SAN FRANCISCO (CN) - Uber overreached in seeking access to the emails and web-browsing history of a high-ranking Lyft employee, a federal judge has ruled.
The ride-hailing service sought the data as evidence in a class action - Antman v. Uber - over a May 2014 data breach that exposed the private information of 50,000 Uber drivers.
Uber said it needed the information to find out if Lyft or its unnamed employee was involved in the breach.
In February, Lyft filed a motion accusing Uber of orchestrating a "witch hunt" to snatch its trade secrets under the guise of legitimate discovery.
"The court in no way authorizes discovery of Lyft's proprietary, confidential information and instead limits the discovery to jurisdictional discovery about the data breach in aid of illuminating the plaintiff's standing to pursue his claims," U.S. Magistrate Judge Laurel Beeler wrote in her April 2 ruling.
The disputed discovery requests first surfaced in October last year after Beeler dismissed the Antman suit with leave to amend and granted limited discovery in the case.
Uber has filed a separate lawsuit against an unnamed Doe defendant it says was responsible for the breach. A subpoena issued in that case compelled Comcast to reveal the unknown hacker's IP address.
Reuters reported this past October that two anonymous sources identified the user of that IP address as Lyft technology chief Chris Lambert. But Lyft said it investigated those claims and found Lambert had nothing to do with the breach.
"The discovery is not meant to definitively prove Uber's case in the related litigation against Doe," Beeler stated in her 6-page ruling.
She allowed Uber to share any "relevant" details it learns on the identity of the hacker that caused the breach with attorneys at Perkins Coie, who represent Uber in both the Antman and Uber v. Doe suits.
Beeler denied Uber's request to peek at the unnamed employee's computer and mobile devices or conduct a deposition of the employee, finding the deposition request premature at this stage in the litigation.
She also found the unnamed Lyft employee's response to one of Uber's sealed discovery requests was sufficient. Thirteen other requests for information were not "sufficiently limited to the data breach" in time or scope, she ruled.
Beeler ordered the unnamed employee to preserve all his data, to produce all responsive documents that relate to the data breach and to clearly indicate why any disputed information falls outside the scope of limited discovery or is privileged material exempt from disclosure.
"The scope of the subpoenas was meant to encompass the possibility that even if X had no relationship to the data breach, he might have information about it," Beeler wrote. "Some information might demonstrate that X was not involved in the breach."
Uber and Lyft must meet and confer to resolve any remaining disputes over discovery requests, the judge ruled.