ORDER

REONA J. DALY, Magistrate Judge.

Discovery dispute conferences were held in this matter on July 25, 2019 and August 22, 2019. During the conferences, the Court addressed various disputes brought by both Plaintiffs and Defendant FCA US LLC ("FCA"). The parties submitted brief summaries of the disputes ahead of the conferences. Familiarity with the background of this case is presumed1 and the Court's orders are set forth below.

JULY 25, 2019 DISCOVERY DISPUTE CONFERENCE

1. Purported Flaws in FCA's Document Production

Plaintiffs contend Defendant FCA's document production is materially incomplete because FCA has applied an "exceedingly narrow definition of relevant" in an effort to justify withholding critical documents. In support of their position, Plaintiffs submitted various documents that were recently produced by FCA pursuant to this Court's April 18, 2019 Order (see Doc. 486) that they assert should have been produced years ago. For example, Plaintiffs refer to PowerPoint presentations authored by Meg Novacek (the original supervisor of FCA's Global Vehicle Cybersecurity Group ("GCVS")) that address cybersecurity issues, including FCA's knowledge of hackers' ability to take control of certain mechanisms in the Affected Vehicles.

Plaintiffs assert there are approximately 130 documents that had not been produced previously despite containing one or more ESI search terms. FCA contends that of the documents Plaintiffs argue should have been produced, 91 did not hit on a search string or hit on a search string and were previously produced. Twenty-two of the documents that hit on a search string were duplicates.

FCA asserts there was no intentional withholding of documents and any documents that were recently produced that included search terms had been deemed not relevant. FCA explains that the documents Plaintiffs cite discuss future technologies, were forward looking, and were only produced in compliance with the Court's Order as they discussed "other manufacturers' cybersecurity." FCA maintains it has produced any documents that address the Affected Vehicles and cybersecurity practices at the time the Affected Vehicles were sold. The Affected Vehicles were last manufactured in July 2015.

Pursuant to Federal Rule of Civil Procedure 26(b)(1), parties are only entitled to discovery of nonprivileged matter that is relevant to any party's claim or defense and proportional to the needs of the case. The Supreme Court has cautioned that the requirement under Rule 26(b)(1) that the material sought in discovery be "relevant" should be firmly applied, and the district courts should not neglect their power to restrict discovery where necessary. Herbert v. Lando, 441 U.S. 153, 177 (1979); see also Balderston v. Fairbanks Morse Engine Div. of Coltec Indus., 328 F.3d 309, 320 (7th Cir. 2003). However, "relevancy" for discovery purposes is construed broadly to encompass matters that bear on, or reasonably could lead to other matters that could bear on, any issue in the case. Oppenheimer Fund, Inc. v. Sanders, 437 U.S. 340, 351 (1978) (citing Hickman v. Taylor, 329 U.S. 495, 501 (1947)). "Relevance is not inherent in any item of evidence, but exists only as a relation between an item of evidence and the matter properly provable in the case." Miller UK Ltd. v. Caterpillar, Inc., 17 F.Supp.3d 711, 722 (N.D. Ill. Jan. 6, 2014) (citation omitted). Based on a review of the documents cited by Plaintiffs, the Court does not find evidence of any systemic or marked issue with FCA's document production and relevancy review to warrant the relief Plaintiffs seek — the production of all documents previously withheld on the basis of relevancy for review by Plaintiffs. The pending claims do not concern actions taken by FCA in their production of vehicles after July 2015. Indeed, the claims center on the merchantability of the vehicles at issue at the time of sale, as well as FCA's merchandising of those vehicles. There are limits to relevancy in discovery, and the Court finds the limits applied in this case to be appropriate in light of the dictates of Rule 26(b)(1). Plaintiffs' request that FCA be ordered to produce all responsive, non-privileged documents is DENIED.

2. Bug Bounty Program

Plaintiffs explain they issued a series of requests for production of documents related to FCA's "bug bounty" program that was implemented in 2017. Specifically, Plaintiffs seek documents concerning the terms of the program, submissions related to the Affected Vehicles, and payouts from the program relating to the Affected Vehicles at issue in this case. FCA contends it has produced all of the documents requested.

