Searching over 5,500,000 cases.


searching
Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

In re Premera Blue Cross Customer Data Security Breach Litigation

United States District Court, D. Oregon

February 6, 2019

IN RE PREMERA BLUE CROSS CUSTOMER DATA SECURITY BREACH LITIGATION

          OPINION AND ORDER

          Michael H. Simon United States District Judge

         This Document Relates to All Actions.

         Kim D. Stephens, Christopher I. Brain, and Jason T. Dennett, Tousley Brain Stephens PLLC, 1700 Seventh Avenue, Suite 2200, Seattle, WA 98101; Keith S. Dubanevich, Steve D. Larson, and Yoona Park, Stoll Stoll Berne Lokting & Shlachter PC, 209 SW Oak Street, Suite 500, Portland, OR 97204; Tina Wolfson, Ahdoot and Wolfson PC, 1016 Palm Avenue, West Hollywood, CA 90069; James Pizzirusso, Hausfeld LLP, 1700 K Street NW, Suite 650, Washington, DC 20006; and Karen Hanson Riebel and Kate M. Baxter-Kauf, Lockridge Grindal Nauen PLLP, 100 Washington Avenue South, Suite 2200, Minneapolis, MN 55401. Of Attorneys for Plaintiffs.

         Paul G. Karlsgodt, BakerHostetler LLP, 1801 California Street, Suite 4400, Denver, CO 80202; James A. Sherer, BakerHostetler LLP, 45 Rockefeller Plaza, New York, NY 10111; Daniel R. Warren and David A Carney, BakerHostetler LLP, 127 Public Square, Suite 2000, Cleveland, OH 44114; and Darin M. Sands, Lane Powell PC, 601 SW Second Avenue, Suite 2100, Portland, OR 97204. Of Attorneys for Defendant.

         Plaintiffs bring this putative class action against Defendant Premera Blue Cross (“Premera”), a healthcare benefits servicer and provider. On March 17, 2015, Premera publicly disclosed that its computer network had been breached. Plaintiffs allege that this breach compromised the confidential information of approximately 11 million current and former members, affiliated members, and employees of Premera. The compromised confidential information includes names, dates of birth, Social Security Numbers, member identification numbers, mailing addresses, telephone numbers, email addresses, medical claims information, financial information, and other protected health information (collectively, “Sensitive Information”). According to Plaintiffs, the breach began in May 2014 and went undetected for nearly a year. Plaintiffs allege that after discovering the breach, Premera unreasonably delayed in notifying all affected individuals. Based on these and other allegations, Plaintiffs bring various state common law claims and state statutory claims.

         Before the Court are Plaintiffs' motion to compel and Premera's motion to compel. Plaintiffs request an order requiring Premera to produce certain documents, described by category, that Premera has withheld based on assertions of attorney-client privilege or protection under the attorney work-product doctrine. Premera requests an order requiring Plaintiffs to produce specific devices and documents identified during depositions. For the reasons discussed below, Plaintiffs' motion is granted in part and denied in part, and Premera's motion is denied.

         A. Plaintiffs' Motion

         The Court previously set out the standards applicable to attorney-client privilege and work-product protection. See ECF 132 at 2-5; available at In re Premera Blue Cross Customer Data Sec. Breach Litig., 296 F.Supp.3d 1230, 1237-40 (D. Or. 2017) (“Privilege Opinion”). Those standards are incorporated herein.

         Plaintiffs challenge Premera's withholding of several categories of documents. Premera responds that the identification of these categories is misleading, because Premera only has withheld documents that: (1) contain the legal advice of counsel; (2) were prepared by counsel; (3) contain edits by counsel; (4) are internal Premera documents prepared at the request of counsel for the purpose of informing legal counsel; (5) were prepared by or at the direction of counsel in anticipation of litigation; (6) were prepared by or at the direction of counsel for response to a regulatory investigation or inquiry; (7) are communications with or documents prepared by a third-party vendor for the purpose of communicating with an attorney to provide legal advice; (8) are communications with or documents prepared by a third-party vendor that contain work product; (9) are communications with or documents prepared by a litigation discovery vendor or other litigation support personnel; (10) are documents subject to the common interest agreement with the Blue Cross/Blue Shield Association; or (11) are documents with no substantial non-privileged information to redact.

