On August 12, 2021, Judge Childs of the United States District Court for the District of South Carolina decreases to dismiss claims against Blackbaud based on the California Consumer Privacy Act (“CCPA”). The allegations relate to a high-profile ransomware attack against the company in early 2020.

Blackbaud is a cloud-based software company that “provides data collection and maintenance software solutions for administration, fundraising, marketing and analytics to social interest entities such as non-profit organizations. profit, foundations, educational institutions, religious communities and health organizations “. Op. To 1. Blackbaud has collected and stored both Personally Identifiable Information and Protected Health Information as part of its services for its customers. After an attack involving both ransomware and data exfiltration, Blackbaud reportedly paid a ransom in cryptocurrency, and the exchange included a pledge that all data previously obtained by the attackers would be permanently destroyed.

Plaintiffs in Blackbaud’s Multidistrict (“MDL”) Litigation Claim the Ransomware Incident was the Result of Blackbaud’s “Flawed Security Program” and Did Not Address the Full Scope of the Ransomware Attack in his investigation of the attack. Username. to 2. Once the ransomware incident was made public, a number of lawsuits were filed. The federal litigation was consolidated into an MDL, and a consolidated class action complaint was filed on April 2, 2021. The court requested that the briefing on the dismissal motions be in two rounds with the first round to deal with the issues. jurisdiction under Rule 12 (b) (1) and the second round to address questions 12 (b) (6). Identifier. to 4. The court rejected the judicial request on July 1, 2021.

While the plaintiffs have asserted claims under numerous state laws, the court first considered the plaintiffs’ claims under the CCPA. The CCPA creates a private right of action for “real or statutory damages to any consumer whose personal information is unencrypted and unredacted … implement and maintain reasonable security procedures and practices appropriate to the nature of the information in order to protect personal information. Identifier. at 7-8 (citation and modification omitted).

Blackbaud argued that it was not a “business” as defined by the CCPA, but rather a “service provider”, and therefore the plaintiffs’ claims under the CCPA have failed in law. Under the CCPA, a “service provider” is a for-profit entity that processes consumer personal data for a business on the basis of a contract. A “business” is a for-profit entity “organized or operated for the profit or financial benefit of its shareholders or other owners that collects the personal information of consumers.[;]”“ “On whose behalf this information is collected[;] or “(3)” which, alone or jointly with others, determines the purposes and means of processing consumers’ personal information[.]” Username. at 8 (citing Cal. Civ. Code § 1798.140 (c)). In addition, a business must meet one of the following conditions to be considered a business under the CCPA: “(A) have annual gross revenues greater than $ 25 million; (B) buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices each year; or (C) derive more than half of its income from the sale of consumer personal information. ” Username. (citing Cal. Civ. Code § 1798.140 (c)).

The court recognized that few courts have considered the provisions of the CCPA since the law came into effect on January 1, 2020. The court ultimately determined that Blackbaud was a “company” within the scope of the CCPA because that the complaint alleged “Blackbaud and its customers determine the purposes and means of processing consumers’ personal information. Blackbaud uses consumer personal data to provide services on customer demand, as well as to develop, improve, and test Blackbaud’s services. Username. to 8-9. The complaint also alleged that Blackbaud is developing software to process the personal information of its customers’ customers. The California plaintiffs also alleged that Blackbaud had annual gross income above $ 25 million, the threshold under the CCPA.

In support of its finding that Blackbaud may be an ACCP “company”, the court also noted that Blackbaud is registered as a “data broker” in California, and that “Cal. Civ. The code § 1798.99.80 provides that a “data broker” is an “andBusiness which knowingly collects and sells to third parties the personal information of a consumer with whom the company has no direct relationship. at 9 (citing Cal. Civ. Code § 1798.99 (d)) (emphasis in original). The court further noted that the provision uses the same definition of business as the CCPA. “Since an entity must be considered a ‘business’ under the CCPA to be registered as a ‘data broker’ in California, Blackbaud’s alleged registration as a ‘data broker’ suggests that it is also a “business” under the CCAC. ” Username. at 9 o’clock.

Finally, the court determined that Blackbaud could be both a “service provider” and a “business” under the CCPA, and therefore did not need to decide whether Blackbaud was a “service provider” under the CCPA. CCPA in order to decide on the motion for dismissal.

Based on its analysis, the court allowed prosecution of the CCPA claims of the California plaintiffs, as well as other claims claimed by the plaintiffs. However, the court dismissed some of the plaintiffs’ claims, including damages claims under the Florida Deceptive and Unfair Business Practices Act (while allowing injunctive relief), the Fraud Act. New Jersey Consumer Affairs, Pennsylvania Unfair Trade Practices and Consumer Law, and South Carolina Data Breach Security Law.