Civil practice – Discovery – Cybersecurity

Listen to this article

Where plaintiffs have moved to compel various “vendor contracting entity defendants” (VCEs) to provide information regarding the VCEs’ own cybersecurity practices, the plaintiffs’ theory of relevance is too attenuated to warrant the range of discovery they seek.

“The VCEs’ core assertion is that their own cybersecurity measures are irrelevant because it’s not their systems that were breached. …

“… At bottom, Plaintiffs’ theory of relevance is too attenuated to warrant the range of discovery they seek. …

“I have considered Plaintiffs’ particular demands individually. None of these has the kind of special relevance that could overcome the broad point discussed above. The core problem is that the VCEs’ own cybersecurity practices are insufficiently relevant to the claims in this case to warrant further discovery. …

“In RFP N, Plaintiffs seek discovery regarding the economic value, to VCEs, of data that may have been stolen or compromised in the MOVEit breach. … While one VCE has apparently responded to the request, others have objected. … Plaintiffs contend that such information is at least potentially relevant to the consideration of damages. … Defendants contest the relevance of such data since, in the circumstances of this case, there is nothing to suggest that any harms to Plaintiffs will correspond to the economic value that the VCEs may have derived from the data that was ultimately compromised. …

“… It appears from the cases that no one has yet successfully threaded the needle in connecting market valuations of stolen PII to loss computations in a data breach case. There are thorny legal issues here. If, ultimately, those issues need to be sorted out, it will make sense to do so with a developed factual record. It seems foolish to try to resolve the issues a priori on the record as it now stands. At the discovery phase, it makes more sense to find out whether any responsive documents exist, and to leave for a later stage of litigation the sorting of inferences and legal conclusions that the parties might draw from such documents.

“This entire dispute may be moot, in any event. … Rather than decide whether data that may not exist would theoretically be relevant, depending on the validity of one or more legal theories that have not yet been articulated, I will order Defendants to respond to RFP N by confirming whether or not they have any responsive documents. To this extent only, Plaintiffs’ Motion to Compel is allowed. …

“For the foregoing reasons, Plaintiffs’ Motion to Compel is denied with respect to information about VCEs’ own cybersecurity measures, and allowed with respect to requiring Defendants to respond, to the extent described supra, to RFP N.”

In Re: MOVEit Customer Data Security Breach Litigation (Lawyers Weekly No. 02-254-26) (13 pages) (Levenson, U.S.M.J.) MDL No. 1:23-md-03083-ADB-PGL) (May 8, 2026).

Click here to read the full text of the opinion.