Blackbaud Decision a Mixed Bag for Data Breach Defendants

King & Spalding

On October 19, 2021, the District of South Carolina issued an order granting in part and denying in part a motion to dismiss claims brought against software provider Blackbaud in litigation stemming from a ransomware attack the company suffered in 2020. The order is a mixed bag for data breach class action defendants; it provides favorable analysis defendants can use to defeat certain data breach-based claims, but also features discussion that may make such claims more difficult to defeat in some circumstances, particularly when brought under South Carolina law.

  • Blackbaud provides fundraising, marketing, and analytics software for an array of non-profit organizations, including religious, educational, and healthcare institutions. In 2020, the company suffered a ransomware attack that led to the exposure of personally identifiable information (“PII”) and protected health information (“PHI”) of the patrons of Blackbaud’s customers (i.e., the “donors, patients, students, and congregants” of the aforementioned non-profits).
  • Following the announcement of the attack and resulting breach, dozens of actions were brought in federal court on behalf of putative classes of “individuals whose data was provided to Blackbaud’s customers and managed by Blackbaud.” The class actions were consolidated into an MDL proceeding in the District of South Carolina. The consolidated class action complaint in the MDL asserted an array of common law and statutory claims. Per a procedure the court developed for dealing with Rule 12(b)(6) motion practice, the court’s October 19 order considered only the plaintiffs’ negligence, negligence per se, gross negligence, and unjust enrichment claims.
  • Nearly half of the court’s order focused on choice-of-law issues. On the negligence claims, the court explained that under South Carolina choice-of-law principles, the law of the place of the “[p]laintiffs’ alleged injury” controlled. The court reasoned that the place of the alleged injury was “not necessarily the domicile of the plaintiffs”—where the plaintiffs presumably experienced their injuries—but was instead where “the last event necessary for Blackbaud to be potentially liable in tort” took place. Since that event “was the data being accessed by a third party,” the court determined that the plaintiffs’ injury occurred “where the breach occurred.” But since the court could not determine where the breach occurred on the pleadings, it defaulted to applying South Carolina law because South Carolina was both the forum and “the only Blackbaud location specifically enumerated in the [pleading stage] record.” The court determined South Carolina law should apply to the unjust enrichment claim as well because South Carolina was the place “where the benefit or enrichment was [allegedly] received” by Blackbaud.
  • The court began its discussion of the merits with the negligence and gross negligence claims, and, for both of those claims, focused almost exclusively on the duty element. The court found that Blackbaud owed the plaintiffs a duty to protect their PII and PHI under South Carolina law based primarily on the contractual relationship between Blackbaud and its customers (who, again, were not the plaintiffs but entities the plaintiffs were associated with). In so doing, the court relied primarily on a 2019 decision from the South Carolina Supreme Court, which held that “the contractual relationship between an employer and a drug testing laboratory . . . support[ed] the imposition of a duty of care owed by the laboratory to employees who are subject to testing.” Like courts in certain other data breach cases, the court found that this duty extended to the prevention of cyberattacks because, though those attacks were criminal acts of third parties, the plaintiffs alleged that Blackbaud knew of the risk of cyberattacks but nevertheless failed to take adequate measures to guard against those attacks. The court ended its discussion of the negligence claims by largely rejecting Blackbaud’s argument that the plaintiffs had failed to allege negligence-related damages and concluding that the plaintiffs had adequately stated claims for both negligence and gross negligence.
  • The plaintiffs based their negligence per se claims on Blackbaud’s purported violations of three federal statutes—the Health Insurance Portability and Accountability Act (“HIPAA”), the Federal Trade Commission Act, and the Children’s Online Privacy Protection Act (“COPPA”). The court found that South Carolina law required that the plaintiffs “show that [each] statute was designed to protect a particular individual or group of people and that [plaintiffs] are members of that group.” The court found that the plaintiffs had failed to make this showing for each of the three statutes at issue and accordingly dismissed the plaintiffs’ negligence per se claims. In so doing, the court noted that these statutes were not focused on the prevention of data breaches.
  • The court concluded its order with a discussion of plaintiffs’ unjust enrichment claim. In analyzing that claim, the court focused on the indirectness of the relationship between the plaintiffs and Blackbaud to conclude that the plaintiffs had not alleged that they conferred any benefit on Blackbaud as their unjust enrichment claim required.
  • Taken as a whole, the court’s order is both helpful and, in some respects, unhelpful for data breach defendants. The court’s discussion of a duty to protect PII and PHI is unhelpful, as it appears to expand the circumstances under which a contractual relationship that does not include putative class members can trigger such a duty. But the court’s discussion of the duty issue was specific to South Carolina law and may therefore be limited in its future reach. The court’s discussion of the plaintiffs’ negligence per se and unjust enrichment claims, in contrast, provides data breach defendants with fodder for defeating such claims in the future. And it is based on broader common law principles likely to govern negligence per se and unjust enrichment claims in other jurisdictions.

The case is No. 3:20-mn-02972-JMC, In re: Blackbaud, Inc. Customer Data Breach Litigation, and you can read the court’s full order here.
