AI Case Brief
Generate an AI-powered case brief with:
đKey Facts
âïžLegal Issues
đCourt Holding
đĄReasoning
đŻSignificance
Estimated cost: $0.10â$0.50 per brief, depending on opinion length and retries
Full Opinion
IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF SOUTH CAROLINA COLUMBIA DIVISION ) ) ) Case No.: 3:20-mn-02972-JMC IN RE: BLACKBAUD, INC., ) CUSTOMER DATA BREACH ) MDL No. 2972 LITIGATION ) ) ORDER AND OPINION ) ) ____________________________________) THIS DOCUMENT RELATES TO: ALL ACTIONS: This matter is before the court on Defendant Blackbaud, Inc.âs (âBlackbaudâ) Motion to Dismiss seven (7) of Plaintiffsâ statutory claims pursuant to Federal Rule of Civil Procedure 12(b)(6). (ECF No. 110.) For the reasons set forth below, the court GRANTS IN PART and DENIES IN PART Blackbaudâs Motion. (Id.) I. RELEVANT BACKGROUND Blackbaud is a publicly traded cloud software company incorporated in Delaware and headquartered in Charleston, South Carolina. (ECF No. 77 at 110-11 ¶ 419, 112 ¶ 424.) The company provides data collection and maintenance software solutions for administration, fundraising, marketing, and analytics to social good entities such as non-profit organizations, foundations, educational institutions, faith communities, and healthcare organizations (âSocial Good Entitiesâ). (Id. at 4 ¶ 4, 114 ¶ 430.) Blackbaudâs services include collecting and storing Personally Identifiable Information (âPIIâ) and Protected Health Information (âPHIâ) from its customersâ donors, patients, students, and congregants. (Id. at 3 ¶ 2, 114 ¶ 429.) In this action, Plaintiffs represent a putative class of individuals whose data was provided to Blackbaudâs customers and managed by Blackbaud. (Id. at 6 ¶ 12.) Thus, Plaintiffs are patrons of Blackbaudâs customers rather than direct customers of Blackbaud. (ECF Nos. 92-1 at 9; 109 at 7-8.) Plaintiffs assert that from February 7, 2020 to May 20, 2020, cybercriminals orchestrated a two-part ransomware attack on Blackbaudâs systems (âRansomware Attackâ). (ECF No. 77 at 11-12 ¶ 25.) Cybercriminals first infiltrated Blackbaudâs computer networks, copied Plaintiffsâ data, and held it for ransom. (Id. at 11 ¶ 25, 137 ¶ 496; ECF No. 92-1 at 7.) When the Ransomware Attack was discovered in May 2020, the cybercriminals then attempted but failed to block Blackbaud from accessing its own systems. (Id.) Blackbaud ultimately paid the ransom in an undisclosed amount of Bitcoin in exchange for a commitment that any data previously accessed by the cybercriminals was permanently destroyed. (ECF Nos. 77 at 9 ¶ 20, 138 ¶ 499; 92-1 at 7.) Plaintiffs maintain that the Ransomware Attack resulted from Blackbaudâs âdeficient security program[.]â (ECF No. 77 at 117-18 ¶ 439.) They assert that Blackbaud failed to comply with industry and regulatory standards by neglecting to implement security measures to mitigate the risk of unauthorized access, utilizing outdated servers, storing obsolete data, and maintaining unencrypted data fields. (Id. at 117-18 ¶ 439, 134 ¶ 486, 136 ¶ 491, 142 ¶ 510.) Plaintiffs further allege that after the Ransomware Attack, Blackbaud launched a narrow internal investigation into the attack that analyzed a limited number of Blackbaud systems and did not address the full scope of the attack. (Id. at 143 ¶ 514.) On July 14, 2020, Blackbaud received the investigation report (âForensic Reportâ) which acknowledged that ânames, addresses, phone numbers, email addresses, dates of birth, and/or SSNsâ were disclosed in the breach but stated that the investigation was âunable to detect credit card data while reviewing exfiltrated data[.]â (Id. at 143 ¶ 514 n.112, 144 ¶ 516, 154 ¶ 549.) Plaintiffs claim the Forensic Report âimproperly concludes that no credit card data was exfiltratedâ because âsuch data could have existed in the unexamined database files.â (Id. at 144 ¶ 516.) Plaintiffs contend that Blackbaud failed to provide them with timely and adequate notice of the Ransomware Attack and the extent of the resulting data breach. (Id. at 130-31 ¶ 473.) They claim that they did not receive notice of the Ransomware Attack âuntil July of 2020 at the earliest[.]â (Id. at 156 ¶ 555.) On July 16, 2020, The NonProfit Times reported that Blackbaud had been the subject of a ransomware attack and data breach and Blackbaud issued a statement about the Ransomware Attack on its website. (Id. at 9 ¶ 20, 138 ¶ 499.) In both disclosures, Blackbaud asserted that the cybercriminals did not access credit card information, bank account information, or SSNs. (Id.) Plaintiffs allege that they subsequently received notices of the Ransomware Attack from various Blackbaud customers at different points in time from July 2020 to January 2021. (See, e.g., id. at 25 ¶ 63, 29 ¶ 82, 32 ¶ 93, 109 ¶ 414.) They maintain that some of the notices stated that SSNs, credit card data, and bank account information were not accessed during the Ransomware Attack while others stated that SSNs but not credit card data or bank account information were exposed during the Ransomware Attack. (See, e.g., id. at 25 ¶ 64, 29 ¶ 82, 52 ¶ 173, 65 ¶ 230.) Plaintiffs maintain that although Blackbaud initially represented that sensitive information such as SSNs and bank account numbers were not compromised in the Ransomware Attack, Blackbaud informed certain customers in September and October 2020 that SSNs and other sensitive data were in fact stolen in the breach. (Id. at 141-42 ¶ 509.) Additionally, on September 29, 2020, Blackbaud filed a Form 8-K with the Securities and Exchange Commission stating that SSNs, bank account information, usernames, and passwords may have been exfiltrated during the Ransomware Attack. (Id. at 12 ¶ 26, 143 ¶ 512.) After the Ransomware Attack was made public, putative class actions arising out of the intrusion into Blackbaudâs systems and subsequent data breach were filed in state and federal courts across the country. (ECF No. 1 at 1.) On December 15, 2020, the Judicial Panel on Multidistrict Litigation consolidated all federal litigation related to the Ransomware Attack into this multidistrict litigation (âMDLâ) for coordinated pretrial proceedings.1 (Id. at 3.) On April 2, 2021, thirty-four (34) named Plaintiffs2 from twenty (20) states filed a Consolidated Class Action Complaint (âCCACâ) alleging that their PII and/or PHI was compromised during the Ransomware Attack. (ECF No. 77.) 3 They assert six (6) claims on behalf of a putative nationwide class as well as ninety-one (91) statutory claims on behalf of putative state subclasses. (Id. at 173 ¶ 627 â 424 ¶ 1815.) To facilitate the efficient resolution of the litigation, the court ordered that the first phase of motions practice address jurisdictional issues, certain statutory claims, and specific common law claims. (ECF Nos. 23 at 2; 78 at 1.) On May 3, 2021, Blackbaud filed a Motion to Dismiss for Lack of Subject Matter Jurisdiction pursuant to Federal Rule of Civil Procedure 12(b)(1) (âJurisdictional Motion to Dismissâ). (ECF No. 92.) The court denied Blackbaudâs Jurisdictional Motion to Dismiss on July 1, 2021. (ECF No. 121.) Blackbaud filed the instant Motion to Dismiss pursuant to Rule 12(b)(6) on June 4, 2021, contending that Plaintiffsâ California Consumer Privacy Act of 2018 (âCCPAâ), Cal. Civ. Code 1 As of August 12, 2021, this MDL is comprised of twenty-nine (29) member cases. 2 All named Plaintiffs are identified in paragraphs forty-five (45) through 418 of the CCAC. (See ECF No. 77 at 20 ¶ 45 â 110 ¶ 418.) 