freedom from direct supervision; and the relationship
between the employee’s salary and the wages paid to other employees for the kind of nonexempt
work performed.” 29 C.F.R. § 541.700(a); see also Grage, 813 F.3d at 1055. “[A]n employee’s
primary duty is that which is of principal importance to the employer, rather than collateral tasks
which may take up more than fifty percent of his or her time.” Spinden, 94 F.3d at 427 (citation
omitted).
As a “health insurer,” USAble receives, maintains, and transmits PHI of its members in the
regular course of business to assess and determine eligibility for claims of coverage and
reimbursement (Dkt. No. 25, at 81 (including cites to record evidence)). USAble is subject to
certain regulatory requirements promulgated pursuant to HIPAA, see 45 C.F.R. §§ 160.102, 160.
103, which requires USAble to implement certain safeguards to protect the privacy of PHI and sets
limits and conditions on the uses and disclosure that may be made of such information without
patient authorization. See 45 C.F.R. §§ 160.101 et seq., 164.102 to 164.106, 164.500 to 164.534
(Dkt. No. 25, at 81 (citing to record evidence)).
EIS during the relevant period was responsible for the protection of the confidential
information maintained by USAble, including PHI and other sensitive information, and each
plaintiff worked in EIS during the relevant period (Dkt. No. 25, at 81-82 (citing to record
evidence)). EIS was responsible for a variety of security functions, managing security related
deployment, and developing projects and security policies that align USAble’s enterprise security
operations with industry and regulatory compliance (Dkt. No. 25, at 117 (citing to record
evidence)). Each plaintiff performed duties to ensure that EIS secured the information utilized,
maintained, and transmitted by USAble to the maximum extent possible (Dkt. No. 25, at 117
(citing to record evidence)). The discrete job duties performed by each plaintiff as testified to at
deposition by each plaintiff demonstrate that no reasonable factfinder could conclude that each
plaintiff did not spend the majority of his or her time performing “exempt” duties. See 29 C.F.R.
§ 541.700(b).
Having reviewed the record evidence and construing all reasonable inferences from it in
favor of plaintiffs, the Court concludes that no reasonable fact finder could conclude that, in their
capacities as either Lead Information Security Analysts or Information Security Analysts, each
plaintiff’s primary duties did not consist of “office or non-manual work.” 29 C.F.R. §
541.200(a)(2) (Dkt. No. 25, at 82 (citing to record evidence)). Further, no reasonable factfinder
could conclude that each plaintiff’s role as Lead Information Security Analyst or Information
Security Analyst was not directly related to the management and/or general business operations of
USAble. See 29 C.F.R. §§ 541.200(a)(2), 541.201(a); see also Grage, 813 F.3d at 1056; Ahle v.
Veracity Rsch. Co., 738 F. Supp. 2d 896, 903 (D. Minn. 2010).
C. Primary Duties: Exercise Of Discretion And Independent Judgment With Respect To Matters Of Significance
To meet the third requirement of the administrative exemption, an “employee’s primary
duty must include the exercise of discretion and independent judgment with respect to matters of
significance.” 29 C.F.R. § 541.202(a). “In general, the exercise of discretion and independent
judgment involves the comparison and the evaluation of possible courses of conduct, and acting
or making decisions after the various possibilities have been considered.” Id. The term “matters
of significance” refers to the level of importance or consequence of the work performed. Id.
“Mere denials” by each plaintiff that his or her primary duties did not include the exercise
of discretion are insufficient. Com. Union Ins. Co., 967 F.2d at 271-72. Plaintiffs do not deny
performing many of the actions attributed to them by USAble, but plaintiffs in response to
summary judgment attempt to argue in declarations prepared and submitted after they each
provided detailed deposition testimony that they were merely copying policies or following orders.
Their declarations are belied by their deposition testimony, which is available for the Court’s
review and consideration in the summary judgment record and further was parsed through by
USAble in its reply (Dkt. No. 38). The record evidence in this case reviewed by the Court and
upon which the Court bases its decision distinguishes this case from Chicca v. St. Luke’s Episcopal
Health System, 858 F.Supp.2d 777 (S.D. Tex. 2012), the non-controlling case cited by plaintiffs in
their response (Dkt. No. 32). The descriptions provided by plaintiffs of their job duties under oath
in their deposition testimony are not “broad and vague,” leave no room for doubt, and confirm
those matters of significance on which each plaintiff exercised independent discretion and
judgment. Cf. Chicca, 858 F.Supp.2d at 790.
