On June 28, 2022, a federal trial court in South Carolina ruled that a group of consumers could proceed with common law negligence and gross negligence claims if they could meet the state law elements where the breached servers were located—in this case, Massachusetts. In re Blackbaud, Inc. Customer Data Breach Litigation, Case No.: 3:20-mn-02972-JFA, MDL No. 2972 (D.S.C. June 28, 2022). We previously covered this court’s October 2021 ruling that the plaintiffs could sue Blackbaud directly, and not the charitable organizations to which it provided the services.
Blackbaud provides data collection and maintenance software solutions for administration, fundraising, marketing, and analytics services to various charitable organizations, including healthcare, religious, and educational institutions as well as various foundations. In this case, the plaintiffs are customers, donors, etc. of those charitable organizations, and not directly customers of Blackbaud.
According to the class action complaint, Blackbaud was subject to a two-part ransomware attack, commencing February 7, 2020 and continuing through May 20, 2020. The complaint alleged that cybercriminals first infiltrated Blackbaud’s computer networks, copied Plaintiffs’ data, and held it for ransom. The threat actors attempted to prevent Blackbaud from accessing its own system, but that tactic failed. Blackbaud paid the ransom, in exchange for a commitment that the threat actors would permanently destroy any data accessed.
The plaintiffs took issue with several aspects of this security event, claiming, among other things, that:
- Blackbaud did not comply with industry and regulatory standards for security by “by neglecting to implement security measures to mitigate the risk of unauthorized access, utilizing outdated servers, storing obsolete data, and maintaining unencrypted data fields”
- Blackbaud failed to provide timely or accurate notice. Plaintiffs claimed that they did not receive notice until July 2020 at the earliest, and were told that information such as Social Security Numbers and bank account numbers had not been compromised. In contrast, Blackbaud’s September 29, 2020 public 8-K filing with the U.S. Securities and Exchange Commission stated that SSNs, bank account information, usernames, and passwords may have been exfiltrated during the ransomware attack.
The court initially believed (in October of 2021) that it lacked sufficient information to determine which state’s law would apply so, in light of Blackbaud’s headquarters being located in South Carolina—and, presumably, its servers as well—the court decided to apply South Carolina law.
The parties conducted additional discovery following the court’s ruling and Blackbaud stated that its domestic data centers were located in Massachusetts, Texas, California, and New Jersey, and the servers housing plaintiffs’ data were located solely in Massachusetts.
The parties had agreed that South Carolina choice of law principles applied this this action. Under South Carolina law, with respect to torts, the governing law is the law of the place in which the injury occurred.
The plaintiffs argued that the South Carolina test meant that the law of each plaintiff’s state of residency should apply because the injury occurred there. Blackbaud argued that South Carolina law should apply because all security decisions were made at Blackbaud’s headquarters in South Carolina. The court disagreed with both of them.
The court found that the injury occurred where the servers were attacked—in Massachusetts. The company’s decisions made in South Carolina “may have contributed to the breach, but they were not the last act necessary to establish the cause of action.” As for the plaintiffs’ argument, the court stated:
The actual identity theft, emotional distress, and time and/or money spent to mitigate the harm all flow from the initial injury – the exposure of Plaintiffs’ PI. Plaintiffs’ alleged injury and the last event necessary for Blackbaud to be potentially liable in tort, was the cybercriminals’ breach into the PI data servers.
If other courts follow this ruling, it could complicate organization’s IT architecture decisions, as well as litigation. Effectively, this ruling could mean that a company is subjecting itself to the breach laws of any jurisdiction in which the company stores data even if the company and the relevant data subjects have no other contact with that jurisdiction. This result is further complicated by the use of third parties to store data because they may store information in unexpected locations and/or change data centers during the course of the relationship–which theoretically could change a company’s legal exposure (even if the type of data and quality of data security remained constant).
Moreover, in this case, all of the impacted data was stored in one location in one jurisdiction, but this singular location did not have to be the case. Many organizations use (and connect) multiple data centers in multiple jurisdictions. A cyber incident could impact data spread across multiple locations. In fact, a single data subject could have data impacted in multiple locations. Would the data subject’s rights change depending on which data center the data happened to be in at the time of the event (this is especially arbitrary given that data could move between centers for IT optimization or other reasons (in fact, it could change even during the event itself))? Would companies elect to store data in countries that do not permit individuals to have a private right of action, but not disclose that fact? What about data that was taken in transit?
This ruling appears straightforward in this particular instance and under this particular set of facts, but when applied to common IT architectures of even moderately complex companies, this decision becomes extremely complicated and difficult to apply (and that is without considering that many business continuity and archiving systems are specifically designed to store data in separate remote (i.e. geographically distant) data centers that could also be impacted).