3 The CCAC supersedes all other complaints in this MDL filed on behalf of Blackbaudâs customerâs patrons against Blackbaud. (ECF Nos. 23 at 4; 77.) Although the docket reflects that the CCAC was not publicly filed until April 16, 2021, Plaintiffs provided Blackbaud and the court with the CCAC on April 2, 2021 to facilitate the sealing process and maintain the cadence of this litigation. (ECF Nos. 66; 72; 76; 77.) §§ 1798.100â1798.199.95; California Confidentiality of Medical Information Act (âCMIAâ), Cal. Civ. Code §§ 56â56.265; Florida Deceptive and Unfair Trade Practices Act (âFDUTPAâ), Fla. Stat. §§ 501.201â501.213; New Jersey Consumer Fraud Act (âNJCFAâ), N.J. Stat. Ann. §§ 56:8- 1â56:8-20; New York General Business Law (âGBLâ) § 349; Pennsylvania Unfair Trade Practices and Consumer Protection Law (âUTPCPLâ), 73 P.S. §§ 201-1â201-9.2; and South Carolina Data Breach Security Act (âSCDBAâ), S.C. Code Ann. § 39-1-90, claims (collectively, âSelect Statutory Claimsâ) should be dismissed for failure to state a claim. (ECF No. 110.) Plaintiffs filed a Response on July 6, 2021. (ECF No. 123.) The court held a hearing on the Motion on July 20, 2021. (ECF Nos. 136, 137.) II. LEGAL STANDARD A. Applicable Law In federal diversity actions, federal law governs procedural issues and state law governs substantive issues. See Dixon v. Edwards, 290 F.3d 699, 710 (4th Cir. 2002). In the MDL context, a transferee court must apply federal law as interpreted by the circuit where the transferee court sits to matters of procedure. See, e.g., In re Porsche Cars North America, Inc., 880 F. Supp. 2d 801, 815 (S.D. Ohio 2012); McGuffie v. Mead Corp., 733 F. Supp. 2d 592, 594 (E.D. Pa. 2010). Accordingly, the court will apply the United States Court of Appeals for the Fourth Circuitâs interpretation of federal procedural law. In contrast, the court âmust apply the jurisprudence of the relevant stateâs highest court or, if it has not spoken to the issue, predict how the stateâs highest court would ruleâ to analyze Plaintiffsâ state statutory claims. In re Marriott Intâl, Inc., Customer Data Sec. Breach Litig., 440 F. Supp. 3d 447, 467 (D. Md. 2020) (citing Erie Railroad Co. v. Tompkins, 304 U.S. 64, 58 (1938); Private Mortg. Inv. Servs., Inc. v. Hotel & Club Assocs., Inc., 296 F.3d 308, 312 (4th Cir. 2002)). B. Motion to Dismiss A motion to dismiss pursuant to Rule 12(b)(6) âchallenges the legal sufficiency of a complaint.â Francis v. Giacomelli, 588 F.3d 186, 192 (4th Cir. 2009). It is not intended to ââresolve contests surrounding the facts, the merits of a claim, or the applicability of defenses.ââ Presley v. City of Charlottesville, 464 F.3d 480, 483 (4th Cir. 2006) (quoting Edwards v. City of Goldsboro, 178 F.3d 231, 243 (4th Cir. 1999)). A complaint must contain a âshort and plain statement of the claim showing that the pleader is entitled to relief.â Fed. R. Civ. P. 8(a)(2). Thus, â[t]o survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to âstate a claim to relief that is plausible on its face.ââ Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). âA claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.â Id. (quoting Twombly, 550 U.S. at 556). âThe plausibility standard is not akin to a âprobability requirement,â but it asks for more than a sheer possibility that a defendant has acted unlawfully.â Id. (citing Twombly, 550 U.S. at 556). When considering a Rule 12(b)(6) motion to dismiss, the court must accept all well-pled factual allegations as true and view the complaint in the light most favorable to the plaintiff. See e.g., Aziz v. Alcolac, 658 F.3d 388, 391 (4th Cir. 2011); Ostrzenski v. Seigel, 177 F.3d 245, 251 (4th Cir. 1999). However, the court is not required to accept legal conclusions as true. Aziz, 658 F.3d at 391 (citing Iqbal, 556 U.S. at 680). To survive a motion to dismiss, âclaims of fraudâ must satisfy both Rule 8(a)âs plausibility requirement and Federal Rule of Civil Procedure 9(b)âs particularity standard. Xia Bi v. McAuliffe, 927 F.3d 177, 182 (4th Cir. 2019). Rule 9(b) imposes a heightened pleading standard on fraud claims, requiring a plaintiff to âstate with particularity the circumstances constituting fraud or mistake.â Fed. R. Civ. P. 9(b). The Rule 9(b) particularity standard requires a party to, âat a minimum, describe âthe time, place, and contents of the false representations, as well as the identity of the person making the misrepresentation and what he obtained thereby.â These facts are often âreferred to as the who, what, when, where, and how of the alleged fraud.ââ Bakery & Confectionary Union & Indus. Intâl Pension Fund v. Just Born II, Inc., 888 F.3d 696, 705 (4th Cir. 2018) (quoting U.S. ex rel. Wilson v. Kellogg Brown & Root, Inc., 525 F.3d 370, 379 (4th Cir. 2008)). Rule 9(b)âs heightened pleading requirements apply to state law claims litigated in federal court. Topshelf Mgmt., Inc. v. Campbell-Ewald Co., 117 F. Supp. 3d 722, 726 (M.D.N.C. 2015) (citing U.S. ex rel. Palmieri v. Alpharma, Inc., 928 F. Supp. 2d 840, 853 (D. Md. 2013)). As the court will decide the instant Motion to Dismiss before class certification, the courtâs rulings will only bind the named Plaintiffs. MANUAL FOR COMPLEX LITIGATION (FOURTH) § 21.11 (2004) (âMotions such as challenges to jurisdiction and venue, motions to dismiss for failure to state a claim, and motions for summary judgment may be decided before a motion to certify the class, although such precertification rulings bind only the named parties.â). III. ANALYSIS Blackbaud contends that the court should dismiss Plaintiffsâ Select Statutory Claims for failure to state a claim. (ECF No. 110 at 10.) The court will address each claim in turn. A. California Consumer Privacy Act Claims California Plaintiffs Kassandre Clayton (âClaytonâ), Philip Eisen (âEisenâ), Mamie Estes (âEstesâ), and Shawn Regan (âReganâ) (collectively, âCalifornia Plaintiffsâ) allege claims under the CCPA. (ECF No. 77 at 214 ¶ 819 â 216 ¶ 833.) The CCPA provides a private right of action for actual or statutory damages to â[a]ny consumer whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the businessâs violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information[.]â Stasi v. Inmediata Health Grp. Corp., 501 F. Supp. 3d 898, 924 (S.D. Cal. 2020) (quoting Cal. Civ. Code § 1798.150(a) (West 2021)) (emphasis added). Blackbaud contends California Plaintiffsâ CCPA claims fail as a matter of law because Blackbaud is not a âbusinessâ regulated by the Act. (ECF No. 110-1 at 19.) Since the CCPA only applies to data breaches that occurred after January 1, 2020, courts have had few opportunities to dissect the Actâs provisions. See Gardiner v. Walmart Inc., No. 20- CV-04618-JSW, 2021 WL 2520103, at *2 (N.D. Cal. Mar. 5, 2021) (finding that data breaches are only actionable under the CCPA if they occur after January 1, 2020). However, the plain text of the statute is instructive. The CCPA defines a âbusinessâ as a for-profit entity (1) âthat is organized or operated for the profit or financial benefit of its shareholders or other owners that collects consumersâ personal information[;] orâ (2) âon the behalf of which that information is collected[;] orâ (3) âthat alone, or jointly with others, determines the purposes and means of the processing of consumersâ personal information[.]â Cal. Civ. Code § 1798.140(c) (West 2021). Such an entity must also meet one (1) of the following thresholds to qualify as a âbusinessâ under the CCPA: (A) have annual gross revenues in excess of $25 million; (B) annually buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices; or (C) earn more than half of its revenue from selling consumersâ personal information. Id. Here, California Plaintiffs adequately allege that Blackbaud qualifies as a âbusinessâ under the CCPA. First, they specifically maintain that âBlackbaud and its direct customers determine the purposes and means of processing consumersâ personal information. Blackbaud uses consumersâ personal data to provide services at customersâ requests, as well as to develop, improve, and test Blackbaudâs services.â (ECF No. 77 at 215 ¶ 823.) The CCAC is also filled with claims that Blackbaud develops software solutions to process its customersâ patronsâ personal information. (See, e.g., id. at 7 ¶ 15 (âBlackbaud markets itself to Social Good Entities by developing data-hosting âsolutionsâ to meet those entitiesâ needsâ); 115 ¶ 433 (âBlackbaud determines the purposes or means of processing customersâ data based on which solutions or services are utilized by the customersâ); 116 ¶ 436 (Blackbaud offers âprofessional and managed services in which its expert consultants provide data conversion, implementation, and customization services for each of its software solutionsâ).) Second, the California Plaintiffs contend that Blackbaud has âannual gross revenues over $25 million.