On August 12, 2021, Judge Childs of the United States District Court for the District of South Carolina declined to dismiss claims against Blackbaud premised on California’s California Consumer Privacy Act (“CCPA”). The claims relate to a well-publicized ransomware attack on the company in early 2020.
Blackbaud is a cloud software company that “provides data collection and maintenance software solutions for administration, fundraising, marketing, and analytics to social good entities such as non-profit organizations, foundations, educational institutions, faith communities, and healthcare organizations.” Op. at 1. Blackbaud collected and stored both personally identifiable information and protected health information as part of its services for its customers. After an attack involving both ransomware and data exfiltration, Blackbaud reportedly paid a ransom in cryptocurrency, and the exchange included a commitment that any data previously obtained by attackers would be permanently destroyed.
Plaintiffs in the Blackbaud multidistrict litigation (“MDL”) assert that the ransomware incident was a result of Blackbaud’s “deficient security program” and that it did not address the full scope of the ransomware attack in its investigation of the attack. Id. at 2. Once the ransomware incident was made public, a number of lawsuits were filed. The federal litigation was consolidated into a MDL, and a Consolidated Class Action Complaint was filed on April 2, 2021. The court requested the briefing on motions to dismiss to be in two rounds with the first round to address jurisdictional issues pursuant to Rule 12(b)(1) and the second round to address 12(b)(6) issues. Id. at 4. The court denied the jurisdictional motion on July 1, 2021.
While plaintiffs asserted claims under numerous state laws, the court first addressed plaintiffs’ CCPA claims. The CCPA creates a private right of action for "actual or statutory damages to any consumer whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” Id. at 7-8 (quotation and alteration omitted).
Blackbaud argued it was not a “business” under the CCPA’s definition of the term, but rather a “service provider,” and therefore plaintiffs’ claims under the CCPA failed as a matter of law. Under the CCPA, a “service provider” is a for-profit entity that processes consumer personal data for a business based on a contract. A “business” is a for-profit entity “that is organized or operated for the profit or financial benefit of its shareholders or other owners that collects consumers’ personal information[;]” ““on the behalf of which that information is collected[;] or” (3) “that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information[.]” Id. at 8 (quoting Cal. Civ. Code § 1798.140(c)). In addition, a business must meet one of the following to qualify as a business under the CCPA: “(A) have annual gross revenues in excess of $25 million; (B) annually buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices; or (C) earn more than half of its revenue from selling consumers’ personal information.” Id. (quoting Cal. Civ. Code § 1798.140(c)).
The court acknowledged that few courts have addressed the provisions of the CCPA since the statute just took effect on January 1, 2020. The court ultimately determined Blackbaud was a “business” within the scope of the CCPA because the complaint alleged “Blackbaud and its direct customers determine the purposes and means of processing consumers’ personal information. Blackbaud uses consumers’ personal data to provide services at customers’ requests, as well as to develop, improve, and test Blackbaud’s services.” Id. at 8-9. The complaint also alleged Blackbaud develops software to process the personal information of its customers’ patrons. The California plaintiffs also alleged that Blackbaud had annual gross revenue over $25 million, the threshold under the CCPA.
In further support of its finding that Blackbaud could be a CCPA “business,” the court also pointed out that Blackbaud is registered as a “data broker” in California, and that “Cal. Civ. Code § 1798.99.80 provides that a ‘data broker’ is a ‘business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.’” Id. at 9 (quoting Cal. Civ. Code § 1798.99(d)) (emphasis in original). The court further noted that the provision uses the same definition of business as the CCPA. “Since an entity must qualify as a ‘business’ under the CCPA in order to be registered as a ‘data broker’ in California, Blackbaud’s alleged registration as a ‘data broker’ suggests that it is also a ‘business’ under the CCPA.” Id. at 9.
Finally, the court determined Blackbaud could be both a “service provider” and a “business” under the CCPA, and thus did not need to decide whether Blackbaud was a “service provider” under the CCPA in order to decide the motion to dismiss.
Based on its analysis, the court allowed the California plaintiffs’ CCPA claims, as well as other claims asserted by the plaintiffs, to go forward. However, the court dismissed some of the plaintiffs’ claims, including claims seeking damages under Florida’s Deceptive and Unfair Trade Practice Act (while still allowing claims for injunctive relief to go forward), New Jersey Consumer Fraud Act, the Pennsylvania Unfair Trade Practices and Consumer Protection Law, and the South Carolina Data Breach Security Act.