Motion to Compel Granted in Part in Federal Employee Class Action Data Breach Litigation
Customers brought separate actions against Anthem, a health insurance company, after the company’s computer systems were compromised by a cyberattack.
Those actions were consolidated, and as part of the litigation, federal employees moved to compel the United States Office of Personnel Management (“OPM”) to produce records of OPM’s audits of Anthem. On February 28, 2017, the United States District Court of the District of Columbia granted the motion in part, and denied the motion in part.
Because OPM negotiates and administers the federal government’s contracts with insurance providers, including Anthem, OPM’s Office of Inspector General has authority to conduct audits of insurance providers that contract to provide services to federal employees, by way of that insurance provider receiving OPM funds or benefits. In 2013, OIG audited Anthem’s IT systems and “generated a report with findings and recommendations for addressing identified weaknesses in Anthem’s systems.” According to the district court, one of the key issues that arose during the 2013 audit was that Anthem refused to allow OIG auditors to link up to the company’s network in order to conduct a configuration compliance test despite auditors believing it necessary to complete.
In February 2015, Anthem’s centralized database was hacked. The hack comprised the security of around 80 million individuals’ sensitive personal information, including federal employees who were insured through the Federal Employee Health Benefit (“FEHB”) program. Following the attack, another OIG audit was conducted. That audit report was shared with Anthem, but has not been made public. It was, however, provided to plaintiffs in this litigation.
After the hack, many Anthem customers filed claims in various jurisdictions claiming that Anthem failed to adequately protect its data systems, failed to disclose that it did not have adequate security practices, and failed to timely notify customers of the breach. These claims were consolidated. One of the claims advanced in what is now multidistrict litigation is a “third-party beneficiary” claim for breach of contract on behalf of federal employees who were enrolled in FEHB at the time of the hack. These employees requested a number of categories of documents. After discussion with OPM, the requests were narrowed and some documents were released. The remaining categories at issue were:
“1) Audit workpapers pertaining to (i) Anthem’s refusal to permit OPM to conduct certain audit testing, and (ii) auditor reviews and conclusions about Anthem’s information system security measures and practices;
2) Meeting write-ups, which document meetings between auditors and Anthem representatives regarding, amongst other things, Anthem’s network configuration management, security, and risk assessment; and
3) E-mails between and amongst federal employees discussing (i) potential changes to federal contracts, including Anthem’s contract, and (ii) whether Anthem successfully implemented certain recommendations that OIG made as part of the 2013 audit.”
OPM argued that the documents in all three categories were protected from disclosure by the deliberative process privilege, and that audit workpapers and meeting write-ups were additionally protected from disclosure by the law enforcement privilege.
The deliberative process privilege “permits the Executive Branch to shields [sic] from disclosure those materials ‘that would reveal advisory opinions, recommendations, and deliberations comprising part of a process by which governmental decisions and policies are formulated.’” The privilege reflects the notion that agencies can craft better rules when they feel free to deliberate both the strengths and weaknesses of those rules without fear of disclosure of said weaknesses to the public. According to the district court, “[a]ny material that the Government shows to be both ‘predecisional’ and ‘deliberative’ falls within the ambit of the [deliberative process] privilege.” But even if a document falls within the scope of the deliberative process, the court may order otherwise privileged documents disclosed “if the private need for disclosure outweighs the public interest in non-disclosure.” In making such a determination, the court weighs factors such as “the relevance of the evidence, the availability of other evidence, the seriousness of the litigation, the role of the government, and the possibility of future timidity by government employees should the materials be released.” If the court concludes that the factors do not compel disclosure, factual (rather than deliberative) material within otherwise privileged documents must be disclosed barring inextricable intertwinement with the deliberative sections.
The law enforcement privilege may be raised by the Executive Branch to prevent disclosure of materials that are part of law enforcement investigations, such as investigations by an Agency’s Office of Inspector General. To protect against disclosure under this privilege, the Government must establish “that (1) the head of the department, who had some control over the information, made a formal claim of privilege; (2) that individual had personally considered the basis for raising the privilege; and (3) the information for which the privilege is claimed, described in detail, properly falls within the scope of the privilege. Like the deliberative process privilege, it is a qualified privilege, meaning that even if the Government meets its burden, the court will weigh the public interest in non-disclosure versus the private need for the information using a set of factors spelled out in In re Sealed Case, 856 F.2d 268, 271 (D.C. Cir. 1988).
Lead Plaintiff’s counsel filed a Motion to Compel on the three categories of documents, and the district court held oral argument on the motion. A subsequent in camera inspection was ordered and OPM provided unredacted copies of the withheld documents to the court for inspection.
Ultimately, the district court concluded that documents claimed to be under the deliberative process were pre-decisional, and that portions of those documents were deliberative. The district court also concluded that the federal employees did not demonstrate their need of documents subject to deliberative privilege outweighed the Government’s interest in non-disclosure, finding that the full disclosure of deliberations “too greatly risks thwarting employees’ ability to freely communicate and exchange ideas.” The district court noted that substantial portions of the withheld e-mails regarding contract modification in the wake of Anthem’s refusal to let OIG complete its 2013 audit are of “no obvious relevance in the underlying litigation, but are of great importance to the Government, given that they reflect employees’ back-and-forth discussions over the proper character and content of federal contracts.” However, the court found that portions of documents that had deliberative portions also had portions that were merely factual. For example, the “audit workpapers” had two pages that qualified as deliberative, but the remaining pages did not qualify, and should be disclosed if not subject to a separate privilege.
The Government argued that the documents not subject to the deliberative process privilege should be withheld under the law enforcement privilege. But the court noted that the documents do not pertain to an ongoing or closed criminal or civil investigation of a particular law violation, and “therefore, fall outside the heartland of the types of records the privilege is designed to protect.” The district court also noted that even if the audit was designed to “ferret out unknown, potential system weaknesses,” the weaknesses are now known and were publicly disclosed. The court concluded that, even assuming the law enforcement privilege was “broad enough to encompass the materials in this litigation that are not protected by the deliberative process privilege, the balance of interests warrants disclosure.”
For the above stated reasons, the district court granted in part and denied in part Lead Plaintiffs’ Motion to Compel.
The lawsuit referenced above is In re: Anthem Inc. Data Breach Litigation, Case No. 1:16-cv-02210. It is being litigated in the U.S. District Court for the District of Columbia.
This case law update was written by Conor D. Dirks, Associate Attorney, Shaw Bransford & Roth, PC.
For thirty years, Shaw Bransford & Roth P.C. has provided superior representation on a wide range of federal employment law issues, from representing federal employees nationwide in administrative investigations, disciplinary and performance actions, and Bivens lawsuits, to handling security clearance adjudications and employment discrimination cases.