In re Blackbaud, Inc., Customer Data Breach Litig.

MEMORANDUM OPINION AND ORDER

Joseph F. Anderson, Jr. United States District Judge

This matter is currently before the Court on Plaintiffs' Motion for Class Certification (ECF No. 292). The motion has been fully briefed and is ripe for review. Each party has also moved to exclude portions of the reports and testimony of the others' experts under Rule 702 of the Federal Rules of Evidence and Daubert v. Merrell Dow Pharm Inc., 509 U.S. 579, and those motions are fully briefed and pending as well. (ECF Nos. 335, 337, 339, 341, 343, 345, 418, 419, 420, 426). The Court held a three-day Daubert and class certification hearing from March 6-8, 2024, at which all pending motions were argued. Having reviewed Plaintiffs' Amended Consolidated Class Action Complaint, the parties' class certification briefs, the parties' Daubert briefs, the experts' reports, and the many volumes of exhibits, as well as the relevant law, this Court denies Plaintiffs' Motion for Class Certification (ECF No. 292) because of Plaintiffs' failure to meet their burden of proof as to ascertainability, grants in part Defendant's Motion to Exclude the Report and Testimony of C. Matthew Curtin, CISSP (ECF No. 341), denies Plaintiffs' Motion to Exclude the Report and Testimony of Sonya Kwon (ECF No. 419), and denies as moot all other pending Daubert motions.[1]

I. FACTUAL AND PROCEDURAL HISTORY

This case arises out of a data breach of Defendant Blackbaud's systems which occurred between approximately February 7, 2020 and May 20, 2020. Defendant is a publicly traded Software-as-a-Service (“SaaS”) company incorporated in Delaware and headquartered in Charleston, South Carolina. (ECF No. 194, p. 86). The company provides data collection services to a wide variety of “social good entities” including arts and cultural organizations, faith communities, foundations, healthcare organizations, higher education institutions, individual change agents, K-12 schools, and nonprofit organizations. These entities make up Defendant's customers, and Defendant serves them by collecting and storing the Personally Identifiable Information (“PII”) and Protected Health Information (“PHI”) belonging to these customers' donors, patients, students, and congregants, which this Court will refer to as Defendant's “constituents.” The constituents, rather than Defendant's customers, are the plaintiffs in this case. The parties estimate that as many as 1.5 billion constituents' data was exposed during the breach. (ECF No. 317-2, p. 75).

Although not directly pertinent to this order, the details of the data breach are as follows: Between February 7, 2020 and May 20, 2020, individuals this Court will refer to as “threat actors” infiltrated some of Defendant's data centers that are located in Massachusetts. (ECF No. 265). The threat actors' identity was and is unknown. The threat actors were able to access Defendant's remote desktop environment initially using a compromised customer account, and they were ultimately able to gain widespread access to Defendant's data centers. Plaintiffs allege that over 400 terabytes of data was successfully exfiltrated, and the threat actors subsequently demanded that Defendant pay a ransom in exchange for their deletion of the data. Defendant paid the ransom, but it never received any proof that the data had been deleted. (ECF No. 293, p. 9). Plaintiffs argue that the breach was able to occur and remain undetected for months because Defendant did not have adequate safeguards in place to prevent the breach. (ECF No. 293, pp. 9-10). Plaintiffs also criticize Defendant's remediation efforts after discovering the breach, contending that its response was negligent and misleading. (ECF No. 293, p. 9). Accordingly, Plaintiffs contend that putative class members' data remains susceptible to misuse and is actively being marketed on the dark web. (ECF No. 293, pp. 10-11).

In total, approximately ninety thousand backup files belonging to thirteen thousand Blackbaud customers and containing data belonging to approximately 1.5 billion constituents were impacted by the breach.[2] (ECF No. 329, p. 13). As shown in the chart below, Defendant provides, or at one point provided, those customers with varying combinations of eleven separate products. (ECF No. 342, p. 9).

(Image Omitted)

Defendant's customers can customize these products once they purchase them, and its customers have ultimate control over the data that is stored using these products, how it is stored, whether encrypted fields are used as designed by Defendant, and whether a product is customized to suit a given customer's specific needs.[3] (ECF No. 329, p. 13). As a result of the data breach, nearly 90,000 backup files containing data belonging to the 13,000 aforementioned customers were accessed. In other words, the threat actors accessed a slew of customer backup files during the breach, as opposed to the “live” databases that Defendant also maintains. (ECF No. 293, p. 28; ECF No. 329, p. 13).

