Tuesday, August 17, 2021

data breaches can lead to a potpourri of claims

In re Blackbaud, Inc., Customer Data Breach Litig., No. 3:20-mn-02972-JMC, MDL No. 2972, 2021 WL 3568394 (D.S.C. Aug. 12, 2021)

Query whether this kind of case will come out differently as TransUnion v. Ramirez gets further assimilated into the law.

Blackbaud (good name!) “provides data collection and maintenance software solutions for administration, fundraising, marketing, and analytics to social good entities such as non-profit organizations, foundations, educational institutions, faith communities, and healthcare organizations.”

It stores both PII and Protected Health Information from its customers’ donors, patients, students, and congregants. Plaintiffs “represent a putative class of individuals whose data was provided to Blackbaud’s customers and managed by Blackbaud,” thus they weren’t direct customers of Blackbaud.

In early 2020, “cybercriminals orchestrated a two-part ransomware attack on Blackbaud’s systems,” copying plaintiffs’ data and holding it for ransom. The cybercriminals then attempted but failed to block Blackbaud from accessing its own systems. “Blackbaud ultimately paid the ransom in an undisclosed amount of Bitcoin in exchange for a commitment that any data previously accessed by the cybercriminals was permanently destroyed.” [Um. That commitment seems … hard to believe?]

Plaintiffs alleged that the attack resulted from Blackbaud’s “deficient security program” and failure to comply with industry and regulatory standards. Its forensic report found that “names, addresses, phone numbers, email addresses, dates of birth, and/or SSNs” were disclosed in the breach but allegedly improperly concluded that there was no credit card data taken. Plaintiffs also alleged that Blackbaud failed to provide them with timely and adequate notice of the attack and the extent of the resulting data breach. In its July 2020 disclosures, Blackbaud asserted that the cybercriminals did not access credit card information, bank account information, or SSNs. But its September 2020 Form 8-K with the Securities and Exchange Commission said that SSNs, bank account information, usernames, and passwords might have been taken. This litigation followed.

This opinion addresses certain statutory claims, highlighting variation around the country in both specific data breach and general consumer protection claims.

California Consumer Privacy Act :

The CCPA

provides a private right of action for actual or statutory damages to “[a]ny consumer whose nonencrypted and nonredacted personal information ... is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information[.]”

Blackbaud argued that it was not a “business” regulated by the Act. Short answer: it was adequately alleged to be one.

California Confidentiality of Medical Information Act: One plaintiff plausibly alleged that her “medical information” was disclosed during the attack, and that Blackbaud plausibly qualified as a “medical provider” under the CMIA despite its lack of direct contact with her.

Florida Deceptive and Unfair Trade Practice Act: Monetary recovery requires “(1) a deceptive act or unfair practice; (2) causation; and (3) actual damages.” Blackbaud’s alleged bad practices were failing to adopt reasonable security measures and adequately notify customers and Plaintiffs of the data breach; misrepresenting that certain sensitive PII was not exposed during the breach, that it would protect Plaintiffs’ PII, and that it would adopt reasonable security measures; and concealing that it did not adopt reasonable security measures. However, the Florida plaintiffs failed to sufficiently allege actual damages, which under FDUTPA are “economic damages related solely to a product or service purchased in a consumer transaction infected with unfair or deceptive trade practices or acts.” A plaintiff may not recover for “damage to property other than the property that is the subject of the consumer transaction.” Here, Blackbaud’s data management software was “the property that is the subject of the consumer transaction,” not the data itself. And these plaintiffs didn’t allege damage to that property, only to their own bank accounts, emotional well-being, and data.

However, the Florida plaintiffs did state a claim for injunctive relief, since FDUTPA makes “declaratory and injunctive relief available to a broader class of plaintiffs than could recover damages,” as long as a plaintiff is “a person ‘aggrieved’ by the deceptive act or practice.” Plaintiffs alleged that Blackbaud’s misrepresentations and omissions about its security efforts and the scope of the Ransomware Attack “prompted them to take mitigation efforts out of fear that they were at an increased risk for fraud or identity theft.”

New Jersey Consumer Fraud Act: Blackbaud argued that its services weren’t within the scope of the NJCFA because it sells services to sophisticated businesses and entities, not the general public. The NJCFA prohibits a person from using an “unconscionable commercial practice, deception, fraud,” or the like “in connection with the sale or advertisement of any merchandise or real estate.” Merchandise is defined as “any objects, wares, goods commodities, services or anything offered, directly or indirectly to the public for sale.” New Jersey courts have said that the law’s applicability “is limited to consumer transactions which are defined both by the status of the parties and the nature of the transaction itself.” Although the NJCFA does not define “consumer,” New Jersey courts have interpreted the term to mean “one who uses economic goods and so diminishes or destroys their utilities.” A plaintiff does not qualify as a “consumer” if they do not purchase a product for consumption. Thus, the NJ plaintiffs weren’t “consumers” entitled to the protection of the NJCFA. Nor were donations to the entities that transacted with Blackbaud enough. Donors are not “consumers” under the NJCFA because they are “not being approached in their commonly accepted capacity as consumers” and a donation “involves neither commercial goods nor commercial services.” Plaintiffs didn’t allege that they purchased or used Blackbaud’s services, knew Blackbaud existed, or perceived that Blackbaud managed their data.

New York General Business Law § 349: This requires a consumer-oriented practice, which occurs if it has “a broader impact on consumers at large,” or “something more than a single-shot consumer transaction or a contract dispute unique to the parties.” However, GBL § 349 does “not impose a requirement that consumer-oriented conduct be directed to all members of the public[.]” Unsurprisingly, the allegations here adequately established consumer-oriented conduct.

Privity isn’t required under GBL § 349, so it was irrelevant that the NY plaintiffs weren’t direct consumers of Blackbaud. Section 349(h) specifically empowers “[a]ny person who has been injured by reason of any violation of this section” to bring an action. GBL § 349(h). “The critical question, then, is whether the matter affects the public interest in New York, not whether the suit is brought by a consumer or a competitor.”

Pennsylvania Unfair Trade Practices and Consumer Protection Law: The UTPCPL provides a private cause of action to “[a]ny person who purchases or leases goods or services primarily for personal, family or household purposes and thereby suffers any ascertainable loss of money or property, real or personal, as a result of the use or employment by any person of a method, act or practice declared unlawful” by the Act. “It is the plaintiff’s burden to prove justifiable reliance in the complaint.” Again unsurprisingly, the Pennsylvania plaintiff failed to sufficiently allege reliance on Blackbaud’s misrepresentations and omissions. She instead alleged that she was “required to provide her PHI to her healthcare provider as a predicate to receiving healthcare services[,]” and didn’t allege that she knew that Blackbaud maintained her data or was that she was exposed to representations Blackbaud made to her or her healthcare provider. Her allegation that she “would not have entrusted her Private Information to one or more Social Good Entities had she known that one of the entity’s primary cloud computing vendors entrusted with her Private Information failed to maintain adequate data security” was merely conclusory. Courts sometimes presume reliance, but only in cases involving life-threatening defects.

South Carolina Data Breach Security Act: The provision plaintiffs sued under covered only entities that “own[] or licens[e] computerized data or other data that includes personal identifying information,” requiring them to notify South Carolina residents in the event of a data breach; Blackbaud didn’t own or license the data; its possession was insufficient. True, a separate provision of the law required someone “maintaining computerized data or other data that includes personal identifying information that the person does not own” to notify the owner or licensee after a data breach, but plaintiffs didn’t assert claims under that provision.  

No comments:

Post a Comment