Flynn et al v. FCA US LLC et al
Filing
511
ORDER re 494 Discovery Dispute Conference, 504 Discovery Dispute Conference. Signed by Magistrate Judge Reona J. Daly on 10/2/2019. (nmf)
IN THE UNITED STATES DISTRICT COURT
FOR THE SOUTHERN DISTRICT OF ILLINOIS
BRIAN FLYNN, GEORGE BROWN,
KELLY BROWN, and MICHAEL KEITH,
on behalf of themselves and all others
similarly situated,
)
)
)
)
)
Plaintiffs,
)
)
v.
)
)
FCA US LLC, f/k/a Chrysler Group LLC and )
HARMAN INTERNATIONAL
)
)
INDUSTRIES, INC.,
)
Defendants.
)
Case No. 3:15-cv-855-SMY-RJD
ORDER
DALY, Magistrate Judge:
Discovery dispute conferences were held in this matter on July 25, 2019 and August 22,
2019. During the conferences, the Court addressed various disputes brought by both Plaintiffs
and Defendant FCA US LLC (“FCA”). The parties submitted brief summaries of the disputes
ahead of the conferences. Familiarity with the background of this case is presumed1 and the
Court’s orders are set forth below.
JULY 25, 2019 DISCOVERY DISPUTE CONFERENCE
1. Purported Flaws in FCA’s Document Production
Plaintiffs contend Defendant FCA’s document production is materially incomplete because
FCA has applied an “exceedingly narrow definition of relevant” in an effort to justify withholding
critical documents. In support of their position, Plaintiffs submitted various documents that were
recently produced by FCA pursuant to this Court’s April 18, 2019 Order (see Doc. 486) that they
1
Additional background information is included in the Court’s April 18, 2019 Order (see Doc. 486).
assert should have been produced years ago.
For example, Plaintiffs refer to PowerPoint
presentations authored by Meg Novacek (the original supervisor of FCA’s Global Vehicle
Cybersecurity Group (“GCVS”)) that address cybersecurity issues, including FCA’s knowledge
of hackers’ ability to take control of certain mechanisms in the Affected Vehicles.
Plaintiffs assert there are approximately 130 documents that had not been produced
previously despite containing one or more ESI search terms. FCA contends that of the documents
Plaintiffs argue should have been produced, 91 did not hit on a search string or hit on a search
string and were previously produced. Twenty-two of the documents that hit on a search string
were duplicates.
FCA asserts there was no intentional withholding of documents and any documents that
were recently produced that included search terms had been deemed not relevant. FCA explains
that the documents Plaintiffs cite discuss future technologies, were forward looking, and were only
produced in compliance with the Court’s Order as they discussed “other manufacturers’
cybersecurity.” FCA maintains it has produced any documents that address the Affected Vehicles
and cybersecurity practices at the time the Affected Vehicles were sold. The Affected Vehicles
were last manufactured in July 2015.
Pursuant to Federal Rule of Civil Procedure 26(b)(1), parties are only entitled to discovery
of nonprivileged matter that is relevant to any party’s claim or defense and proportional to the
needs of the case. The Supreme Court has cautioned that the requirement under Rule 26(b)(1)
that the material sought in discovery be “relevant” should be firmly applied, and the district courts
should not neglect their power to restrict discovery where necessary. Herbert v. Lando, 441 U.S.
Page 2 of 12
153, 177 (1979); see also Balderston v. Fairbanks Morse Engine Div. of Coltec Indus., 328 F.3d
309, 320 (7th Cir. 2003). However, “relevancy” for discovery purposes is construed broadly to
encompass matters that bear on, or reasonably could lead to other matters that could bear on, any
issue in the case. Oppenheimer Fund, Inc. v. Sanders, 437 U.S. 340, 351 (1978) (citing Hickman
v. Taylor, 329 U.S. 495, 501 (1947)). “Relevance is not inherent in any item of evidence, but
exists only as a relation between an item of evidence and the matter properly provable in the case.”
Miller UK Ltd. v. Caterpillar, Inc., 17 F.Supp.3d 711, 722 (N.D. Ill. Jan. 6, 2014) (citation
omitted). Based on a review of the documents cited by Plaintiffs, the Court does not find evidence
of any systemic or marked issue with FCA’s document production and relevancy review to warrant
the relief Plaintiffs seek — the production of all documents previously withheld on the basis of
relevancy for review by Plaintiffs. The pending claims do not concern actions taken by FCA in
their production of vehicles after July 2015. Indeed, the claims center on the merchantability of
the vehicles at issue at the time of sale, as well as FCA’s merchandising of those vehicles. There
are limits to relevancy in discovery, and the Court finds the limits applied in this case to be
appropriate in light of the dictates of Rule 26(b)(1). Plaintiffs’ request that FCA be ordered to
produce all responsive, non-privileged documents is DENIED.
