Opinion
MDL 2972 Case 3:20-mn-02972-JMC
07-01-2021
ORDER AND OPINION
THIS DOCUMENT RELATES TO: ALL ACTIONS
This matter is before the court on Defendant Blackbaud, Inc.'s (“Blackbaud”) Motion to Dismiss for Lack of Subject Matter Jurisdiction pursuant to Federal Rule of Civil Procedure 12(b)(1) (ECF No. 92). Blackbaud contends that the court lacks subject matter jurisdiction over Plaintiffs' claims, specifically asserting that Plaintiffs do not have Article III standing because they failed to sufficiently allege that their injuries are traceable to Blackbaud's conduct. (ECF No. 92-1 at 7.) For the reasons set forth below, the court DENIES Blackbaud's Motion (ECF No. 92).
I. RELEVANT BACKGROUND
Blackbaud is a publicly traded cloud software company incorporated in Delaware and headquartered in Charleston, South Carolina. (ECF No. 77 at 110-11 ¶ 419, 112 ¶ 424.) The company provides data collection and maintenance solutions for administration, fundraising, marketing, and analytics to social good entities such as non-profit organizations, foundations, educational institutions, faith communities, and healthcare organizations. (Id. at 4 ¶ 4, 114 ¶ 430.) As a result of this business model, Blackbaud collects and stores Personally Identifiable Information (“PII”) and Protected Health Information (“PHI”) from its customers' donors, patients, students, and congregants. (Id. at 3 ¶ 2, 114 ¶ 429.)
In this action, Plaintiffs represent a putative class of individuals whose data was provided to Blackbaud's customers and managed by Blackbaud. (Id. at 6 ¶ 12.) Thus, Plaintiffs are patrons of Blackbaud's customers rather than direct customers of Blackbaud. (ECF Nos. 92-1 at 9; 109 at 7-8.) Specifically, Plaintiffs allege that Blackbaud collected, stored, and maintained the following categories of their data:
• Name;
• Address;
• Phone number;
• Email address;
• Date of birth;
• Demographic information;
• Social Security No. (“SSN”);
• Credit card information;
• Bank account information;
• Educational history;
• Healthcare records;
• Insurance information;
• Photo identification;
• Employer information;
• Income information;
• Donor contribution information; and • Other private information, including passwords, places of birth, and mothers' maiden names.(ECF No. 77 at 113 ¶ 427.) Plaintiffs assert that from February 7, 2020 to May 20, 2020, cybercriminals orchestrated a two-part ransomware attack on Blackbaud's systems (“Ransomware Attack”). (Id. at 11 ¶ 25.)
Cybercriminals first infiltrated Blackbaud's computer networks, copied Plaintiffs' data, and held it for ransom. (Id. at 11 ¶ 25, 137 ¶ 496; ECF No. 92-1 at 7.) They then attempted but failed to block Blackbaud from accessing its own systems upon being discovered in May 2020. (Id.)
Blackbaud ultimately paid the ransom in an undisclosed amount of Bitcoin in exchange for a commitment that any data previously accessed by the cybercriminals was permanently destroyed. (ECF No. 77 at 9 ¶ 20, 138 ¶ 499; ECF No. 92-1 at 7.) Plaintiffs maintain that the Ransomware Attack resulted from Blackbaud's “deficient security program[.]” (ECF No. 77 at 117-18 ¶ 439.) They assert that Blackbaud failed to comply with industry and regulatory standards by neglecting to implement security measures to mitigate the risk of unauthorized access, utilizing outdated servers, storing obsolete data, and maintaining unencrypted data fields . (Id. at 117-18 ¶ 439, 134 ¶ 486, 136 ¶ 491, 142 ¶ 510.) Plaintiffs further allege that after the Ransomware Attack, Blackbaud launched a narrow internal investigation into the attack that analyzed a limited No. of Blackbaud systems and did not address the full scope of the attack. (Id. at 143 ¶ 514.) On July 14, 2020, Blackbaud received the investigation report (“Forensic Report”) which acknowledged that “names, addresses, phone numbers, email addresses, dates of birth, and/or SSNs” were disclosed in the breach but stated that the investigation was “unable to detect credit card data while reviewing exfiltrated data[.]” (Id. at 143 ¶ 514 n.112, 144 ¶ 516, 154 ¶ 549.) Plaintiffs claim the Forensic Report “improperly concludes that no credit card data was exfiltrated” because “such data could have existed in the unexamined database files.” (Id. at 144 ¶ 516.) Plaintiffs contend that Blackbaud failed to provide them with timely and adequate notice of the Ransomware Attack and the extent of the resulting data breach. (Id. at 130-31 ¶ 473.) They claim that they did not receive notice of the Ransomware Attack “until July of 2020 at the earliest[.]” (Id. at 156 ¶ 555.) On July 16, 2020, The NonProfit Times reported that Blackbaud had been the subject of a ransomware attack and data breach and Blackbaud issued a statement about the Ransomware Attack on its website. (Id. at 9 ¶ 20, 138 ¶ 499.) In both disclosures,
Blackbaud asserted that the cybercriminals did not access credit card information, bank account information, or SSNs. (Id.) Plaintiffs allege that they subsequently received notices of the Ransomware Attack from various Blackbaud customers at different points in time from July 2020 to January 2021. (See, e.g., Id. at 25 ¶ 63, 29 ¶ 82, 32 ¶ 93, 109 ¶ 414.) They maintain that some of the notices stated that SSNs, credit card data, and bank account information were not accessed during the Ransomware Attack while others stated that SSNs but not credit card data or bank account information were exposed during the Ransomware Attack. (See, e.g., Id. at 25 ¶ 64, 29 ¶ 82, 52 ¶ 173, 65 ¶ 230.) Some of the notices also allegedly expressed frustration with Blackbaud's lack of transparency about the Ransomware Attack. For example, Plaintiffs claim that a data breach notice from the International Refugee Assistance Project notes that “[i]n full transparency, we have been dissatisfied with the level of information provided by Blackbaud following this breach[, ]” while a data breach notice from the American Civil Liberties Union states “[i]n all candor, we are frustrated with the lack of information we've received from Blackbaud about this incident thus far.” (Id. at 101 ¶ 378.) Plaintiffs maintain that although Blackbaud initially represented that sensitive information such as SSNs and bank account No. were not compromised in the Ransomware Attack, Blackbaud informed certain customers in September and October 2020 that SSNs and other sensitive data were in fact stolen in the breach. (Id. at 141-42 ¶ 509.) Additionally, the Form 8-K Blackbaud filed with the Securities and Exchange Commission on September 29, 2020 states that SSNs, bank account information, usernames, and passwords may have been exfiltrated during the Ransomware Attack. (Id. at 12 ¶ 26, 143 ¶ 512.)