In this action, Plaintiffs represent a putative class of individuals (or “constituents”) whose data was provided to Defendant's customers and was ultimately hosted by Defendant. They assert that their PII and PHI were compromised from February 7, 2020 to May 20, 2020, when threat actors successfully infiltrated Defendant's systems. After the breach was made public, lawsuits were filed in state and federal courts across the United States before eventually being consolidated into the instant multidistrict litigation (“MDL”) case before this Court. The Initial Transfer Order placing the MDL in the District of South Carolina was entered on December 15, 2020 (ECF No. 1), and the Consolidated Amended Complaint containing all claims that survived Defendant's Motion to Dismiss (ECF No. 124) was filed on February 3, 2022. (ECF No. 194). Following this Court's Order Granting in Part and Denying in Part Plaintiffs' Motion to Stage Class Certification Briefing (ECF No. 285), the instant Motion to Certify a Class was filed, addressing the subset of claims that the parties were instructed to brief.[4] (ECF No. 292).

Plaintiffs' Motion for Class Certification asks this Court to certify the following classes and sub-classes: “Nationwide negligence and gross negligence classes under Massachusetts common law” for “[a]ll natural persons residing in the United States whose unencrypted information was stored on the database of a customer identified in Exhibit A to Defendant's Revised Fact Sheet from February 7, 2020 to May 20, 2020”; a sub-class under the California Consumer Privacy Act (“CCPA”) consisting of “[a]ll natural persons residing in California whose unencrypted information (1) was stored on the database of a customer identified in Exhibit A to Defendant's Revised Fact Sheet from February 7, 2020 to May 20, 2020 and (2) contains the combination of data elements identified in Appendix 2 to this memorandum”; a sub-class under the California Confidentiality of Medical Information Act (“CMIA”) consisting of “[a]ll natural persons residing in California whose unencrypted information (1) was stored on the database of a customer identified in Exhibit A to Defendant's Revised Fact Sheet from February 7, 2020 to May 20, 2020 and (2) contains the combination of data elements identified in Appendix 2 to this memorandum”; a sub-class under the New York General Business Law (“N.Y. GBL”) consisting of “[a]ll natural persons residing in New York (1) whose unencrypted information was stored on the database of a customer identified in Exhibit A to Defendant's Revised Fact Sheet from February 7, 2020 to May 20, 2020, and (2) who viewed or were exposed to Blackbaud's post-breach representations regarding the scope of the breach and the ‘confirmation’ of destruction by the cybercriminals”; and lastly a sub-class under the Florida Deceptive and Unfair Trade Practices Act (“FDUTPA”) that seeks injunctive relief and would consist of “[a]ll natural persons residing in Florida (1) whose unencrypted information was stored on the database of a customer identified in Exhibit A to Defendant's Revised Fact Sheet from February 7, 2020 to May 20, 2020 and (2) who viewed or were exposed to Blackbaud's post-breach representations regarding the scope of the breach and the ‘confirmation’ of destruction by the cybercriminals.” (ECF No. 293, pp. 11-12). Plaintiffs ask this Court to certify these classes and sub-classes under Federal Rules of Civil Procedure 23(b)(2) and 23(b)(3). Defendant opposes Plaintiffs' motion on numerous grounds. Chief among them is that Plaintiffs have failed to show that a class is ascertainable under Rule 23 and Fourth Circuit precedent and further that the basic elements of Rule 23(a)-(b) are not met because “individual issues predominate.” (ECF No. 329, pp. 11-12).

II. LEGAL STANDARD
A. Class Certification
1. Federal Rule of Civil Procedure 23

Federal Rule of Civil Procedure 23(a) provides that class certification is proper only if: “(1) the class is so numerous that joinder of all members is impracticable; (2) there are questions of law or fact common to the class; (3) the claims or defenses of the representative parties are typical of the claims or defenses of the class; and (4) the representative parties will fairly and adequately protect the interests of the class.” Fed. R. Civ. P. 23(a).

Even if all elements of Rule 23(a) are met, the proposed classes and sub-classes must satisfy one of the three additional requirements for certification found in Rule 23(b). See EQT Prod. Co. v. Adair, 764 F.3d 347, 357 (4th Cir. 2014) (quoting Gunnells v. Healthplan...