2. Bug Bounty Program
Plaintiffs explain they issued a series of requests for production of documents related to
FCA’s “bug bounty” program that was implemented in 2017.
Specifically, Plaintiffs seek
documents concerning the terms of the program, submissions related to the Affected Vehicles, and
payouts from the program relating to the Affected Vehicles at issue in this case. FCA contends it
Page 3 of 12
has produced all of the documents requested.
Plaintiffs assert, however, that they also sought “communications regarding consideration
of the establishment of the bug bounty program,” that FCA refuses to produce. FCA did not
produce these documents because Plaintiffs’ request was not limited to the vehicles, components,
or timeframe reasonably at issue and such production would be disproportional to the needs of this
case. Plaintiffs assert such documents are relevant to their position that the defects in the Affected
Vehicles are largely attributable to FCA’s attempts to cut costs, including irresponsible failures to
invest in the type of internal group with responsibility for product cybersecurity that is universally
considered essential. Plaintiffs posit that documents concerning the establishment of the “bug
bounty” program would likely address whether FCA believed it could “outsource” functions that
should have been handled internally.
Plaintiffs’ request to compel the production of such documents is DENIED.
The
documents Plaintiffs seek are beyond the scope allowed under Federal Rule of Civil Procedure
26(b)(1). Indeed, although the documents concerning the implementation of the “bug bounty”
program may have some relevance to the claims or defenses in this case, any such relevance is
minimal and only tangentially related to the issues being litigated, and certainly not proportional
to the needs of this case.
3. Survey Documents
In this Court’s April 18, 2019 Order, FCA was directed to produce consumer survey
information addressing the importance of safety to consumers or potential purchasers by May 3,
2019, in response to certain requests for production of documents. Plaintiffs assert that FCA
Page 4 of 12
produced a single, 16-page PowerPoint presentation discussing one survey FCA conducted.
Plaintiffs contend Meg Novacek testified in her July 18, 2019 deposition that it is her
understanding FCA has an internal group dedicated to performing surveys and market research
and that those surveys often addressed features relating to safety.
FCA contends it produced all survey documents that could be located that related to
cybersecurity or safety for the vehicles at issue.
FCA explains it searched general survey
information in the timeframe the vehicles at issue were being manufactured and sold and produced
the relevant documents in its possession. FCA explains it does not have raw survey data in its
possession related to the survey PowerPoint presentation it produced.
FCA also explained
surveys are typically conducted in relation to features and consumer preferences.
Although the Court is mindful of Plaintiff’s position, it finds that Plaintiffs have based their
request for additional survey information on speculation. Novacek’s testimony, wherein she
spoke generally about FCA’s performance of surveys and market research, does not substantiate
Plaintiffs’ claims that there are relevant documents being withheld by FCA. Because “[c]ourts
need not authorize additional discovery based on nothing more than ‘mere speculation’ that would
‘amount to a fishing expedition’,” Illinois Extension Pipeline Co., LLC v. Thomas, No. 15-3052,
2016 WL 1259379, at *5 (C.D. Ill. Mar. 1, 2016) (citing Davis v. G.N. Mortgage Co., 396 F.3d
869, 885 (7th Cir. 2005)), the Court DENIES Plaintiff’s request to compel additional survey
information.
4. Documents and Video relating to SwRI’s “Whole Vehicle” Penetration Testing
Plaintiffs ask the Court to order FCA to produce the following categories of documents
Page 5 of 12
relating to the “whole vehicle penetration testing” conducted by SwRI in 2015 and 2016:
1. Video mentioned in Exhibit 13.
2. PowerPoint presentations made by SwRI to FCA relating to testing of any aspect of the
Affected Vehicles (Exhibit 14).
3. The Statement of Work and written materials FCA provided to SwRI.
4. All communications with SwRI relating to its work with any Affected Vehicles.
Plaintiffs acknowledge that SwRI’s penetration testing was determined to be beyond the
scope of the claims in this lawsuit, but argue the Court’s interpretation of the issues was too narrow
given the three defects alleged in the operative complaint. More specifically, Plaintiffs explain
that the Remote Control Defect alleged in their complaint is not limited to the Uconnect System
for said defect alleges hackers could gain access beyond the infotainment system and remotely
take control of the vehicles’ acceleration, braking, steering, ignition, and other operational and
safety functions.
FCA asserts the Court previously made it clear the “whole vehicle” penetration testing
conducted by SwRI was not relevant to the issues in this case. FCA also asserts that Plaintiffs’
request is not tethered to any actual RFP.
