Opinion
Case No. 3:15-cv-855-SMY-RJD
04-18-2019
ORDER
DALY, Magistrate Judge :
This is a class action in which Plaintiffs, owners and lessees of Chrysler vehicles, claim there is a design flaw in the Uconnect system in certain Chrysler vehicles manufactured in 2013-2015. The Uconnect system, manufactured by Harman International Industries, Inc. ("Harman"), is an infotainment system that allows integrated control over phone, navigation, and entertainment functions in certain vehicles. Plaintiffs allege that the design and installation of the Uconnect system makes it vulnerable to hackers seeking to take remote control of the affected vehicles, as reported in a 2015 WIRED magazine article.
District Judge Reagan issued an order on Plaintiffs' motion for class certification on July 5, 2018 (Doc. 399), certifying three classes of Plaintiffs on various consumer fraud and warranty claims. On November 29, 2018, Judge Reagan entered an order allowing the parties to engage in additional merits-based discovery. On March 5, 2019, this matter was reassigned to the undersigned to address pre-trial and discovery matters and the Court was promptly made aware of a pending discovery dispute. Generally, Plaintiffs seek additional documents related to Defendant FCA US LLC's ("FCA") penetration tests, cybersecurity risk assessments, and consumer survey information. Plaintiff also contends that FCA's responses to various contention interrogatories are improper and ask that the Court order FCA to supplement the same. A discovery dispute hearing was held on March 26, 2019. The Court sets forth its rulings as follows.
DISCUSSION
I. Document Production Issues
A. Penetration Tests and Related Communications
Plaintiffs seek documents related to penetration testing conducted by or for FCA, as well as any communications related to the same. Plaintiffs contend they have only received some final reports of certain penetration tests, but have not received others, including a test conducted by Reply S.p.A. on the European version of the Uconnect, as well as a "whole vehicle" penetration test conducted by Southwest Research ("SwRI") in late 2015 or early 2016. Plaintiffs also assert that FCA has produced few communications with the companies it hired to conduct its penetration tests. Plaintiffs note that Harman produced some communications in which FCA was a party, but FCA did not produce the same communications. Plaintiffs ask that FCA be ordered to produce all penetration testing reports and communications regarding the same.
FCA asserts that the testing conducted on the European version of the Uconnect is in the control of another, separate entity (EMEA) and it is not in possession of the same. FCA further asserts that it produced a validation test conducted by Reply S.p.A. that included the findings from the European report. More generally, FCA argues that it conduced a search with the applicable ESI search terms, as well as a targeted search to obtain its penetration tests, but acknowledges that said search failed to identify the SwRI whole vehicle penetration test. FCA explains that this one test was not produced because it was not prepared by a custodian identified in this case. In any event, FCA asserts that Plaintiffs now have that test. With regard to communications related to penetration testing, FCA explains that it would not anticipate significant back-and-forth between itself and a pen tester. FCA also asserts that it conducted a search for the communications at issue using the Court-ordered search terms and then it conducted both a privilege review and a responsiveness review.
As a preliminary matter, the Court addresses the proper scope of discovery. The scope of discovery is set forth in Rule 26(b)(1) of the Federal Rules of Civil Procedure. The current language of the Rule provides:
Unless otherwise limited by court order, the scope of discovery is as follows: Parties may obtain discovery regarding any nonprivileged matter that is relevant to any party's claim or defense and proportional to the needs of the case, considering the importance of the issues at stake in the action, the amount in controversy, the parties' relative access to relevant information, the parties' resources, the importance of the discovery in resolving the issues, and whether the burden or expense of the proposed discovery outweighs its likely benefit. Information within this scope of discovery need not be admissible in evidence to be discoverable.
The Supreme Court has cautioned that the requirement under Rule 26(b)(1) that the material sought in discovery be "relevant" should be firmly applied, and the district courts should not neglect their power to restrict discovery where necessary. Herbert v. Lando, 441 U.S. 153, 177 (1979); see also Balderston v. Fairbanks Morse Engine Div. of Coltec Indus., 328 F.3d 309, 320 (7th Cir. 2003). However, "relevancy" for discovery purposes is construed broadly to encompass matters that bear on, or reasonably could lead to other matters that could bear on, any issue in the case. Oppenheimer Fund, Inc. v. Sanders, 437 U.S. 340, 351 (1978) (citing Hickman v. Taylor, 329 U.S. 495, 501 (1947)). "Relevance is not inherent in any item of evidence, but exists only as a relation between an item of evidence and the matter properly provable in the case." Miller UK Ltd. v. Caterpillar, Inc., 17 F.Supp.3d 711, 722 (N.D. Ill. Jan. 6, 2014) (citation omitted).