â (Id. at 214 ¶ 821.) Blackbaudâs status as a âbusinessâ under the CCPA is further supported by Blackbaudâs alleged registration as a âdata brokerâ in California. California Plaintiffs claim that Blackbaud is registered as a âdata brokerâ in California pursuant to Cal. Civ. Code § 1798.99.80. (Id. at 215 ¶ 824.) Cal. Civ. Code § 1798.99.80 provides that a âdata brokerâ is a âbusiness that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.â Cal. Civ. Code § 1798.99.80(d) (West 2021) (emphasis added). The provision also explicitly employs the same definition of âbusinessâ as the CCPA, Cal. Civ. Code § 1798.140(c). Cal. Civ. Code § 1798.99.80(a) (West 2021) (â(a) âBusinessâ has the meaning provided in subdivision (c) of Section 1798.140.â). Since an entity must qualify as a âbusinessâ under the CCPA in order to be registered as a âdata brokerâ in California, Blackbaudâs alleged registration as a âdata brokerâ suggests that it is also a âbusinessâ under the CCPA. Finally, the court rejects Blackbaudâs argument that Blackbaud is not a âbusinessâ under the CCPA because it qualifies as a âservice providerâ under the Act. (ECF No. 110-1 at 19.) The CCPA defines âservice providerâ as a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumerâs personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business. Cal. Civ. Code § 1798.140(v) (West 2021). In other words, a âservice providerâ is a for-profit organization that processes consumer personal information on behalf of a business pursuant to a contract. Thus, a âservice providerâ could also qualify as a âbusinessâ because a âbusinessâ is a for-profit organization âthat alone, or jointly with others, determines the purposes and means of the processing of consumersâ personal information[.]â Cal. Civ. Code § 1798.140(c) (West 2021). Accordingly, the statutory definition of âservice providerâ suggests that âbusinessâ is a broader term that encompasses âservice provider.â Such an interpretation is consistent with the CCPAâs direction that the Act âbe liberally construed to effectuate its purposesâ to âfurther the constitutional right of privacy and to supplement existing laws relating to consumersâ personal information[.]â Cal. Civ. Code §§ 1798.175, 1798.194 (West 2021). Because Blackbaud could be both a âservice providerâ and a âbusinessâ under the CCPA, it would not be insulated from liability under the CCPA if it qualified as a âservice provider.â Consequently, the court need not consider whether Blackbaud is a âservice providerâ under the CCPA to resolve the Motion to Dismiss presently before the court. (ECF No. 110.) As California Plaintiffs adequately assert that Blackbaud constitutes a âbusinessâ under the CCPA, they sufficiently allege violations of the CCPA. Accordingly, the court denies Blackbaudâs Motion to Dismiss California Plaintiffsâ claims under the CCPA. (Id.) B. California Confidentiality of Medical Information Act Claims California Plaintiffs also assert claims under Californiaâs CMIA. (ECF No. 77 at 214 ¶ 819 â 216 ¶ 833.) The CMIA prohibits a âprovider of health careâ from disclosing a patientâs âmedical informationâ without authorization except in certain specified instances. Cal. Civ. Code § 56.10(a) (West 2021). Blackbaud asserts that California Plaintiffsâ CMIA claims should be dismissed because their âmedical informationâ was not exposed as a result of the Ransomware Attack and Blackbaud does not qualify as a âprovider of health careâ under the CMIA. (ECF No. 110-1 at 23-27.) Californiaâs CMIA applies to â[a]ny business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information.â Cal. Civ. Code § 56.06(b); see also Valerie J. Lopez, Health Data Privacy: How States Can Fill the Gaps in HIPAA, 50 U.S.F.L. 313, 326 (2016) (stating âCalifornia's CMIA applies to any business that maintains or offers software that maintains medical information.â) (citing Cal. Civ. Code § 56.06(b) (West 2013)). The CMIA defines âmedical informationâ as âany individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patientâs medical history, mental or physical condition, or treatment.â Cal. Civ. Code § 56.05(j) (West 2021). Thus, âa prohibited release by a health care provider must include more than individually identifiable information but must also include information relating to medical history, mental or physical condition, or treatment of the individualâ to constitute âmedical information.â Eisenhower Med. Ctr. v. Superior Court, 172 Cal. Rptr. 3d 165, 170 (Cal. Ct. App. 2014). Here, Eisen, Estes, and Regan have not plausibly alleged that âinformation relating to [their] medical history, mental or physical condition, or treatmentâ was disclosed during the Ransomware Attack, thus they have failed to sufficiently assert that their âmedical informationâ was exposed as a result of the data breach. Eisenhower, 172 Cal. Rptr. 3d at 170. Estes and Regan claim that their names, SSNs, and tax identification numbers were exposed while Eisen maintains that his street addresses and telephone numbers were compromised. (ECF No. 77 at 25 ¶ 63, 27 ¶ 72, 29 ¶ 82.) All assert that it is unknown how much of their PII was exposed during the Ransomware Attack, but none maintain that their PHI could have been compromised. (Id. at 25 ¶ 64, 27 ¶ 74, 30 ¶ 84.) It is also not plausible that Eisenâs, Estesâ, and Reganâs âmedical informationâ was disclosed during the Ransomware Attack because they allege that their PII was exposed as a result of their relationships with non-profit organizations rather than their interactions with medical providers. Thus, they do not state claims under the CMIA. However, Clayton plausibly alleges that her âmedical informationâ was disclosed during the Ransomware Attack. She claims Community Medical Centers notified her that her name, address, phone number, email address, date of birth, room number, patient identification number, name of hospital where treated, and applicable hospital department or unit may have been exposed and Trinity Health informed her that her name, address, phone number, email, most recent donation date, date of birth, age, inpatient/outpatient status, dates of service, hospital location, patient room number and physician name were exposed. (ECF No. 77 at 22 ¶ 52.) Furthermore, Clayton contends that âadditional medical information, such as [her] diagnosis or treatment planâ may have also been compromised due to Blackbaudâs lack of transparency about the scope of the Ransomware Attack. (Id. at 22 ¶ 53.) Therefore, the information Clayton alleges was compromised in the Ransomware Attack shows when and where she received medical treatment, which doctors treated her, and whether her treatment required an inpatient stay. If more information was exposed during the Ransomware Attack than initially reported, it may also reveal her medical history, mental and/or physical condition, and specific treatments. Accordingly, Clayton has plausibly alleged that âinformation relating to [her] medical history, mental or physical condition, or treatmentâ was exposed during the Ransomware Attack. Eisenhower, 172 Cal. Rptr. 3d at 170. The CMIAâs definition of âprovider of health careâ encompasses traditional medical providers such as nurses, doctors, and hospitals. Cal. Civ. Code § 56.05(m) (West 2021). But in order âto protect the confidentiality of individually identifiable medical information obtained from a patient by a health care provider[,]â the CMIAâs definition of âprovider of health careâ also includes entities that are not ordinarily considered medical providers, such as technology companies that process and maintain âmedical information.â Brown v. Mortensen, 253 P.3d 522, 533 (Cal. 2011) (explaining the protective purpose of the CMIA); Cal. Civ. Code § 56.06(b) (West 2021) (âAny business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information . . . shall be deemed a provider of healthcare subject to the requirements of this part.