The Court is not inclined to reconsider its previous decision concerning the production of
SwRI penetration testing. District Judge Reagan’s class certification order clearly contemplates
that the alleged defects on which Plaintiff’s claims were certified stemmed from the Uconnect
system (see Doc. 399 at 7, “Plaintiffs provide evidence that the design and installation of the
Uconnect devices themselves, rather than the software operating the devices, is defective and that
fixing the software may not have fixed the alleged defects.”); (see id at 10, “Plaintiffs provide
evidence that suggests that the Uconnect integration in their vehicles is flawed such that the defect
Page 6 of 12
exists regardless of whether they, personally have had their vehicles hacked.”); (see id. at 25, “the
named Plaintiffs’ claims arise from the same practice or course of conduct (Defendants actions
related to cybersecurity defects in the Uconnect devices installed in certain Chrysler vehicles) that
gives rise to the claims of other potential class members …”). Moreover, Judge Reagan’s Order
specifically defined the certified classes as vehicles manufactured with the “Uconnect 8.4A or
Uconnect 8.4AN systems.” Accordingly, documents related to whole vehicle penetration testing
are not relevant and the Court declines to reconsider its previous decision. Plaintiffs’ request for
SwRI’s penetration testing is DENIED.
5. FCA’s Request for Sanctions
FCA contends it is entitled to its fees and costs as Plaintiffs are engaging in bad faith
discovery tactics. The Court notes that although it would like the parties to work cooperatively
in discovery, the disputes brought by Plaintiffs have not been wholly frivolous and there is no
evidence of bad faith. However, if FCA seeks fees and costs, it should file a motion and the Court
will consider the same after the parties have the opportunity to fully brief the issue.
AUGUST 22, 2019 DISCOVERY DISPUTE CONFERENCE2
1. Plaintiffs’ Request for Leave to Conduct Second 30(b)(6) Deposition of FCA
Plaintiff served a notice for a FRCP 30(b)(6) deposition of FCA on June 25, 2019, listing
seven topics they contend were not at issue during the class certification phase of discovery and/or
relating to documents FCA had previously withheld, but which the Court recently ordered FCA to
2
The Court addressed the parties’ dispute concerning the deadline to complete depositions of Defendants’ experts in
its August 22, 2019 Order (Doc. 504).
Page 7 of 12
produce.
FCA objects to said request, arguing Plaintiffs must seek leave under Rule
30(a)(2)(A)(ii)3. The Court agrees. See In re Sulfuric Acid Antitrust Litigation, No. 03-C-4576,
2005 WL 1994105, *2 (Aug. 19, 2005 N.D. Ill.). Plaintiffs are directed to file a motion for leave
to take a second Rule 30(b)(6) deposition of FCA. The Court encourages the parties to meet and
confer to address the scope of the topics set forth in the deposition notice as it appears some topics
may be inconsistent with the scope and limits set forth in Rules 26(b)(1) and (2).
2. Dispute regarding FCA’s Responses to Plaintiffs’ Requests for Admissions
Plaintiffs assert that many of FCA’s objections to its requests for admissions are not
justified, and they ask the Court to direct FCA to respond substantively and in a manner that “fairly
meets the substance of the requested admission.”
The following requests are at issue:
a. RFA Nos. 40-65
In these requests, Plaintiffs ask FCA to admit that for each model of the Affected Vehicles
there is not a hardware trust anchor between the Uconnect system and the vehicle’s CAN bus, nor
is there a hardware trust anchor anywhere in the vehicle. FCA objects to the requests on the basis
of relevancy. FCA further objects because the phrase “hardware trust anchor” is vague and
confusing. FCA asserts that Plaintiffs’ attempt to define “hardware trust anchor” by reference to
certain documents (albeit documents produced by FCA) is insufficient as the documents refer to
many different things as a “hardware trust anchor” and refer to many different functionalities.
3
FCA cites to Rule 30(a)(2)(B) in their position summary letter dated August 21, 2019; however, the reference
appears to be in error.
Page 8 of 12
The Court OVERRULES FCA’s objections. The requests seek relevant information that
has been adequately defined. Insofar as FCA believes Plaintiffs’ definition of “hardware trust
anchor” is vague or ambiguous, it should set forward how it would define “hardware trust anchor”
in response to Plaintiffs’ requests. FCA shall respond to these requests by October 16, 2019.
b. RFA Nos. 79-104
In these requests, Plaintiffs ask FCA to admit that for each model of the Affected Vehicles
that (a) the vehicles have two primary segments or networks on their CAN bus, the CAN-BH (or
“BH-CAN”) and CAN-C (or “C-CAN”), and (b) that the Uconnect system is connected to both
the CAN-C and CAN-BH CAN bus segments. FCA objects to the requests on the basis of
relevancy.
