In re Blackbaud, Inc., Customer Data Breach Litigation

• Decision Date: 19 October 2021
• Docket Number: Case No. 3:20-mn-02972-JMC,MDL No. 2972
• Citation: 567 F.Supp.3d 667
• Parties: IN RE: BLACKBAUD, INC., CUSTOMER DATA BREACH LITIGATION This Document Relates to: All Actions:
• Court: U.S. District Court — District of South Carolina

567 F.Supp.3d 667

IN RE: BLACKBAUD, INC., CUSTOMER DATA BREACH LITIGATION

This Document Relates to: All Actions:

Case No. 3:20-mn-02972-JMC

MDL No. 2972

United States District Court, D. South Carolina, Columbia Division.

Signed October 19, 2021

ORDER AND OPINION

J. Michelle Childs, United States District Judge

This matter is before the court on Defendant Blackbaud, Inc.’s ("Blackbaud") Motion to Dismiss four (4) of Plaintiffs’ common law claims pursuant to Federal Rule of Civil Procedure 12(b)(6). (ECF No. 124.) For the reasons set forth below, the court GRANTS IN PART and DENIES IN PART Blackbaud's Motion. (Id. )

I. RELEVANT BACKGROUND

Blackbaud is a publicly traded cloud software company incorporated in Delaware and headquartered in Charleston, South Carolina. (ECF No. 77 at 110–11 ¶ 419, 112 ¶ 424.) The company provides data collection and maintenance software solutions for administration, fundraising, marketing, and analytics to social good entities such as non-profit organizations, foundations, educational institutions, faith communities, and healthcare organizations ("Social Good Entities"). (Id. at 4 ¶ 4, 114 ¶ 430.) Blackbaud's services include collecting and storing Personally Identifiable Information ("PII") and Protected Health Information ("PHI") from its customers’ donors, patients, students, and congregants. (Id. at 3 ¶ 2, 114 ¶ 429.)

In this action, Plaintiffs represent a putative class of individuals whose data was provided to Blackbaud's customers and managed by Blackbaud. (Id. at 6 ¶ 12.) Thus, Plaintiffs are patrons of Blackbaud's customers rather than direct customers of Blackbaud. (ECF Nos. 92-1 at 9; 109 at 7–8.) Plaintiffs assert that, from February 7, 2020 to May 20, 2020, cybercriminals orchestrated a two-part ransomware attack on Blackbaud's systems ("Ransomware Attack"). (ECF No. 77 at 11–12 ¶ 25.) Cybercriminals first infiltrated Blackbaud's computer networks, copied Plaintiffs’ data, and held it for ransom. (Id. at 11 ¶ 25, 137 ¶ 496; ECF No. 92-1 at 7.) When the Ransomware Attack was discovered in May 2020, the cybercriminals then attempted but failed to block Blackbaud from accessing its own systems. (Id. ) Blackbaud ultimately paid the ransom in an undisclosed amount of Bitcoin in exchange for a commitment that any data previously accessed by the cybercriminals was permanently destroyed. (ECF Nos. 77 at 9 ¶ 20, 138 ¶ 499; 92-1 at 7.)

Plaintiffs maintain that the Ransomware Attack resulted from Blackbaud's "deficient security program[.]" (ECF No. 77 at 117–18 ¶ 439.) They assert that Blackbaud failed to comply with industry and regulatory standards by neglecting to implement security measures to mitigate the risk of unauthorized access, utilizing outdated servers, storing obsolete data, and maintaining unencrypted data fields. (Id. at 117–18 ¶ 439, 134 ¶ 486, 136 ¶ 491, 142 ¶ 510.)

Plaintiffs further allege that after the Ransomware Attack, Blackbaud launched a narrow internal investigation into the attack that analyzed a limited number of Blackbaud systems and did not address the full scope of the attack. (Id. at 143 ¶ 514.) Plaintiffs contend that Blackbaud failed to provide them with timely and adequate notice of the Ransomware Attack and the extent of the resulting data breach. (Id. at 130–31 ¶ 473.) They claim that they did not receive notice of the Ransomware Attack "until July of 2020 at the earliest[.]" (Id. at 156 ¶ 555.) Plaintiffs allege that they subsequently received notices of the Ransomware Attack from various Blackbaud customers at different points in time from July 2020 to January 2021. (See, e.g. , id. at 25 ¶ 63, 29 ¶ 82, 32 ¶ 93, 109 ¶ 414.) Plaintiffs maintain that although Blackbaud initially represented that sensitive information such as SSNs and bank account numbers were not compromised in the Ransomware Attack, Blackbaud informed certain customers in September and October 2020 that SSNs and other sensitive data were in fact stolen in the breach. (Id. at 141–42 ¶ 509.) Additionally, on September 29, 2020, Blackbaud filed a Form 8-K with the Securities and Exchange Commission stating that SSNs, bank account information, usernames, and passwords may have been exfiltrated during the Ransomware Attack. (Id. at 12 ¶ 26, 143 ¶ 512.)

After the Ransomware Attack was made public, putative class actions arising out of the intrusion into Blackbaud's systems and subsequent data breach were filed in state and federal courts across the country. (ECF No. 1 at 1.) On December 15, 2020, the Judicial Panel on Multidistrict Litigation consolidated all federal litigation related to the Ransomware Attack into this multidistrict litigation ("MDL") for coordinated pretrial proceedings.¹ (Id. at 3.)