After the Ransomware Attack was made public, putative class actions arising out of the intrusion into Blackbaud's systems and subsequent data breach were filed in state and federal courts across the country. (ECF No. 1 at 1.) On December 15, 2020, the Judicial Panel on Multidistrict Litigation consolidated all federal litigation related to the Ransomware Attack into this multidistrict litigation (“MDL”) for coordinated pretrial proceedings. (Id. at 3.)
As of July 1, 2021, this MDL is comprised of twenty-eight (28) class actions. An additional case is pending conditional transfer to this MDL. (ECF No. 116.)
On April 2, 2021, thirty-four (34) named Plaintiffs from twenty (20) states filed a Consolidated Class Action Complaint (“CCAC”) alleging that their PII and/or PHI was compromised during the Ransomware Attack. (ECF No. 77.) They assert six (6) claims on behalf of a putative nationwide class as well as ninety-one (91) statutory claims on behalf of putative state subclasses. (Id. at 173 ¶ 627 - 424 ¶ 1815.) Eighteen (18) named Plaintiffs allege that they received data breach notices informing them that their PHI may have been compromised while six (6) named Plaintiffs assert that they received data breach notices informing them that their SSNs may have been exposed. However, Plaintiffs claim that it is unclear how much of their personal information was actually compromised during the Ransomware Attack due to Blackbaud's previous inaccurate representations about the scope of the data breach. (Id. at 139 ¶ 501.)
All named Plaintiffs are identified in paragraphs forty-five (45) through 418 of the CCAC. (See ECF No. 77 at 20 ¶ 45 - 110 ¶ 418.)
The CCAC supersedes all other complaints in this MDL filed on behalf of Blackbaud's customer's patrons against Blackbaud. (ECF Nos. 23 at 4; 77.) Although the docket reflects that the CCAC was not publicly filed until April 16, 2021, Plaintiffs provided Blackbaud and the court with the CCAC on April 2, 2021 to facilitate the sealing process and maintain the cadence of this litigation. (ECF Nos. 66; 72; 76; 77.)
Plaintiffs Clayton (ECF No. 77 at 22 ¶ 52), Arman (id. at 40 ¶ 125), Garcia-Martinez (id. at 43 ¶ 135), Lofton (id. at 46 ¶ 146), Gignac (id. at 49 ¶ 161), Frontera (id. at 52 ¶ 172), Bishop (id. at 54-55 ¶ 182), Maher (id. at 57-58 ¶ 194), Glasper (id. at 60 ¶ 204), Mandel (id. at 62 ¶ 214), Peragine (id. at 70 ¶ 250), Martin (id. at 77 ¶ 279), Duranko (id. at 85 ¶ 311), Ford (id. at 88 ¶ 322), Watts (id. at 92 ¶ 344), Jason Money (id. at 95 ¶ 357), Nicole Money (id. at 98 ¶ 367), and Sheth (id. at 104 ¶ 391).
Plaintiffs Estes (ECF No. 77 at 27 ¶ 72), Regan (id. at 29 ¶ 82), Mitchell (id. at 32 ¶ 93), Carpenella (id. at 35 ¶ 103), Martin Roth (id. at 65-66 ¶ 230), and Rachel Roth (id. at 68 ¶ 240).
Blackbaud filed the instant Motion to Dismiss for lack of subject matter jurisdiction pursuant to Rule 12(b)(1) on May 3, 2021. (ECF No. 92.) As Blackbaud makes both facial and factual challenges to Plaintiffs' standing, the company filed two (2) exhibits with its Motion. (ECF Nos. 99; 100.) The first exhibit, the “Kroll Summary, ” summarizes an investigation by an external cybersecurity firm into whether named Plaintiffs' PII and/or PHI was publicly exposed as a result of the Ransomware Attack. (ECF No. 99.) The second exhibit, the “Stio Declaration, ” is comprised of Plaintiffs' Fact Sheets. (ECF No. 100.) On June 2, 2021, Plaintiffs filed a Response (ECF No. 109) as well as an exhibit, the “Worley Declaration, ” (ECF No. 109-1) evaluating the Kroll Summary's findings and methodology. The court held a hearing on the Motion on June 9, 2021. (ECF No. 112.)
The court observes that the Kroll Summary fails to address the exposure of Plaintiffs' PHI. The summary focuses on the exposure of Plaintiffs' PII through previous data breaches and Plaintiffs' social media accounts and only references one (1) other data breach involving the exposure of Plaintiffs' PHI. (See ECF No. 99.) However, the other data breach involving PHI only affected one (1) named Plaintiff and occurred in January 2021, months after the Ransomware Attack alleged here. (Id. at 42, 143.)
On June 28, 2021, Blackbaud filed a Notice of Supplemental Authority (ECF No. 118), informing the court of the Supreme Court's decision in TransUnion LLC v. Ramirez, No. 20-297, 2021 WL 2599472 (U.S. June 25, 2021). Plaintiffs filed a Response (ECF No. 120) on July 1, 2021.
II. LEGAL STANDARD
Article III of the Constitution limits the jurisdiction of federal courts to “Cases” and “Controversies.” Susan B. Anthony List v. Driehaus, 573 U.S. 149, 157 (2014) (citing U.S. Const. art. III, § 2). “One element of the case-or-controversy requirement is that plaintiffs must establish that they have standing to sue.” Beck v. McDonald, 848 F.3d 262, 269 (4th Cir. 2017) (citing Clapper v. Amnesty Int'l USA, 568 U.S. 398, 408 (2013)). The doctrine of standing addresses whether “the plaintiff has ‘alleged such a personal stake in the outcome of the controversy' as to warrant his invocation of federal-court jurisdiction and to justify exercise of the court's remedial powers on his behalf.” Warth v. Seldin, 422 U.S. 490, 498-99 (1975) (quoting Baker v. Carr, 369 U.S. 186, 204 (1962)).
