In re Blackbaud, Inc., Customer Data Breach Litig., No. 3:20-mn-02972-JMC, MDL No. 2972, 2021 WL 3568394 (D.S.C. Aug. 12, 2021)
Query whether this kind of case will come out differently as
TransUnion v. Ramirez gets further assimilated into the law.
Blackbaud (good name!) “provides data collection and
maintenance software solutions for administration, fundraising, marketing, and
analytics to social good entities such as non-profit organizations,
foundations, educational institutions, faith communities, and healthcare
organizations.”
It stores both PII and Protected Health Information from its
customers’ donors, patients, students, and congregants. Plaintiffs “represent a
putative class of individuals whose data was provided to Blackbaud’s customers
and managed by Blackbaud,” thus they weren’t direct customers of Blackbaud.
In early 2020, “cybercriminals orchestrated a two-part
ransomware attack on Blackbaud’s systems,” copying plaintiffs’ data and holding
it for ransom. The cybercriminals then attempted but failed to block Blackbaud
from accessing its own systems. “Blackbaud ultimately paid the ransom in an
undisclosed amount of Bitcoin in exchange for a commitment that any data
previously accessed by the cybercriminals was permanently destroyed.” [Um. That
commitment seems … hard to believe?]
Plaintiffs alleged that the attack resulted from Blackbaud’s
“deficient security program” and failure to comply with industry and regulatory
standards. Its forensic report found that “names, addresses, phone numbers,
email addresses, dates of birth, and/or SSNs” were disclosed in the breach but allegedly
improperly concluded that there was no credit card data taken. Plaintiffs also
alleged that Blackbaud failed to provide them with timely and adequate notice
of the attack and the extent of the resulting data breach. In its July 2020
disclosures, Blackbaud asserted that the cybercriminals did not access credit
card information, bank account information, or SSNs. But its September 2020
Form 8-K with the Securities and Exchange Commission said that SSNs, bank
account information, usernames, and passwords might have been taken. This
litigation followed.
This opinion addresses certain statutory claims, highlighting
variation around the country in both specific data breach and general consumer
protection claims.
California Consumer Privacy Act:
The CCPA
provides a private right of action
for actual or statutory damages to “[a]ny consumer whose nonencrypted and
nonredacted personal information ... is subject to an unauthorized access and
exfiltration, theft, or disclosure as a result of the business’s violation of
the duty to implement and maintain reasonable security procedures and practices
appropriate to the nature of the information to protect the personal
information[.]”
Blackbaud argued that it was not a “business” regulated by
the Act. Short answer: it was adequately alleged to be one.
California Confidentiality of Medical Information Act: One
plaintiff plausibly alleged that her “medical information” was disclosed during
the attack, and that Blackbaud plausibly qualified as a “medical provider”
under the CMIA despite its lack of direct contact with her.
Florida Deceptive and Unfair Trade Practice Act: Monetary
recovery requires “(1) a deceptive act or unfair practice; (2) causation; and
(3) actual damages.” Blackbaud’s alleged bad practices were failing to adopt
reasonable security measures and adequately notify customers and Plaintiffs of
the data breach; misrepresenting that certain sensitive PII was not exposed
during the breach, that it would protect Plaintiffs’ PII, and that it would
adopt reasonable security measures; and concealing that it did not adopt
reasonable security measures. However, the Florida plaintiffs failed to sufficiently
allege actual damages, which under FDUTPA are “economic damages related solely
to a product or service purchased in a consumer transaction infected with
unfair or deceptive trade practices or acts.” A plaintiff may not recover for
“damage to property other than the property that is the subject of the consumer
transaction.” Here, Blackbaud’s data management software was “the property that
is the subject of the consumer transaction,” not the data itself. And these
plaintiffs didn’t allege damage to that property, only to their own bank
accounts, emotional well-being, and data.