â). Notably, the CMIA was amended in 2013 to clarify its application to businesses that maintain or offer software that maintains medical information. See A.B. 658, chap. 296, 2013 Leg. (Cal. 2013), amending Cal. Civ. § 56.06(b); see also Assembly Committee on Appropriations, Bill Analysis, A.B. 658 (May 1, 2013). Specifically, the CMIA defines âprovider of health careâ in relevant part as [a]ny business that offers software or hardware to consumers . . . in order to make the information available to an individual or a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage his or her information, or for the diagnosis, treatment, or management of a medical condition of the individual . . . . Cal. Civ. Code § 56.06(b) (West 2021). The purpose of the 2013 amendment of CMIA § 56.06 was to close a loophole âby applying the existing statutory provisions to the newest platform for commercial vendors who offer storage, maintenance, and sharing of sensitive medical information.â Lopez, Health Data Privacy, supra, at 327 (citing Assembly Committee on Appropriations, Bill Analysis, A.B. 658 (May 1, 2013)). Blackbaud falls within this category. Blackbaud first maintains that it is not a âprovider of health careâ under Cal. Civ. Code § 56.06(b) because âCalifornia Plaintiffs never had direct contact with Blackbaud and at no point purchased a product from Blackbaud.â (ECF No. 110-1 at 25.) 4 This argument fails. The statute does not require a business to offer software or hardware directly to a plaintiff in order to qualify as a âprovider of health care.â In fact, the text of the statute provides that a technology company can be a âprovider of health careâ even if the âindividualâ whose information is managed by the technology and the âprovider of health careâ using the technology are not âconsumersâ of the technology. See Cal. Civ. Code § 56.06(b) (West 2021). Moreover, the statutory language suggests that the definition of âconsumersâ is not limited to âindividualsâ because it uses both terms. See id. (â[a]ny business that offers software or hardware to consumers . . . in order to make the information available to an individualâ) (emphasis added). Second, Blackbaud argues that it cannot be a âprovider of health careâ because California Plaintiffs fail to allege that Blackbaud collected their information âfor purposes of allowing the individual to manage his or her information, or for the diagnosis, treatment, or management of a 4 As there is presently no case law interpreting Cal. Civ. Code § 56.06(b), the court will rely on the text of the statute and legislative history to resolve Blackbaudâs challenge. medical condition of the individual[.]â (ECF No. 110-1 at 26 (citing Cal. Civ. Code § 56.06(b) (West 2021)).) In amending Cal. Civ. Code § 56.06 to include businesses that maintain or offer software that maintains medical information, the California legislature intended to ensure that the CMIA would apply to all businesses that maintain medical information âwhether or not the business was organized for that purpose.â Joseph R. Tiffany et al., The Doctor is in, but your Medical Information is Out, 24 No. 1 COMPETITION: J. ANTI. & UNFAIR COMP. L. SEC. ST. B. CAL. 206, 225 (2015); see also Assembly Committee on Appropriations, Bill Analysis, A.B. 658 (May 1, 2013). The court observes that Blackbaudâs argument requires a tortured reading of the CMIA. Cal. Civ. Code § 56.06(b) does not suggest that a business can only be a âprovider of health careâ if its software or hardware is used âfor purposes of allowing the individual to manage his or her information, or for the diagnosis, treatment, or management of a medical condition of the individual[.]â Cal. Civ. Code § 56.06(b) (West 2021). Instead, a business can qualify as a âprovider of health careâ if it offers software or hardware to consumers (1) âin order to make the information available to an individual or a provider of health care at the request of the individual or a provider of health care,â (2) âfor purposes of allowing the individual to manage his or her information, orâ (3) âfor the diagnosis, treatment, or management of a medical condition of the individual[.]â Id. California Plaintiffs plausibly allege that Blackbaud offered its software for such uses. They specifically claim that âBlackbaudâs systems were designed, in part, to make medical information available to Social Good Entities by providing cloud-based computing solutions through which those organizations could store, access, and manage consumersâ medical information, including but not limited to diagnosing, treating, or managing consumersâ medical conditions.â (ECF No. 77 at 217 ¶ 840.) Clayton also maintains that she was ârequired to provide her PHI to several healthcare providers as a predicate to receiving healthcare servicesâ and her âPHI was in turn provided to Blackbaud to be held for safekeeping.â (Id. at 22 ¶ 52.) Because Clayton claims she provided her PHI to several medical centers in order to receive healthcare services and the medical centers entrusted her PHI to Blackbaud, it is plausible that Blackbaudâs software was used âto make the information available to [Clayton] or a provider of health care at the request of [Clayton] or a provider of health careâ or âfor the diagnosis, treatment, or management of [Claytonâs] medical condition[.]â Cal. Civ. Code § 56.06(b) (West 2021). Accordingly, California Plaintiffs plausibly allege that Blackbaud constitutes a âprovider of health careâ under Cal. Civ. Code § 56.06(b). In summary, the court grants in part and denies in part Blackbaudâs Motion to Dismiss California Plaintiffsâ CMIA claims. (ECF No. 110.) The court grants Blackbaudâs Motion to Dismiss as to California Plaintiffs Eisenâs, Estesâ, and Reganâs CMIA claims because they do not allege that their âmedical informationâ was compromised in the Ransomware Attack. (Id.) However, the court denies Blackbaudâs Motion to Dismiss as to California Plaintiff Clayton because she sufficiently asserts that her âmedical informationâ was exposed as a result of the Ransomware Attack and that Blackbaud qualifies as a âmedical providerâ under the CMIA. (Id.) C. Florida Deceptive and Unfair Trade Practice Act Claims FDUTPA proscribes â[u]nfair methods of competition, unconscionable acts or practices, and unfair or deceptive acts or practices in the conduct of any trade or commerce . . . .â Fla. Stat. Ann. § 501.204 (West 2021). âTo enforce this proscription, the Act has created a private cause of action for damages, Fla. Stat. § 501.211(2), and for declaratory or injunctive relief, Fla. Stat. § 501.211(1).â Klinger v. Weekly World News, Inc., 747 F. Supp. 1477, 1479 (S.D. Fla. 1990). In the present case, Florida Plaintiffs William Carpenella and Dorothy Kamm (collectively, âFlorida Plaintiffsâ) assert FDUTPA claims for damages as well as declaratory and injunctive relief. (ECF No. 77 at 233 ¶ 929 â 237 ¶ 944.) To state a claim for damages under FDUTPA, a plaintiff must allege: â(1) a deceptive act or unfair practice; (2) causation; and (3) actual damages.â City First Mortgage Corp. v. Barton, 988 So. 2d 82, 86 (Fla. Dist. Ct. App. 2008). Here, Florida Plaintiffs allege that Blackbaud committed nine (9) deceptive acts or unfair practices. (ECF No. 77 at 234-35 ¶ 933.) In summary, they claim that Blackbaud: âą Failed to adopt reasonable security measures and adequately notify customers and Plaintiffs of the data breach; âą Misrepresented that certain sensitive PII was not exposed during the breach, it would protect Plaintiffsâ PII, and it would adopt reasonable security measures; and âą Concealed that it did not adopt reasonable security measures. (Id.) As a result of such alleged deceptive acts or unfair practices, Florida Plaintiffs assert that they suffered damages such as âfraud and identity theft; time and expenses related to monitoring their financial accounts for fraudulent activity; an increased, imminent risk of fraud and identity theft; and loss of value of their Private Information.â (Id. at 236 ¶ 943.) Viewing the CCAC in the light most favorable to Florida Plaintiffs, Florida Plaintiffs have failed to sufficiently establish the âactual damagesâ leg of the âFDUTPA liability tripod.