In re Blackbaud, Inc., Customer Data Breach Litig.

IN RE: BLACKBAUD, INC., CUSTOMER DATA BREACH LITIGATION

MDL No. 2972

No. 3:20-mn-02972-JMC

United States District Court, D. South Carolina, Columbia Division

August 12, 2021

ORDER AND OPINION

THIS DOCUMENT RELATES TO: ALL ACTIONS:

This matter is before the court on Defendant Blackbaud, Inc.'s (“Blackbaud”) Motion to Dismiss seven (7) of Plaintiffs' statutory claims pursuant to Federal Rule of Civil Procedure 12(b)(6). (ECF No. 110.) For the reasons set forth below, the court GRANTS IN PART and DENIES IN PART Blackbaud's Motion. (Id.)

I. RELEVANT BACKGROUND

Blackbaud is a publicly traded cloud software company incorporated in Delaware and headquartered in Charleston, South Carolina. (ECF No. 77 at 110-11 ¶ 419, 112 ¶ 424.) The company provides data collection and maintenance software solutions for administration, fundraising, marketing, and analytics to social good entities such as non-profit organizations, foundations, educational institutions, faith communities, and healthcare organizations (“Social Good Entities”). (Id. at 4 ¶ 4, 114 ¶ 430.) Blackbaud's services include collecting and storing Personally Identifiable Information (“PII”) and Protected Health Information (“PHI”) from its customers' donors, patients, students, and congregants. (Id. at 3 ¶ 2, 114 ¶ 429.)

In this action, Plaintiffs represent a putative class of individuals whose data was provided to Blackbaud's customers and managed by Blackbaud. (Id. at 6 ¶ 12.) Thus Plaintiffs are patrons of Blackbaud's customers rather than direct customers of Blackbaud. (ECF Nos. 92-1 at 9; 109 at 7-8.)

Plaintiffs assert that from February 7, 2020 to May 20, 2020 cybercriminals orchestrated a two-part ransomware attack on Blackbaud's systems (“Ransomware Attack”). (ECF No. 77 at 11-12 ¶ 25.) Cybercriminals first infiltrated Blackbaud's computer networks, copied Plaintiffs' data, and held it for ransom. (Id. at 11 ¶ 25, 137 ¶ 496; ECF No. 92-1 at 7.) When the Ransomware Attack was discovered in May 2020, the cybercriminals then attempted but failed to block Blackbaud from accessing its own systems. (Id.) Blackbaud ultimately paid the ransom in an undisclosed amount of Bitcoin in exchange for a commitment that any data previously accessed by the cybercriminals was permanently destroyed. (ECF Nos. 77 at 9 ¶ 20, 138 ¶ 499; 92-1 at 7.)

Plaintiffs maintain that the Ransomware Attack resulted from Blackbaud's “deficient security program[.]” (ECF No. 77 at 117-18 ¶ 439.) They assert that Blackbaud failed to comply with industry and regulatory standards by neglecting to implement security measures to mitigate the risk of unauthorized access, utilizing outdated servers, storing obsolete data, and maintaining unencrypted data fields. (Id. at 117-18 ¶ 439, 134 ¶ 486, 136 ¶ 491, 142 ¶ 510.)

Plaintiffs further allege that after the Ransomware Attack, Blackbaud launched a narrow internal investigation into the attack that analyzed a limited number of Blackbaud systems and did not address the full scope of the attack. (Id. at 143 ¶ 514.) On July 14, 2020, Blackbaud received the investigation report (“Forensic Report”) which acknowledged that “names, addresses, phone numbers, email addresses, dates of birth, and/or SSNs” were disclosed in the breach but stated that the investigation was “unable to detect credit card data while reviewing exfiltrated data[.]” (Id. at 143 ¶ 514 n.112, 144 ¶ 516, 154 ¶ 549.) Plaintiffs claim the Forensic Report “improperly concludes that no credit card data was exfiltrated” because “such data could have existed in the unexamined database files.” (Id. at 144 ¶ 516.)

Plaintiffs contend that Blackbaud failed to provide them with timely and adequate notice of the Ransomware Attack and the extent of the resulting data breach. (Id. at 130-31 ¶ 473.) They claim that they did not receive notice of the Ransomware Attack “until July of 2020 at the earliest[.]” (Id. at 156 ¶ 555.) On July 16, 2020, The NonProfit Times reported that Blackbaud had been the subject of a ransomware attack and data breach and Blackbaud issued a statement about the Ransomware Attack on its website. (Id. at 9 ¶ 20, 138 ¶ 499.) In both disclosures, Blackbaud asserted that the cybercriminals did not access credit card information, bank account information, or SSNs. (Id.)

Plaintiffs allege that they subsequently received notices of the Ransomware Attack from various Blackbaud customers at different points in time from July 2020 to January 2021. (See, e.g., id. at 25 ¶ 63, 29 ¶ 82, 32 ¶ 93, 109 ¶ 414.) They maintain that some of the notices stated that SSNs, credit card data, and bank account information were not accessed during the Ransomware Attack while others stated that SSNs but not credit card data or bank account information were exposed during the Ransomware Attack. (See, e.g., id. at 25 ¶ 64, 29 ¶ 82, 52 ¶ 173, 65 ¶ 230.)

