In Re Blackbaud Inc Customer Data Security Breach Litigation MDL 2972
3:20-mn-02972
D.S.C.
May 14, 2024
Background
- Blackbaud, a SaaS company, suffered a data breach (Feb 7–May 20, 2020) affecting ~90,000 customer backup files from ~13,000 customers and potentially exposing data for as many as 1.5 billion "constituents."
- Plaintiffs (constituents) sought class certification of a nationwide Massachusetts-law negligence class and state-law subclasses (CCPA, CMIA, N.Y. GBL, FDUTPA) defined to require that a putative member’s unencrypted information was stored in databases identified in Defendant’s Exhibit A.
- Central threshold dispute: ascertainability — whether class members can be identified by objective, administratively feasible means (including identifying which specific data elements were exposed and each putative member’s state residency when required).
- Plaintiffs proffered C. Matthew Curtin as their ascertainability expert, who proposed restoring backup files, building a “Referential Index,” and querying with information supplied by putative class members; Defendant offered Sonya Kwon as a rebuttal expert and challenged Curtin under Daubert.
- The court retained a technical consultant, heard a three-day Daubert/class-certification hearing, excluded Curtin’s ascertainability opinion in part (unreliable/untested/no error rate/nonreplicable), denied exclusion of Kwon, and denied class certification for failure to prove ascertainability.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Whether proposed classes are ascertainable | Curtin’s method (Referential Index + queries + claimant-provided info) or alternative methods (Defendant Fact Sheet, customer notice, Wirewheel/CCPA procedures) make identification administratively feasible | Identification would require vast individualized inquiry across 90,000 varied backup files and loose files, risking conflation and needing validation; methods are untested and not scalable | Not ascertainable — Plaintiffs failed to show an administratively feasible, objective means to identify class members and their exposed data elements |
| Admissibility of Curtin’s ascertainability opinions (Daubert/Rule 702) | Curtin is qualified and his automated method can be applied across datasets; testing not required to show feasibility | Curtin provided no error rate, insufficient testing, nonreplicable Referential Index, inadequate documentation; ipse dixit assertions | Curtin’s ascertainability opinions excluded in part for unreliability, nonreplicability, lack of testing and error-rate information |
| Admissibility of Kwon’s rebuttal opinions on replicability | Plaintiffs argued Kwon misunderstood Curtin and improperly compared prototypes | Kwon attempted replication using Curtin’s scripts/data and showed substantial discrepancies and inability to recreate Curtin’s Referential Index | Kwon’s opinion on nonreplicability admissible; Plaintiffs’ motion to exclude denied |
| Evidentiary weight of Defendant’s production (Fact Sheet / customer notice / Wirewheel) as showing ascertainability | Plaintiffs: Defendant’s Fact Sheet and notice processes show that affected individuals/data elements can be identified | Defendant: those processes used named‑plaintiff fact sheets, were manual, unscaled, relied on live DBs or pattern-matching, and did not validate individual constituent identity or PHI | Court: Defendant’s processes do not prove an administratively feasible method for Plaintiffs; apples-to-oranges and insufficient to cure ascertainability defects |
Key Cases Cited
- Daubert v. Merrell Dow Pharm., Inc., 509 U.S. 579 (1993) (trial court gatekeeper must assess relevance and reliability of expert testimony)
- Kumho Tire Co. v. Carmichael, 526 U.S. 137 (1999) (Daubert principles apply to all expert testimony; Daubert factors are not exhaustive)
- Wal-Mart Stores, Inc. v. Dukes, 564 U.S. 338 (2011) (plaintiff bears burden to show Rule 23 requirements by a preponderance)
- EQT Prod. Co. v. Adair, 764 F.3d 347 (4th Cir. 2014) (ascertainability requires objective criteria and administrative feasibility)
- Krakauer v. Dish Network, L.L.C., 925 F.3d 643 (4th Cir. 2019) (class members must be readily identifiable; court may consider administrative feasibility)
- Career Counseling, Inc. v. AmeriFactors Fin. Grp., LLC, 91 F.4th 202 (4th Cir. 2024) (individualized inquiries on large scale can defeat ascertainability)
- American Honda Motor Co. v. Allen, 600 F.3d 813 (7th Cir. 2010) (when an expert is critical to certification, district court must resolve Daubert challenges before certifying class)
- Gen. Elec. Co. v. Joiner, 522 U.S. 136 (1997) (courts may exclude expert opinion where there is too great an analytical gap between data and conclusions)
- In re Marriott Int’l, Inc., Customer Data Sec. Breach Litig., 341 F.R.D. 128 (D. Md. 2022) (discussion of ascertainability and expert testing in data-breach class actions)
