Ongoing litigation in the U.S. federal court system is reinforcing the idea that technology companies ultimately have responsibility for the data they collect.
The case in question is In Re Blackbaud Inc Customer Data Security Breach Litigation (MDL 2972), U.S. District Court for the District of South Carolina, No. 3:20-MN-02972.
Blackbaud is a publicly traded company based in South Carolina, which provides cloud-based services for a variety of organizations including charitable foundations, educational and health institutions, religious organizations and non-profit groups in the U.S. and abroad.
In February 2020, cybercriminals launched a ransomware attack on the company. Three months allegedly passed before Blackbaud discovered and stopped the attack. Blackbaud waited another two months before alerting the public in July 2020, according to a complaint.
The plaintiffs alleged specifically that Blackbaud Inc. failed to secure or protect the private information of tens-of-thousands of its clients. This allegedly led to millions of names, addresses, phone numbers, bank information and other personal information – including that of children – being compromised.
Blackbaud has moved to dismiss the claim three times, most recently on Oct. 19, 2021.
In the latest motion, Blackbaud argued that the plaintiffs’ negligence, negligence per se, and gross negligence claims should be dismissed, proclaiming that the plaintiffs were “strangers” to whom Blackbaud did not owe any common-law duties. Blackbaud also sought dismissal of the plaintiffs’ claim for unjust enrichment.
The court, however, found that the plaintiffs’ claims asserting negligence and gross negligence could proceed.
The Court’s order concluded that Blackbaud’s contracts with its clients (the “Social Good Entities”), who collected data from the plaintiffs, “support recognition of a duty [of care] to the plaintiffs because the purpose of the contracts was to maintain and secure the plaintiffs’ Private Information.” The court recognized in the order that Blackbaud “has the greatest amount of control over the security of the data that is stored…. Thus, Blackbaud remains in the best position to prevent harm associated with a data breach to its systems.”
Accordingly, the court found that the plaintiffs “have alleged facts showing a special circumstance sufficient to impose a common law duty arising from Blackbaud’s contracts with the Social Good Entities.”