The penetration testing contemplated by Plaintiffs is relevant to the issues in this lawsuit only insofar as they relate to, or address, the Uconnect system. Penetration testing beyond the Uconnect system, including the "whole vehicle" penetration test conducted by SwRI, is not within the relevant scope of this lawsuit. Although Plaintiffs posit that the relevancy of the "whole vehicle" penetration test is "obvious" because it would likely examine vulnerabilities throughout the Affected Vehicles "above and beyond those previously identified in the penetration tests that were limited to only the Uconnect," Plaintiffs fail to substantiate their contention. A review of the Second Amended Class Action Complaint (Doc. 246), as well as District Judge Reagan's Class Certification Order (Doc. 399), focuses on alleged defects in the Uconnect system. Indeed, the classes that Judge Reagan certified are defined as certain vehicles equipped with the Uconnect 8.4A or Uconnect 8.4AN systems, and the point of vulnerability identified by Plaintiffs is the Uconnect system. Because Plaintiffs' claims are premised on defects in the Uconnect system, the Court is unable to discern how penetration testing beyond said system is relevant to the pending claims and Plaintiffs have not met their obligation to convince the Court otherwise. See, e.g., Maui Jim, Inc. v. SmartBuy Guru Enterprises, No. 16-C-9788, 2018 WL 4356594, at *3 (N.D. Ill. Sep. 12, 2018). Insofar as FCA represents that it has produced all penetration testing reports within its control related to the Uconnect system, it is not required to supplement its production.
The Court next considers communications related to penetration testing. It appears there are some documents that were produced by Harman that included FCA as a party, but were not produced by FCA. FCA acknowledges that once it conducted a search of custodians' communications using the court-approved search terms, it completed a privilege review and a responsiveness review. Because it appears this review may have resulted in the omission of certain documents that Plaintiff is entitled to under Rule 26, the Court ORDERS Defendant FCA to provide any communications related to penetration testing identified through the use of the designated search terms, limiting its withholding of communications to those in which it is asserting privilege. The Court notes that any documents withheld on the basis of privilege should be documented in a privilege log. Said supplementation shall be completed by May 3, 2019. The Court notes that it will not revisit the search terms that the parties have used since the inception of this lawsuit, or require FCA to conduct a search beyond the previously agreed-upon search terms in regards to this issue, as Plaintiffs failed to notify the Court about any issue concerning the same in a timely manner and, moreover, Plaintiffs have failed to articulate a particular inadequacy with the agreed-upon terms in this instance. Notably, a review of the search terms demonstrates that documents related to penetration testing were clearly within the scope of the same.
B. Cybersecurity Risk Assessments
Plaintiffs ask that FCA be ordered to provide its vehicle threat and risk assessments that it maintains on a dedicated repository. At the hearing, FCA represented that counsel recently discovered that such a repository exists, but was not sure if it contains any documents that have not yet been produced. FCA represented that it would produce documents that had not yet been produced, but indicated there is a dispute concerning the scope of relevant documents. Plaintiffs posit that they are entitled to information concerning the Affected Vehicles and their components, as well as any information concerning potential threats to any vehicles because there may be something in common with the Affected Vehicles. The Court is not convinced that the appropriate scope should be threats to any vehicles. Said scope is not appropriately limited to the claims at issue in this lawsuit and the Court finds that production of such a wide breadth of documents is not proportional to the needs of this case. However, FCA shall produce documents discussing its risk and threat assessments related to the Affected Vehicles by May 3, 2019.
C. Meg Novacek Emails
Plaintiffs seek all communications of Meg Novacek leading up to the formation of FCA's Global Vehicle Cybersecurity Group ("GCVS") in late 2014 until her departure from the company in 2016. Plaintiffs explain that when they asked for a search of Ms. Novacek's emails they agreed to apply the same search terms that have been used in the course of this litigation because they did not recognize what they now see to be deficiencies with the utilization of the terms. In support of their request, Plaintiffs assert they have only received a total of 53 emails strings with Ms. Novacek as the author. Plaintiffs contend the amount of emails received is clearly inadequate and not representative of the amount of emails they would anticipate given Ms. Novacek's role at FCA. Plaintiffs explain that she was the original supervisor of FCA's GCVS, which was responsible for cybersecurity; thus, Plaintiffs posit that Ms. Novacek was uniquely positioned between the GCVS and management. Plaintiffs also note that she drafted presentations and documents setting cybersecurity strategy.