The court will apply the law of the United States Court of Appeals for the Fourth Circuit (“Fourth Circuit”) to determine whether it has subject matter jurisdiction over this action. See, e.g., In re Porsche Cars North America, Inc., 880 F.Supp.2d 801, 815 (S.D. Ohio 2012) (“In interpreting federal law, a transferee court in a multidistrict case should look to the law of its own circuit rather than the law of the transferor courts' circuits.”); In re Methyl Tertiary Butyl Ether (MTBE) Prods. Liab. Litig., 241 F.R.D. 435, 439 (S.D.N.Y. 2007) (“[C]ourts have held that the law of the transferee circuit controls pretrial issues such as whether the court has subject matter . . . jurisdiction over the action, or whether the cases should be remanded to state court because the cases were not properly removed.”); In re Bridgestone/Firestone, Inc., ATX, ATX II, 129 F.Supp.2d 1202, 1204 n.2 (S.D. Ind. 2001) (“The law of the circuit where the transferee court sits governs questions of federal law in MDL proceedings.”).
The “irreducible constitutional minimum” of standing consists of three (3) elements. Spokeo, Inc. v. Robins, 136 S.Ct. 1540, 1547 (2016) (citing Lujan v. Defs. of Wildlife, 504 U.S. 555, 560-61 (1992)). To establish Article III standing, the plaintiff must have “(1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Id. As the party invoking federal jurisdiction, the plaintiff bears the burden of establishing these elements. Id. (citing FW/PBS, Inc. v. Dallas, 493 U.S. 215, 231 (1990)). “The objection that a federal court lacks subject-matter jurisdiction may be raised by a party, or by a court on its own initiative, at any stage in the litigation, even after trial and the entry of judgment.” Arbaugh v. Y&H Corp., 546 U.S. 500, 506 (2006) (internal citations omitted). Since standing is an “indispensable” part of a plaintiff's case, “each element must be supported in the same way as any other matter on which the plaintiff bears the burden of proof, i.e., with the manner and degree of evidence required at the successive stages of the litigation.” Lujan, 504 U.S. at 561.
In a class action, named plaintiffs representing a class “must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent.” Warth, 422 U.S. at 502. “[I]f none of the named plaintiffs purporting to represent a class establishes the requisite of a case or controversy with the defendants, none may seek relief on behalf of himself or any other member of the class.” O'Shea v. Littleton, 414 U.S. 488, 494 (1974).
Challenges to Article III standing are addressed under Federal Rule of Civil Procedure 12(b)(1), which governs motions to dismiss for lack of subject matter jurisdiction. See CGM, LLC v. BellSouth Telecomms., Inc., 664 F.3d 46, 52 (4th Cir. 2011). A defendant may contest subject matter jurisdiction under Rule 12(b)(1) through a facial attack or a factual attack. Kerns v. United States, 585 F.3d 187, 192 (4th Cir. 2009).
In a facial attack, the defendant contends “that a complaint simply fails to allege facts upon which subject matter jurisdiction can be based.” Id. (quoting Adams v. Bain, 697 F.2d 1213, 1219 (4th Cir. 1982)). When reviewing a facial challenge to subject matter jurisdiction under Rule 12(b)(1), “the trial court must apply a standard patterned on Rule 12(b)(6)[.]” Id. at 193. Accordingly, the court “must assume all well-pled facts to be true and draw all reasonable inferences in favor of the plaintiff” when standing is challenged facially. People for the Ethical Treatment of Animals, Inc. v. Stein, 737 F. App'x. 122, 127 (4th Cir. 2018). To survive a facial challenge to Article III standing, “a complaint must contain sufficient factual matter, accepted as true, ‘to state a claim to relief that is plausible on its face.'” Wikimedia Found. v. Nat'l Sec. Agency, 857 F.3d 193, 208 (4th Cir. 2017) (quoting Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009)). “[T]he motion must be denied if the complaint alleges sufficient facts to invoke subject matter jurisdiction.” Kerns, 585 F.3d at 192.
In a factual attack, the defendant asserts “‘that the jurisdictional allegations of the complaint [are] not true.'” Id. (quoting Adams, 697 F.2d at 1219). Thus, a trial court may “go beyond the allegations of the complaint” and “consider evidence by affidavit, depositions or live testimony without converting the proceeding to one for summary judgment.” Adams, 697 F.2d at 1219. When a factual challenge is made, there is no presumption of truthfulness attached to the plaintiff's allegations, and the plaintiff bears the burden of proving the facts supporting subject matter jurisdiction by a preponderance of the evidence. Beck, 848 F.3d at 270; U.S. ex rel. Vuyyuru v. Jadhav, 555 F.3d 337, 347 (4th Cir. 2009). However, if the jurisdictional facts “are so intertwined with the facts upon which the ultimate issues on the merits must be resolved, ” the “entire factual dispute is appropriately resolved only by a proceeding on the merits.” Jadhav, 555 F.3d at 348 (citing Adams, 697 F.2d at 1219-20).
Jurisdictional facts are not intertwined with the facts central to the merits of a dispute when the jurisdictional facts are “wholly unrelated to the basis for liability.” Kerns, 585 F.3d at 196; see also Jadhav, 555 F.3d at 350 (finding that the jurisdictional and merits facts were not intertwined because the “proof required to establish the substantive elements of [plaintiff's claims was] wholly distinct from that necessary to survive [d]efendants' jurisdictional challenge”). In contrast, “[w]hen facts are said to be ‘intertwined,' it means that facts necessary to prove jurisdiction overlap with facts necessary to prove the merits of the case such that a 12(b)(1) motion is, essentially, an indirect attack on the plaintiff's alleged factual merits.” Kuntze v. Josh Enters., Inc., 365 F.Supp.3d 630, 638 (E.D. Va. 2019) (citing Kerns, 585 F.3d at 193, 195 (holding that the jurisdictional facts were intertwined with those central to the merits because “the scope-of-employment issue [was] determinative of both jurisdiction and the underlying merits of [plaintiff's] FTCA claim”)).
