IN RE: BLACKBAUD (2020)

TRANSFER ORDER

Before the Panel:^* Plaintiff in one action (Allen) moves under 28 U.S.C. § 1407 to centralize this litigation in the District of South Carolina. This litigation currently consists of eight actions pending in four districts, as listed on Schedule A. Since the filing of the motion, the Panel has been notified of thirteen related federal actions.¹

Common defendant Blackbaud, Inc., supports centralization in the District of South Carolina. All responding plaintiffs also support, or do not oppose, the motion for centralization. In the alternative, plaintiff in one action suggests the Southern District of New York.

On the basis of the papers filed and the hearing session held,² we find that these actions involve common questions of fact, and that centralization in the District of South Carolina will serve the convenience of the parties and witnesses and promote the just and efficient conduct of this litigation. These putative class actions present common factual questions concerning an alleged ransomware attack and data security breach of Blackbaud's systems from about February 2020 through May 2020 that allegedly compromised the personal information ³ of millions of consumers doing business with entities served by Blackbaud's cloud software and services.⁴ The common factual questions include: (1) Blackbaud's data security practices and whether the practices met industry standards; (2) how the unauthorized access occurred; (3) the extent of personal information affected by the breach; (4) when Blackbaud knew or should have known of the breach; (5) the investigation into the breach; and (6) the alleged delay in disclosure of the breach to Blackbaud clients and affected consumers.⁵ Centralization will eliminate duplicative discovery; prevent inconsistent pretrial rulings, including with respect to class certification; and conserve the resources of the parties, their counsel, and the judiciary.

We conclude that the District of South Carolina is an appropriate transferee district. Defendant Blackbaud and all responding plaintiffs support or do not oppose this district, where three actions on the motion and four potential tag-along actions are pending. Blackbaud has its headquarters in South Carolina. Thus, common witnesses and other evidence likely will be located in this district. The Honorable J. Michelle Childs is an experienced transferee judge with the ability and willingness to manage this litigation efficiently. We are confident she will steer this matter on a prudent course.⁶

IT IS THEREFORE ORDERED that the actions listed on Schedule A and pending outside the District of South Carolina are transferred to the District of South Carolina and, with the consent of that court, assigned to the Honorable J. Michelle Childs for coordinated or consolidated pretrial proceedings.

SCHEDULE A

MDL No. 2972 — IN RE: BLACKBAUD, INC., CUSTOMER DATA SECURITY BREACH LITIGATION

 Central District of California

ESTES, ET AL. v. BLACKBAUD, INC., C.A. No. 2:20-08275

EISEN v. BLACKBAUD, INC., C.A. No. 2:20-08356

 Southern District of Florida

ARTHUR, ET AL. v. BLACKBAUD, INC., C.A. No. 2:20-14319

 Southern District of New York

GRAIFMAN v. BLACKBAUD, INC., C.A. No. 1:20-07600

ZIELINSKI v. BLACKBAUD, INC., C.A. No. 1:20-07714

 District of South Carolina

ALLEN v. BLACKBAUD, INC., C.A. No. 2:20-02930

JOHNSON v. BLACKBAUD, INC., C.A. No. 2:20-03181

MARTIN v. BLACKBAUD, INC., C.A. No. 2:20-03286

FOOTNOTES

FOOTNOTE.   Certain Panel members who could be members of the putative classes in this litigation have renounced their participation in the classes and have participated in this decision.

1.   The related actions are pending in the Middle District of Florida, the Northern District of Illinois, the District of Massachusetts, the District of Minnesota, the Eastern District of New York, the Southern District of New York, the District of South Carolina, the Eastern District of Virginia, and the Western District of Washington. These and any other related actions are potential tag-along actions. See Panel Rules 1.1(h), 7.1 and 7.2.

2.   In light of the concerns about the spread of COVID-19 virus (coronavirus), the Panel heard oral argument by videoconference at its hearing session of December 3, 2020. See Suppl. Notice of Hearing Session, MDL No. 2972 (J.P.M.L. Nov. 16, 2020), ECF No. 65.

3.   Plaintiffs allege that the personal information compromised by the breach includes user names, email addresses, dates of birth, phone numbers, social security numbers, credit card numbers, bank account numbers, financial profiles, passwords, and health information.

4.   Plaintiffs in the actions on the motion allegedly received data breach notices from the following organizations: Atrium Health; Bread for the World; Crystal Stairs; Episcopal High School; Light of Life Rescue Mission; Planned Parenthood; St. David's Center for Child and Family Development; University of Wisconsin - Eau Claire; WakeMed Foundation; and Manhattan School of Music. Plaintiffs in the potential tag-along actions allegedly received notices from Allina Health; Bank Street College of Education; Childrens’ Hospitals and Clinics of Minnesota; Harvard College; Inova Health System; KidsQuest Children's Museum; Lower East Side Tenement Museum; Mt. Sinai Health System; Northwest Memorial Healthcare; Nuvance Health; Planned Parenthood; Stetson University; Stony Brook University Hospital; and UMass Memorial Medical Center. The actions allege that numerous other schools, universities, healthcare institutions, and non-profit organizations were affected by the data breach.

5.   We find it unnecessary to modify the MDL caption to replace the reference to data security breach with, as defendant suggests, “Malware Incident Response.” The central allegation in all actions concerns an alleged data security breach of Blackbaud's systems, as reflected in the current caption. A more specific description of the type of breach in the caption is not warranted.

6.   We decline to consider defendant's request for a stay of deadlines in the underlying cases. Such matters are for the transferee court to decide. See In re Tylenol (Acetaminophen) Mktg., Sales Practices and Prods. Liab. Litig., 936 F. Supp. 2d 1379, 1380 n.3 (J.P.M.L. 2013) (“We leave to the discretion of the transferee judge all issues related to the conduct of the pretrial proceedings”); In re Holocaust Era German Indus., Bank & Ins. Litig., MDL No. 1337, 2000 U.S. Dist. LEXIS 11650 (J.P.M.L. Aug. 4, 2000) (“It is not within the Panel's province to instruct the transferee court on the conduct of pretrial proceedings under Section 1407 once transfer has been effected.”).

KAREN K. CALDWELL, Chair