Data breach plaintiffs defeat Blackbaud’s third motion to dismiss

Plaintiffs alleging software company Blackbaud Inc. failed to secure or protect the private information of tens-of-thousands of its clients, leading to a ransomware attack affecting millions, defeated Blackbaud’s third motion to dismiss on Oct. 19, 2021.

Motley Rice attorney Marlon Kimpson is co-lead counsel for plaintiffs in the multidistrict litigation, which is filed in U.S. District Court for the District of South Carolina, along with Amy Keller of DiCello Levitt Gutzler LLC; Harper Segui of Milberg Coleman Bryson Phillips Grossman, PLLC; and Krysta Kauble Pachman of Susman Godfrey L.L.P.

In its third motion to dismiss brought in the MDL, Blackbaud argued that the Consolidated Amended Class Action Complaint’s negligence, negligence per se, and gross negligence claims should be dismissed, proclaiming that Plaintiffs’ were “strangers” to whom Blackbaud did not owe any common-law duties. Blackbaud also sought dismissal of the Plaintiffs’ claim for unjust enrichment.

The Court, however, found that Plaintiffs’ claims asserting negligence and gross negligence could proceed.

The Court’s order concluded that Blackbaud’s contracts with its clients (the “Social Good Entities”), who collected data from Plaintiffs, “support recognition of a duty [of care] to Plaintiffs because the purpose of the contracts was to maintain and secure Plaintiffs’ Private Information.” The Court recognized in the order that Blackbaud “has the greatest amount of control over the security of the data that is stored…. Thus, Blackbaud remains in the best position to prevent harm associated with a data breach to its systems.” Accordingly, the Court found that “Plaintiffs have alleged facts showing a special circumstance sufficient to impose a common law duty arising from Blackbaud’s contracts with the Social Good Entities.”

“We are pleased that the Court recognized the viability and importance of the common-law claims in this case. We look forward to showing Blackbaud failed to meet the duty of care of the named plaintiffs and the class,” said Motley Rice attorney and co-lead counsel for the plaintiffs, Marlon Kimpson. “We welcome the opportunity to continue to litigate this significant data security case.”

Blackbaud is a publicly-traded company based in South Carolina and provides cloud-based services for a variety of organizations including charitable foundations, educational and health institutions, religious organizations and non-profit groups in the U.S. and abroad. Cybercriminals launched a ransomware attack on the company in February 2020, and three months passed before Blackbaud discovered and stopped the attack. Blackbaud waited another two months before alerting the public in July 2020. Plaintiffs allege millions of names, addresses, phone numbers, bank information and other personal information – including that of children – may have been compromised in the attack.

The case is In Re Blackbaud Inc Customer Data Security Breach Litigation (MDL 2972), U.S. District Court for the District of South Carolina, No. 3:20-MN-02972.

Read the order denying the motion to dismiss.

Read the full complaint.