CYBER CORNER

COURT REFUSES TO DISMISS DATA BREACH SUIT AGAINST IT SERVICE PROVIDER

In re: Blackbaud Inc. Customer Data Breach Litig., No. 3:20-mn-02972 (D.S.C. Oct. 19, 2021)

A federal judge recently denied a cloud computing provider’s bid to dismiss a class action lawsuit brought against the company following a 2020 ransomware attack that plaintiffs allege compromised their data. 

The cloud provider serviced a range of healthcare organizations, educational institutions, and charities whom the plaintiffs had entrusted with their personal information. 

While dismissing several claims brought under various federal statutes, as well as a claim for unjust enrichment, the judge rejected the cloud provider’s argument that it owed no duty of care to the plaintiffs to safeguard their personal data. Although the court has yet to rule on the merits of the plaintiffs’ negligence claims, the judge found “the purpose of the contracts [between the cloud provider and the various entities] was to secure plaintiffs’ private information.” While the plaintiffs did not directly furnish their personal information to the cloud provider, the judge nevertheless found the nature of the cloud provider’s services put the company “in the best position to prevent harm associated with a data breach to its systems.”

The Takeaway

It remains to be seen whether the cloud provider will be found directly liable to these individuals for damages caused by the breach, but a judgment for the plaintiffs here could embolden plaintiffs’ attorneys looking for “deeper pockets” than might otherwise be available.