[Editor’s Note: This article was first published August 21, 2024 and EDRM is grateful to Tom Paskowitz and Robert Keeling of our Trusted Partner, Sidley, for permission to republish. The opinions and positions are those of the author.]

This Sidley Update addresses the following recent developments and court decisions involving e-discovery issues:

1. A decision from the U.S. District Court for the Southern District of New York ordering the plaintiff to implement added data security measures to certain electronically stored information (ESI) produced by the defendant and declining to shift the costs of such added data security measures to the defendant
2. A decision from the U.S. District Court for the Southern District of New York granting so-called “copycat” or “cloned” discovery of documents produced by a party in a prior litigation but narrowing the documents to be re-produced to omit documents that would not be relevant to the current litigation
3. A ruling from the U.S. District Court for the Northern District of California requiring the defendant to include in its discovery responses text messages on the personal devices of its employees because the defendant had the legal right to obtain the text messages based on its employment agreements
4. An opinion from the U.S. District Court for the Eastern District of Ohio refusing to compel a plaintiff to produce “all documents” that hit on certain keywords the defendant had unilaterally selected because the request was overbroad in the absence of a showing that the keywords were narrowly tailored or “calibrated to address the issues in this case”

1. A decision from the U.S. District Court for the Southern District of New York ordering the plaintiff to implement added data security measures to certain electronically stored information produced by the defendant and declining to shift the costs of such added data security measures to the defendant.

In United States v. Anthem, Inc., No. 20-CV-2593 (ALC) (KHP), 2024 WL 2982908 (S.D.N.Y. June 12, 2024), U.S. Magistrate Judge Katharine H. Parker addressed the issue of data security in discovery and how costs for such security should be allocated between the parties.

In this action under the False Claims Act, the government alleged that Anthem knowingly disregarded its duty to ensure the accuracy of risk adjustment diagnosis data that it submitted to the U.S. Department of Health and Human Services. Id. at *1.

During discovery, Anthem anticipated producing to the government the medical information and records of Anthem’s members, but the parties disagreed regarding the safeguards and security that the government would apply to this data once in its possession.

The government proposed a “robust set of protections” for the data that included a “bespoke platform, not connected to the internet, accessible by only ten individuals.” The data on the platform would be “encrypted at the file level” and would be transferrable only by encrypted physical storage. The government reported that the monthly cost for this level of security was about $5,000/month.

Anthem disagreed that the government’s security procedures were sufficient and requested additional protections that Anthem claimed were “consistent with industry standards and with applicable regulatory guidance.” These included tracking and logging of all activity on the platform (not just of data moving in or out of the system); monitoring of internal activity logs; certain data loss prevention controls to mitigate potential security gaps in transfer protocols; and certain measures to address security vulnerabilities in the event of a future data breach. These additional measures would cost an additional $4,300/month.

Magistrate Judge Parker began her analysis of the parties’ dispute by explaining that “there is a presumption that the responding party bears the expense of complying with and responding to discovery requests and of preserving its own information for litigation,” but “the cost of maintaining the security of data turned over in litigation is a slightly different question.” Id. at *2. She noted that parties generally do not address “secure storage of data or who bears the costs of protecting electronically stored information produced in discovery.” However, she pointed out that her model protective order contains a provision that “[t]he producing party may specify the minimal level of protection expected in the storage and transfer of its information” and the parties’ protective order in the case incorporated this model provision.

Magistrate Judge Parker agreed that Anthem’s security concerns were valid, pointing to an American Bar Association report that 27% of law firms reported having experienced a security breach and the fact that one of the government’s vendors in this case had already experienced a ransomware attack that compromised some of Anthem’s data.

Turning to the rules applicable to the parties’ dispute, Magistrate Judge Parker began with 26(c)(1)(B) granting courts discretion to allocate expenses for disclosure or discovery upon a showing of “good cause.” Id. at *3. Referring to a prior decision, Zubulake v. UBS Warburg LLC, 217 F.R.D. 309, 323 (S.D.N.Y. 2003), she explained that the factors relevant to analyzing which party should bear the cost of electronic discovery include 1) “the extent to which the request is specifically tailored to discover the relevant information”; 2) “the availability of such information from other sources”; 3) “the total cost of production, compared to the amount in controversy”; 4) “the total cost of production, compared to the resources available to each party”; 5) “the relative ability of each party to control costs and its incentive to do so”; 6) “the importance of the issues at stake in the litigation”; and 7) “the relative benefits to the parties of obtaining information.” But Magistrate Judge Parker noted that these factors were developed “over twenty years ago in the infancy of electronic discovery” and were “informative” but “not all directly relevant to the question of whether a producing party who wishes a certain level of data security be provided for data produced in discovery can require the receiving party to bear the full cost of such data security protections for the duration of the litigation until the data is destroyed or returned.”

