In the early months of 2020, cybercriminals orchestrated a ransomware attack on Blackbaud Inc., a cloud software company headquartered in Charleston, South Carolina, that provides data collection and maintenance software solutions to non-profit organizations, foundations, educational institutions, faith communities, and healthcare organizations. Blackbaud’s services include collecting and storing personally identifiable information (PII) and protected health information (PHI) from its customers’ donors, patients, students, and congregants.
The ransomware attack resulted in the cybercriminals’ acquisition of PII and PHI stored in Blackbaud’s network. Following the discovery of the attack, a number of the constituents of Blackbaud’s customers filed suit against Blackbaud. The plaintiffs alleged the cyberattack resulted from Blackbaud’s “deficient security program” and that Blackbaud failed to comply with industry and regulatory standards by neglecting to implement security measures to mitigate the risk of cyber-threats.
In December 2020, all of the suits filed against Blackbaud in federal court were consolidated into a single multi-district litigation action in the United States District Court for the District of South Carolina.
The District of South Carolina’s Ruling
On October 19, 2021, the court denied Blackbaud’s motion to dismiss plaintiffs’ negligence and gross negligence claims. In its motion to dismiss, Blackbaud argued that because the plaintiffs – constituents of Blackbaud’s customers – were third parties with no direct relationship to Blackbaud, Blackbaud did not owe plaintiffs a common law duty of care, and so their negligence claims failed as a matter of law.
The court disagreed. Relying on the analysis in Shaw v. Psychmedics Corp., the court found that because Blackbaud’s customers “use its services to collect and protect” the information of third parties, the contractual relationship between Blackbaud and its customers “support[s] recognition of a duty” to the plaintiffs.
Further, despite Blackbaud’s argument that its status as a software-as-a-service provider meant that its customers had primary control over the plaintiffs’ data, the court found that Blackbaud “still has the greatest amount of control over the security of the data that is stored” and was therefore “in the best position to prevent harm associated with a data breach to its systems.” As a result, the court held that the plaintiffs had established a special relationship “sufficient to impose a common law duty arising from Blackbaud’s contracts” with its customers.
Implications for SaaS Providers
SaaS providers should be wary of attempting to avoid liability to their customers’ users by arguing that their customers are primarily responsible for the security of the users’ data. Further, common law claims such as those at issue in this case can make it difficult to obtain dismissal of claims brought by individuals who have no contractual relationship with the SaaS provider. SaaS providers should take note of this precedent and stay focused on maintaining up-to-date and effective security measures to protect the sensitive information with which they are entrusted, regardless of whether those individuals have a direct relationship with the SaaS provider.
Adams and Reese’s Privacy, Cybersecurity, and Data Management team will continue to monitor the latest developments in the areas of data breach litigation and information security.