â Rollins, Inc. v. Butland, 951 So. 2d 860, 871 (Fla. Dist. Ct. App. 2006). Under FDUTPA, a plaintiff may recover âeconomic damages related solely to a product or service purchased in a consumer transaction infected with unfair or deceptive trade practices or acts.â Delgado v. J.W. Courtesy Pontiac GMC-Truck, Inc., 693 So. 2d 602, 606 (Fla. Dist. Ct. App. 1997) (emphasis added). A plaintiff may not recover for âdamage to property other than the property that is the subject of the consumer transaction.â Fla. Stat. Ann. § 501.212(3) (West 2021). Thus, FDUTPA âentitles a consumer to recover damages attributable to the diminished value of the goods or services received, but does not authorize recovery of consequential damages to other property attributable to the consumerâs use of such goods or services.â Schauer v. Morse Operations, Inc., 5 So. 3d 2, 7 (Fla. Dist. Ct. App. 2009). In the present case, the data management software Blackbaud provided to Social Good Entities is âthe property that is the subject of the consumer transaction.â Fla. Stat. Ann. § 501.212(3) (West 2021). Throughout the CCAC, Florida Plaintiffs contend that Social Good Entities purchased software solutions from Blackbaud to store, analyze, and manage their patronsâ data. (See, e.g., ECF No. 77 at 6 ¶ 12, 13-14 ¶ 30, 112 ¶ 424, 115 ¶ 431.) They do not maintain that Social Good Entities sold or licensed their patronsâ data to Blackbaud. Thus, like the subject of a sale of photo editing software is the software and not the pictures that the purchaser edits with the software, the subject of Social Good Entitiesâ purchase of data management software is the software rather than the data they managed with the software. Accordingly, Florida Plaintiffs can only recover for damages to the data management products organizations purchased from Blackbaud to maintain Florida Plaintiffsâ PII. However, Florida Plaintiffs allege no such damages. Fraud and identity theft, time and money spent on mitigation, an increased risk of fraud and identity theft, and loss of value of Florida Plaintiffsâ PII do not constitute harm to the data management products Social Good Entities purchased from Blackbaud to maintain Florida Plaintiffsâ data. (Id. at 236 ¶ 943.) Instead, such injuries constitute harm to Florida Plaintiffsâ bank accounts, emotional well-being, and data. As Florida Plaintiffs have not alleged damages to âthe property that is the subject of the consumer transaction[,]â they have failed to sufficiently assert âactual damagesâ under FDUTPA. Fla. Stat. Ann. § 501.212(3) (West 2021). Therefore, the court grants Blackbaudâs Motion to Dismiss Florida Plaintiffsâ FDUTPA claims seeking damages. (ECF No. 110.) Although Florida Plaintiffs fail to state a claim for damages under FDUTPA, they adequately state a claim for injunctive relief under FDUTPA. FDUTPA makes âdeclaratory and injunctive relief available to a broader class of plaintiffs than could recover damages.â Smith v. Wm. Wrigley Jr. Co., 663 F. Supp. 2d 1336, 1339 (S.D. Fla. 2009). Thus, to state a claim for injunctive relief, âthe plain language of the statute requires a plaintiff to allege that the defendant engaged in a deceptive act or practice in trade or commerce, § 501.204(1), and that the plaintiff be a person âaggrievedâ by the deceptive act or practice, § 501.211(1).â Klinger, 747 F. Supp. at 1480; see also Wyndham Vacation Resorts, Inc. v. Timeshares Direct, Inc., 123 So. 3d 1149, 1152 (Fla. Dist. Ct. App. 2012). Blackbaud presently does not dispute that Florida Plaintiffs have alleged that Blackbaud engaged in a deceptive act or unfair practice. (See ECF No. 110-1.) Florida Plaintiffs have also plausibly pled that they were âaggrievedâ by Blackbaudâs allegedly deceptive acts or unfair practices. They maintain that Blackbaudâs security failures contributed to the Ransomware Attack that compromised their data, exposing them to fraud and identity theft and diminishing the value of their PII. (ECF No. 77 at 234 ¶ 933 â 236 ¶ 943.) Florida Plaintiffs further assert that Blackbaudâs misrepresentations and omissions about its security efforts and the scope of the Ransomware Attack prompted them to take mitigation efforts out of fear that they were at an increased risk for fraud or identity theft. (Id.) As Florida Plaintiffs have sufficiently alleged a claim for declaratory and injunctive relief under FDUTPA, the court denies Blackbaudâs Motion to Dismiss Florida Plaintiffsâ FDUTPA declaratory and injunctive relief claims. (ECF No. 110.) D. New Jersey Consumer Fraud Act Claims Blackbaud contends that New Jersey Plaintiffs Martin Rothâs and Rachel Rothâs (collectively, âNew Jersey Plaintiffsâ) claims under the NJCFA should be dismissed for failure to state a claim. (ECF No. 110-1 at 31-35.) Blackbaud asserts its services do not fall within the purview of the NJCFA because it sells services to sophisticated businesses and entities, not the general public. (ECF No. 110-1 at 32.) As such, New Jersey Plaintiffs are not âconsumersâ of its services protected by the NJCFA. To state a NJCFA claim, a âconsumerâ must allege sufficient facts to demonstrate (1) unlawful conduct by the defendant that violates the NJCFA; (2) an ascertainable loss by the plaintiff; and (3) a causal relationship between the unlawful conduct and the ascertainable loss. Gonzalez v. Wilshire Credit Corp., 25 A.3d 1103, 1115 (N.J. 2011) (citing Lee v. Carter-Reed Co., L.L.C., 4 A.3d 561, 576 (N.J. 2010)). âIt is well-established that NJCFA claims must meet the heightened pleading requirements of Fed. R. Civ. P. 9(b).â Lieberson v. Johnson & Johnson Consumer Cos., Inc., 865 F. Supp. 2d 529, 538 (D.N.J. 2011) (citing Frederico v. Home Depot, 507 F.3d 188, 200 (3d Cir. 2007)). Although Blackbaud does not explicitly contend that New Jersey Plaintiffs lack statutory standing, the court construes Blackbaudâs assertion that New Jersey Plaintiffsâ claims âfall outside the NJCFAâs purviewâ as a challenge to statutory standing. (ECF No. 110-1 at 31-32, 32 n. 2.) Statutory standing is a âdistinctâ concept from Article III and prudential standing. CGM, LLC v. BellSouth Telecomms., Inc., 664 F.3d 46, 52 (4th Cir. 2011). Statutory standing âapplies only to legislatively-created causes of actionâ and concerns âwhether a statute creating a private right of action authorizes a particular plaintiff to avail herself of that right of action.â Id. A motion to dismiss for lack of statutory standing is addressed under Rule 12(b)(6) rather than Rule 12(b)(1) because a âdismissal for lack of statutory standing is properly viewed as a dismissal for failure to state a claim rather than a dismissal for lack of subject matter jurisdiction.â Id. (citing Vaughn v. Bay Envtl. Mgmt., Inc., 567 F.3d 1021, 1024 (9th Cir. 2009)). The NJCFA âprovides a private cause of action to consumers who are victimized by fraudulent practices in the marketplace,â Gonzalez, 25 A.3d at 1114, and prohibits a person from using an âunconscionable commercial practice, deception, fraud,â or the like âin connection with the sale or advertisement of any merchandise or real estate.â N.J. Stat. Ann. § 56:8-2. Merchandise is defined as âany objects, wares, goods commodities, services or anything offered, directly or indirectly to the public for sale.â Id. § 56:8- 1. The NJCFA âis not intended to cover every transaction that occurs in the marketplace[,]â instead â[i]ts applicability is limited to consumer transactions which are defined both by the status of the parties and the nature of the transaction itself.â Arc Networks, Inc. v. Gold Phone Card Co., 756 A.2d 636, 638 (N.J. Super. Ct. Law Div. 2000) (citing City Check Cashing, Inc. v. National State Bank, 582 A.2d 809 (N.J. App. Div. 1990)). Accordingly, only âconsumersâ and âcommercial competitorsâ have statutory standing to bring claims under the NJCFA. 800-JR Cigar, Inc. v. GoTo.com, Inc., 437 F. Supp. 2d 273, 295- 96 (D.N.J. 2006) (citing Conte Bros. Automotive, Inc. v. Quaker State-Slick 50, Inc., 992 F. Supp. 709, 716 (D.N.J. 1998)). In order to recover under the NJCFA as a âconsumer,â âa Plaintiff must be a consumer of the product vis-Ă -vis the defendant.