In In re Marriott Int’l Customer Sec. Breach Litig., No. 19-MD-2879, 2021 U.S. Dist. LEXIS 48477, at *57-68 (D. Md. Mar. 15, 2021), the Court recommended that although the class representative’s device could be examined for other malware, the device could not be examined for whether the representative had good cyber-security habits.
Marriott’s protocol seeks inadmissible evidence and that even if that evidence is admissible, the demand for the information Marriott seeks is premature in certain respects and disproportionate in others. The evidence sought by Marriott’s demand is inadmissible. When I first saw Marriott’s proposed protocol at a conference with counsel, I told Marriott’s counsel that I was concerned that the demand was based on an incorrect premise. In my view, its theory of the admissibility of Plaintiffs’ use of the internet was flawed. Marriott was trying to elicit evidence of Plaintiffs’ character or a character trait to establish a propensity to be negligent in their use of the internet. Marriott would then argue that it was Plaintiffs’ negligence that caused the breach. Unfortunately, counsel for both parties have ignored the question that I find most troubling: Isn’t Marriott attempting to find evidence that is not admissible based on the prohibition against Fed. R. Evid. 404(a)? . . . Marriott is saying that Plaintiffs carelessly shared their email addresses with their friends in unencrypted text messages or emails or provided their PPI to providers of goods and services on the internet. From that use, Marriott will ask the jury to find that the Plaintiffs were equally careless and negligent in 2014-2018, and therefore the Plaintiffs, not Marriott, caused the data breach. However, this argument claims that Plaintiffs have what the Rule calls “the character trait” of being negligent and careless, and therefore, they must have been just as negligent and careless in 2014-2018 and caused the breach. That, however, is precisely the inference the Rule prohibits. Take a simple car accident case. Driver A and driver B collide at an intersection. A says B was negligent. At trial, A offers into evidence B’s prior traffic violations for reckless driving to show that B is a terrible driver. Assume that Judge Grimm used that hypothetical in his Evidence class and asked a student whether the evidence of the violations for reckless driving is admissible. If the student said yes, you could offer the violations to show what kind of a driver B is, I am certain the judge would flunk him on the spot because that is exactly what the Rule prohibits. However, in my view, that is what Marriott is seeking to do by drawing a propensity from a party’s prior [*60] behavior to prove that she acted in accordance with that trait. Even if the evidence was admissible, the demands made by Marriott’s protocol are premature and disproportionate. I also appreciate that Fed. R. Civ. P. 26(b)(1) provides that “[i]nformation within the scope of discovery need not be admissible in evidence to be discoverable.” This does not mean that the court cannot consider the inadmissibility of evidence in determining whether the evidence is within the scope of discovery. Rather, the contrary is true. . . .Nevertheless, I am obliged to be comprehensive in this Report and allow for the possibility that Judge Grimm will disagree with my opinion that Marriott seeks inadmissible evidence. I will therefore assume the contrary—the evidence may be admissible—and indicate why Marriott’s demands are premature and disproportionate. Relevance to causality Marriott argues that Plaintiffs’ present use of Plaintiffs’ digital devices to interface with the internet may show that their profligate disclosure of their PPI to others on the internet may permit the jury to conclude that there was another cause for the breach that is the subject of this case. Letter of March 8, 2021, at 3 (“Moreover, the less securely and sensitively Plaintiffs treat their personal information—e.g., by not securing it on their electronic devices and by providing to other third parties—the less likely a juror is to believe Plaintiffs claim that Marriott caused fraud or the risk of fraud.”) First, as to causation, Marriott does not explain how Plaintiffs’ use of their digital devices in, let us say, 2020 could bear on the cause of a breach that occurred no later than 2018. Thus, Marriott has to be once again suggesting that Plaintiffs’ present use of the internet is evidence of how they used the internet in 2014-2018. In that case, we are back to the issue of the admissibility of character evidence. In any event, there is, at most, a theoretical possibility that, for example, Plaintiffs’ indicating their names and credit card numbers to buy something from an internet vendor or their visiting a particular website might have caused a subsequent breach. But that possibility cannot justify the extensive demand that Marriott makes to have a third party see (1) every website Plaintiffs visited and (2) every text message or email they sent that contained their PPI. As Justice Frankfurter once put it, albeit in a different context: “Surely, this is to burn the house to roast the pig.” Butler v. Michigan, 353 U.S. 383 (1957). I should note that, in this context of proportionality, courts have permitted such forensic screening, and Marriott indicates that Plaintiffs agree to its legitimacy here. Letter of March 8, 2021, at 5. No matter how those courts use the words “forensic screening,” I