Readers of CPW are familiar with In re Blackbaud, a data privacy multi-district litigation (“MDL”) created in December 2020 that is currently pending in the District of South Carolina.  The MDL was created to manage the claims of individuals and putative class representatives against Blackbaud, a cloud software company that was targeted in several ransomware attacks between February and May 2020.  In a decision issued at the end of last week, a federal judge found that the majority of Plaintiffs’ statutory claims withstand a Rule 12(b)(6) motion to dismiss.  MDL No. 2972 (D.S.C. Aug. 12, 2021).

In this MDL, which now concerns 29 consolidated cases, Plaintiffs represent a putative class of individuals whose data was provided to Blackbaud’s customers and managed by Blackbaud.  They allege that the cyberattack at issue resulted from Blackbaud’s “deficient security program” and that Blackbaud failed to comply with industry and regulatory standards by neglecting to implement security measures to mitigate the risk of cyber-threats.

Blackbaud had previously moved to dismiss the cases for lack of standing under Rule 12(b)(1), which was denied.  Blackbaud then moved to dismiss pursuant to Rule 12(b)(6) on June 4, 2021, contending that several of Plaintiffs’ claims failed.  The Court, however, largely rejected Blackbaud’s arguments.  This included the following:

  • California Consumer Privacy Act (“CCPA”) Claims: The Court found that Blackbaud was alleged to be a “business” under the CCPA, relying largely on its registration as a “data broker” under California law.  The Court notably rejected Blackbaud’s argument that it was a “service provider” and was therefore insulated from liability under the CCPA.
  • California Confidentiality of Medical Information Act (“CMIA”): The Court granted in part and denied in part Blackbaud’s motion to dismiss Plaintiffs’ CMIA claims.  The Court agreed that some of the named Plaintiffs failed to adequately allege that their “medical information” was compromised in the data event at issue—which was a required element of their CMIA claims.  However, one Plaintiff alleged that the data event resulted in the disclosure of “when and where she received medical treatment, which doctors treated her, and whether her treatment required an inpatient stay.”  The Court found that this was sufficient to allege a CMIA claim.
  • New York General Business Law § 349 (“GBL”): To state a claim under GBL Section 349, a plaintiff must plausibly allege three elements: (1) “the challenged act or practice was consumer-oriented;” (2) the act or practice “was misleading in a material way;” and (3) “the plaintiff suffered injury as a result of the deceptive act.”  The Court rejected Blackbaud’s argument that Plaintiffs failed to allege the first element of a GBL claim.  This was because the New York Plaintiffs claimed that they would not have entrusted their PII and/or PHI to Blackbaud’s customers if they had known that Blackbaud—one of the primary cloud computing vendors the entity entrusted with their PII and/or PHI—failed to maintain adequate data security.  The Court held that “[s]uch allegations suggest that Blackbaud’s allegedly deceptive acts caused [individuals] in New York to suffer avoidable injuries such as identity theft and diminished data value.”

However, the Court dismissed several statutory claims from Florida, New Jersey, Pennsylvania, California and South Carolina Plaintiffs (for failure to allege actual harm resulting from the data event, among other deficiencies).  A hearing is scheduled for September 2, 2021 on Blackbaud’s Motion to Dismiss certain common law claims alleged by Plaintiffs in the MDL.  In the meantime, phased discovery is underway.  For more on this litigation, stay tuned.  CPW will be there to keep you in the loop.