â In re Managed Care Litig., 298 F. Supp. 2d 1259, 1303-04 (S.D. Fla. 2003). Although the NJCFA does not define âconsumer,â New Jersey courts have interpreted the term to mean âone who uses economic goods and so diminishes or destroys their utilities.â U.S. ex rel. Krahling v. Merck & Co., Inc., 44 F. Supp. 3d 581, 607 (E.D. Pa. 2014) (citing City Check Cashing, Inc. v. Natâl State Bank, 582 A.2d 809, 811 (N.J. Super. Ct. App. Div. 1990)). A plaintiff does not qualify as a âconsumerâ if they do not purchase a product for consumption. See Standard Fire Ins. Co. v. MTU Detroit Diesel, Inc., No. CIV. A. 07-3827 GEB, 2009 WL 2568199, at *5 (D.N.J. Aug. 13, 2009) (finding that an insurance company asserting an NJCFA claim product defect claim was not a âconsumerâ because it âdid not even purchase the yacht at issueâ); In re Schering-Plough Corp. Intron/Temodar Consumer Class Action, No. 2:06- CV-5774(SRC), 2009 WL 2043604, at *31 (D.N.J. July 10, 2009) (âProducts and services that are purchased for consumption or use in the operation of a business are covered by the NJCFA.â) (concluding that third-payor payers who did not âuse or consume the drugs they purchase[d]â were not âconsumersâ of the drugs they purchased); Windsor Card Shops, Inc. v. Hallmark Cards, Inc., 957 F. Supp. 562, 567 n.6 (D.N.J. 1997) (holding that a corporation âcannot sue as a consumer of goods under [the] NJCFAâ when it âpurchased the goods at wholesale to sell to its store customersâ). Here, New Jersey Plaintiffs are not âconsumersâ entitled to the protection of the NJCFA. Martin Roth alleges that Blackbaud maintained his data as a result of his relationship with Joseph Kushner Hebrew Academy and claims that the school retained his data because his âchildren attended Joseph Kushner Hebrew Academy and he also made charitable donations during the time his children attended the school.â (ECF No. 77 at 66 ¶ 231.) Such assertions do not plausibly establish that Martin Roth was a âconsumerâ of Blackbaudâs data management services. They do not suggest that Martin Roth knew that Blackbaud existed or managed his data on behalf of Joseph Kushner Hebrew Academy, let alone that he purchased and used Blackbaudâs services. Further, Martin Rothâs donation to Joseph Hebrew Academy does not render him a âconsumerâ of philanthropy. Donors are not âconsumersâ under the NJCFA because they are ânot being approached in their commonly accepted capacity as consumersâ and a donation âinvolves neither commercial goods nor commercial services.â See Del Tufo v. Natâl Republican Senatorial Comm., 591 A.2d 1040, 1042 (N.J. Super. Ct. Ch. Div. 1991). Thus, the CCAC does not plausibly allege that Martin Roth purchased any services for consumption. Similarly, Rachel Roth does not plausibly contend that she is a âconsumerâ of Blackbaudâs services. Rachel Roth claims that Blackbaud stored her data as a result of her attendance at Joseph Kushner Hebrew Academy from 2005 through 2014. (ECF No. 77 at 68 ¶¶ 239, 240.) But like Martin Roth, she does not assert that she purchased or used Blackbaudâs services, knew Blackbaud existed, or perceived that Blackbaud managed her data. (See id. at 67 ¶ 238 â 69 ¶ 246.) Therefore, New Jersey Plaintiffs fail to state claims under the NJCFA because they do not plausibly allege that they are âconsumersâ of services entitled to the NJCFAâs protection. Accordingly, the court grants Blackbaudâs Motion to Dismiss New Jersey Plaintiffsâ NJCFA claims. (ECF No. 110.) E. New York General Business Law § 349 Claims New York Plaintiffs Ralph Peragine and Karen Zielinski (collectively, âNew York Plaintiffsâ) assert claims under GBL § 349. (ECF No. 77 at 342 ¶ 1443 â 344 ¶ 1451.) To bring a claim for a violation of GBL § 349, a plaintiff must plausibly allege three elements: (1) âthe challenged act or practice was consumer-oriented;â (2) the act or practice âwas misleading in a material way;â and (3) âthe plaintiff suffered injury as a result of the deceptive act[.]â Stutman v. Chem. Bank, 731 N.E.2d 608, 611 (N.Y. 2000). Blackbaud contends that New York Plaintiffs have failed to establish the first element of a GBL § 349 claim. An act or practice is âconsumer-orientedâ if it has âa broader impact on consumers at large.â Oswego Laborersâ Local 214 Pension Fund v. Marine Midland Bank, N.A., 647 N.E.2d 741, 744 (N.Y. 1995). Thus, â[p]laintiffs must allege conduct that implicates the public interest, something more than a single-shot consumer transaction or a contract dispute unique to the parties.â Phifer v. Home Savers Consulting Corp., No. 06 CV 3841 (JG), 2007 WL 295605, at *5 (E.D.N.Y. Jan. 30, 2007) (citing Teller v. Bill Hayes, Ltd., 630 N.Y.S.2d 769 (N.Y. App. Div. 1995)). However, GBL § 349 does ânot impose a requirement that consumer-oriented conduct be directed to all members of the public[.]â Plavin v. Grp. Health Inc., 146 N.E.3d 1164, 1170 (N.Y. 2020). The âconsumer-orientedâ act or practice requirement has been âconstrued liberally.â New York v. Feldman, 210 F. Supp. 2d 294, 301 (S.D.N.Y. 2002). Contrary to Blackbaudâs assertions, New York Plaintiffs adequately plead that Blackbaudâs allegedly deceptive acts were âconsumer-oriented.â New York Plaintiffs allege that Blackbaud engaged in nine (9) deceptive acts or practices in violation of GBL § 349. (ECF No. 77 at 342-43 ¶ 1444.) Essentially, they assert that Blackbaud: âą Failed to implement reasonable security measures and timely and adequately notify Blackbaud customers, New York Plaintiffs, and New York Subclass members of the data breach; âą Misrepresented its security measures and the scope of the data breach; and âą Concealed the fact that it did not reasonably secure the PII and/or PHI of New York Plaintiffs and New York Subclass members. (Id.) Viewing the CCAC in the light most favorable to New York Plaintiffs, New York Plaintiffs plausibly claim that such deceptive acts had âa broader impact on consumers at large.â Oswego, 647 N.E.2d at 744. They maintain that Blackbaudâs misrepresentations and omissions deceived donors, patients, students, and congregants in New York to believe they did not need to take actions to secure their identities because their data was not exposed. (ECF No. 77 at 6 ¶ 11, 343-44 ¶ 1446.) They also assert that Blackbaudâs deceptions misled donors, patients, students, and congregants in New York about the adequacy of Blackbaudâs data security. (Id. at 6 ¶ 11, 343 ¶ 1445.) Specifically, New York Plaintiffs claim that they would not have entrusted their PII and/or PHI to a Social Good Entity if they had known that one of the primary cloud computing vendors the entity entrusted with their PII and/or PHI failed to maintain adequate data security. (Id. at 69- 70 ¶ 248, 72 ¶ 258.) Such allegations suggest that Blackbaudâs allegedly deceptive acts caused donors, patients, students, and congregants in New York to suffer avoidable injuries such as identity theft and diminished data value. Accordingly, it is plausible that Blackbaudâs misrepresentations and omissions impacted a broad segment of New York consumers. As privity is not required to state a claim under GBL § 349, it is irrelevant that New York Plaintiffs are not direct consumers of Blackbaud. See Bildstein v. MasterCard Intâl, Inc., No. 03 CIV.9826I(WHP), 2005 WL 1324972, at *3 (S.D.N.Y. June 6, 2005). While the typical case under section 349 generally involves claims arising directly out of a commercial transaction between a plaintiff consumer and a defendant seller, neither the text of the statute nor the case law establishes this requirement. The phrase âcommercial transactionâ can be found nowhere in the plain language of the statute, and section 349(h) specifically empowers â[a]ny person who has been injured by reason of any violation of this sectionâ to bring an action. GBL § 349(h). Indeed, â[t]here is no requirement of privity, and victims of indirect injuries are permitted to sue under the Act.