When a defendant makes a factual attack to subject matter jurisdiction and the jurisdictional and merits facts are intertwined, “the defendant has challenged not only the court's jurisdiction but also the existence of the plaintiff's cause of action.” Kerns, 585 F.3d at 193. Accordingly, a trial court should dismiss a case under Rule 12(b)(1) “only when the jurisdictional allegations are ‘clearly . . . immaterial, made solely for the purpose of obtaining jurisdiction or where such a claim is wholly unsubstantial and frivolous.'” Id. (quoting Bell v. Hood, 327 U.S. 678, 682 (1946)). If the jurisdictional facts are intertwined with the merits of the case,
the trial court should assume jurisdiction exists (if the jurisdictional allegations are sufficient on their face) and proceed with limited or full discovery after either (1) denying the 12(b)(1) motion, or (2) converting the 12(b)(1) motion into a motion for summary judgment on the merits and taking it under advisement until discovery is completed and it is ripe for summary judgment[.]Kuntze, 365 F.Supp.3d at 645.
III. ANALYSIS
Blackbaud argues that Plaintiffs lack Article III standing and therefore the court lacks subject matter jurisdiction over their claims. (ECF No. 92-1 at 7.) At this stage, Blackbaud does not dispute that Plaintiffs suffered injuries in fact that could be redressed by a favorable decision. (See ECF No. 114 at 5:6-13, 12:17-25.) It only claims that Plaintiffs have neither facially nor factually established that their injuries are traceable to Blackbaud's conduct. (Id.) A. Injury in Fact
Together, Plaintiffs assert that they suffered six (6) types of injury as a result of the Ransomware Attack:
1. Identity theft or fraud - Thirty-one (31) named Plaintiffs assert they experienced actual identity theft or fraud as a result of the Ransomware Attack.
2. Increased risk of identity theft in the future - All thirty-four (34) named Plaintiffs claim they are at an increased risk of experiencing identity theft in the future due to the Ransomware Attack.
3. Time and/or money spent to mitigate risk of harm - All thirty-four (34) named Plaintiffs maintain they have spent time and/or money to mitigate their exposure to identity theft or fraud as a result of the Ransomware Attack.
4. Emotional distress - Thirty-three (33) named Plaintiffs contend the Ransomware Attack caused them to suffer from emotional distress.
5. Diminished value of data - All thirty-four (34) named Plaintiffs claim the Ransomware Attack diminished the value of their PII and/or PHI.
6. Invasion of privacy - All thirty-four (34) named Plaintiffs allege they experienced an invasion of privacy as a result of the Ransomware Attack.
Plaintiffs Clayton (ECF No. 77 at 24 ¶ 58), Eisen (id. at 26 ¶ 69), Estes (id. at 28-29 ¶ 78), Regan (id. at 31 ¶ 88), Carpenella (id. at 36-37 ¶ 108), Kamm (id. at 39 ¶ 117), Arman (id. at 42 ¶ 131), Garcia-Martinez (id. at 45 ¶ 141), Lofton (id. at 47 ¶ 151), Gignac (id. at 51 ¶ 167), Frontera (id. at 53-54 ¶ 178), Bishop (id. at 56 ¶ 189), Maher (id. at 59 ¶ 199), Glasper (id. at 61 ¶ 210), Mandel (id. at 63 ¶ 220), Martin Roth (id. at 67 ¶ 236), Rachel Roth (id. at 69 ¶ 245), Peragine (id. at 71 ¶ 256), Zielinski (id. at 74 ¶ 266), Allen (id. at 76 ¶ 275), Martin (id. at 79 ¶ 285), Pettiford (id. at 81 ¶ 295), Welsh (id. at 84 ¶ 306), Ford (id. at 89 ¶ 328), Scott (id. at 91 ¶ 338), Watts (id. at 94 ¶ 350), Jason Money (id. at 97 ¶ 363), Nicole Money (id. at 99-100 ¶ 373), Case (id. at 102-03 ¶ 384), Sheth (id. at 106 ¶ 397), and Simkins (id. at 108 ¶ 408).
Plaintiffs Clayton (ECF No. 77 at 23-24 ¶ 57, 24 ¶ 60), Eisen (id. at 26 ¶¶ 68, 70), Estes (id. at 28 ¶ 77, 29 ¶ 80), Regan (id. at 31 ¶¶ 87, 90), Mitchell (id. at 33 ¶ 97, 34 ¶ 98), Carpenella (id. at 36 ¶ 107, 37 ¶ 110), Kamm (id. at 38-39 ¶ 116, 39 ¶ 119), Arman (id. at 41 ¶ 130, 42 ¶ 132), Garcia-Martinez (id. at 45 ¶ 140, 45-46 ¶ 143), Lofton (id. at 47 ¶ 150, 48 ¶ 153), Gignac (id. at 51 ¶¶ 166, 169), Frontera (id. at 53 ¶ 177, 54 ¶ 180), Bishop (id. at 56 ¶ 188, 57 ¶ 191), Maher (id. at 58-59 ¶ 198, 59 ¶ 201), Glasper (id. at 61 ¶¶ 209, 211), Mandel (id. at 63 ¶ 219, 63-64 ¶ 221), Martin Roth (id. at 66-67 ¶ 235, 67 ¶ 237), Rachel Roth (id. at 69 ¶¶ 244, 246), Peragine (id. at 71 ¶ 255, 72 ¶ 257), Zielinski (id. at 74 ¶¶ 265, 267), Allen (id. at 76 ¶¶ 274, 276), Martin (id. at 79 ¶¶ 284, 286), Pettiford (id. at 81 ¶ 294, 82 ¶ 297), Welsh (id. at 84 ¶¶ 305, 308), Duranko (id. at 86 ¶ 316, 87 ¶ 317), Ford (id. at 89 ¶¶ 327, 330), Scott (id. at 91 ¶¶ 337, 339), Watts (id. at 93 ¶ 349, 94 ¶ 351), Jason Money (id. at 96-97 ¶ 362, 97 ¶ 364), Nicole Money (id. at 99 ¶ 372, 100 ¶ 374), Case (id. at 102 ¶ 383, 103 ¶ 386), Sheth (id. at 105 ¶ 396, 106 ¶ 399), Simkins (id. at 108 ¶¶ 407, 409), and Molnar (id. at 110 ¶¶ 417, 418).
