Data Breach Class Action Review – 2025

claim of “actual” fraud on a different part of the standing analysis — namely its lack of traceability to the defendant’s conduct. The court reasoned that the mere existence of isolated incidents of “fraud” alerts on the plaintiffs’ bank accounts was not the same as actual proof that the so-called harm was caused by the defendant. Finally, the court held that allegations of a “future injury based on stolen personal information” can be considered a plausible injury in fact only where accompanied by allegations of current direct harm. Id. at 17. If no such current harm exists, then the plaintiffs were merely speculating that harm may or may not occur in the future. With all of the plaintiffs’ theories rejected, the court dismissed the class action as a whole and entered judgment on behalf of the defendant.

3. Data Breach Class Certification Rulings

Courts issued a mixed bag of results in adjudicating class certification motions in data breach cases this past year. In In Re Blackbaud, Inc., Customer Data Breach Litigation, 2024 WL 2155221 (D.S.C. May 14, 2024), a cybercriminal breached the computer systems of the defendant, a company that collects and stores the personally identifiable information (PII) and protected health information (PHI) of its customers’ donors, patients, students, and constituents. The cybercriminal stole 90,000 backup files containing data belonging to approximately 1.5 billion constituents of about 13,000 of the defendant’s customers. Id. at 3-4. Various constituents filed suits nationwide, and on December 15, 2020, all of the lawsuits were combined into a multidistrict litigation in the District of South Carolina. Id. at 5. Thereafter, the plaintiffs moved to certify a nationwide class of constituents whose unencrypted information was stored on one of the 13,000 identified customers, and four sub-classes, including two in California, one in New York, and one in Florida. Id. at 5-6.
The court denied the plaintiffs’ motion for class certification on the basis that the plaintiffs failed to meet their burden of proof as to Rule 23’s ascertainability requirement. Id. at 1. As a threshold requirement to any class certification, a plaintiff must demonstrate that a class is “ascertainable”, i.e., “that there will be an administratively feasible way for the court to determine whether a particular individual is a class member.” Id. at 16. The defendants argued that the plaintiffs’ case “must fail as a threshold matter because plaintiffs are unable to ascertain the class of individuals whose data was stored in Defendant’s backup files without extensive and individual fact-finding, nor could they show that they can identify the affected data elements belonging to those individuals as required by their class and sub-class definitions.” The plaintiffs argued four primary points in support of ascertainability, including: (i) the method proposed by their expert; (ii) the defendant’s ability to create a fact sheet about the named plaintiffs; (iii) the defendant’s ability to give notice to its customers; and (iv) the defendant’s use of a program called Wirewheel. Id. at 17. As to the plaintiffs’ first point, the court granted the defendant’s motion to exclude the testimony of the plaintiffs’ expert on the grounds that the expert failed to sufficiently test his method, was unable to replicate his method, failed to sufficiently document his method, and could not provide the court with an error rate consistent with generally accepted statistical practices. Id. at 18.
As to the plaintiffs’ second point, the court found that the defendant’s ability to create a fact sheet containing information about 34 named plaintiffs did not weigh in favor of ascertainability, as the defendant’s manual, time-consuming process was not designed to be automated or scaled and, therefore, was “not proof that plaintiffs [could] undertake the larger task of ascertaining the proposed classes and sub-classes” for 1.5 billion individuals. Id. at 45-46. In its decision, the court placed particular emphasis on the fact that the plaintiffs had not “tested, briefed, or otherwise demonstrated how they would collect information from putative plaintiffs to conduct a process similar to the process defendant undertook” in creating its fact sheet. Id. at 40-41. As to the plaintiffs’ third point, the court found that the defendant’s ability to give notice of the breach to its customers differed from the plaintiffs’ task of identifying all of the 1.5 billion individual constituents of the defendant’s customers. Id. at 46, 49. As to the plaintiffs’ fourth and final point, the court held that it, too, did not weigh in favor of ascertainability, as the defendant’s “ability to utilize a singular, live database that it maintains for the sole purpose of responding to [certain] requests does not in any way indicate that defendant is necessarily able to restore and query 90,000 backup files of databases that were customized, maintained, and controlled by 13,000 separate customers.” Id. at 49-50. As the court concluded, “given plaintiffs’ failure to provide this Court with an administratively feasible method of ascertaining class members, this court declines to join the minority of courts that have certified a class in a consumer data breach case such as this.” Id. at *25.
The court also noted that “many of the issues affecting ascertainability — namely the variability in data storage practices across defendant’s customer base, the differences in the kinds of data stored for each putative plaintiff, the differences in the functions served by each Blackbaud customer, and the variability in the putative plaintiffs’ own circumstances such as prior

© Duane Morris LLP 2025
