The Allstate Internal DNC Story is Even Worse Than it First Appears
So people are absolutely freaking out about this Allstate story I broke yesterday.
And they should be.
But seriously, I haven’t seen traffic like this since that time hackers started promoting my website because they thought it was cool. (That was weird.)
And although I’m sitting in a hotel room in Vegas right now I always strive to give the people what they want. So here’s some more coverage.
First, notice what the demand actually asks for and what Allstate was ordered to produce:
Allstate’s “internal Do Not Call list, and all data associated therewith (e.g., dates numbers were added, by whom, etc.).”
You see that?
It isn’t just the internal DNC list. Its “all data associated therewith.”
What does that even mean?
One of the best (worst?) things about being the big-boss-above-all-on-high Czar is that I get to train other people how to do things like respond to discovery demands.
Whereas Allstate’s counsel focused its fire–probably rightly–on why the internal DNC list ought not be produced, there was no apparent fight over whether the much much scarier “all data associated therewith” may also need to be produced. (The Order compelling production is a little unclear, however, so Allstate may have dodged a bullet there.
And whereas the objections my team would have served to this demand would have been about 4 pages long–just think about how hard it would be to find “all data associated with” each and every DNC request over the last 5 years–Allstate’s objections were apparently about 4 lines long, boilerplate in nature, and focused almost exclusively on the fact that not every number on the list was called:
RESPONSE: Allstate objects to this Request as overbroad, unduly burdensome, and seeking information that is irrelevant to any party’s claim or defense in that it seeks Allstate’s entire Do No Call list, when this lawsuit only (allegedly) involves a portion of the numbers on that list. Allstate further objects to this Request to the extent it seeks confidential and proprietary information.
Anyway, I also wanted to chat about the privacy issues here.
Companies go through tremendous lengths to protect privacy–particularly personal identifying information like names and phone numbers. Companies like Allstate undoubtedly have massive data protection regimes in place and vendor protocols assuring, inter alia, encryption in transit and physical security measures.
For that reason, whenever one of my clients faces a motion to compel data discovery I will usually present a declaration from a Chief Privacy Officer or Chief Information Officer (or their designee) to really hammer home the privacy concerns.
I mean, requiring Allstate to turn over “all data” related to its DNC list going back five years could plainly lead to a data breach cataclysm. There’s no evidence in the record in terms of who precisely is going to take possession of these records and how they will be protected. No limitation on re-production on to hard drives or thumb drives. Heck, this data could end up on some “expert’s” laptop connected to a coffee shop wifi network next week.
Which means your data could end up where it shouldn’t be.
This is particularly problematic as most of these folks are not going to be class members–so this is third-party data being spilled all over the streets of Chicago. (Figuratively.)
Yet the Court seems unconcerned about these absolutely critical issues:
Allstate’s second objection to producing its internal DNC list is based on privacy concerns because the list contains identifying information regarding persons who are potential class members. However, Allstate has failed to articulate how these privacy interests outweigh Hossfeld’s need for disclosure of relevant information.
I mean, let’s see. Index numbers could be used to pertain to each record in the DNC list to make sure no actual names and addresses were turned over. Plaintiff could provide Allstate with TK’s list and Allstate could perform the scrub–with Plaintiff’s expert watching–on Allstate’s servers so that there is no chance of a leak.
Or Allstate could just stipulate to numerosity and avoid the whole issue until certification is decided and then produce then…
Anyway, I always marvel–just marvel–at the fact that courts seem to pay so little heed to privacy concerns when it comes to civil discovery. Then again it is the Defendant’s job to make sure the Court fully “gets it” so I guess fault doesn’t belong on the Court’s shoulders.
I mean considering the fact that TCPA suits are purportedly about protecting consumer privacy I once argued that a class action lawyer that demands the production of so much data invading consumer privacy is actually inadequate to represent a class in a privacy class action.
The court disagreed. But also granted my request for a protective order.
One last note, Allstate was apparently just ordered to make another impossibly difficult production–all “document concerning prior complaints, investigations, and audits” regarding “telemarketing calls: (1) made by third-party vendors to individuals that were on Allstate’s internal do not call list; or (2) where the call did not inform the recipient that the call was made in order to sell Allstate goods and services.”
Don’t get me started on all the things wrong with this demand. How in the world would you even go about crafting a search for responsive records?
But Allstate will have to respond by November 18, 2021, nonetheless.
Real dogfight out there in Chicago. And remember–this guy was pretending to be interested in the calls like Mr. Johansen. Yet, here he is. Turning Allstate inside out.
Don’t let it happen to you.