Data Privacy and Cybersecurity Litigation Update - November 2021
November 2, 2021
There’s never a dull moment in the burgeoning field of data privacy and cybersecurity litigation. Every week seems to bring a new court decision or government press release on the topic. The following are brief summaries of recent litigation impacting the data privacy and cybersecurity legal arena.
Court applies novel theory of “duty” to sustain Blackbaud class action consumer negligence claims
Blackbaud is a leading provider of cloud data storage, focusing on serving nonprofit and healthcare clients. Those clients store large amounts of data regarding their donors and customers in Blackbaud’s systems. Between February and May 2020, hackers infiltrated Blackbaud’s data environment, copying and exfiltrating large amounts of the clients’ data—often the personally identifiable information (PII) and protected health information (PHI) of donors and customers. After discovering the hack, Blackbaud paid the hackers a ransom in exchange for destruction of the data, then began informing its clients of the breach and its scope. Many of those clients, in turn, had to notify their donors and customers of the breach. This entire process took several months.
Several different groups of consumers—the donors and customers of Blackbaud’s clients—sued Blackbaud for various violations of state and federal laws, including both statutory and common law. Those cases were consolidated into a single proceeding, now pending in the District of South Carolina, where Blackbaud is headquartered. In August, the presiding judge issued a split decision on Blackbaud’s motion to dismiss, dismissing several state statutory claims but sustaining a claim under the California Consumer Privacy Act (CCPA).
More recently, the same judge considered Blackbaud’s motion to dismiss the putative class’s common-law negligence claims, and allowed those claims to proceed on the basis of a theory of legal “duty” that could be important in other data-breach litigation. Blackbaud argued that the negligence claim against it should be dismissed because Blackbaud did not owe any duty to the putative class members, who had a direct relationship with Blackbaud’s clients but not Blackbaud itself.
The court rejected Blackbaud’s argument, holding that the purpose of Blackbaud’s contracts with its clients “was to maintain and secure Plaintiffs’ Private Information.” Blackbaud was also “in the best position to prevent harm associated with a data breach to its systems.” Therefore, consistent with a 2019 decision of the South Carolina Supreme Court that found a drug testing laboratory owed a duty of care to the employees subject to testing, rather than just the employer with whom the lab had a relationship, the judge in the Blackbaud case determined that Blackbaud owed a duty of care to the plaintiffs and allowed the claim to proceed. Earlier, in October 2020, the District of Maryland reached a similar decision in a consumer class action against Marriott’s IT vendor.
Blackbaud’s relationship to its clients and their customers is common: many businesses rely on third-party vendors to store customer data. If the analysis from the Blackbaud decision is used in other cases, those third-party vendors will not be able to rely on their lack of a direct relationship with the customers to insulate them from negligence claims stemming from data breaches.
Marriott’s board of directors narrowly escapes shareholder action alleging failure to protect company from data hack
In 2016, Marriott acquired Starwood Hotels. At the time, Marriott was almost certainly unaware that Starwood’s network was compromised, and had been since 2014. Marriott discovered the breach in 2018, at which point it estimated that between 300 million and 500 million consumers’ PII had been accessed. An unidentified number of those consumers also had their payment card information leaked. Consumer class action litigation predictably followed.
More recently, however, a class of Marriott shareholders derivatively sued Marriott’s board of directors, alleging that the board should have discovered the breach during due diligence on its $13 billion acquisition of Starwood. Delaware’s Court of Chancery dismissed the suit. The court’s analysis relied partly on procedural hurdles it determined the suit did not clear, including a time bar and problems with providing pre-suit notice, but also considered the merits of the stockholders’ argument. Ultimately, the court said that the claims were not viable, in part because “Marriott was the victim of an illegal act rather than the perpetrator.” This and some of the court’s other statements in the dismissal order could prove valuable in similar shareholder actions and in consumer class action litigation.
Expect an increase in False Claims Act litigation for cybersecurity shortcomings
On Oct. 6, 2021, Deputy U.S. Attorney General Lisa Monaco announced the launch of the Department of Justice’s (DOJ’s) Civil Cyber-Fraud Initiative. With the initiative, the DOJ plans to use its “civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards.” The DOJ’s announcement indicates that enforcement will occur under the False Claims Act (FCA). It seems to encourage qui tam suits—civil lawsuits brought by private parties (a/k/a relators or whistleblowers) who share in any recovery with the government—by highlighting the FCA’s “unique whistleblower provision” that “protects whistleblowers who bring these violations and failures from retaliation.” Qui tam actions can be lucrative for relators. According to the DOJ, in fiscal year 2019, relators filed 633 qui tam lawsuits leading to the recovery of more than $2.1 billion, and in 2020, relators filed 672 qui tam lawsuits leading to the recovery of more than $1.6 billion.
According to the DOJ’s announcement, the initiative seeks to ensure that contractors accurately represent their cybersecurity practices and meet their obligations to monitor and report cybersecurity incidents and breaches. This announcement was followed by the Federal Trade Commission’s (FTC’s) adoption of stricter safeguards for financial institutions’ protection of consumer information and the Commodity Futures Trading Commission’s (CFTC’s) wide publicization of a $200 million award to a whistleblower—indicating, respectively, both a heightened federal role in data regulation and further executive emphasis on encouraging whistleblower suits. Taken together, these all suggest that a wave of FCA litigation on cybersecurity issues, particularly qui tam actions brought by whistleblowers, may be on the horizon.
Case law continues to rapidly develop in consumer actions under Illinois’ Biometric Information Privacy Act
In recent years, consumer class actions for violations of Illinois’ BIPA—which creates a private right of action—have skyrocketed. Illinois state and federal courts, and the Seventh Circuit, to which the orders of Illinois’ federal district courts are appealed, have been issuing decisions at a rapid clip. Meanwhile, massive tech companies have been settling lawsuits for huge amounts. That includes Facebook settling for $650 million and TikTok for $92 million. Recent highlights include:
- The Seventh Circuit heard oral arguments and will soon decide a case that will determine whether each instance of a data collection (in this case, a fingerprint scan) is a separate BIPA violation for which the plaintiff should be compensated. The difference is meaningful: if each instance is treated separately, the potential statutory damages in the case reach into the billions of dollars.
- The Illinois Court of Appeals—in a ruling that will probably be reviewed by the state’s Supreme Court—applied a five-year limitation period to BIPA claims alleging failure to obtain the plaintiff’s consent. It applied a shorter one-year period to cases alleging that the defendant profited from or disclosed biometric information.
- Depending on policy language, insurers may have a duty to defend BIPA lawsuits, though not everyone agrees. Other federal and state laws probably do not preempt BIPA, although some believe they will, and collective bargaining agreements might as well.
For more information on this topic, or to learn how Godfrey & Kahn can help, contact a member of our Litigation and Data Privacy & Cybersecurity Law practice groups.