Plaintiffs assert, however, that they also sought "communications regarding consideration of the establishment of the bug bounty program," that FCA refuses to produce. FCA did not produce these documents because Plaintiffs' request was not limited to the vehicles, components, or timeframe reasonably at issue and such production would be disproportional to the needs of this case. Plaintiffs assert such documents are relevant to their position that the defects in the Affected Vehicles are largely attributable to FCA's attempts to cut costs, including irresponsible failures to invest in the type of internal group with responsibility for product cybersecurity that is universally considered essential. Plaintiffs posit that documents concerning the establishment of the "bug bounty" program would likely address whether FCA believed it could "outsource" functions that should have been handled internally.

Plaintiffs' request to compel the production of such documents is DENIED. The documents Plaintiffs seek are beyond the scope allowed under Federal Rule of Civil Procedure 26(b)(1). Indeed, although the documents concerning the implementation of the "bug bounty" program may have some relevance to the claims or defenses in this case, any such relevance is minimal and only tangentially related to the issues being litigated, and certainly not proportional to the needs of this case.

3. Survey Documents

In this Court's April 18, 2019 Order, FCA was directed to produce consumer survey information addressing the importance of safety to consumers or potential purchasers by May 3, 2019, in response to certain requests for production of documents. Plaintiffs assert that FCA produced a single, 16-page PowerPoint presentation discussing one survey FCA conducted. Plaintiffs contend Meg Novacek testified in her July 18, 2019 deposition that it is her understanding FCA has an internal group dedicated to performing surveys and market research and that those surveys often addressed features relating to safety.

FCA contends it produced all survey documents that could be located that related to cybersecurity or safety for the vehicles at issue. FCA explains it searched general survey information in the timeframe the vehicles at issue were being manufactured and sold and produced the relevant documents in its possession. FCA explains it does not have raw survey data in its possession related to the survey PowerPoint presentation it produced. FCA also explained surveys are typically conducted in relation to features and consumer preferences.

Although the Court is mindful of Plaintiff's position, it finds that Plaintiffs have based their request for additional survey information on speculation. Novacek's testimony, wherein she spoke generally about FCA's performance of surveys and market research, does not substantiate Plaintiffs' claims that there are relevant documents being withheld by FCA. Because "[c]ourts need not authorize additional discovery based on nothing more than `mere speculation' that would `amount to a fishing expedition'," Illinois Extension Pipeline Co., LLC v. Thomas, No. 15-3052, 2016 WL 1259379, at *5 (C.D. Ill. Mar. 1, 2016) (citing Davis v. G.N. Mortgage Co., 396 F.3d 869, 885 (7th Cir. 2005)), the Court DENIES Plaintiff's request to compel additional survey information.

4. Documents and Video relating to SwRI's "Whole Vehicle" Penetration Testing

Plaintiffs ask the Court to order FCA to produce the following categories of documents relating to the "whole vehicle penetration testing" conducted by SwRI in 2015 and 2016:

Plaintiffs acknowledge that SwRI's penetration testing was determined to be beyond the scope of the claims in this lawsuit, but argue the Court's interpretation of the issues was too narrow given the three defects alleged in the operative complaint. More specifically, Plaintiffs explain that the Remote Control Defect alleged in their complaint is not limited to the Uconnect System for said defect alleges hackers could gain access beyond the infotainment system and remotely take control of the vehicles' acceleration, braking, steering, ignition, and other operational and safety functions.

FCA asserts the Court previously made it clear the "whole vehicle" penetration testing conducted by SwRI was not relevant to the issues in this case. FCA also asserts that Plaintiffs' request is not tethered to any actual RFP.

