Long-time readers of CPW will recall that we’ve previously covered In re Blackbaud, a data privacy multi-district litigation (“MDL”) currently pending in the District of South Carolina. The defendant in the MDL is a cloud software company that suffered multiple ransomware attacks and data breaches between February and May 2020. The plaintiffs are individuals and putative class representatives who were notified by the defendant’s customers of the potential disclosure of their information via these attacks and breaches. Although the MDL is in its early stages, the court recently issued an interesting opinion regarding discovery, In re Blackbaud, Inc., 2021 U.S. Dist. LEXIS 67594, that merits attention.
Currently in the litigation the parties are disputing foundational issues of jurisdiction, standing, and forum selection. The plaintiffs requested that the defendant identify all of its customers who were notified of the attacks and breaches. The defendant argued that the requested discovery was irrelevant, overbroad, and unduly burdensome at this stage of the litigation, and should be saved for the class certification process, when broader discovery generally occurs. The court disagreed with defendant, and ordered the production.
In the court’s view, the defendant’s notifications to its customers were relevant to determining whether the disclosure of information was fairly traceable to defendant’s actions, as required for standing under Spokeo, Inc. v. Robins. Many putative class representatives received notifications from the defendant’s customers stating that their personal information had been compromised, but those notifications did not specify whether their information had been compromised in the specific breaches at issue in this litigation. The notifications would shed light on whether the representatives had actually been injured in the breaches at issue in this case, or instead by some other breach. Because the discovery went directly to the ability of the named plaintiffs to bring suit, as opposed to the size and scope of the class, the court held that the requested discovery was proper at this stage.
We’ll keep an eye on any more interesting developments that come along in this MDL. And for more on the ever-changing area of data privacy litigation, stay tuned. CPW will be there.