Plaintiffs Clayton (ECF No. 77 at 22-23 ¶ 54, 23 ¶ 55, 24 ¶¶ 59, 60), Eisen (id. at 25 ¶¶ 65, 66, 26 ¶ 70), Estes (id. at 27 ¶ 73, 28 ¶ 75, 29 ¶¶ 79, 80), Regan (id. at 30 ¶¶ 83, 85, 31 ¶¶ 89, 90), Mitchell (id. at 33 ¶ 95, 34 ¶ 98), Carpenella (id. at 35 ¶ 104, 37 ¶¶ 109, 110), Kamm (id. at 38 ¶ 114, 39 ¶¶ 118, 119), Arman (id. at 41 ¶ 127, 42 ¶¶ 131, 132), Garcia-Martinez (id. at 43-44 ¶ 137, 44 ¶ 138, 45-46 ¶¶ 142, 143), Lofton (id. at 47 ¶ 148, 48 ¶¶ 152, 153), Gignac (id. at 50 ¶¶ 163, 164, 51 ¶¶ 166, 168, 169), Frontera (id. at 52-53 ¶ 174, 54 ¶¶ 179, 180), Bishop (id. at 55-56 ¶ 185, 56 ¶ 186, 57 ¶¶ 190, 191), Maher (id. at 58 ¶ 196, 59 ¶¶ 200, 201), Glasper (id. at 60-61 ¶ 206, 61 ¶¶ 210, 211), Mandel (id. at 62-63 ¶ 216, 63-64 ¶ 221), Martin Roth (id. at 66 ¶ 232, 67 ¶ 237), Rachel Roth (id. at 68 ¶ 241, 69 ¶ 246), Peragine (id. at 70-71 ¶ 252, 72 ¶ 257), Zielinski (id. at 73 ¶ 262, 74 ¶ 267), Allen (id. at 75 ¶ 271, 76 ¶¶ 272, 276), Martin (id. at 78 ¶¶ 281, 282, 79 ¶ 286), Pettiford (id. at 80 ¶ 291, 80-81 ¶ 292, 81-82 ¶ 296, 82 ¶ 297), Welsh (id. at 83 ¶¶ 302, 303, 84 ¶¶ 307, 308), Duranko (id. at 85-86 ¶ 313, 87 ¶ 317), Ford (id. at 88 ¶ 324, 89 ¶¶ 329, 330), Scott (id. at 90 ¶ 334, 91 ¶ 339), Watts (id. at 93 ¶ 346, 94 ¶ 351), Jason Money (id. at 96 ¶ 359, 97 ¶ 364), Nicole Money (id. at 98-99 ¶ 369, 100 ¶ 374), Case (id. at 101-02 ¶ 380, 102 ¶ 381, 103 ¶¶ 385, 386), Sheth (id. at 105 ¶ 393, 106 ¶¶ 398, 399), Simkins (id. at 107 ¶ 404, 108 ¶ 409), and Molnar (id. at 110 ¶¶ 415, 418).
Plaintiffs Clayton (ECF No. 77 at 23 ¶ 56), Eisen (id. at 26 ¶ 67), Estes (id. at 28 ¶ 76), Regan (id. at 30 ¶ 86), Mitchell (id. at 33 ¶ 96), Carpenella (id. at 36 ¶ 106), Kamm (id. at 38 ¶ 115), Arman (id. at 41 ¶ 129), Garcia-Martinez (id. at 44 ¶ 139), Lofton (id. at 47 ¶ 149), Gignac (id. at 50-51 ¶ 165), Frontera (id. at 53 ¶ 176), Bishop (id. at 56 ¶ 187), Maher (id. at 58 ¶ 197), Glasper (id. at 61 ¶ 207), Mandel (id. at 63 ¶ 218), Martin Roth (id. at 66 ¶ 234), Rachel Roth (id. at 68-69 ¶ 242), Peragine (id. at 71 ¶ 254), Zielinski (id. at 73 ¶ 264), Allen (id. at 76 ¶ 273), Martin (id. at 78 ¶ 283), Pettiford (id. at 81 ¶ 293), Welsh (id. at 83 ¶ 304), Duranko (id. at 86 ¶ 315), Ford (id. at 88 ¶ 326), Scott (id. at 91 ¶ 336), Watts (id. at 93 ¶ 348), Jason Money (id. at 96 ¶ 361), Nicole Money (id. at 99 ¶ 371), Case (id. at 102 ¶ 382), Sheth (id. at 105 ¶ 395), and Simkins (id. at 108 ¶ 406).
Plaintiffs Clayton (ECF No. 77 at 23-24 ¶ 57), Eisen (id. at 26 ¶ 68), Estes (id. at 28 ¶ 77), Regan (id. at 31 ¶ 87), Mitchell (id. at 33 ¶ 97), Carpenella (id. at 36 ¶ 107), Kamm (id. at 38-39 ¶ 116), Arman (id. at 41 ¶ 130), Garcia-Martinez (id. at 45 ¶ 140), Lofton (id. at 47 ¶ 150), Gignac (id. at 51 ¶ 166), Frontera (id. at 53 ¶ 177), Bishop (id. at 56 ¶ 188), Maher (id. at 58-59 ¶ 198), Glasper (id. at 61 ¶ 209), Mandel (id. at 63 ¶ 219), Martin Roth (id. at 66-67 ¶ 235), Rachel Roth (id. at 69 ¶ 244), Peragine (id. at 71 ¶ 255), Zielinski (id. at 74 ¶ 265), Allen (id. at 76 ¶ 274), Martin (id. at 79 ¶ 284), Pettiford (id. at 81 ¶ 294), Welsh (id. at 84 ¶ 305), Duranko (id. at 86 ¶ 316), Ford (id. at 89 ¶ 327), Scott (id. at 91 ¶ 337), Watts (id at 93 ¶ 349), Jason Money (id. at 96-97 ¶ 362), Nicole Money (id. at 99 ¶ 372), Case (id. at 102 ¶ 383), Sheth (id. at 105 ¶ 396), Simkins (id. at 108 ¶ 407), and Molnar (id. at 110 ¶ 417).