Magistrate Judge Parker identified a list of “non-exclusive factors as relevant to determining whether there is good cause to shift all or a portion of costs of data security measures from the receiving party to the producing party,” which included 1) “the nature of the information to be protected and risks and costs associated with unauthorized disclosure of such information”; 2) “the reasonableness of the security measures requested by the producing party (which can include an evaluation of the degree of risk mitigated by the security requested relative to less costly security measures)”; 3) “the cost of the data security requested relative to the overall costs of discovery and amount in controversy”; and 4) “relative ability of the parties to pay the costs of the security requested by the producing party”.

Addressing each of these factors in turn, Magistrate Judge Parker found that the first factor, the nature of the information to be protected and risks and costs associated with unauthorized disclosure, weighed against shifting the costs of that security to Anthem. She reasoned that the medical information at issue was often the subject of cyberattacks, and the costs associated with compromise of the information were high. As a result, Anthem’s concern for the security of the data was reasonable.

Magistrate Judge Parker found that the second factor, the reasonableness of the security measures requested, also weighed against shifting the costs of data security to Anthem. Id. at *4. She explained that while the system proposed by the government was already secure and took into account health industry standards for protection of information, Anthem was the only party to submit a technical opinion regarding the safeguards offered by the parties. She concluded that she could not “rely on the representations of lawyers for the government to conclude that their proposed safeguards are sufficient.”

Magistrate Judge Parker found that the third factor, the cost of the data security requested relative to the overall costs of discovery and amount in controversy, also weighed against shifting the costs of data security to Anthem. She reasoned that the annual costs of Anthem’s proposed additional security measures ($60,000 per year) were a “rounding error” relative to the entire amount in controversy.

Finally, Magistrate Judge Parker found that the fourth factor, the relative ability of the parties to pay the costs of the security requested, weighed “slightly in favor of shifting the costs of data security to Anthem.” While both sides had the ability to pay the cost of the additional security, she noted that the government was funded by tax dollars whereas Anthem “generates billions of dollars in revenues and has significant resources to defend this action.” However, Magistrate Judge Parker stated that “the disparity in resources and source of those resources is not so great, especially in light of the total cost of litigation and amount in controversy, as to raise concerns that [Anthem] is seeking to make prosecuting the case against it financially untenable.”

After balancing these factors, Magistrate Judge Parker held that the additional security measures requested by Anthem were proportionate to the nature of the information sought to be protected, reasonable in light of the only evidence provided on the level of security required, and proportionate to the total amount in controversy and the overall costs of litigation. She therefore ordered the government to implement the added data security measures and concluded that the government had not shown good cause to shift the burden to Anthem to pay for the added measures.

2. A decision from the U.S. District Court for the Southern District of New York granting so-called “copycat” or “cloned” discovery of documents produced by a party in a prior litigation but narrowing the documents to be re-produced to omit documents that would not be relevant to the current litigation.

In another opinion from United States v. Anthem, Inc., 20-CV-2593 (ALC) (KHP), 2024 WL 1116276 (S.D.N.Y. Mar. 13, 2024), Magistrate Judge Parker addressed the standards applicable to requests for wholesale reproduction of documents produced by a party in a prior litigation.

At issue in this decision was Anthem’s first request for production to the government in discovery, which sought so-called “copycat” or “clone” production of all discovery previously produced in a prior litigation involving similar claims against one of Anthem’s competitors, United States ex rel. Poehling v. UnitedHealth Group. Id. at *2. Specifically, Anthem sought production of “all documents that the government produced in response to any discovery requests served on the government in the Poehling litigation, regardless of time period,” as well as information about discovery in the Poehling matter, including information about the discovery requests, custodians, discovery negotiations, and the government’s privilege log.

Discovery in the Poehling litigation involved collection from 187 custodians for the time period 2000 to 2019, after which the government applied broad search terms (some of which were specific to the defendant in the case) and applied technology-assisted review to a subset of the documents collected. Approximately 3 million documents were produced in the Poehling litigation, and Magistrate Judge Parker stated that many of those documents would be relevant in this action but not all (including because the Poehling litigation involved a much longer time period).

Magistrate Judge Parker noted that Anthem had already received a substantial set of core documents and testimony from the Poehling litigation because she had previously ordered the government to produce “certain documents from the Poehling litigation to allow the parties to benefit from work done in Poehling and tailor discovery in this action to information that was specific to Anthem and not redundant of key information that could be learned from Poehling.” Id. at *3. This resulted in the government’s producing 55,000 documents from the Poehling litigation. As a result of this production, Anthem narrowed its request for copycat discovery to seek 2.2 million additional documents produced in Poehling from only 40 out of the total 187 custodians.