On April 2, 2021, thirty-four (34) named Plaintiffs² from twenty (20) states filed a Consolidated Class Action Complaint ("CCAC") alleging that their PII and/or PHI was compromised during the Ransomware Attack. (ECF No. 77.)³ They assert six (6) claims on behalf of a putative nationwide class as well as ninety-one (91) statutory claims on behalf of putative state subclasses. (Id. at 173 ¶ 627 – 424 ¶ 1815.)

To facilitate the efficient resolution of the litigation, the court ordered various phases of motions practice to address jurisdictional issues, certain statutory claims, and specific common law claims. (ECF Nos. 23 at 2; 78 at 1.) This phase addresses the common law claims. Blackbaud filed the instant Motion to Dismiss pursuant to Rule 12(b)(6) on July 9, 2021, contending that Plaintiffs’ negligence, negligence per se , gross negligence, and unjust enrichment claims should be dismissed for failure to state a claim. (ECF No. 124.) Plaintiffs filed a Response on August 9, 2021. (ECF No. 142.) The court held a hearing on the Motion to Dismiss on September 2, 2021. (ECF No. 147.)

II. LEGAL STANDARD

A. Applicable Law

1. Choice of Law: Negligence, Negligence Per Se, and Gross Negligence

The parties have stipulated to the application of South Carolina choice of law principles. (ECF No. 93.) For tort claims, South Carolina uses the lex loci delicti analysis of the First Restatement of Conflict of Laws. The goals of the First Restatement were to "reduce forum shopping and increase predictability and uniformity" of result. See Yasamine J. Christopherson, Conflicted About Conflicts? A Simple Introduction to Conflicts of Laws , 21 S.C. LAW. 30, Sept. 2009, at 31. Under the traditional or "vested-rights" rule, "the cause of action was considered to be created in the state of the tort, and the capacity to sue or immunity or defense was considered part and parcel of those rights." 29 A.L.R.3d 603 (1970) ; see also Trahan v. E.R. Squibb & Sons, Inc. , 567 F. Supp. 505, 508 (M.D. Tenn. 1983) ("The lex loci doctrine is derived from the vested right approach which holds that a plaintiff's cause of action ‘owes its creation to the law of the jurisdiction where the injury occurred and depends for its existence and extent solely on such law.’ ") (quoting Winters v. Maxey , 481 S.W.2d 755, 756 (Tenn. 1972) ). Accordingly, under the traditional lex loci delicti test, the court applies "the law of the place in which the event occurred that created the right on which the party brings suit." Choice of Law in Tort and Contract Actions Chart, Practical Law Checklist , 2-558-2049, THOMAS REUTERS (Oct. 18, 2021).

Here, Plaintiffs assert the place of wrong is South Carolina because the last act making Blackbaud liable in tort was its negligent conduct in South Carolina where it "manages, maintains, and provides cloud computing software, services, and cybersecurity." (ECF No. 142 at 20 (citing ECF No. 77).) Conversely, Blackbaud contends the last event necessary was Plaintiffs’ injuries and that the injuries must have occurred in Plaintiffs’ respective home states. (ECF No. 124-1 at 23 (citing In re Premera Blue Cross Customer Data Sec. Breach Litig. , No. 3:15-md-2633-SI, 2019 WL 3410382, at *19-20, 2019 U.S. Dist. LEXIS 127093, at *41 (D. Or. July 29, 2019) ; Veridian Credit Union v. Eddie Bauer, LLC , 295 F. Supp. 3d 1140, 1153 (W.D. Wash. 2017) ).)

The acts and events necessary to constitute a tort is a question of law that varies depending on the state. RESTATEMENT ( FIRST ) OF CONFLICT OF LAWS § 377 cmt. a ( AM. L. INST. 1934). Under South Carolina's choice of law rules, the place of wrong is the location where the injury occurred, which is not necessarily the domicile of the plaintiffs. Rogers v. Lee , 414 S.C. 225, 777 S.E.2d 402, 407 (S.C. Ct. App. 2015) ("[W]e are not persuaded our courts should blindly apply the residence of a plaintiff in a legal malpractice claim as the location of the injury"). Further, under South Carolina law, "lex loci delicti is determined by the state in which the injury occurred , not where the results of the injury were felt or where the damages manifested themselves." Id. at 405 (emphasis original).

Determination of the last act necessary to identify the place of wrong "necessarily turns on the elements of the specific tort at issue." Cockrum v. Donald J. Trump for President, Inc. , 365 F. Supp. 3d 652, 667 (E.D. Va. 2019). The elements of negligence are duty, breach, causation, and damages. Savannah Bank, N.A. v. Stalliard , 400 S.C. 246, 734 S.E.2d 161, 163–64 (2012) (citing Thomasko v. Poole , 349 S.C. 7, 561 S.E.2d 597, 599 (2002) ); Kleckley v. Nw. Nat'l Cas. Co. , 338 S.C. 131, 526 S.E.2d 218, 221 (2000). Thus, the last event necessary for a defendant to be liable for negligence is damage to the plaintiff. See Bank of Louisiana v. Marriott Int'l, Inc. , 438 F. Supp. 3d 433, 443 (D. Md. 2020) (claim for negligence would not exist without injury); Cockrum v. Donald J. Trump for President, Inc. , 365 F. Supp. 3d at 667–68 (looking to the "point of completion" of the specific tort at issue to determine the place of wrong); Tolman v. Stryker Corp. , 926 F. Supp. 2d 1255, 1258–59 (D. Wyo. 2013) (the last event necessary for negligence claims is the injury). Plaintiffs allege that t...