Plaintiffs Clayton (ECF No. 77 at 23-24 ¶ 57), Eisen (id. at 26 ¶ 68), Estes (id. at 28 ¶ 77), Regan (id. at 31 ¶ 87), Mitchell (id. at 33 ¶ 97), Carpenella (id. at 36 ¶ 107), Kamm (id. at 38-39 ¶ 116), Arman (id. at 41 ¶ 130), Garcia-Martinez (id. at 45 ¶ 140), Lofton (id. at 47 ¶ 150), Gignac (id. at 51 ¶ 166), Frontera (id. at 53 ¶ 177), Bishop (id. at 56 ¶ 188), Maher (id. at 58-59 ¶ 198), Glasper (id. at 61 ¶ 209), Mandel (id. at 63 ¶ 219), Martin Roth (id. at 66-67 ¶ 235), Rachel Roth (id. at 69 ¶ 244), Peragine (id. at 71 ¶ 255), Zielinski (id. at 74 ¶ 265), Allen (id. at 76 ¶ 274), Martin (id. at 79 ¶ 284), Pettiford (id. at 81 ¶ 294), Welsh (id. at 84 ¶ 305), Duranko (id. at 86 ¶ 316), Ford (id. at 89 ¶ 327), Scott (id. at 91 ¶ 337), Watts (id at 93 ¶ 349), Jason Money (id. at 96-97 ¶ 362), Nicole Money (id. at 99 ¶ 372), Case (id. at 102 ¶ 383), Sheth (id. at 105 ¶ 396), Simkins (id. at 108 ¶ 407), and Molnar (id. at 110 ¶ 417).
Although Blackbaud challenged whether Plaintiffs' allegations of harm constitute injury in fact in its Motion, it abandoned that challenge at the hearing. (ECF Nos. 92-1 at 20-37; 114 at 5:6-13, 12:17-25.) Blackbaud did not retract its abandonment of the challenge to the injury in fact requirement of Article III standing when it notified the court of the Supreme Court's decision in Ramirez after the hearing. (See ECF No. 118.) Accordingly, Blackbaud only asserts that Plaintiffs have failed to satisfy the traceability requirement of Article III standing. (ECF No. 114 at 5:6-13.)
In its Motion, Blackbaud challenged Plaintiffs' standing to seek injunctive relief on the basis that Plaintiffs failed to establish the requisite danger of imminent injury. (ECF No. 92-1 at 37-38.) As Blackbaud abandoned its attack on the sufficiency of Plaintiffs' alleged injuries, including Plaintiffs' alleged risk of future identity theft, the court will not consider Blackbaud's challenge to Plaintiffs' standing to seek injunctive relief. (ECF No. 114 at 5:6-13, 12:17-25.)
The court observes that even if Blackbaud asserted that Plaintiffs' alleged injuries are insufficient to confer Article III standing, Ramirez would not impact the court's injury in fact analysis at this stage of the litigation. In Ramirez, the Supreme Court “focuse[d] on the Article III requirement that the plaintiff 's injury in fact be ‘concrete' - that is, ‘real, and not abstract.'” 2021 WL 2599472, at *7. As the case before the court had proceeded to trial, the Supreme Court required that “the specific facts set forth by the plaintiff to support standing ‘. . . be supported adequately by the evidence adduced at trial.'” Id. at *10 (quoting Lujan, 504 U.S. at 561). After examining the evidence presented at trial, the Supreme Court concluded that some of the plaintiffs failed to “factually establish” that their risk of future harm materialized into a sufficient “concrete” harm to satisfy the injury in fact requirement. Id. at *14. Accordingly, it found that those plaintiffs lacked Article III standing. Id. at *3. Here, all named Plaintiffs allege that they suffered an increased risk of future harm like the plaintiffs in Ramirez. See supra note 8. However, this case is procedurally distinguishable from Ramirez because the court does not have the “helpful benefit of a jury verdict” at this phase of the litigation. 2021 WL 2599472, at *22 (Thomas, J., dissenting). “At the pleading stage, general factual allegations of injury resulting from the defendant's conduct may suffice, for on a motion to dismiss [courts] ‘presum[e] that general allegations embrace those specific facts that are necessary to support the claim.'” Lujan, 504 U.S. at 561. Since the court must rely on the pleadings to resolve the instant Motion, the court is not in a position to discern whether Plaintiffs have “factually establish[ed]” that their alleged risk of future harm materialized into a sufficient “concrete” harm as held in Ramirez. 2021 WL 2599472, at *14. Such an inquiry may be appropriate after a proceeding on the merits but it is not proper at this juncture. Plaintiffs should have the benefit of discovery before being required to “factually establish” their injuries. Id.
B. Traceability
To satisfy the traceability requirement of Article III standing, “there must be a causal connection between the injury and the conduct complained of - the injury has to be ‘fairly . . . trace[able] to the challenged action of the defendant, and not . . . th[e] result [of] the independent action of some third party not before the court.'” Lujan, 504 U.S. at 560 (quoting Simon v. Eastern Ky. Welfare Rights Org., 426 U.S. 26, 41-42 (1976)). However, the “fairly traceable standard is not equivalent to a requirement of tort causation.” Hutton v. National Board of Examiners in Optometry, Inc., 892 F.3d 613, 623 (4th Cir. 2018) (citing Friends of the Earth, Inc. v. Gaston Copper Recycling Corp., 204 F.3d 149, 161 (4th Cir. 2000)). Blackbaud makes both factual and facial challenges to the traceability requirement of Article III standing. (ECF No. 92-1 at 20.) The court will address each challenge in turn.
i. Factual Attack
In its factual attack, Blackbaud asserts that the Kroll Summary disproves Plaintiffs' allegations that their injuries are fairly traceable to Blackbaud's wrongdoing. (Id.) To determine whether the court may consider Blackbaud's factual attack on Plaintiff's standing, the court must evaluate whether the facts dispositive of Plaintiffs' claims are intertwined with the facts dispositive of Blackbaud's jurisdictional challenge to Plaintiffs' Article III standing. Jadhav, 555 F.3d at 348.
