In re Target Corp. Customer Data Security Breach Litigation, No. 0:14-md-02522 (D. Minn.).
In re Target Corp. Customer Data Security Breach Litigation, No. 3:14-mc-80302 (N.D. Cal.).

Symantec Corporation, the data security software provider, filed a motion to quash the plaintiffs’ third-party subpoena in the consolidated class action over Target Corporation’s massive customer data breach in late 2013. In the lawsuit pending in the District of Minnesota, the plaintiffs allege that Target used security software made by Symantec, that Symantec’s software detected and notified Target of the breach, but that Target took no action until after (1) the hackers began harvesting customer credit card information from Target’s cash registers, and (2) the Justice Department notified them of the breach.

In its October 30 motion, filed in federal court in San Francisco, Symantec argued that the subpoena was premature, served three weeks after the plaintiffs filed suit and before they had received any discovery from Target. Further, Symantec asserted, the plaintiffs’ subpoena was grossly overbroad in that it sought all information and communications concerning “every single product and service ever provided to Target by Symantec and all of Symantec’s interactions with Target on any subject connected thereto.”  If the court did not quash the subpoena, Symantec argued that it should drastically narrow its scope to (i) whether Target used Symantec antivirus software in November 2013, (ii) whether that software detected any suspicious activity at the time of the breach, and (iii) the content and nature of any alert Symantec provided to Target. Symantec also argued that any cost of compliance with and costs of challenging the subpoena should be shifted to the plaintiffs.

The plaintiffs responded on November 17, arguing that Symantec’s motion should be transferred to the District of Minnesota or, in the alternative, that the court order the parties to continue to negotiate. The plaintiffs argued that the subpoena is necessary to “determine whether Symantec’s cybersecurity products and services provided Target with notices of harmful viruses or malware that could have caused the breach and whether Target disregarded Symantec’s warnings.”  The plaintiffs also argued that Symantec had not shown what its costs of compliance would be or why a company of its stature could not bear them.

On November 24, Symantec replied that transferring the motion to quash to Minnesota would unfairly burden it as a nonparty and that the plaintiffs failed to point to any “extraordinary” circumstances that would warrant a change of venue. Symantec argued that cost-shifting would be appropriate where, as here, costs to comply with the subpoena would be more than $50,000, and that Symantec’s financial condition should be irrelevant to the analysis. (The parties’ briefs indicate that Symantec’s counsel asked to record the parties’ meet-and-confer using an iPhone when the plaintiffs’ counsel allegedly “became abusive.”)

The motion is scheduled to be heard before Judge James Donato of the U.S. District Court for the Northern District of California on December 19, 2014.