CPW has previously covered In re Blackbaud, a data privacy multi-district litigation (“MDL”) created in December 2020 that is currently pending in the District of South Carolina.  The MDL was created to manage the claims of individuals and putative class representatives against Blackbaud, a cloud software company that was targeted in several ransomware attacks between February and May 2020.  In its most recent opinion, the court denied Blackbaud’s motion to dismiss for lack of subject matter jurisdiction and allowed plaintiffs’ claims to proceed, finding that plaintiffs had sufficiently alleged Article III standing.  Read on to learn how it all played out.

To maintain a lawsuit in federal court, a plaintiff must establish standing under Article III of the Constitution by alleging: (1) an injury in fact; (2) that is fairly traceable to defendant’s conduct; and (3) that could likely be redressed by a favorable judicial decision.  Blackbaud had argued that plaintiffs had not sufficiently established the second element, i.e. that plaintiffs’ injuries were not fairly traceable to Blackbaud’s conduct.  Blackbaud raised both factual and facial challenges to the traceability requirement, but the court declined to consider Blackbaud’s factual challenge, finding that the facts needed to prove that element were too intertwined with the facts needed to prove the merits of plaintiffs’ claims.

With respect to Blackbaud’s facial challenge to plaintiffs’ standing, however, the court found that plaintiffs had met their obligation to sufficiently allege that the defendant was a plausible source of disclosure of their personal information.  Op. at 3 (“To survive a facial challenge to Article III standing, ‘a complaint must contain sufficient factual matter, accepted as true, “to state a claim to relief that is plausible on its face.”’”).  The opinion noted that there was a plausible connection between the types of data alleged to have been compromised in the ransomware attacks and the plaintiffs’ subsequent injuries, which included an increase in spam and phishing.  It also observed that, because Blackbaud had not been transparent about the extent of the ransomware attacks, it was likely that additional types of personal information may have been compromised.  The same was true for the data incidents involved in the MDL, as each plaintiff alleged harm less than a year after the incidents in question.

This ruling helps to illustrate the bounds of the Supreme Court’s groundbreaking decision in TransUnion v. Ramirez, which held that Article III standing requires allegations of a concrete injury in addition to a statutory violation.  Plaintiffs’ claims were allowed to survive here in part because of the specific allegations they raised concerning the injuries and harm they had suffered, which included identity theft and fraud, diminished value of data, and invasion of privacy, among others.

Of course, whether a plaintiff pleads injury for purposes of Article III standing is a wholly separate issue from whether a complaint raises a viable cause of action (and alleges sufficient injury for purposes of pleading cognizable damages).  Not to worry, CPW will be there to keep you in the loop as to how this case progresses.  Stay tuned.