The Court is not inclined to reconsider its previous decision concerning the production of SwRI penetration testing. District Judge Reagan's class certification order clearly contemplates that the alleged defects on which Plaintiff's claims were certified stemmed from the Uconnect system (see Doc. 399 at 7, "Plaintiffs provide evidence that the design and installation of the Uconnect devices themselves, rather than the software operating the devices, is defective and that fixing the software may not have fixed the alleged defects."); (see id at 10, "Plaintiffs provide evidence that suggests that the Uconnect integration in their vehicles is flawed such that the defect exists regardless of whether they, personally have had their vehicles hacked."); (see id. at 25, "the named Plaintiffs' claims arise from the same practice or course of conduct (Defendants actions related to cybersecurity defects in the Uconnect devices installed in certain Chrysler vehicles) that gives rise to the claims of other potential class members ..."). Moreover, Judge Reagan's Order specifically defined the certified classes as vehicles manufactured with the "Uconnect 8.4A or Uconnect 8.4AN systems." Accordingly, documents related to whole vehicle penetration testing are not relevant and the Court declines to reconsider its previous decision. Plaintiffs' request for SwRI's penetration testing is DENIED.

5. FCA's Request for Sanctions

FCA contends it is entitled to its fees and costs as Plaintiffs are engaging in bad faith discovery tactics. The Court notes that although it would like the parties to work cooperatively in discovery, the disputes brought by Plaintiffs have not been wholly frivolous and there is no evidence of bad faith. However, if FCA seeks fees and costs, it should file a motion and the Court will consider the same after the parties have the opportunity to fully brief the issue.

AUGUST 22, 2019 DISCOVERY DISPUTE CONFERENCE2

1. Plaintiffs' Request for Leave to Conduct Second 30(b)(6) Deposition of FCA

Plaintiff served a notice for a FRCP 30(b)(6) deposition of FCA on June 25, 2019, listing seven topics they contend were not at issue during the class certification phase of discovery and/or relating to documents FCA had previously withheld, but which the Court recently ordered FCA to produce. FCA objects to said request, arguing Plaintiffs must seek leave under Rule 30(a)(2)(A)(ii)3. The Court agrees. See In re Sulfuric Acid Antitrust Litigation, No. 03-C-4576, 2005 WL 1994105, *2 (Aug. 19, 2005 N.D. Ill.). Plaintiffs are directed to file a motion for leave to take a second Rule 30(b)(6) deposition of FCA. The Court encourages the parties to meet and confer to address the scope of the topics set forth in the deposition notice as it appears some topics may be inconsistent with the scope and limits set forth in Rules 26(b)(1) and (2).

2. Dispute regarding FCA's Responses to Plaintiffs' Requests for Admissions

Plaintiffs assert that many of FCA's objections to its requests for admissions are not justified, and they ask the Court to direct FCA to respond substantively and in a manner that "fairly meets the substance of the requested admission."

The following requests are at issue:

a. RFA Nos. 40-65

In these requests, Plaintiffs ask FCA to admit that for each model of the Affected Vehicles there is not a hardware trust anchor between the Uconnect system and the vehicle's CAN bus, nor is there a hardware trust anchor anywhere in the vehicle. FCA objects to the requests on the basis of relevancy. FCA further objects because the phrase "hardware trust anchor" is vague and confusing. FCA asserts that Plaintiffs' attempt to define "hardware trust anchor" by reference to certain documents (albeit documents produced by FCA) is insufficient as the documents refer to many different things as a "hardware trust anchor" and refer to many different functionalities.

The Court OVERRULES FCA's objections. The requests seek relevant information that has been adequately defined. Insofar as FCA believes Plaintiffs' definition of "hardware trust anchor" is vague or ambiguous, it should set forward how it would define "hardware trust anchor" in response to Plaintiffs' requests. FCA shall respond to these requests by October 16, 2019.

b. RFA Nos. 79-104

In these requests, Plaintiffs ask FCA to admit that for each model of the Affected Vehicles that (a) the vehicles have two primary segments or networks on their CAN bus, the CAN-BH (or "BH-CAN") and CAN-C (or "C-CAN"), and (b) that the Uconnect system is connected to both the CAN-C and CAN-BH CAN bus segments. FCA objects to the requests on the basis of relevancy. FCA further objects because the phrases "primary segments or networks" and "connected to both" is vague and confusing.