Magistrate Judge Parker began her analysis with a discussion of the relevant rules. She explained that Rule 26(b)(3) specified that “[p]arties may obtain discovery regarding any nonprivileged matter that is relevant to any party’s claim or defense and proportional to the needs of the case.” She further explained that in assessing proportionality, the court considers “the importance of the issues at stake in the action, the amount in controversy, the parties’ relative access to relevant information, the parties’ resources, the importance of the discovery in resolving the issues, and whether the burden or expense of the proposed discovery outweighs its likely benefit.”

Magistrate Judge Parker also discussed Rule 34, which requires a party to “describe with reasonable particularity each item or category of items requested.” She noted that Rule 34 prohibits “overly broad, non-particularized discovery requests that reflexively sought all documents, overuse of boilerplate objections that provided insufficient information about why a party was objecting to producing requested documents, and responses that failed to clarify whether responsive documents were being withheld on the basis of objections.” Id. at *4 (quoting The Sedona Conference Federal Rule of Civil Procedure 34(b)(2) Primer: Practice Pointers for Responding to Discovery Requests, Sedona Conference Journal Vol 19, pp. 452-53 (2018)) (internal quotations omitted).

Magistrate Judge Parker highlighted a “best practice tip offered by the Sedona Conference” that she “fully endorses,” which was “that requesting parties should tailor their requests to minimize objections and facilitate substantive responses.” She further noted that “[a]ny increase in scope gained by overbroad requests is likely offset by wasted time spent resolving objections or narrowing the scope of the request, or by motion practice in which the request may be viewed as overbroad.”

As related to “copycat” or “clone” discovery requests, Magistrate Judge Parker stated that numerous courts have found that requests for “all” documents produced in another litigation are “inherently overbroad requests requiring the Court to considerably scale back the information that a producing party must produce from another litigation or deny it entirely on the ground that a party must do its own work.” Id. at *4 (surveying cases).

Applying these principles to Anthem’s request for discovery from the Poehling litigation, Magistrate Judge Parker decided on “a middle approach that it believes is consistent with Rule 1 and 26(b)(3), minimizes the burdens on both parties and capitalizes on the work already done by the parties in Poehling.” Specifically, she ordered the government to produce documents from the 40 custodians in Anthem’s limited request for Poehling documents but only for limited time periods applicable to this case; eliminate documents related to the defendant in Poehling; and eliminate other documents related to issues not relevant in this litigation or that were withheld as being subject to the deliberative process privilege in Poehling. Id. at *5.

3. A ruling from the U.S. District Court for the Northern District of California requiring the defendant to include in its discovery responses text messages on the personal devices of its employees, because the defendant had the legal right to obtain the text messages based on its employment agreements.

In Westin v. Docusign, Inc., No. 22-cv-00824-WHO, 2024 WL 3446924 (N.D. Cal. July 15, 2024), U.S. District Judge William H. Orrick addressed the standards regarding when an employer has possession, custody, or control over information on an employee’s personal mobile device.

In this securities fraud class action, Plaintiff claimed that Docusign made misrepresentations regarding its projected postpandemic performance. Id. at *1.

Among other discovery disputes, Plaintiff sought production of text messages from nonparty custodians who were employees of Docusign. Judge Orrick noted that Plaintiff had shown that Docusign employees conducted some business by text, and he stated that text messages are discoverable materials. Id. at *2. Docusign opposed Plaintiff’s motion, arguing that it did not have “possession, custody, or control over the devices used to send the text messages” and that the discovery was disproportionate to the needs of the case.

In addressing Plaintiff’s motion, Judge Orrick started with the terms of Rule 26(b)(1), pursuant to which “Parties may obtain discovery regarding any nonprivileged matter that is relevant to any party’s claim or defense and proportional to the needs of the case, considering the importance of the issues at stake in the action, the amount in controversy, the parties’ relative access to relevant information, the parties’ resources, the importance of the discovery in resolving the issues and whether the burden or expense of the proposed discovery outweighs its likely benefit.” He noted, however, that “the scope of discovery is not unlimited” and a court “must limit any discovery that it determines to be outside the scope permitted by Rule 26(b)(1).” Id. (quoting Rule 26(b)(2)(C)(iii)).