         Plaintiffs rely heavily on the Court's Privilege Opinion in arguing the pending motion to compel. That Privilege Opinion, however, expressly did not involve any communications sent to or from counsel. Many of the documents at issue in the pending motion have been sent to or from either in-house or outside counsel. The Court will discuss general principles involved when a document is sent to or from an attorney or is prepared at the request of counsel. The Court will then apply these principles to representative samples from each of the categories identified by Plaintiffs to provide guidance to the parties. Based on this guidance, Premera then can reconsider its assertions of privilege, and revise and update its privilege log as needed, including by providing more detailed descriptions of its assertions of privilege. This Opinion and Order also will provide Plaintiffs with further information from which to determine whether they are entitled to additional documents. After Premera has updated its privilege log and production or notified Plaintiffs that it does not intend to make any further changes, if Plaintiffs continue to believe that certain documents are being improperly withheld, Plaintiffs have leave to renew their motion to compel.

         1. General Standards

         As the Court previously discussed, the attorney-client privilege is limited only “to information related to obtaining [legal] advice” and “a document prepared for a purpose other than or in addition to obtaining legal advice and intended to be seen by persons other than the attorney, does not become subject to the privilege merely by being shown to the attorney.” Mechling v. City of Monroe, 152 Wash.App. 830, 853 (2009) (emphasis added). Moreover, the attorney-client privilege is a “narrow privilege, ” it “does not shield facts from discovery, even if transmitted in communications between attorney and client, ” and it “must be strictly limited to the purpose for which it exists.” Newman v. Highland Sch. Dist. No. 203, 186 Wash.2d 769, 777-78 (2016). The privilege does, however, apply “to any information generated by a request for legal advice, including documents created by clients with the intention of communicating with their attorneys.” Doehne v. EmpRes Healthcare Mgmt., LLC, 190 Wash.App. 274, 281 (2015). This can include reports and other documents generated at the request of in-house counsel or risk management if done for the purpose of assisting to address issues of liability or to avoid or prepare for litigation. Id. at 282-83.

         a. Email communications

          In considering emails sent to and from counsel, the emails must request or provide legal advice, as opposed to containing merely a factual discussion, to be entitled to attorney-client protection. See Newman, 186 Wash.2d at 778 (“The attorney-client privilege does not shield facts from discovery, even if transmitted in communications between attorney and client.”); Doehne, 190 Wash.App. at 282-83 (noting that the focus of the privilege analysis must be the purpose for which a document was created). An exception to this is facts transmitted to counsel so that counsel can provide adequate legal representation. See Upjohn Co. v. United States, 449 U.S. 383, 390 (1981) (noting that attorney-client privilege extends to “the giving of information to the lawyer to enable him to give sound and informed advice”). This exception, however, should not be allowed to swallow the rule that facts are not shielded from discovery even if transmitted to an attorney.

         Directly seeking legal advice is privileged, even if it relates to a business function. See In re Premera, 296 F.Supp.3d at 1244 (“If, however, communications were sent to or from counsel seeking or providing actual legal advice, such as about possible legal consequences of proposed text or an action being contemplated by Premera, then such communications would be privileged.”). Companies regularly seek legal advice from attorneys relating to business functions. See Upjohn, 449 U.S. at 392 (“In light of the vast and complicated array of regulatory legislation confronting the modern corporation, corporations, unlike most individuals, ‘constantly go to lawyers to find out how to obey the law.'” (quoting Burnham, The Attorney-Client Privilege in the Corporate Arena, 24 Bus. Law. 901, 913 (1969)).

         b. Draft documents

          Draft documents prepared by attorneys, at the request of attorneys, or otherwise prepared by Premera employees or third-party vendors, and sent to and from attorneys for legal advice relating to those drafts, are likely subject to the attorney-client privilege or work-product protection. This is a different situation than the Court previously addressed, because those were documents prepared by Premera employees who were not attorneys and sent to and from employees who were not attorneys.