Plaintiffs maintain that although Blackbaud initially represented that sensitive information such as SSNs and bank account numbers were not compromised in the Ransomware Attack, Blackbaud informed certain customers in September and October 2020 that SSNs and other sensitive data were in fact stolen in the breach. (Id. at 141-42 ¶ 509.) Additionally, on September 29, 2020, Blackbaud filed a Form 8-K with the Securities and Exchange Commission stating that SSNs, bank account information, usernames, and passwords may have been exfiltrated during the Ransomware Attack. (Id. at 12 ¶ 26, 143 ¶ 512.)

After the Ransomware Attack was made public, putative class actions arising out of the intrusion into Blackbaud's systems and subsequent data breach were filed in state and federal courts across the country. (ECF No. 1 at 1.) On December 15, 2020, the Judicial Panel on Multidistrict Litigation consolidated all federal litigation related to the Ransomware Attack into this multidistrict litigation (“MDL”) for coordinated pretrial proceedings.^[1] (Id. at 3.)

On April 2, 2021, thirty-four (34) named Plaintiffs^[2] from twenty (20) states filed a Consolidated Class Action Complaint (“CCAC”) alleging that their PII and/or PHI was compromised during the Ransomware Attack. (ECF No. 77.)^[3] They assert six (6) claims on behalf of a putative nationwide class as well as ninety-one (91) statutory claims on behalf of putative state subclasses. (Id. at 173 ¶ 627 - 424 ¶ 1815.)

To facilitate the efficient resolution of the litigation, the court ordered that the first phase of motions practice address jurisdictional issues, certain statutory claims, and specific common law claims. (ECF Nos. 23 at 2; 78 at 1.) On May 3, 2021, Blackbaud filed a Motion to Dismiss for Lack of Subject Matter Jurisdiction pursuant to Federal Rule of Civil Procedure 12(b)(1) (“Jurisdictional Motion to Dismiss”). (ECF No. 92.) The court denied Blackbaud's Jurisdictional Motion to Dismiss on July 1, 2021. (ECF No. 121.)

Blackbaud filed the instant Motion to Dismiss pursuant to Rule 12(b)(6) on June 4, 2021, contending that Plaintiffs' California Consumer Privacy Act of 2018 (“CCPA”), Cal. Civ. Code §§ 1798.100-1798.199.95; California Confidentiality of Medical Information Act (“CMIA”), Cal. Civ. Code §§ 56-56.265; Florida Deceptive and Unfair Trade Practices Act (“FDUTPA”), Fla. Stat. §§ 501.201-501.213; New Jersey Consumer Fraud Act (“NJCFA”), N.J. Stat. Ann. §§ 56:81-56:8-20; New York General Business Law (“GBL”) § 349; Pennsylvania Unfair Trade Practices and Consumer Protection Law (“UTPCPL”), 73 P.S. §§ 201-1-201-9.2; and South Carolina Data Breach Security Act (“SCDBA”), SC Code Ann. § 39-1-90, claims (collectively, “Select Statutory Claims”) should be dismissed for failure to state a claim. (ECF No. 110.) Plaintiffs filed a Response on July 6, 2021. (ECF No. 123.) The court held a hearing on the Motion on July 20, 2021. (ECF Nos. 136, 137.)

II. LEGAL STANDARD

A. Applicable Law

In federal diversity actions, federal law governs procedural issues and state law governs substantive issues. See Dixon v. Edwards, 290 F.3d 699, 710 (4th Cir. 2002). In the MDL context, a transferee court must apply federal law as interpreted by the circuit where the transferee court sits to matters of procedure. See, e.g., In re Porsche Cars North America, Inc., 880 F.Supp.2d 801, 815 (S.D. Ohio 2012); McGuffie v. Mead Corp., 733 F.Supp.2d 592, 594 (E.D. Pa. 2010). Accordingly, the court will apply the United States Court of Appeals for the Fourth Circuit's interpretation of federal procedural law. In contrast, the court “must apply the jurisprudence of the relevant state's highest court or, if it has not spoken to the issue, predict how the state's highest court would rule” to analyze Plaintiffs' state statutory claims. In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig., 440 F.Supp.3d 447, 467 (D. Md. 2020) (citing Erie Railroad Co. v. Tompkins, 304 U.S. 64, 58 (1938); Private Mortg. Inv. Servs., Inc. v. Hotel & Club Assocs., Inc., 296 F.3d 308, 312 (4th Cir. 2002)).

B. Motion to Dismiss

A motion to dismiss pursuant to Rule 12(b)(6) “challenges the legal sufficiency of a complaint.” Francis v. Giacomelli, 588 F.3d 186, 192 (4th Cir. 2009). It is not intended to “‘resolve contests surrounding the facts, the merits of a claim, or the applicability of defenses.'” Presley v. City of Charlottesville, 464 F.3d 480, 483 (4th Cir. 2006) (quoting Edwards v. City of Goldsboro, 178 F.3d 231, 243 (4th Cir. 1999)).

A complaint must contain a “short and plain statement of the claim showing that the pleader is entitled to relief.” Fed.R.Civ.P. 8(a)(2). Thus, “[t]o survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.'” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2...