THOMAS S. HIXSON, Magistrate Judge.
Pending before the Court is the parties' September 10, 2018 joint letter brief regarding the production of Bitdefender's source code, ECF No. 95. The Court held a telephonic hearing in this matter on September 20, 2018, and now issues this order.
The Protective Order in this action states that "[i]f the production of Source Code is to occur in this litigation, after reasonable notice to the Receiving Party, a single electronic copy of any such Source Code shall be made available for inspection on a non-networked standalone computer at a mutually agreeable location and at mutually agreeable times during normal business hours . . ." ECF No. 69 at 11. "The Receiving Party shall make any request to inspect the Producing Party's Source Code a reasonable time in advance of its desired inspection, and in no event less than two (2) court-days' notice . . ." Id. The principal dispute raised by the parties' letter is that there is no "mutually agreeable location." Finjan also contends that Bitdefender is inappropriately limiting how often it can review the source code, at least in California.
Bitdefender initially made its source code available for Finjan's review from June 4-8, 2018 at Bitdefender's office in Santa Clara, California. Subsequently, it transported the computer to Romania and stated that any further review would have to be there. In the letter brief, Finjan argues that it needs continuous access to Bitdefender's source code throughout discovery and that source code review is labor intensive and can take hundreds of hours. Finjan says it cannot right now estimate how many more days of source code review it will need, but it will need at least several non-consecutive weeks during fact discovery, additional weeks for expert review and additional weeks leading up to and during trial. Forcing Finjan's reviewers to travel to Romania every time they review Bitdefender's source code, Finjan reasons, would be unduly burdensome given the amount of review Finjan needs to undertake. Finjan seeks an order compelling Bitdefender to make its source code available in the United States.
Bitdefender responds that it has already made its source code available for a full week in California and that the code has been available since June for Finjan's unlimited review in Bucharest, Romania, where the code is located in the ordinary course of business. Bitdefender offers a compromise that it would pay up to $5,000 for Finjan's experts' travel expenses to Romania and bring the source code to California for one more week-long session at Bitdefender's expense. Finjan has rejected this compromise.
The Court appreciates Bitdefender's justified concerns about the security of its source code. See Apple Inc. v. Samsung Elecs. Co., Ltd., 2012 WL 1595784, *1 (N.D. Cal. May 4, 2012) ("[F]ew tasks excite a defendant less than a requirement that it produce source code.") "There is, however, no source code exception to the production requirements of Fed.R.Civ.P. 34." Id. Bitdefender's refusal to make its source code available for further review in the United States beyond the additional week offered in its proposed compromise is unreasonable. Finjan's reviewers need the ability to review Bitdefender's source code at least through the close of expert discovery, and Finjan's estimate that its reviewers may need to spend hundreds of hours reviewing that code is reasonable. This review cannot be done in a single week, and the number of trips to Romania that would be necessary to perform review there would impose an unreasonable and disproportionate expense on Finjan, vastly exceeding the $5,000 in travel expenses that Bitdefender has offered to reimburse.
In addition, Bitdefender has articulated no harm that making the source code available in its Santa Clara office would entail. Bitdefender argues that such availability is inconsistent with its security protocols. Of course it is. No company has a security protocol that provides for making its source code available to a competitor's reviewers for inspection. Yet, subject to proportionality constraints, Rule 34 requires this where source code is relevant to the litigation. At the hearing, Bitdefender confirmed that it has control over its Santa Clara office, so it is in a position to maintain security there. Bitdefender argues that making its source code available in Santa Clara would require continuous travel to the United States for its CIO, or possibly even his relocation to California for the duration of this litigation, but that argument is not persuasive because Bitdefender can authorize one of its U.S. employees to have access to the source code for the purpose of making it available for Finjan's review in Santa Clara. At the hearing, Bitdefender stated that in practical terms, once the source code is set up on a computer in the Santa Clara office, the only things an employee in that office would need to do to make the source code available for inspection by Finjan's reviewers, while keeping it secure, are entering a password and safeguarding the computer from theft. Thus, although the initial setup of the source code may require a technical person from outside the United States (and therefore imposes some burden on Bitdefender), the ongoing availability of the source code for inspection does not require any specialized tasks.
Accordingly, the Court