Turning to the merits of Plaintiff’s motion, Judge Orrick stated that “[a] company has control over text messages if it has the legal right to obtain them upon demand, even if it does not currently possess them.” Id. (internal quotations omitted). Applying that standard, he found that Docusign had that legal right and therefore had control over the text messages at issue. In particular, Judge Orrick relied on Docusign’s employment agreements with the custodians, which mandated that “if [employees] used any personal [device] … to … transmit any Company information, [they] agree to make a prompt and reasonable search for such information,” and Docusign “may have access to such personal [devices] … to retrieve” it.

Judge Orrick concluded that this language in Docusign’s employment agreements gave Docusign “the legal right to obtain text messages exchanged by the custodians that concerned Docusign information” regardless of whether Docusign had control over the custodians’ personal devices.

Judge Orrick also found that Plaintiff’s request for the text messages was proportionate to the needs of the case. Id. at *3. He noted that Plaintiff provided more than 20 examples of employees, including custodians, using texts for work and that Plaintiff limited his requests to texts that relate to Docusign information from 25 custodians. Accordingly, he ordered Docusign to obtain those text messages and produce them to Plaintiff.

4. An opinion from the U.S. District Court for the Eastern District of Ohio refusing to compel a plaintiff to produce “all documents” that hit on certain keywords the defendant had unilaterally selected because the request was overbroad in the absence of a showing that the keywords were narrowly tailored or “calibrated to address the issues in this case.”

In Ravin Crossbows, LLC v. Hunter’s Manufacturing Company, Inc., No. 5:23-cv-598, 2024 WL 3253265 (E.D. Ohio July 1, 2024), Chief U.S. District Court Judge Sara Lioi addressed the standards for compelling responses to document requests based solely on keywords.

Plaintiff sued Defendant for infringement of several patents involving crossbow configurations. One of Defendant’s requests for production in discovery sought production of “all documents, things and [ESI] having any of the following keywords, including any misspellings,” including 38 keywords mainly describing parts of a crossbow, Plaintiff’s technology, and certain inventors. Id. at *2.

A magistrate judge had denied Defendant’s motion to compel a response to this request because “it was overly broad and amounted to a fishing expedition” in light of the lack of narrowing criteria. Defendant sought reconsideration of the magistrate judge’s order, offering to reduce the number of terms and misspellings, and arguing that keyword searches are “useful tools for search and retrieval of ESI.” Plaintiff opposed the motion for reconsideration, arguing that the requests, even as amended, were overbroad and duplicative of other requested discovery.

Chief Judge Lioi began with a discussion of Rule 26, which “permits parties to discover any relevant, unprivileged information” while giving courts discretion to limit the scope of discovery where the information sought is overly broad. Id. at *3 (citing Rule 26(b)(2)). She explained that a request for discovery is overly broad where “it seeks irrelevant information, lacks sufficient limitations, or otherwise seeks information that is not “proportional to the needs of the case.” Id. (quoting Rule 26(b)(1)).

Chief Judge Lioi noted that “[k]eyword searches in particular carry special hazards” because while they may be useful in some contexts, “there are well-known limitations and risks associated with them.” Relying on materials from the Sedona Conference, she explained that one such risk is “the tendency of keyword searches to produce results that are both overbroad and underinclusive.” Id. (citing The Sedona Conference Best Practices Commentary on the Use of Search & Information Retrieval Methods in E–Discovery, 8 SEDONA CONF. J. 189, 194–95 (2007)). She noted that keyword searches are often most useful “when they are the product of a cooperative effort between counsel” who “carefully craft the appropriate keywords, with input from the ESI’s custodians [and] quality-control tested to assure accuracy in retrieval and elimination of false positives.” Id. (internal quotations omitted).

Chief Judge Lioi found that cooperation among the parties was “non-existent” in this case and there was no showing from Defendant that any testing had been done to ensure the keywords would be effective search terms. In addition, she found Defendant’s request “flawed from the beginning” because it was not limited to “a particular source, time, subject matter, or custodian” but rather asked for “all documents, things and electronically stored information” containing any of the terms at issue. Id. at *3-4.

Chief Judge Lioi found that other of Defendant’s document requests would likely produce many of the same documents that would be produced by a broader keyword search and would “do so in a manner better calibrated to address the issues in this case.” For example, Defendant claimed certain of its terms were directed to the novelty of Plaintiff’s patents, Defendant’s invalidity defense, and prior art, but Plaintiff had already produced documents in response to more targeted requests concerning novelty, invalidity, and prior art.

Accordingly, Chief Judge Lioi held that Defendant had not met its “heavy burden” to show that the magistrate judge committed clear error or abused her discretion in denying its motion to compel responses to Defendant’s request for keyword terms. She affirmed the magistrate judge’s order denying the motion to compel.

Read the original update here.