The Court OVERRULES FCA's objections. The requests seek relevant information and the Court does not find the phrases "primary segments or networks" and "connected to both" vague and confusing in light of the history of this litigation and the parties' familiarity with the issues. Insofar as FCA believes the phrases are vague or ambiguous, it should set forward how it is defining such phrases in response to Plaintiffs' requests. FCA shall respond to these requests by October 16, 2019.

c. RFA Nos. 113-116

In these requests, Plaintiffs ask FCA to admit that it did not notify consumers that a cybersecurity attack or hack could allow an attacker to affect certain components (e.g., braking, steering) in any Affected Vehicle. FCA objected to the requests, asserting they "wrongfully assume that it has been demonstrated that a cybersecurity attack or hack can affect the ability of a driver to control" the component at issue in the request. Plaintiffs contend these objections are evasive and improper. The Court agrees. The Court OVERRULES FCA's objections. FCA shall respond to these requests by October 16, 2019.

d. RFA Nos. 105-106

In these requests, Plaintiffs ask FCA to admit that some model 2018 and later model year FCA vehicles have hardware gateways between the vehicles' infotainment systems and CAN buses, and hardware trust anchors between the vehicles' infotainment systems and CAN buses. FCA objects to these requests on the basis of relevancy. The Court agrees. The requests seek information not relevant to the Affected Vehicles that is beyond the scope of the claims pending in this lawsuit. FCA's objections are SUSTAINED.

e. RFA No. 112

Plaintiffs ask FCA to admit that each Affected Vehicle has multiple attack surfaces. FCA's relevancy objection is SUSTAINED.

f. RFA No. 118

Plaintiffs ask FCA to admit that connected vehicles are potential targets for malicious hackers. FCA objects, asserting the phrase "potential targets" is vague and ambiguous. FCA's objection is OVERRULED. FCA shall respond to this request by October 16, 2019.

g. RFA No. 119

Plaintiffs ask FCA to admit there was no group within FCA with dedicated responsibility for vehicle cybersecurity until at least April 2014. FCA objected on the basis of relevancy. Although the Court acknowledges the relevancy of this request is limited, it is proportional to the needs of the case and FCA's objection is OVERRULED. FCA shall respond to this request by October 16, 2019.

h. RFA Nos. 120-121

In these requests, Plaintiffs ask FCA to admit that it did not conduct a cybersecurity risk assessment as part of the design process for the Affected Vehicles (RFA 120) or the Uconnect systems in the Affected Vehicles (RFA 121). FCA objected on the basis of relevancy. FCA's objections are OVERRULED. FCA shall respond to these requests by October 16, 2019.

i. RFA Nos. 122-124

In these requests, Plaintiffs ask FCA to admit that it did not conduct certain penetration tests on the Affected Vehicles. FCA objected on the basis of relevancy. FCA's objections are OVERRULED. FCA shall respond to these requests by October 16, 2019.

j. RFA Nos. 125-127

In these requests, Plaintiffs ask FCA to admit that it was aware of the possibility that vehicles with Internet connectivity could be hacked by January 1, 2010 (RFA 125), January 1, 2011 (RFA 126), and January 1, 2012 (RFA 127). FCA objected on the basis of relevancy. FCA's objections are OVERRULED. FCA shall respond to these requests by October 16, 2019.

3. Plaintiffs' Supplemental Discovery Responses

FCA asks that Plaintiffs be required to supplement their responses to written discovery. In particular, FCA asserts Plaintiffs have failed to properly supplement requests for production numbers 22, 23, 25, 28, 32, and 33 seeking documents related to the maintenance, repairs, inspections, and use of their vehicles. FCA's request is GRANTED IN PART. Plaintiffs shall produce to FCA a list of locations where they have taken their vehicles for maintenance, inspection and repairs by October 16, 2019. Further, Plaintiff Keith is ORDERED to supplement his response to interrogatory 1 by October 16, 2019 by providing documentation related to the disposals and the dates on which the vehicles were disposed. FCA has not set forth any other particularized issue with Plaintiffs' supplementation of their discovery responses. Insofar as there are other responses that Plaintiffs have not supplemented, Plaintiffs are reminded of their obligation to do so under Federal Rule of Civil Procedure 26(e), which provides that supplementation is mandatory and must be completed in a timely manner.

IT IS SO ORDERED.