In their declarations, each plaintiff attempts to argue to a certain extent that he or she did
not draft policies but instead merely pulled regulatory language into a format. The record evidence
which is comprised of plaintiffs’ deposition testimony leaves a factfinder with the firm impression
that such was not the case with respect to any plaintiff and the drafting of policies. Regardless,
even if that were the case, that review of regulatory language and splicing it together to make it
relevant for USAble seems inherently to involve discretion and independent judgment in this
context when all facts and circumstances as presented in the record evidence are considered.
The same is true with respect to audits to the extent plaintiffs were involved in audits. In
their declarations, plaintiffs generally seek to minimize their roles with respect to audits. The
record evidence including plaintiffs’ deposition testimony provides clear descriptions in plaintiffs’
own words of the work each did. While plaintiffs had to communicate the audit requirements to
the different departments, plaintiffs made the determination which department to contact for
information, received the information, organized the information, and presented it in a way that fit
the requests, and then plaintiffs had to report on any shortcomings and address those shortcomings,
too. This conduct involved discretion and independent judgment in this context when all facts and
circumstances as presented in the record evidence are considered.
Plaintiffs also advised under certain circumstances on which programs to use and how to
adapt policies to contracts. In their deposition testimonies, they describe those tasks and use
language that affirms the use of discretion and independent judgment while performing these tasks.
Again, the record evidence, even with all reasonable inferences drawn in plaintiffs’ favor, results
in the Court’s determination that no reasonable factfinder could conclude otherwise, the language
used in plaintiffs’ more recent declarations notwithstanding.
In their response to USAble’s motion for summary judgment, plaintiffs repeatedly point
this Court to reviews performed by Mr. Ross and Mr. Shirley in an effort to suggest that plaintiffs
did not exercise discretion and independent judgment (Dkt. No. 32). The Department of Labor
has explicitly stated that “the term ‘discretion and independent judgment’ does not require that the
decisions made by an employee have a finality that goes with unlimited authority and a complete
absence of review.” 29 C.F.R. § 541.202. Through developing policies, trainings, and protocols,
coordinating audits, reviewing potential contracts, and advising on the management and
organization of security information technology, plaintiffs were able to exercise discretion and
judgment in the ways that PHI was managed and protected at USAble. The fact that Mr. Ross or
Mr. Shirley were involved in reviewing decisions, or even had the final say over outcomes, does
not strip plaintiffs of their independent judgment for purposes of this analysis.
Regarding plaintiffs’ arguments that their work did not involve “matters of significance” –
on the record evidence before it with all reasonable inferences drawn in favor of plaintiffs, the
Court determines that no reasonable factfinder could conclude that maintaining the security of
highly regulated PHI for a health insurance company is not a matter of significance. While the
Court acknowledges that cost alone is not determinative, if this information was lost or was not
protected, it is undisputed in the record evidence that USAble would lose money, goodwill, and
business, and face regulatory issues (see generally Dkt. No. 26, ¶¶ 92, 101-02, 115, 119, 298, 318,
323, 326, 330, 419, 428-33, 498, 568, 590, 616).
The Court determines on the record evidence before it, even with all reasonable inferences
drawn in favor of plaintiffs, that no reasonable factfinder could conclude that each plaintiff did not
exercise discretion and independent judgment with respect to matters of significance by: (1)
comparing and evaluating possible courses of action after considering complex data, even if their
decisions and recommendation were subject to review at a higher level; (2) formulating operating
policies on behalf of USAble; (3) performing work that affected USAble’s business operations to
a substantial degree through assignments carried out within EIS; and (4) providing consultation
and expert advice to USAble’s management (Dkt. No. 25, at 119).
D. Ms. Overstreet’s Bankruptcy
Because the Court concludes that USAble is entitled to summary judgment in its favor on
each plaintiff’s FLSA and AMWA claims, the Court does not reach the parties’ arguments with
respect to Ms. Overstreet’s bankruptcy, her failure to disclose her FLSA and AMWA claims during
the course of her bankruptcy, and the resulting effect of that failure to disclose on her ability to
recover on her claims.
V. Conclusion
For the foregoing reasons, the Court grants USAble’s motion for summary judgment (Dkt.
No. 24) and enters judgment in favor of USAble on plaintiffs’ FLSA and AMWA claims. The
relief requested is denied.
It is so ordered this 30th day of September, 2021.
_________________________________
Kristine G. Baker
United States District Judge
Simmons v. USAble Corporation, Counsel Stack Legal Research, https://law.counselstack.com/opinion/simmons-v-usable-corporation-ared-2021.