FCA further objects because the phrases “primary segments or networks” and
“connected to both” is vague and confusing.
The Court OVERRULES FCA’s objections. The requests seek relevant information and
the Court does not find the phrases “primary segments or networks” and “connected to both” vague
and confusing in light of the history of this litigation and the parties’ familiarity with the issues.
Insofar as FCA believes the phrases are vague or ambiguous, it should set forward how it is
defining such phrases in response to Plaintiffs’ requests. FCA shall respond to these requests by
October 16, 2019.
c. RFA Nos. 113-116
In these requests, Plaintiffs ask FCA to admit that it did not notify consumers that a
cybersecurity attack or hack could allow an attacker to affect certain components (e.g., braking,
steering) in any Affected Vehicle. FCA objected to the requests, asserting they “wrongfully
Page 9 of 12
assume that it has been demonstrated that a cybersecurity attack or hack can affect the ability of a
driver to control” the component at issue in the request. Plaintiffs contend these objections are
evasive and improper. The Court agrees. The Court OVERRULES FCA’s objections. FCA
shall respond to these requests by October 16, 2019.
d. RFA Nos. 105-106
In these requests, Plaintiffs ask FCA to admit that some model 2018 and later model year
FCA vehicles have hardware gateways between the vehicles’ infotainment systems and CAN
buses, and hardware trust anchors between the vehicles’ infotainment systems and CAN buses.
FCA objects to these requests on the basis of relevancy. The Court agrees. The requests seek
information not relevant to the Affected Vehicles that is beyond the scope of the claims pending
in this lawsuit. FCA’s objections are SUSTAINED.
e. RFA No. 112
Plaintiffs ask FCA to admit that each Affected Vehicle has multiple attack surfaces.
FCA’s relevancy objection is SUSTAINED.
f. RFA No. 118
Plaintiffs ask FCA to admit that connected vehicles are potential targets for malicious
hackers. FCA objects, asserting the phrase “potential targets” is vague and ambiguous. FCA’s
objection is OVERRULED. FCA shall respond to this request by October 16, 2019.
g. RFA No. 119
Plaintiffs ask FCA to admit there was no group within FCA with dedicated responsibility
for vehicle cybersecurity until at least April 2014. FCA objected on the basis of relevancy.
Page 10 of 12
Although the Court acknowledges the relevancy of this request is limited, it is proportional to the
needs of the case and FCA’s objection is OVERRULED. FCA shall respond to this request by
October 16, 2019.
h. RFA Nos. 120-121
In these requests, Plaintiffs ask FCA to admit that it did not conduct a cybersecurity risk
assessment as part of the design process for the Affected Vehicles (RFA 120) or the Uconnect
systems in the Affected Vehicles (RFA 121). FCA objected on the basis of relevancy. FCA’s
objections are OVERRULED. FCA shall respond to these requests by October 16, 2019.
i. RFA Nos. 122-124
In these requests, Plaintiffs ask FCA to admit that it did not conduct certain penetration
tests on the Affected Vehicles. FCA objected on the basis of relevancy. FCA’s objections are
OVERRULED. FCA shall respond to these requests by October 16, 2019.
j. RFA Nos. 125-127
In these requests, Plaintiffs ask FCA to admit that it was aware of the possibility that
vehicles with Internet connectivity could be hacked by January 1, 2010 (RFA 125), January 1,
2011 (RFA 126), and January 1, 2012 (RFA 127). FCA objected on the basis of relevancy.
FCA’s objections are OVERRULED. FCA shall respond to these requests by October 16, 2019.
3. Plaintiffs’ Supplemental Discovery Responses
FCA asks that Plaintiffs be required to supplement their responses to written discovery.
In particular, FCA asserts Plaintiffs have failed to properly supplement requests for production
numbers 22, 23, 25, 28, 32, and 33 seeking documents related to the maintenance, repairs,
Page 11 of 12
inspections, and use of their vehicles. FCA’s request is GRANTED IN PART. Plaintiffs shall
produce to FCA a list of locations where they have taken their vehicles for maintenance, inspection
and repairs by October 16, 2019. Further, Plaintiff Keith is ORDERED to supplement his
response to interrogatory 1 by October 16, 2019 by providing documentation related to the
disposals and the dates on which the vehicles were disposed. FCA has not set forth any other
particularized issue with Plaintiffs’ supplementation of their discovery responses. Insofar as there
are other responses that Plaintiffs have not supplemented, Plaintiffs are reminded of their
obligation to do so under Federal Rule of Civil Procedure 26(e), which provides that
supplementation is mandatory and must be completed in a timely manner.
IT IS SO ORDERED.
DATED: October 2, 2019
s/ Reona J. Daly
Hon. Reona J. Daly
United States Magistrate Judge
Page 12 of 12
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?