Such an inquiry first requires the court to identify the elements of Plaintiffs' claims. Kuntze, 365 F.Supp.3d at 638. Although this litigation has yet to address the body of law applicable to Plaintiffs' common law claims on behalf of the putative nationwide class, it is clear that causation is an essential element of Plaintiffs' negligence and negligence per se causes of action on behalf of the putative nationwide class. (ECF No. 77 at 173-80). “Causation in fact - i.e., proof that the defendant's conduct did in fact cause the plaintiff's injury - is a standard requirement of any tort claim . . . .” Univ. of Texas Sw. Med. Ctr. v. Nassar, 570 U.S. 338, 346 (2013). Additionally, the Restatement (Second) of Torts provides that causation is an element of a negligence cause of action while the Restatement (Third) of Torts: Physical and Emotional Harm states that a plaintiff must prove causation to succeed on a negligence per se claim. See
Restatement (Second) of Torts § 281 (Am. Law Inst. 1965); Restatement (Third) of Torts: Phys. & Emot. Harm § 14 cmt. h (Am. Law. Inst. 2010). Plaintiffs will also have to demonstrate causation to prove many of their claims on behalf of the putative state sub-classes. As Blackbaud admits in its Motion to Dismiss Certain Statutory Claims (ECF Nos. 110; 110-1), causation is an element of Plaintiffs' Florida Deceptive and Unfair Trade Practice Act, New Jersey Consumer Fraud Act, New York General Business Law § 349, and Pennsylvania Unfair Trade Practices and Consumer Protection Law claims. See City First Mortg. Corp. v. Barton, 988 So.2d 82, 86 (Fla. Dist. Ct. App. 2008); Bosland v. Warnock Dodge, Inc., 964 A.2d 741, 749 (N.J. 2009); Stutman v. Chem. Bank, 731 N.E.2d 608, 611 (N.Y. 2000); Kaymark v. Bank of Am., N.A., 783 F.3d 168, 180 (3d Cir. 2015), abrogated on other grounds by Obduskey v. McCarthy & Holthus LLP, 139 S.Ct. 1029 (2019). Accordingly, Plaintiffs will have to prove that Blackbaud caused their injuries in order to prevail on the merits of their federal and state claims.
Next, the court must ascertain the facts dispositive of Blackbaud's jurisdictional challenge. Kuntze, 365 F.Supp.3d at 646. Here, Blackbaud's factual challenge to the traceability element of Article III standing depends on whether there is a “causal connection” between Plaintiffs' injuries and Blackbaud's actions. Lujan, 504 U.S. at 560. Blackbaud asserts that no such causal connection exists because the Kroll Summary concluded there is “no evidence” that Plaintiffs' PII was on the dark web or being marketed for sale. (Id. at 25.) Without such exposure, Blackbaud maintains that Plaintiffs cannot establish that they suffered injuries from the Ransomware Attack. (Id. at 25, 30-31.) Blackbaud also claims that Plaintiffs cannot establish that their injuries are fairly traceable to the Ransomware Attack because the Kroll Summary “confirms that Plaintiffs' personal information has already been compromised in a plethora of prior security incidents that do not involve Blackbaud.” (Id. at 31.)
Finally, the court must determine whether the “facts necessary to prove jurisdiction overlap with facts necessary to prove the merits of the case such that [Blackbaud's] motion is, essentially, an indirect attack on . . . [P]laintiff[s'] alleged factual merits.” Kuntze, 365 F.Supp.3d at 638 (citing Kerns, 585 F.3d at 193). In this case, whether Plaintiffs' injuries resulted from Blackbaud's actions is determinative of both jurisdiction and the merits of Plaintiffs' claims. For example, the Kroll Summary's contention that Plaintiffs' PII was not exposed on the dark web but was compromised in previous data breaches would weigh against Plaintiffs' claims on the merits but in favor of Blackbaud's jurisdictional challenge to Plaintiffs' standing. (ECF No. 92-1 at 25.) As the Ninth Circuit observed in another challenge to Article III standing in a data breach case, “[t]hat hackers might have stolen Plaintiffs' PII in unrelated breaches, and that Plaintiffs might suffer identity theft or fraud caused by the data stolen in those other breaches (rather than the data stolen from [defendant]), is less about standing and more about the merits of causation and damages.” In re Zappos.com, Inc., 888 F.3d 1020, 1029 (9th Cir. 2018). Thus, “while the merits and jurisdictional questions are not identical, they are so closely related that the jurisdictional issue is not suited for resolution in the context of a motion to dismiss for lack of subject matter jurisdiction.” United States v. North Carolina, 180 F.3d 574, 581 (4th Cir. 1999).
The overlap between the facts necessary to establish the traceability requirement of Article III standing and the facts necessary to prove Plaintiffs' claims is further underscored by the cases Blackbaud cites in support of its jurisdictional challenge. Many of the cases cited in Blackbaud's Motion concern causation as a substantive element of a cause of action rather than the jurisdictional requirement of traceability. For example, Blackbaud cites Resnick v. AvMed, Inc., 693 F.3d 1317, 1326 (11th Cir. 2012) for the proposition that Plaintiffs cannot show that their allegations of actual fraud or identity theft are traceable to Blackbaud's actions because “the pleadings must include allegations of a nexus between the two instances beyond allegations of time and sequence.” (ECF No. 92-1 at 21.) However, Resnick used that language in its evaluation of the causation elements of the plaintiffs' negligence, negligence per se, breach of fiduciary duty, breach of contract, breach of implied contract, and breach of the implied covenant of good faith and fair dealing claims under Rule 12(b)(6). Id. at 1326-27. Likewise, Blackbaud claims that Stollenwerk v. Tri-West Health Care All., 254 F. App'x. 664, 668 (9th Cir. 2007) supports its assertion that “[a] mere coincidence of timing - at some point during a period of twelve months since the Ransomware Attack - is insufficient to establish the necessary causal link between the harms Plaintiffs rely on to ground standing and the Ransomware Attack.” (ECF No. 92-1 at 21.) But Stollenwerk did not even address standing. 254 F. App'x. at 667-68. Instead, it addressed whether the plaintiffs established a sufficient causal connection to survive summary judgment on their negligence claim. Id.
