Attorneys for Blackbaud and the putative class action plaintiffs allegedly impacted by the publicly-traded software company’s data breach last year were scheduled to meet last month to discuss a possible resolution of the remaining claims in the multi-district litigation. But the only filings in the case since then concern a contemplated amended complaint, suggesting the MDL is entering a new phase rather than nearing a conclusion.
The planned mediation and order regarding the expected new pleading came several days after Blackbaud announced, along with strong third-quarter financial results, that it has nearly exhausted its $50 million in relevant insurance coverage.
“Based on our review of expenses incurred to date, and upon consideration of the number of matters outstanding,” the company reported, referring to hundreds of customer requests for reimbursement in addition to the putative consumer class actions in the U.S. and Canada, “we believe that total costs related to the Security Incident will exceed the limits of our insurance coverage during the fourth quarter of 2021.” The company, whose fundraising and constituent-relationship software is widely used by nonprofits, noted that breach-related costs would “negatively impact our [Generally Accepted Accounting Principles] profitability and cash flow for the foreseeable future.”
Also influencing the latest developments in the case was an October ruling that allowed the plaintiffs’ negligence and gross negligence claims against Blackbaud to proceed.
Blackbaud had argued that there is generally no duty to prevent the criminal acts of third parties, and that, as constituents of its direct customers, plaintiffs are “strangers” to Blackbaud. The company also contended the plaintiffs had not adequately pleaded damages or causation.
But U.S. District Judge J. Michelle Childs, who has presided over the MDL for almost a year, rejected those common data breach defense arguments. “Plaintiffs plausibly allege that Blackbaud had custody of their Private Information, that Blackbaud’s systems were hacked, that these hackers obtained Plaintiffs’ Private Information, and that as a result of the Ransomware [Attack], they have suffered identity theft and other fraudulent activity,” she wrote in the October 19 opinion.
Blackbaud did persuade Judge Childs to dismiss as inadequately pleaded the plaintiffs’ negligence per se and unjust enrichment claims, but as with her rulings on two previous motions to dismiss, the plaintiffs emerged with the core of their case intact.
The Breach and the MDL
The ransomware attack at issue lasted from February to May 2020, when Blackbaud discovered the intrusion and paid the cybercriminals to destroy the copied personal data they stole. Blackbaud began reporting the incident to its customers – hospitals, schools, and similar “social good” institutions – in July 2020, at which point Blackbaud’s customers in turn notified their respective constituents – typically donors, patients, and students.
The first putative class action lawsuit was filed by a customer constituent in August 2020. In September 2020, Blackbaud revealed that more sensitive data had been exposed than previously believed. Approximately 30 more putative class actions were filed around the country by the end of the year, when most were consolidated before Judge Childs in the District of South Carolina.
After tackling preliminary MDL logistics in the spring, Judge Childs considered Blackbaud’s arguments for dismissing the 425-page, 97-count consolidated class action complaint over the summer. In July, she denied Blackbaud’s motion to dismiss the complaint for lack of subject matter jurisdiction, based in part on Blackbaud’s “lack of transparency” about the extent of the breach.
Judge Childs then considered arguments regarding a prominent handful of the plaintiffs’ 91 state statutory claims. In August, she dismissed claims under the New Jersey Consumer Fraud Act (plaintiffs did not adequately allege they were “consumers”), Pennsylvania Unfair Trade Practices and Consumer Protection Law (allegations of reliance were conclusory), and South Carolina Data Breach Security Act (plaintiffs inadequately alleged that Blackbaud “owned or licensed” data and did not allege until their motion brief that Blackbaud “maintained” data).
But Judge Childs allowed other important statutory claims to proceed. She ruled that the plaintiffs adequately alleged Blackbaud was a “business” (i.e., “service provider” is a subset of “business”) under the California Consumer Privacy Act, a notable interpretation in the short history of the CCPA. Judge Childs also held that Blackbaud is a “provider of health care” under the California Confidentiality of Medical Information Act; that plaintiffs adequately alleged Blackbaud’s business was “consumer-oriented” under New York General Business Law § 349; and that a Florida Deceptive and Unfair Trade Practices Act claim could also proceed in part.
Common Law Claims
In her most recent opinion, which addressed most of the consolidated complaint’s common-law counts, Judge Childs first determined that South Carolina law should govern because, among other reasons, that is where Blackbaud is based.
Judge Childs relied on a 2019 South Carolina Supreme Court decision that a drug-testing laboratory owed a special duty of care to its corporate customers’ employees to hold that Blackbaud owed a similar duty to the plaintiffs. Further, plaintiffs’ allegation that Blackbaud’s own conduct created the risk of a breach by failing to use reasonable security measures fit an exception to the rule that there is no duty to protect someone from the conduct of third parties, Judge Childs concluded. (Because Blackbaud did not make separate arguments against plaintiffs’ gross negligence theory, that claim also survived.) With respect to damages, Judge Childs simply noted that other courts in prominent data breach cases had recognized the damages the Blackbaud plaintiffs seek.
In a win for Blackbaud, Judge Childs rejected the statutory bases for negligence per se. Specifically, she ruled that HIPAA aims to protect the public, not individual private rights; that the plaintiffs did not define the group the FTC Act is meant to protect; and that there was no allegation Blackbaud’s website was directed to children under 13 or that Blackbaud collected information from a minor child to support a COPPA-based claim. Plaintiffs’ unjust enrichment claim also failed because the plaintiffs, whose relationship was with Blackbaud’s customers, not Blackbaud, did not allege facts that showed they conferred a benefit on Blackbaud.
In addition to the putative class actions and the hundreds of direct customer requests for reimbursement (or reservations of right to do so), Blackbaud has also received inquiries from U.S. state attorneys general and federal enforcement agencies, as well as from foreign data protection agencies. In September, the Information Commissioner’s Office in the U.K. notified Blackbaud that it had closed its investigation, issuing only a reprimand to Blackbaud’s European subsidiary for non-compliance with the U.K. General Data Protection Regulation. The Spanish Data Protection Authority also closed its investigation in September, having fined Blackbaud’s European subsidiary €60,000 for late notification of two data controllers in that country. It remains to be seen what becomes of the American investigations.
Phase I discovery on “ascertainability, damages, and causation” in the litigation before Judge Childs was supposed to conclude in November. Expected in the coming weeks are the plaintiffs’ amended consolidated class action complaint and a motion for class certification, which is scheduled for argument in the spring. Updates regarding the next steps in the MDL should come on Wednesday when Judge Childs hosts Case Management Conference No. 8.