â In re Methyl Tertiary Butyl Ether Products Liab. Litig., 175 F. Supp. 2d 593, 630-31 (S.D.N.Y. 2001) (quoting Vitolo v. Dow, 634 N.Y.S.2d 362 (N.Y. Sup. Ct. 1995)). âThe critical question, then, is whether the matter affects the public interest in New York, not whether the suit is brought by a consumer or a competitor.â Securitron Magnalock Corp. v. Schnabolk, 65 F.3d 256, 264 (2d Cir. 1995). Furthermore, Blackbaudâs allegedly deceptive acts are similar to other acts that courts have found to be âconsumer-orientedâ under GBL § 349. Conduct has been held to be sufficiently consumer-oriented to satisfy the statute âwhere it involved âan extensive marketing scheme,â where it involved the âmulti-media dissemination of information to the public,â and where it constituted a standard or routine practice that was âconsumer-oriented in the sense that [it] potentially affect[ed] similarly situated consumers.ââ Tomassini v. FCA U.S. LLC, No. 3:14-CV- 1226 MAD/DEP, 2015 WL 3868343, at *4 (N.D.N.Y. June 23, 2015) (quoting N. State Autobahn, Inc. v. Progressive Ins. Grp. Co., 953 N.Y.S.2d 96, 102 (N.Y. App. Div. 2012)). Additionally, âcourts have allowed claims under Section 349 where misleading statements are made to third parties resulting in harm to consumers.â Bose v. Interclick, Inc., No. 10 CIV. 9183 DAB, 2011 WL 4343517, at *8 (S.D.N.Y. Aug. 17, 2011) (citing Securitron, 65 F.3d at 264; Kuklachev v. Gelfman, 600 F. Supp. 2d 437, 476 (E.D.N.Y. 2009)). In the present case, New York Plaintiffs assert that Blackbaudâs public misrepresentations about the scope of the Ransomware Attack misled Plaintiffs into believing they did not need to take mitigation measures against identity theft and fraud. (ECF No. 77 at 343-44 ¶ 1446.) Such conduct is akin to an âextensive marketing schemeâ utilizing âmulti-media dissemination of information to the publicâ since Blackbaud allegedly promulgated misrepresentations about the extent of the Ransomware Attack through media interviews, its website, and Social Good Entities. (Id. at 9 ¶ 20, 16 ¶ 36, 70 ¶ 251, 72-73 ¶ 261, 138 ¶ 499.) New York Plaintiffs also claim that âmisleading statements [were] made to third parties resulting in harm to consumersâ because they contend Blackbaudâs misrepresentations about its data security to its customers prevented consumers from protecting their data. (Id. at 6 ¶ 11, 69-70 ¶ 248, 72 ¶ 258, 343 ¶ 1445.) Since New York Plaintiffs have sufficiently alleged that Blackbaud engaged in acts in violation of GBL § 349 that were âconsumer-oriented,â the court denies Blackbaudâs Motion to Dismiss New York Plaintiffsâ GBL § 349 claims. (ECF No. 110.) F. Pennsylvania Unfair Trade Practices and Consumer Protection Law Claim Pennsylvania Plaintiff Christina Duranko (âPennsylvania Plaintiffâ) asserts a claim under the UTPCPL. (ECF No. 77 at 362 ¶ 1531 â 365 ¶ 1542.) The UTPCPL provides a private cause of action to â[a]ny person who purchases or leases goods or services primarily for personal, family or household purposes and thereby suffers any ascertainable loss of money or property, real or personal, as a result of the use or employment by any person of a method, act or practice declared unlawfulâ by the Act. 3 Pa. Stat. Ann. § 201-9.2 (West 2021). To maintain a private right of action under the UTPCPL, âa plaintiff must show that he justifiably relied on the defendantâs wrongful conduct or representation and that he suffered harm as a result of that reliance.â Yocca v. Pittsburgh Steelers Sports, Inc., 854 A.2d 425, 438 (Pa. 2004); see also Hunt v. U.S. Tobacco Co., 538 F.3d 217, 221 (3d Cir. 2008). âIt is the plaintiffâs burden to prove justifiable reliance in the complaint.â Riviello v. Chase Bank USA, N.A., No. 3:19-CV-0510, 2020 WL 1129956, at *4 (M.D. Pa. Mar. 4, 2020) (citing Weinberg v. Sun Co., Inc., 777 A.2d 442, 446 (Pa. 2001)). Pennsylvania Plaintiff has failed to meet this burden. Pennsylvania Plaintiffâs UTPCPL claim is premised on both Blackbaudâs alleged misrepresentations and its alleged omissions. She asserts that Blackbaud misrepresented that it would protect the privacy and confidentiality of her information, the scope of the Ransomware Attack, and that it would comply with common law and statutory duties pertaining to the security and privacy of her information. (ECF No. 77 at 362-63 ¶ 1535). She also maintains that Blackbaud omitted that it did not adequately secure her information or comply with common law and statutory duties pertaining to the security and privacy of her information. (Id.) However, Pennsylvania Plaintiff does not sufficiently allege that she relied on such alleged misrepresentations and omissions. She claims that she was ârequired to provide her PHI to her healthcare provider as a predicate to receiving healthcare services[,]â her PHI âwas in turn provided to Blackbaud to be held for safekeeping[,]â and she suffered injuries as a result of her ârelianceâ on Blackbaudâs misrepresentations and omissions. (Id. at 85 ¶ 310, 364 ¶ 1541.) But the CCAC is bereft of allegations suggesting that Pennsylvania Plaintiff knew that Blackbaud maintained her data or was exposed to representations Blackbaud made to her or her healthcare provider. In fact, the CCAC does not even assert that Pennsylvania Plaintiff knew that Blackbaud existed. Pennsylvania Plaintiff does maintain that she âwould not have entrusted her Private Information to one or more Social Good Entities had she known that one of the entityâs primary cloud computing vendors entrusted with her Private Information failed to maintain adequate data security.â (Id. at 84-85 ¶ 309.) However, such an assertion is nothing more than a conclusory allegation. Thus, even viewing the CCAC in the light most favorable to Pennsylvania Plaintiff, Pennsylvania Plaintiff has failed to adequately establish the reliance requirement of a UTPCPL claim. Recognizing the weakness of her claim, Pennsylvania Plaintiff asks the court to âhold that [her] UTPCPL theories based on Blackbaudâs omissions may nonetheless proceedâ because reliance is not an element of an omission-based UTPCPL claim. (ECF Nos. 123 at 38 n.11; 137 at 58:13-17.) Such an interpretation of UTPCPL case law ârelaxes the âjustifiable relianceâ element of a UTPCPL claim far too much[.]â In re Rutterâs Inc. Data Sec. Breach Litig., No. 1:20- CV-382, 2021 WL 29054, at *20 (M.D. Pa. Jan. 5, 2021). Pennsylvania courts âhave presumed reliance [in UTPCPL cases] only under narrow circumstances not present here, such as securities fraud[] and manufacturing defects[.]â Moore v. Angieâs List, Inc., 118 F. Supp. 3d 802, 817 n.8 (E.D. Pa. 2015). Pennsylvania Plaintiff correctly notes that plaintiffs were not required to establish reliance to prove their omission-based UTPCPL claims in Drayton v. Pilgrimâs Pride Corp., No. 03-2334, 2004 WL 765123 (E.D. Pa. Mar. 31, 2004) and Zwiercan v. Gen. Motors Corp., 58 Pa. D. & C. 4th 251 (Pa. Com. Pl. 2002). (ECF No. 123 at 37.) However, Drayton and Zwiercan stand for the limited proposition that reliance can be presumed in UTPCPL actions where a manufacturer knows of a dangerous safety defect that customers would be unable to discover themselves. Drayton, 2004 WL 765123, at *7 (citing Zwiercan, 58 Pa. D. & C. 4th 251). Drayton presumed the reliance element of a UTPCPL claim against defendant poultry processing plants by a plaintiff whose husband died from ingestion of listeria-contaminated meat, while Zwiercan did not require a plaintiff car purchaser to establish the reliance element in a UTPCPL action against a defendant car manufacturer for dangerously defective front seats. 2004 WL 765123, at *7; 58 Pa. D. & C. 4th 251. In other words, Drayton and Zwiercan both involved manufacturers of potentially- dangerous products that âallegedly knew their product was adulterated and therefore dangerous, and would therefore have a duty to advise unsophisticated consumers of that material fact.â Drayton, 2004 WL 765123, at *7 (citing Zwiercan, 58 Pa. D. & C. 4th 251). Acknowledging that the decision to presume reliance in both cases was driven by the life-threatening consequences of the omissions at issue, the court in Drayton explicitly noted that âin normal UTPCPL false advertising claims reliance is required[.]