FCA explained at the hearing that it produced 1,300 documents that were either to, from, or included Ms. Novacek and reiterated that it applied the same ESI search terms to her emails as were applied throughout this case.
The Court finds that Plaintiffs have based their request for another, broader search of Ms. Novacek's communications on mere speculation. Plaintiffs have not pointed to any particular document or type of documents they are missing, nor have they cited any evidence demonstrating the existence of relevant documents that were not obtained in FCA's initial search. "Courts need not authorize additional discovery based on nothing more than 'mere speculation' that would 'amount to a fishing expedition'." Illinois Extension Pipeline Co., LLC v. Thomas, No. 15-3052, 2016 WL 1259379, at *5 (C.D. Ill. Mar. 1, 2016) (citing Davis v. G.N. Mortgage Co., 396 F.3d 869, 885 (7th Cir. 2005)). Because Plaintiffs can only speculate as to the existence of additional communications in which Ms. Novacek was a party, the Court denies Plaintiffs' request for an additional search and production of Ms. Novacek's communications.
D. Consumer Survey Information
Plaintiffs seek documents related to consumer survey information sought in Plaintiff's requests for production numbers 6 and 22. In these requests, Plaintiffs seek documents relating to consumers' or potential purchasers' consideration of safety or cybersecurity. FCA objected to the requests as being overbroad and not properly limited to cybersecurity. Because FCA objected to Plaintiffs' survey requests, no search of the same was conducted. The Court finds that safety is the relevant scope for production of consumer survey information insofar as Plaintiffs are contending that a hacker can cause various safety issues, including issues with braking, steering, or acceleration, which may affect demand for vehicles. Accordingly, FCA is ordered to produce documents addressing the importance of safety to consumers or potential purchasers by May 3, 2019.
E. Documents Related to Other Manufacturers' Cybersecurity
Plaintiffs ask that FCA produce documents to support their response to certain interrogatories that the Affected Vehicles' Uconnect systems were "state of the art." Plaintiffs contend that in order to make such a contention FCA must have information evidencing other manufacturers' cybersecurity, yet, FCA has produced little in the way of such information. Plaintiffs posit that because the search terms designated in this case were not designed to necessarily target this information, new, targeted search terms should be used to capture the same.
FCA asserts that it has produced the documents it has in its possession that were captured using the agreed-upon ESI search terms. FCA argues that both Neil Borkowicz and Laith Shina testified at their depositions that FCA does not collect competitors' information, but rather, gathers it "here and there" and it may receive "tidbits." Thus, this information does not exist in one place, and the custodians have testified to what they know or do not know. FCA asserts that there is simply nothing more.
The Court agrees with Plaintiffs. The search terms utilized by the parties in this case do not adequately address, or provide a search for, documents related to other manufacturers' cybersecurity. This information appears to be relevant under Rule 26 and, therefore, Plaintiffs are entitled to the same. Moreover, based on documents already produced by Defendants, including FCA's Vehicle Cybersecurity & EE Architecture Strategy PowerPoint, Plaintiffs have sufficiently supported their request for an additional, targeted search of documents, as it appears FCA may have further information concerning competitors' cybersecurity methods and systems.
The parties are ORDERED to meet and confer for the purpose of agreeing on additional, limited search terms to implement for the purpose of discovering additional documentation regarding other manufacturers' cybersecurity. The search must be properly limited in time and scope. The parties must notify the Court by May 3, 2019 if they are unable to agree on proposed search terms and time limitations. If there is no dispute concerning the terms, any additional documents culled from the search must be produced by May 17, 2019.
F. Responses to Plaintiff's Sixth Set of Requests for Production of Documents Nos. 44, 45, 47, and 48
In these requests, Plaintiffs seek documents concerning FCA's rules, policies, procedures, and processes for authorized dealers. Plaintiffs argue that the critical link for their implied warranty claims is the relationship between FCA and its authorized dealers. Plaintiffs assert that they have only received three documents in response to these requests, including two extensive manuals directing how to handle warranty claims and detailing the relationship between dealers and FCA, as well as contracts between FCA and some dealers. Plaintiffs contend that the few documents that have been produced are not sufficient to evidence the full extent of the control and influence that FCA exercises over its authorized dealers.
