Searching over 5,500,000 cases.


searching
Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

In re Sonic Corp. Customer Data Security Breach Lititgation

United States District Court, N.D. Ohio

January 13, 2018

IN RE SONIC CORPORATION CUSTOMER DATA SECURITY BREACH LITITGATION

          OPINION AND ORDER [RESOLVING DOC. 14]

          JAMES S. GWIN, UNITED STATES DISTRICT JUDGE.

         In these consolidated cases, a number of individual plaintiffs on behalf of themselves and all those similarly situated seek to hold Defendant Sonic Corporation liable for damages stemming from a breach of its point-of-sale computer systems. In furtherance of those efforts, Plaintiffs have moved the Court to authorize expedited discovery.[1] With their motion for expedited discovery, Plaintiffs seek to compel Sonic to divulge “the identities of third parties with knowledge of Sonic's point-of-sale . . . system and the data breach that is the subject of this litigation.”[2] Sonic opposes.[3]

         In most instances, it makes little sense for the Court to intervene in discovery matters before the parties have exchanged initial disclosures under Rule 26(a)(1) of the Federal Rules of Civil Procedure. Nevertheless, “[a] district court enjoys broad discretion in managing discovery, ”[4] and a departure from this general rule may be warranted in some circumstances.[5]

         Here, Plaintiffs express concern that third parties might have information about Sonic's point-of-sale system and the data breach that are not subject to the strictures of the Federal Rules of Evidence or Civil Procedure or Sonic's own internal litigation holds.[6] They fear that, whether as a result of malice or the routine deletion of outdated data in the ordinary course of business, the relevant information those third parties possess may be lost.[7] They would like Sonic to provide a list of third parties who might have such information so that Plaintiffs can serve subpoenas that would impose a duty to preserve information relevant to these lawsuits.[8]

         Sonic responds that it has no obligation to provide that information, that the Plaintiffs have no evidence that destruction of relevant information is imminent, and that Plaintiffs should await initial disclosures under Rule 26(a).[9] While the Court sympathizes to some extent with Sonic's position, the Plaintiffs' concerns are valid.

         Data is routinely deleted in the ordinary course of business. And it is difficult to see how Plaintiffs could make a specific showing of a risk of information loss when Sonic refuses to even inform them of the identities of the third parties who might possess relevant information. Moreover, Sonic's opposition to Plaintiffs' motion suggests that-for reasons of privilege-it might not disclose the names of all relevant third parties even in its Rule 26(a) disclosures and plans to strictly construe its obligations under the Rule.[10] So it is conceivable that, even after those disclosures, Plaintiffs will still lack adequate means to prevent the loss of valuable information.

         Given that initial disclosures in this case are set to be exchanged on January 30, [11] the risk of information loss is small (assuming that Sonic reveals all relevant third parties in its initial disclosures). But it is real. The Court therefore finds that there is good reason to enter a precautionary order in this case, notwithstanding the Court's reluctance to intervene in discovery at this early stage.

         For those reasons, the Court GRANTS IN PART and DENIES IN PART the Plaintiffs' motion. The Court ORDERS that, on or before January 26, 2018, Sonic either:

(1) obtain written assurance from all third parties who might possess information related to its point-of-sale system or the data breach at issue in this litigation that the third parties have put in place litigation holds to protect any such information; or
(2) provide Plaintiffs with a list of those third parties so that they may issue subpoenas that would impose a duty to preserve relevant information.

         The Court also notes that, should Plaintiffs propound an interrogatory requesting a list of third parties possessing point-of-sale or data breach information, Sonic would likely be required to provide one.

         IT IS SO ORDERED.

---------


Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.