BOSTON (LN) — A federal magistrate judge overseeing the MOVEit data-breach MDL on Thursday denied plaintiffs' motion to compel discovery into the internal cybersecurity practices of so-called Vendor Contracting Entity defendants, ruling the theory of relevance too attenuated to survive Rule 26's proportionality filter. The court separately ordered a narrow response on whether those defendants hold documents bearing on the economic value of compromised data.
U.S. Magistrate Judge Paul G. Levenson, writing MDL Order No. 34, rejected the argument that evidence of lax internal cyber hygiene at the VCEs — businesses that did not themselves contract with Progress Software or operate the MOVEit servers that were breached — could shed meaningful light on whether those companies adequately vetted and supervised the vendors whose systems were actually compromised.
Plaintiffs had pressed for network diagrams, records of cybersecurity tools and standards, PII and PHI retention practices, and histories of prior breaches suffered by the VCEs themselves. The core theory, as Levenson described it, was that if the VCEs were careless in their own housekeeping, that general slovenliness might have carried over to their selection and supervision of vendors.
Levenson was unpersuaded. The discovery rules, he wrote, are designed to assist a party to prove a claim it reasonably believes to be viable without discovery, not to find out if it has any basis for a claim — citing Micro Motion, Inc. v. Kane Steel Co., 894 F.2d 1318, 1327 (Fed. Cir. 1990), for a principle he noted survives even as the rules have evolved. The VCEs' own practices, he concluded, are at best a very indirect proxy for the vetting-and-oversight conduct that the complaint actually puts at issue, and the causal chain connecting internal security posture to the MOVEit breach is too thin to justify the breadth of discovery sought.
He was equally skeptical of the defendants' burden arguments, noting that their elaborate effort to show how a maximalist reading of plaintiffs' requests could yield absurd results was not the right analytical frame. The question, he wrote, is not whether a request can be read to produce absurd results but whether a fair and proportional approach to discovery exists. He also pushed back on the timeliness defense, warning that rewarding resistance to disclosure would only incentivize parties seeking discovery to rush into court rather than work through disputes by consultation and compromise.
On the data-valuation question — whether VCEs derived economic value from the compromised data, and whether that value is relevant to damages — Levenson declined to resolve the underlying legal theory but refused to let the dispute die on the vine. Plaintiffs had pointed to Smallman v. MGM Resorts International and the In re Marriott International data-breach litigation as support for measuring harm by reference to the market value of stolen personal information. Levenson concluded that neither case accepted the specific methodology plaintiffs proposed, and that the Marriott court had actually described a similar approach as disconnected from plaintiffs' own loss-of-market-value theory.
Still, he declined to foreclose the theory entirely. Rather than decide whether data that may not exist would theoretically be relevant under legal theories that have not yet been fully articulated, he ordered the VCE defendants to confirm whether they possess any documents responsive to the data-valuation request — leaving the harder questions of inference and legal sufficiency for a later stage.
The motion to compel was denied on the cybersecurity-practices requests and allowed only to the extent of requiring defendants to respond to the data-valuation document request.
Parties have 14 days to seek review by a district judge under Rule 72(a), and the MDL's bellwether structure means the ruling will shape discovery across the PBI and Welltok tracks — cases in which the defendants' data was handled by vendors that used MOVEit, while the defendants themselves did not operate the software.