In response, FCA asserts that it produced its contracts with every dealership in Illinois, as well as the documents that govern those relationships and tell the authorized dealers what FCA can and cannot control. FCA contends that certain incentive programs it utilizes with its dealers for advertising or the like were not necessarily produced because such programs are not relevant to the issue of control, are not contained within FCA's contracts with dealers and, in some instances, are informal emails memorializing an incentive agreement.
The Court finds that FCA's production of documents responsive to Plaintiffs' requests 44, 45, 47, and 48 is sufficient. FCA has produced the documents that govern the relationship between itself and its dealers. The information Plaintiffs now seek is beyond what was requested by Plaintiffs.
II. Contention Interrogatory Responses
A. Interrogatory #32
Interrogatory #32 reads as follows:
If you contend that dealerships that sold the Affected Vehicles are not in privity with FCA, or that Harman is not in privity with FCA, then state the facts on which you base that contention.
FCA objected on various bases, including relevancy. FCA asserts that the interrogatory is not relevant to any claim or defense in this case, explaining that to the extent privity is relevant, it is privity between Plaintiffs and FCA, not privity between dealerships or Harman and FCA. The Court agrees and SUSTAINS FCA's relevancy objection.
Here, it is clear that privity is relevant; however, FCA is correct in that the pertinent question is privity between the consumer and FCA. In District Judge Reagan's Order, he explains that privity inquiries into the relationship between a purchaser, a seller, and a manufacturer are fact-intensive and, based on the evidence presented, there is a genuine question of material fact as to whether privity exists. Judge Reagan's Order makes clear, however, that the fact-intensive inquiry is central to determining whether a manufacturer is in privity with a consumer, as this is the essential question. Thus, while it may be appropriate for Plaintiffs to seek discovery concerning FCA's relationship with its dealers (which documents have been produced, as discussed above), a contention interrogatory concerning privity between FCA and its dealers is not relevant.
B. Interrogatories #27, #28, #29, #31, #34, and #35 (pg. 90)
Plaintiffs assert that FCA's responses to contention interrogatories 27, 28, 29, 31, 34, and 35 are insufficient insofar as FCA has failed to articulate their position on crucial issues in this case.
"Contention interrogatories require the answering party to commit to a position and give factual specifics supporting its claims." Ziemack v. Centel Corp., No. 92-C-3551, 1995 WL 729295, at *2 (N.D. Ill. Dec. 7, 1995). Contention interrogatories "serve a proper purpose of narrowing the issues for litigation." Commerce Bank, N.A. v. Widger, No. 06-CV-1103, 2008 WL 630611, at *1 (C.D. Ill. Mar. 5, 2008). However, courts have determined that a party need not respond to contention interrogatories that would be an unduly burdensome task requiring a party to "produce veritable narratives of their entire case." Gregg v. Local 305 Ibew, 2009 WL 1325103, at *6 (N.D. Ind. May 13, 2009) (citing IBP, Inc. v. Mercantile Bank, 179 F.R.D. 316, 321 (D.Kan. 1998) ("To the extent [the requests] ask for every fact and every application of law to fact which supports the identified allegations, the court finds them overly broad and unduly burdensome. An interrogatory may reasonably ask for the material or principal facts which support a contention.").
The interrogatories at issue here are clearly broad in scope as said requests seek, in effect, all of the facts FCA is relying on to support its defense in this case. Thus, the Court finds that although FCA points to a number of documents and depositions, its responses are sufficient. It is reasonable that FCA identified voluminous materials that it will be using to support its position to defend the crux of the claims in this lawsuit, particularly given the state of expert discovery (FCA's expert disclosure is not yet due). It would be unreasonable to require FCA to further respond to the requests or provide any analysis or narrative concerning how it plans to apply the law to the facts. For these reasons, the Court denies Plaintiffs' request to compel FCA to supplement its responses to interrogatories 27, 28, 29, 31, 34, and 35
SCHEDULING ORDER
Based on the foregoing, the Scheduling Order is AMENDED as follows:
1. Plaintiffs' expert(s) shall be disclosed by June 14, 2019.
2. Plaintiffs' expert(s) shall be produced for deposition by June 28, 2019.
3. Defendants' expert(s) shall be disclosed by July 12, 2019.
4. Defendants' expert(s) shall be produced for deposition by July 26, 2019.
5. Merits discovery must be completed by August 9, 2019.
6. Dispositive motions must be filed by August 23, 2019.
IT IS SO ORDERED.
DATED: April 18, 2019
/s/ _________
Hon. Reona J. Daly
United States Magistrate Judge