         A draft document prepared by outside counsel and emailed to its client Premera for review is protected by the attorney-client privilege and work-product protection. See, e.g., Roth v. Aon Corp., 254 F.R.D. 538, 541 (N.D. Ill. 2009) (“Indeed, most courts have found that even when a final product is disclosed to the public, the underlying privilege attached to drafts of the final product remains intact.”). An exception to this would be if counsel is drafting the document as a delegatee of Premera's business function. Brawner v. Allstate Indem. Co., 2007 WL 3229169, at *4 (E.D. Ark. Oct. 29, 2007) (noting that defendants “may not generally assert a blanket privilege as to those facts that were generated by its investigation merely because . . . they elected to delegate their ordinary business obligations to legal counsel” (quotation marks omitted)); Lumber v. PPG Indus., Inc., 168 F.R.D. 641, 646 (D. Minn. 1996) (noting that the plaintiffs could not “shield their investigation . . . merely because they elected to delegate their ordinary business obligations to legal counsel”). A draft prepared at the request of counsel or otherwise prepared by Premera or a third-party vendor and sent to counsel for review and legal advice is subject to the attorney-client privilege. See In re Banc of California Sec. Litig., 2018 WL 6167907, at *2 (C.D. Cal. Nov. 26, 2018) (“When a client sends a draft disclosure document to an attorney for comment or input, the attorney-client privilege attaches to the draft and remains intact even after the final document is disclosed.”). The fact that a document may be prepared for a business purpose does not preclude it from being privileged if it is sent to an attorney for the purpose of receiving legal advice relating to that document. If, however, a draft document that is prepared for a business purpose (such as a breach notification letter or press release) is merely sent to an attorney for the attorney's file or information, and not for the purpose of receiving legal advice, or is distributed among Premera employees or to third-party vendors for general discussion and an attorney is merely copied, then the document is not privileged merely because it is sent to an attorney.

         2. Press Releases, Notices to Customers, and Documents Relating to Remediation

         Plaintiffs argue that Premera improperly is withholding 21 documents relating to news articles, public relations, and press releases simply because an attorney is either on the communication or the document was prepared at the request of counsel. Plaintiffs add that Premera wrongfully is withholding 436 documents or communications concerning notices to customers and others relating to the data breach. Finally, in this category, Plaintiffs contend that Premera improperly is withholding 74 documents relating to remediation. Premera asserts that these documents properly are withheld because they fall within one of the eleven enumerated categories identified by Premera as the only types of documents they withheld.

         a. Press releases

         A review of the privilege log relating to the challenged “press” documents reveals potentially different privilege issues. For email communications, attorneys are included on all the challenged documents. It is unclear from the privilege log descriptions, however, that legal advice is the purpose of all the communications, as opposed to a merely factual discussion. For example, many of the communications are identified simply as “discussing” published articles about different topics (Premera's data breach, cybersecurity, etc.). If this discussion involves seeking legal advice about how that particular article might affect Premera or litigation, or how from a legal perspective Premera should comment on the article, it is privileged. See In re Premera, 296 F.Supp.3d at 1244 (“If, however, communications were sent to or from counsel seeking or providing actual legal advice, such as about possible legal consequences of proposed text or an action being contemplated by Premera, then such communications would be privileged.”). If that discussion merely involves the facts in the article or facts about how others are responding to the article, and does not contain a request for legal advice or the provision of any legal advice from attorneys, then merely because attorneys are included on the email does not render the email privileged.

         There are also emails that appear to be communications back-and-forth between Premera employees and counsel relating to an article Premera's Chief Executive Officer was drafting. These appear more likely to include privileged communications-Premera asking for and receiving legal advice about how the article should be written to minimize legal exposure, whether its contents could impact Premera's risk of liability, and the like. Again, based on the privilege log description, it is difficult to ascertain whether that is in fact what the communications contain, but the subject line of the emails and the overall log entries supports such an inference.

         Finally, there are two entries that include an attachment apparently sent to counsel[1] titled “Premera Monitoring Report 8am.” These entries state that the attachment involves “public relations issues” and is privileged because it is from a third-party vendor (Edelman) and contains work product. In the Privilege Opinion the Court found that having an attorney hire a third-party vendor to perform business functions, including conducting investigations, preparing reports, or performing other duties (expressly including public relations), does not serve to convert the business function into a legal function or make any resulting documents work product or related communications subject to the attorney-client privilege. In re Premera, 296 F.Supp.3d at 1242-44 (citing cases). Indeed, the Court expressly found public relations relating to the data breach to be a business function Premera would have had to perform regardless of any litigation, and specifically mentioned Edelman as a vendor performing a business function. Id. at 1242. Premera's privilege log entry does not explain how Edelman is performing a legal function and not a business function in ...


Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.