In the litigation between Equifax and Massachusetts Office of the Attorney General, Judge Sanders rejected certain provisions of Equifax’s proposed protective order for the production of sensitive discovery materials, including documents about Equifax’s network and cybersecurity program. Equifax moved for the protective order in Commonwealth of Massachusetts v. Equifax, a case arising from the 2017 Equifax data breach that affected roughly 143 million U.S. consumers. Judge Sanders’ ruling on the protective order follows Judge Salinger’s denial of Equifax’s motion to dismiss on April 2, 2018.
While the Mass AG conceded on some issues (for example, the Mass AG agreed to use secure virtual-data rooms to review documents), it contested several Equifax’s security-protocol requests. Judge Sanders ruled in favor of the Mass AG:
Equifax’s proposed order is unique in the restrictions that it places on the Commonwealth, both in its ability to access materials which are concededly discoverable and also in its ability to analyze and synthesize them. Some of these restrictions not only intrude on attorney work product privilege; they also place real obstacles in the way of the Commonwealth’s attorneys in preparing and prosecuting what will prove to be a complex case . . . . Equifax’s argument in support of its proposal also presumes a lack of internal procedures within the Office of the Attorney General, but that office is regularly charged with handling and protecting highly sensitive and personal information. That it will violate its duty to safeguard this information is not something this Court is prepared to assume.
Judge Sanders rejected these elements of Equifax’s proposed protective order:
- Prohibiting the Mass AG from preparing notes, summaries, or analyses of materials in the data room.
- Designating a second category of materials in the data room with heightened confidentially restrictions.
- Restricting access to hard copies of documents (which Equifax could redact before producing) without permission from Equifax.
- Restricting access to documents to only two attorneys at the Mass AG’s office.
- Removing the requirement to produce documents in native form.
Massachusetts v. Equifax (November 27, 2018)