As Blackbaud's factual challenge to the traceability requirement of Article III standing involves facts that are intertwined with the merits of Plaintiffs' claims, the court will not consider Blackbaud's factual attack at this juncture. The court now moves to Blackbaud's facial challenge to determine whether Plaintiffs allege facts in their CCAC that plausibly confer jurisdiction.
ii. Facial Attack
To survive a facial challenge to the traceability requirement of Article III standing, plaintiffs in a data breach case must sufficiently allege that the defendant was a “plausible source of [their] personal information.” Hutton, 892 F.3d at 623. “Therefore, “[p]leadings must be something more than an ingenious academic exercise in the conceivable.” Id. (quoting United States v. Students Challenging Regulatory Agency Procedures, 412 U.S. 669, 687 (1973)).
This burden is “relatively modest[.]” Bennett v. Spear, 520 U.S. 154, 170-71 (1997). For example, a plaintiff may adequately plead traceability despite a defendant's failure to confirm the occurrence or extent of a data breach. See Hutton, 892 F.3d at 623-24 (finding that the complaints sufficiently alleged traceability despite the defendant's failure to confirm that a data breach occurred); Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 696 (7th Cir. 2015) (concluding that the plaintiffs plausibly alleged their injuries were fairly traceable to a data breach of the defendant's systems by claiming that the defendant “admitted that 350, 000 cards might have been exposed and that it contacted members of the class to tell them they were at risk”) (emphasis added); In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig., 440 F.Supp.3d 447, 467 (D. Md. 2020) (holding that the plaintiffs adequately alleged traceability by asserting that the plaintiffs gave their personal information to the defendant, the defendant was the victim of a data breach, the scope of the breach was unknown, and the plaintiffs subsequently experienced harm).
Here, Blackbaud claims that Plaintiffs have not established traceability because the CCAC fails to allege a connection between Plaintiffs' injuries and the Ransomware Attack. (ECF No. 92-1 at 20.) It contends that Plaintiffs rely on “coincidences and timing” to establish that their injuries resulted from the Ransomware Attack. (Id. at 21.) Additionally, Blackbaud asserts that Plaintiffs' alleged injuries could not have resulted from the types of data they allege to have been compromised. (Id. at 24.) For example, it maintains that Plaintiffs Estes, Regan, Carpenella, Kamm, Garcia-Martinez, Frontera, Glasper, Mandel, Martin Roth, Zielinski, Welsh, Ford, Scott, and Watts could not have experienced an increase in spam or phishing because they do not allege that their phone No. or email addresses were compromised in the Ransomware Attack. (Id.) Blackbaud also claims that “only three Plaintiffs who allege actual identity theft or fraud also alleged that their [SSNs] - traditionally the sine qua non of committing actual identity theft - were possibly implicated[.]” (Id. at 23.)
The court first observes that Plaintiffs have pled a plausible connection between the types of data allegedly compromised during the Ransomware Attack and their subsequent injuries. Contrary to Blackbaud's assertions, Plaintiffs Garcia-Martinez and Zielinski allege that a type of PII that could be used to facilitate spam or phishing was exposed since they claim that their “contact information” was exposed as a result of the Ransomware Attack. (ECF No. 77 at 43 ¶ 135, 72 ¶ 260.) Nevertheless, Plaintiffs claim that it is likely that more information than was listed in the data breach notices was compromised due to Blackbaud's inaccurate representations about the scope of the data breach. (Id. at 139-40 ¶ 501.) Given Blackbaud's lack of transparency about the extent of the Ransomware Attack, it is more than plausible that additional information such as contact information, SSNs, and financial information that could be used for spam, phishing, or other forms of fraud was accessed during the Ransomware Attack. Furthermore, Plaintiffs have plausibly pled that hackers can commit identity fraud without contact information or SSNs by combining and cross-referencing data stolen during the Ransomware Attack with information obtained in other data breaches. (Id. at 156 ¶ 553.)
The CCAC also contains allegations demonstrating that it is both plausible and likely that a breach of Blackbaud's systems resulted in Plaintiffs' alleged injuries. Plaintiffs maintain that Blackbaud collected and stored their personal information, cybercriminals stole Blackbaud's customers' patrons' information from Blackbaud's systems, Blackbaud publicly acknowledged the data breach, each Plaintiff received a notice letter from one (1) or more of Blackbaud's customers informing them that their PII and/or PHI was accessed in the breach, the scope of the breach is unknown, and each Plaintiff experienced harm less than a year after the breach. (Id. at 7-8 ¶ 15, 12 ¶ 26, 16 ¶ 36, 21 ¶ 51 - 110 ¶ 418, 114 ¶ 429.)
Such assertions are more than an “ingenious academic exercise in the conceivable.” Hutton, 892 F.3d at 623 (quoting Students Challenging Regulatory Agency Procedures, 412 U.S. at 687). When viewed in their totality, they suggest that Blackbaud was a common repository of Plaintiffs' personal information, potentially all of Plaintiffs' personal information maintained by Blackbaud was compromised during the Ransomware Attack, and Plaintiffs suffered injuries shortly after the data breach. Therefore, Plaintiffs have met their “relatively modest” burden and adequately alleged that Blackbaud was a “plausible source” of their PII and/or PHI. See Bennett, 520 U.S. at 170-71 (1997); Hutton, 892 F.3d at 623-24.
As the CCAC contains sufficient factual matter to render Plaintiffs' allegations plausible on their face with respect to traceability, Plaintiffs have sufficiently established the traceability requirement of Article III standing at this stage of the litigation. Hutton, 892 F.3d at 623-24. Accordingly, the court denies Blackbaud's Motion (ECF No. 92). Even if Blackbaud ultimately shows after discovery that Plaintiffs' alleged injuries were not caused by the Ransomware Attack, it is premature to dismiss Plaintiffs' claims on grounds of traceability at this stage. Marriott, 440 F.Supp.3d at 467.
IV. CONCLUSION
For the foregoing reasons, the court DENIES Defendant Blackbaud, Inc.'s Motion to Dismiss for Lack of Subject Matter Jurisdiction (ECF No. 92).
IT IS SO ORDERED.