â Id. The facts of the present case are more similar to a ânormal UTPCPL false advertising claim[]â than to the facts in Drayton and Zwiercan. Id. Defendants in data breach cases cannot be âaptly compared to a car manufacturer or a meat-processing plantâ because they are ânot duty- bound, like a car manufacturer with front seat defects or meat-processer with a listeria outbreak, to alert customers or state or federal officials as to any potential data-security issues.â In re Rutterâs, 2021 WL 29054, at *21. Here, Pennsylvania Plaintiff did not purchase a potentially- dangerous product that would impose a duty on Blackbaud to notify Pennsylvania Plaintiff or government officials of any potential data-security issues. Unlike the omissions in Drayton and Zwiercan, Blackbaudâs alleged omissions about its data security practices did not expose its customers and their patrons to life-or-death consequences. Pennsylvania Plaintiffâs UTPCPL data breach claim also differs from the UTPCPL product defect claims at issue in Drayton and Zwiercan because âthe plaintiffs in Zwiercan and Drayton were totally unable to establish the reliance elementâin both cases, âthe unsophisticated Plaintiff is at the mercy of the Defendant to inform her of a known safety defect.ââ Id. at *21 (quoting Zwiercan, 58 Pa. D. & C. 4th 251). In contrast, Blackbaud made representations about its security infrastructure and the scope of the Ransomware Attack in the present case. Pennsylvania Plaintiff does not assert that she relied on such representations when deciding to entrust her data to her healthcare provider and Blackbaud. Given that this case does not involve a potentially-dangerous product and Pennsylvania Plaintiff could have established the reliance element of a UTPCPL claim based on Blackbaudâs alleged misrepresentations, the court finds that the reliance presumption enunciated in Drayton and Zwiercan does not apply here. This conclusion is supported by the United States District Court for the Middle District of Pennsylvaniaâs decision not to extend the reliance presumption articulated in Drayton and Zwiercan to the data breach context in In re Rutterâs. 2021 WL 29054, at *21. As Pennsylvania Plaintiff does not sufficiently assert that she justifiably relied on Blackbaudâs alleged misrepresentations and omissions and a presumption of reliance does not apply to the facts of this case, Pennsylvania Plaintiff has failed to establish the justifiable reliance requirement of a UTPCPL claim. Accordingly, the court grants Blackbaudâs Motion to Dismiss Pennsylvania Plaintiffâs UTPCPL claim. (ECF No. 110.) G. South Carolina Data Breach Security Act Claims South Carolina Plaintiffs Latricia Ford and Clifford Scott (collectively, âSouth Carolina Plaintiffsâ) advance SCDBA claims under S.C. Code Ann. § 39-l-90(a). (ECF No. 77 at 370 ¶ 1574 â 372 ¶ 1581.) S.C. Code Ann. § 39-l-90(A) requires a person conducting business in South Carolina and âowning or licensing computerized data or other data that includes personal identifying informationâ to notify South Carolina residents in the event of a data breach. S.C. Code Ann. § 39-1-90(A) (West 2021) (emphasis added). Blackbaud maintains that it is not liable under the SCDBA because it does not âown[] or licens[e]â data. (ECF No. 110-1 at 41-44 (citing S.C. Code Ann. § 39-l-90(A) (West 2021).) The court agrees. The CCAC features the conclusory assertion that Blackbaud âis a business that owns or licenses computerized data or other data that includes personal identifying information as defined by S.C. Code Ann. § 39-1-90(A).â (ECF No. 77 at 371 at ¶ 1575.) However, it does not âcontain sufficient factual matterâ to plausibly allege that Blackbaud âown[s] or licens[es]â data. Iqbal, 556 U.S. at 678; S.C. Code Ann. § 39-l-90(A) (West 2021). The CCAC suggests that Blackbaud possesses data, contending that Social Good Entities âentrusted Plaintiffsâ and class membersâ data to Blackbaudâ and Blackbaud âhostedâ information from Social Good Entities. (ECF No. 77 at 7- 8 ¶ 15, 8 ¶ 16, 11 ¶ 24.) But it does not assert that Blackbaud has an ownership interest or other form of legal entitlement to the data it receives from Social Good Entities and their patrons. Possession may be a necessary condition of âowning or licensing[,]â but it is not sufficient to establish âowning or licensing[.]â S.C. Code Ann. § 39-l-90(A) (West 2021). In fact, South Carolina Plaintiffsâ counsel admitted at the hearing that they âalleged the bare minimum in [their] complaintâ and professed âitâs really difficult to stand here and argue that [Blackbaud is] without a doubt an owner or licensor without additional information.â (ECF No. 137 at 60:1-3.) âLabels, conclusions, recitation of a claimâs elements, and naked assertions devoid of further factual enhancement will not suffice to meet the Rule 8 pleading standard.â ACA Fin. Guar. Corp. v. City of Buena Vista, Virginia, 917 F.3d 206, 211 (4th Cir. 2019). As the CCAC contains nothing more than a naked assertion that Blackbaud âis a business that owns or licensesâ data, South Carolina Plaintiffs have failed to plausibly allege that Blackbaud is a business âowning or licensingâ data under S.C. Code Ann. § 39-l-90(A). (ECF No. 77 at 371 at ¶ 1575); S.C. Code Ann. § 39-l-90(A) (West 2021). In their Response, South Carolina Plaintiffs assert that they state a claim under the SCDBA because they fulfill the pleading requirements for a SCDBA claim under S.C. Code Ann. § 39-l- 90(B). (ECF No. 123 at 39-41.) This argument is unavailing. Unlike S.C. Code Ann. § 39-l- 90(A) which only applies to those âowning or licensingâ data, S.C. Code Ann. § 39-l-90(B) requires a person doing business in South Carolina and âmaintaining computerized data or other data that includes personal identifying information that the person does not ownâ to notify the owner or licensee of the information after a data breach. S.C. Code Ann. § 39-l-90(A)-(B) (West 2021) (emphasis added). Thus, S.C. Code Ann. § 39-l-90(A) and S.C. Code Ann. § 39-l-90(B) provide for separate claims. See Morgan v. Haley, No. 2012-CP-4007331, 2013 WL 8335566, at *2 (S.C. Com. Pl. February 27, 2013) (noting that the plaintiff asserted âtwo separate claimsâ under S.C. Code Ann. § 39-l-90(A) and S.C. Code Ann. § 39-l-90(B)). Here, South Carolina Plaintiffs explicitly pursue claims under S.C. Code Ann. § 39-l-90(A) and fail to even reference S.C. Code Ann. § 39-l-90(B) in the CCAC. (ECF No. 77 at 370 ¶ 1574 â 372 ¶ 1581.) Since they fail to provide âa short and plain statement of [a S.C. Code Ann. § 39-l-90(B)] claim showing that [they are] entitled to relief[,] South Carolina Plaintiffs do not assert claims under S.C. Code Ann. § 39- l-90(B) in the CCAC. Fed. R. Civ. P. 8(a)(2). As South Carolina Plaintiffs only assert a SCDBA claim under S.C. Code Ann. § âĄâĄâĄâĄâĄ 90(A) and do not plausibly allege that Blackbaud is a business âowning or licensingâ data, the court grants Blackbaudâs Motion to Dismiss South Carolina Plaintiffsâ SCDBA claims. (ECF No. 110.) IV. CONCLUSION For the foregoing reasons, the court GRANTS IN PART and DENIES IN PART Blackbaudâs Motion to Dismiss. (ECF No. 110.) Specifically, the court: e Denies Blackbaudâs Motion to Dismiss California Plaintiffsâ CCPA claims; e Grants Blackbaudâs Motion to Dismiss California Plaintiffs Eisenâs, Estesâ, and Reganâs CMIA claims; e Denies Blackbaudâs Motion to Dismiss California Plaintiff Claytonâs CMIA claim; e Grants Blackbaudâs Motion to Dismiss Florida Plaintiffsâ FDUTPA claims seeking damages; e Denies Blackbaudâs Motion to Dismiss Florida Plaintiffsâ FDUTPA declaratory and injunctive relief claims; e Grants Blackbaudâs Motion to Dismiss New Jersey Plaintiffsâ NJCFA claims; e Denies Blackbaudâs Motion to Dismiss New York Plaintiffsâ GBL § 349 claims; e Grants Blackbaudâs Motion to Dismiss Pennsylvania Plaintiff's UTPCPL claim; and e Grants Blackbaudâs Motion to Dismiss South Carolina Plaintiffsâ SCDBA claims. IT IS SO ORDERED. ft United States District Judge August 12, 2021 Columbia, South Carolina 33
Case Information
- Court
- D.S.C.
- Decision Date
- August 12, 2021
- Status
- Precedential