A court in the District of South Carolina recently denied class certification in a putative consumer data breach class action after concluding that the proposed class and sub-classes were not ascertainable. See In re Blackbaud, Inc., Customer Data Breach Litigation, 2024 WL 21555221 (D.S.C. May 14, 2024).
In February 2022, plaintiffs filed suit against Blackbaud, a business-to-business software company that sells cloud-computing services to social good organizations. Plaintiffs, who had provided personal information to Blackbaud’s customers, alleged that their information was compromised during a breach of Blackbaud’s data centers. In December 2022, plaintiffs moved to certify nationwide and sub-classes representing individuals whose “unencrypted information was stored on the database” of a Blackbaud customer. In support of class certification, plaintiffs sought to demonstrate that the proposed classes were ascertainable by relying on (1) expert opinion, (2) Blackbaud’s discovery responses, (3) customer notices Blackbaud sent following the breach, and (4) Blackbaud’s use of a database to comply with the California Consumer Privacy Act. The court rejected each of those arguments.
First, the court held that plaintiffs could not rely on their ascertainability expert’s opinion because his proposed method for identifying potential class members could not be replicated and lacked an error rate.
Second, the court rejected plaintiffs’ reliance on Blackbaud’s discovery responses identifying the specific types of data exposed during the breach, and whether that data belonged to certain named plaintiffs. According to the court, Blackbaud’s discovery responses had little bearing on the ascertainability analysis because the responses were the result of “a manual and time-consuming process that was not designed to be used on a large scale.”
Third, the court concluded that the steps Blackbaud took “to give notice to its customers” following the data breach were “not comparable to the steps” needed to “ascertain a class” because Blackbaud “never contacted any putative class members directly, nor [was] there any evidence that” Blackbaud’s customers contacted any putative class members to provide them with notice of the breach.
Finally, the court was “not persuaded” by plaintiffs’ argument that Blackbaud’s use of a live database to respond to California Consumer Privacy Act requests demonstrated that the proposed classes were ascertainable. That Blackbaud maintained such a database did “not in any way indicate” that Blackbaud could restore and search the thousands of customer backup files that were affected by the breach.
Ultimately, given plaintiffs’ failure to provide an “administratively feasible method of ascertaining class members,” the court denied plaintiffs’ certification motion and “decline[d] to join the minority of courts that have certified a class in a consumer data breach such as this.”