On October 19, 2021, a federal trial court in South Carolina ruled that a group of consumers could proceed with common law negligence and gross negligence claims directly against a vendor of the organizations they dealt with, where that vendor, and not the organizations themselves, had suffered the security breach. In re Blackbaud, Inc. Customer Data Breach Litigation, Case No.: 3:20-mn-02972-JMC, MDL No. 2972 (D.S.C. Oct. 19, 2021). The court therefore denied the vendor's motion to dismiss these counts of the plaintiffs' complaint, although it did grant the motion to dismiss the plaintiffs' negligence per se and unjust enrichment claims.

Background

Blackbaud provides data collection and maintenance software for administration, fundraising, marketing, and analytics to charitable organizations, including healthcare, religious, and educational institutions as well as various foundations. The plaintiffs in this case are customers, donors, and other constituents of those charitable organizations; they are not themselves customers of Blackbaud and have no contract with it.

According to the class action complaint, Blackbaud was subject to a two-part ransomware attack, commencing February 7, 2020 and continuing through May 20, 2020.  The complaint alleged that cybercriminals first infiltrated Blackbaud’s computer networks, copied Plaintiffs’ data, and held it for ransom.  The threat actors attempted to prevent Blackbaud from accessing its own system, but that tactic failed.  Blackbaud paid the ransom, in exchange for a commitment that the threat actors would permanently destroy any data accessed.

The plaintiffs took issue with several aspects of this security event, claiming, among other things, that:

  • Blackbaud did not comply with industry and regulatory standards for security, "by neglecting to implement security measures to mitigate the risk of unauthorized access, utilizing outdated servers, storing obsolete data, and maintaining unencrypted data fields"
  • Blackbaud failed to provide timely or accurate notice. Plaintiffs claimed that they did not receive notice until July 2020 at the earliest, and were told at that time that information such as Social Security numbers and bank account numbers had not been compromised. In contrast, Blackbaud's September 29, 2020 Form 8-K filing with the U.S. Securities and Exchange Commission stated that SSNs, bank account information, usernames, and passwords may have been exfiltrated during the ransomware attack.

The court concluded that it lacked sufficient information to determine which state's law should govern the claims and, because Blackbaud is headquartered in South Carolina (and, presumably, its servers are located there as well), applied South Carolina law.

The Decision

South Carolina law requires the familiar four elements to prove a negligence claim: a duty owed to the plaintiffs, a breach of that duty, damage to the plaintiffs, and proximate causation of that damage by the breach. The court ruled, again at the motion to dismiss stage, that Blackbaud owed a duty to the plaintiffs. The court stated: "Blackbaud's customers use its services to collect and protect information of third parties, including Plaintiffs. Therefore, . . . Blackbaud's contracts with the Social Good Entities support recognition of a duty to Plaintiffs because the purpose of the contracts was to maintain and secure Plaintiffs' Private Information."

The court also rejected Blackbaud's argument that, because it is a SaaS provider, its customers rather than Blackbaud controlled the personal data. The court found:

Even if the customizable nature of Blackbaud’s services gives its customers primary control of the data, however, Blackbaud still has the greatest amount of control over the security of the data that is stored. . . . Thus, Blackbaud remains in the best position to prevent harm associated with a data breach to its systems. Accordingly, the court finds Plaintiffs have alleged facts showing a special circumstance sufficient to impose a common law duty arising from Blackbaud’s contracts with the Social Good Entities.

Blackbaud also argued that it had no duty to protect the plaintiffs from the unlawful conduct of a third-party criminal actor. Plaintiffs responded that, under South Carolina law, an exception to that general rule applied here: Blackbaud had a duty to protect them from the criminal conduct of third parties because Blackbaud's own negligent conduct, its failure to use reasonable security measures, created the risk. The plaintiffs alleged that "despite Blackbaud's acknowledgement of the risk of cyberattacks and repeated notifications of the inadequacy of its systems, Blackbaud failed to correct, update, or upgrade its security protections." The court ruled that "Plaintiffs have alleged facts supporting the application of this exception to the general rule that there is no duty to protect another from the conduct of third parties."

Therefore, the court concluded, “Based upon the foregoing, the court finds Plaintiffs have alleged sufficient facts to support their assertion that Blackbaud owed them a duty based on the special circumstances of Blackbaud’s contracts with the Social Good Entities and Blackbaud’s alleged creation of the risk.”

Takeaways

Although this case is at a very early (motion to dismiss) stage, three points stand out:

  1. If consumers can sue parties with which they have no direct contact, or even a contract, cyberinsurance may become more difficult and more expensive to obtain, because a vendor's liability is no longer bounded by its own customer base and may become almost unlimited.
  2. We note that the plaintiffs' negligence and gross negligence claims rested in part on Blackbaud's alleged "storing obsolete data." As we have previously written, over-retention of personal data can be expensive. Data that has already been deleted under an enforced retention schedule cannot be exfiltrated, so a retention policy that is actually applied reduces both the impact of a breach and the class of people who can claim to have been harmed by it.
  3. The court's reasoning that the SaaS provider "remains in the best position to prevent harm" because it controls the security of the stored data, even where customers configure and control the data itself, means that customer-configurable features do not shift a provider's duty for the security of the platform on which that data sits.