Potential Liability for SaaS Providers in South Carolina Federal Court Case

Written by: Brock Wolf, Esq.

I. Background

In early 2020, Blackbaud Inc., a cloud software company based out of Charleston, South Carolina, was subject to a ransomware attack that resulted in the breach of personally identifiable information (“PII”) and protected health information (“PHI”) held in Blackbaud’s network. Blackbaud provides data collection and maintenance services to an array of customers, including non-profit organizations, religious institutions, educational institutions, and healthcare organizations.

Upon discovery of the attack, many affected individuals filed suit against directly Blackbaud, rather than the organizations of which they were members or customers. Plaintiffs alleged that the cyberattack was the result of deficient security on part of Blackbaud and that Blackbaud failed to comply with industry and regulatory standards. All of the suits filed against Blackbaud in federal court were consolidated into a single action in the United States District Court for the District of South Carolina.

II. The District of South Carolina’s Decision

On October 19, 2021, the South Carolina federal trial court made a key ruling on Blackbaud’s motion to dismiss. While negligence per se and unjust enrichment claims against Blackbaud were dismissed, the court refused to dismiss common law negligence and gross negligence claims against the service provider.

The court found that Blackbaud’s customers, “use its services to collect and protect information of third parties,” and that a contractual relationship between Blackbaud and its customers supports the “recognition of a duty to Plaintiffs.”

Additionally, Blackbaud argued that its status as a software-as-a-service (“Saas”) provider meant that its customers, not Blackbaud itself, had primary control of plaintiffs’ data. The court rejected this argument, finding that Blackbaud “has the greatest amount of control over the security of the data” and was “in the best position to prevent harm associated with a data breach to its systems.” In light of this, the court held that the plaintiffs had alleged sufficient facts to find that Blackbaud owed them a duty, despite not having a direct relationship with Blackbaud.

III. Implications for SaaS Providers

While this case is in its early stages, there are notable implications for SaaS providers. This case may significantly expand the scope of liability for SaaS providers. SaaS providers should be careful to maintain effective security measures and make every effort to protect sensitive information of all customers and third parties.