take them to mean, in the context of this case, a scientific exploration to detect the presence of a virus, malware, or any other tool designed to capture data from a device without the knowledge of its owner. While that kind of examination may or may not prove causality in any given case, it is light years away from Marriott’s proposal that a third party read, for example, every one of Plaintiffs’ email and text messages to search for their disclosure of their PPI. Prematurity of the demand Marriott also argues that it should be able to show that Plaintiffs’ negligent use of the internet, thereby jeopardizing Plaintiffs’ PPI, would contradict and weaken the claim that their PPI has a value. Thus, Marriott asks why the jury should award Plaintiffs’ damages for the loss of their PPI when Plaintiffs have shown so little interest in safeguarding it from being hacked and stolen. Letter of March 8, 2021, at 4. During our discovery conferences, Plaintiffs have explained that they will make the information bearing on the loss of their PPI value available to their experts. Those experts will, in turn, create a damages model supporting the claim that there is a monetary value to their PPI and that the breach has deprived them of that value. Whether Plaintiffs’ PPI has value and the related questions of what will or will not diminish that value will be addressed by Judge Grimm. Judge Grimm has indicated that he intends to subject Plaintiffs’ experts’ opinions to rigorous analysis under Fed. R. Evid. 702 to the point of hiring a technical expert to guide him on the science underlying those opinions. His resolution of whether Plaintiffs’ experts can present a damages model that attributes, for example, a value to Plaintiffs’ PPI or their ability to use credit cards to make purchases will clarify whether evidence of Plaintiffs’ present use of their computers diminishing the value of their PPI is admissible. Moreover, if Marriott succeeds in having Judge Grimm reject the experts’ damage model, the jury will never consider the value of Plaintiffs’ PPI. The issue of whether Plaintiffs’ behavior on the internet diminished the value of their PPI will be irrelevant if Judge Grimm rejects as unfounded Plaintiffs’ theory that Plaintiffs’ PPI has a monetary value. Marriott would counter that Plaintiffs could prevail, and their need for the information would then ripen, but fact discovery will be closed. I appreciate that and would recommend that Judge Grimm revisit (or direct me to revisit) this issue after he has resolved whether he will permit expert testimony on the Plaintiffs’ damage model. The alternative—permitting the extraordinary disclosure to a third person of every email or text message containing PPI the Plaintiffs wrote or every website they visited when the evidence yielded by that disclosure may never be relevant—makes no sense at all. Relevance to injunctive relief Marriott, noting that Plaintiffs seek injunctive relief, argues: “Plaintiffs also seek injunctive relief, arguing that an injunction is necessary to prevent them from injury due to further cyber-attacks. (See, e.g., id. ¶ 352.) Whether the Court issues an injunction should turn, in part, on the degree to which Plaintiffs protect their own information. If, for example, Plaintiffs do not protect their information, then an injunction would do nothing to prevent the harm they argue an injunction would protect against.” Letter of March 8, 2021, at 8. The Fourth Circuit, quoting a Supreme Court decision, has identified the factors that bear on the award of injunctive relief . . . Plaintiffs’ use of their computers and their access is not one of these [*67] factors, nor does it relate to any of them. First, Plaintiffs’ negligent use of their devices does not render whatever damages they win an inadequate remedy for the harm done them by the breach. Additionally, the existence of those damages militates against a finding that they are threatened with irreparable harm. . . . [M]the award of those damages means that Plaintiffs are not threatened with irreparable harm post-verdict. “[G]enerally ‘irreparable injury is suffered when monetary damages are difficult to ascertain or are inadequate.'” Multi-Channel TV Cable Co. v. Charlottesville Quality Cable Operating Co., 22 F.3d 546, 551 (4th Cir. 1994.) “Irreparable,” after all, means “impossible to rectify or repair.” Compact Oxford English Dictionary 592 (2d rev. ed 2003). The availability of the damages Plaintiffs may win indicates that the harm to them from another breach is not irreparable. Finally, there may be a profound public interest in how Marriott, one of the largest hoteliers in the world, manages the PPI that its guests make available to Marriott when they make a reservation or check into their room. Whether that interest is served by an injunction ordering Marriott to do or not do something to safeguard that PPI will require a careful, scientific evaluation of the state of Marriott’s cybersecurity protection system when the injunction is sought. That Plaintiffs are not as careful as they should be in using the interne has nothing to do with the Marriott cybersecurity system’s strength or weakness when Judge Grimm may have to determine whether the public interest in cybersecurity will be advanced or retarded by an injunction. Therefore, I conclude that Marriott’s demand for the information has nothing to do with Plaintiffs’ potential demand for injunctive relief, even if that demand was not premature.