By Gerald L. Maatman, Jr., Jennifer A. Riley, and Emilee N. Crowther
Duane Morris Takeaways: In a data breach lawsuit entitled In Re Blackbaud, Inc., Customer Data Breach Litigation, MDL No. 2972, Case No. 3:20-MN-02972, 2024 WL 2155221 (D.S.C. May 14, 2024), Judge Joseph F. Anderson, Jr. of the U.S. District Court for the District of South Carolina denied Plaintiffs’ motion for class certification. The Court found that the Plaintiffs failed to meet their burden of proof as to ascertainability since they could not demonstrate an administratively reasonable method by which to ascertain the estimated 1.5 billion putative class members. This case serves as an important reminder that a plaintiff’s failure to provide a court with an administratively reasonable way to ascertain a class can be an effective tool when combatting class certification motions.
Case Background
Defendant Blackbaud, Inc. provides data collection and storage services to a wide variety of organizations (“customers”). Id. at 2. Defendant collects and stores personally identifiable information and protected health information of individuals on behalf of its clients. Id.
Between February and May 2020, a cybercriminal breached Defendant’s systems, capturing 90,000 backup files containing data belonging to 13,000 of Defendant’s customers, and data belonging to approximately 1.5 billion individuals worldwide. Id. at 3-4.
Various plaintiffs filed suits nationwide, and on December 15, 2020, all of the lawsuits were combined into a multidistrict litigation in the District of South Carolina. Id. at 5. Thereafter, the Plaintiffs moved to certify one main nationwide class, and four other sub-classes, including two in California, one in New York, and one in Florida. Id. at 5-6.
The Court’s Decision
The Court denied Plaintiffs’ motion for class certification. It held that Plaintiffs failed to meet their burden of proof as to Rule 23’s ascertainability requirement. Id. at 1. As a threshold requirement to any class certification, a plaintiff must demonstrate that a class is “ascertainable”, i.e., “that there will be an administratively feasible way for the court to determine whether a particular individual is a class member.” Id. at 16.
Plaintiffs argued four primary points in support of ascertainability, including: (i) the method proposed by their expert; (ii) Defendant’s ability to create a fact sheet about the named Plaintiffs; (iii) Defendant’s ability to give notice to its customers; and (iv) Defendant’s use of a program called Wirewheel. Id. at 17.
As to Plaintiffs’ first point, the Court granted Defendant’s motion to exclude the Plaintiffs’ expert’s testimony on the grounds that the expert failed to sufficiently test his method, was unable to replicate his method, failed to sufficiently document his method, and could not provide the Court with an error rate consistent with generally accepted statistical practices. Id. at 18.
As to Plaintiffs’ second point, the Court found that the Defendant’s ability to create a fact sheet containing information about 34 named Plaintiffs did not weigh in favor of ascertainability, as the Defendant’s process was “not proof that Plaintiffs [could] undertake the larger task of ascertaining the proposed classes and sub-classes” for 1.5 billion individuals. Id. at 45-46. In its decision, the Court placed particular emphasis on the fact that Plaintiffs had not “tested, briefed, or otherwise demonstrated how they would collect information from putative plaintiffs to conduct a process similar to the process Defendant undertook” in creating its fact sheet. Id. at 40-41.
As to Plaintiffs’ third point, the Court similarly found that the Defendant’s ability to give notice of the breach did not weigh in favor of ascertainability, because “[t]he steps Defendant took to give notice to its customers [is] not comparable to the steps Plaintiffs would need to take to ascertain a class.” Id. at 48-49. The Court emphasized the distinction between Defendant’s task to provide notice to its 13,000 customers versus Plaintiffs’ task to identify all of the 1.5 billion individual constituents of Defendant’s customers. Id. at 46, 49.
As to Plaintiffs’ fourth and final point, the Court again held that it did not weigh in favor of ascertainability, as “the Defendant’s ability to utilize a singular, live database that it maintains for the sole purpose of responding to [certain] requests does not in any way indicate that Defendant is necessarily able to restore and query 90,000 backup files of databases that were customized, maintained, and controlled by 13,000 separate customers.” Id. at 49-50.
In sum, the Court found that the Plaintiffs failed to demonstrate that their “proposed classes and sub-classes” were able to be ascertained “without significant individualized inquiry at a scale that [was] not administratively feasible for Plaintiffs, th[e] Court, Defendant, or any individuals or entities acting at their direction to undertake.” Id.
Implications For Companies
The Court’s ruling in In Re Blackbaud, Inc., Customer Data Breach Litigation underscores the importance of ascertainability in large-scale data breach class actions. The reality is that companies across the world face daily threats of large-scale cyber-attacks aimed at capturing their data, whether through their own servers or through the technologies and tools they utilize. Since a majority of these cyber threats focus on personally identifiable information or personal health information, each data breach could now potentially affect millions (or billions) of individuals.
It is natural for a company to experience trepidation in light of these threats and the likelihood of a class action that could follow. However, it is important to remember that in any class action, Rule 23 requires a plaintiff to demonstrate that putative class members are identifiable without extensive and individualized fact-finding. The broader the swath a plaintiff wants to cover, the harder it will be for that plaintiff to demonstrate and plausibly claim to the Court that the class is ascertainable.