However, the Florida plaintiffs did state a claim for
injunctive relief, since FDUTPA makes “declaratory and injunctive relief
available to a broader class of plaintiffs than could recover damages,” as long
as a plaintiff is “a person ‘aggrieved’ by the deceptive act or practice.” Plaintiffs
alleged that Blackbaud’s misrepresentations and omissions about its security
efforts and the scope of the Ransomware Attack “prompted them to take
mitigation efforts out of fear that they were at an increased risk for fraud or
identity theft.”
New Jersey Consumer Fraud Act: Blackbaud argued that its
services weren’t within the scope of the NJCFA because it sells services to
sophisticated businesses and entities, not the general public. The NJCFA prohibits
a person from using an “unconscionable commercial practice, deception, fraud,”
or the like “in connection with the sale or advertisement of any merchandise or
real estate.” Merchandise is defined as “any objects, wares, goods, commodities,
services or anything offered, directly or indirectly to the public for sale.” New
Jersey courts have said that the law’s applicability “is limited to consumer
transactions which are defined both by the status of the parties and the nature
of the transaction itself.” Although the NJCFA does not define “consumer,” New
Jersey courts have interpreted the term to mean “one who uses economic goods
and so diminishes or destroys their utilities.” A plaintiff does not qualify as
a “consumer” if they do not purchase a product for consumption. Thus, the NJ
plaintiffs weren’t “consumers” entitled to the protection of the NJCFA. Nor
were donations to the entities that transacted with Blackbaud enough. Donors
are not “consumers” under the NJCFA because they are “not being approached in
their commonly accepted capacity as consumers” and a donation “involves neither
commercial goods nor commercial services.” Plaintiffs didn’t allege that they
purchased or used Blackbaud’s services, knew Blackbaud existed, or perceived
that Blackbaud managed their data.
New York General Business Law § 349: This requires a
consumer-oriented practice, which occurs if it has “a broader impact on
consumers at large,” or “something more than a single-shot consumer transaction
or a contract dispute unique to the parties.” However, GBL § 349 does “not
impose a requirement that consumer-oriented conduct be directed to all members
of the public[.]” Unsurprisingly, the allegations here adequately established
consumer-oriented conduct.
Privity isn’t required under GBL § 349, so it was irrelevant
that the NY plaintiffs weren’t direct consumers of Blackbaud. Section 349(h)
specifically empowers “[a]ny person who has been injured by reason of any
violation of this section” to bring an action. GBL § 349(h). “The critical
question, then, is whether the matter affects the public interest in New York,
not whether the suit is brought by a consumer or a competitor.”
Pennsylvania Unfair Trade Practices and Consumer Protection
Law: The UTPCPL provides a private cause of action to “[a]ny person who
purchases or leases goods or services primarily for personal, family or
household purposes and thereby suffers any ascertainable loss of money or
property, real or personal, as a result of the use or employment by any person
of a method, act or practice declared unlawful” by the Act. “It is the
plaintiff’s burden to prove justifiable reliance in the complaint.” Again
unsurprisingly, the Pennsylvania plaintiff failed to sufficiently allege
reliance on Blackbaud’s misrepresentations and omissions. She instead alleged
that she was “required to provide her PHI to her healthcare provider as a
predicate to receiving healthcare services[,]” and didn’t allege that she knew
that Blackbaud maintained her data or that she was exposed to
representations Blackbaud made to her or her healthcare provider. Her
allegation that she “would not have entrusted her Private Information to one or
more Social Good Entities had she known that one of the entity’s primary cloud
computing vendors entrusted with her Private Information failed to maintain
adequate data security” was merely conclusory. Courts sometimes presume
reliance, but only in cases involving life-threatening defects.
South Carolina Data Breach Security Act: The provision plaintiffs
sued under covered only entities that “own[] or licens[e] computerized data or
other data that includes personal identifying information,” requiring them to
notify South Carolina residents in the event of a data breach; Blackbaud didn’t
own or license the data; its possession was insufficient. True, a separate
provision of the law required someone “maintaining computerized data or other
data that includes personal identifying information that the person does not
own” to notify the owner or licensee after a data breach, but plaintiffs didn’t
assert claims under that provision.