Massachusetts Superior Court Rejects Equifax's Protective Order in Data Breach Case
In November the Superior Court of Massachusetts issued a decision, Commonwealth v. Equifax, Inc., No. 1784-CV-3009 BLS2, 2018 Mass. Super. LEXIS 547 (Nov. 28, 2018), denying the Defendant's Motion for a Protective Order. In this case, the Massachusetts Attorney General sued Equifax on behalf of citizens of the Commonwealth whose personal data was disclosed in a data breach. The Commonwealth alleged that adequate measures were not taken to protect the data, and customers were not informed about the breach quickly enough. Equifax moved for a protective order to prevent the production of information about its cyber-security program, which it claims was necessary to prevent another data breach. Judge Janet L. Sanders found that the restrictions of the proposed order would restrict the Commonwealth's ability to prosecute a complex case. Equifax did not show good cause existed for the protective order where the data would be given to a law enforcement agency that regularly handles sensitive data.
Equifax's protective order would have imposed five conditions, and Judge Sanders rejected each of them:
1. Certain materials were to be reviewed only in a virtual data room, where the Commonwealth was not to take notes or prepare or download summaries of the data. The Court found the restriction on note taking and summarizing information to be an undue burden on the Commonwealth.
2. Equifax sought to impose two confidentiality categories: 'Confidential Secure Documents' and a more restrictive 'Confidential Secure Data'. Judge Sanders ruled that this would allow the Defendant to over designate data with the more restrictive confidentiality status. Documents of special concern can be addressed on a case by case basis.
3. Equifax also wanted to require the Commonwealth to get its permission for copies of documents in the virtual data room, and allow it to redact those documents. Judge Sanders found that, "[r]equiring the Commonwealth to alert Equifax to which documents it views as important also intrudes on the work product privilege." Id. at *5. She pointed out the Attorney General's office kept scanned documents on encrypted computers.
4. The proposed protective order would have limited access to confidential secure materials to the two attorneys who have entered appearances in this case. Judge Sanders rejected this condition because it would impose a burden on the Commonwealth to work without the assistance of staff members that would not be shared by the law firm representing Equifax.
5. Confidential Secure data was not to be produced in its native form. Equifax argued that native files were not needed in a case about a failure to notify about a data breach. Judge Sanders observed this argument construed the Commonwealth's claims too narrowly, and no saw no basis to withhold native files. "[T]he rules require that documents be produced in native form—and for good reason. In such a format, they are searchable and the viewer has access to metadata." Id. at *7.
The Court adopted a modified protective order proposed by the Commonwealth.