Aspen American Insurance Company v. Blackbaud, Inc.

• Court: District Court, N.D. Indiana
• Decided: May 31, 2023
• Docket: 3:22-cv-00044
• Status: Unknown

Opinion

UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF INDIANA SOUTH BEND DIVISION

ASPEN AMERICAN INSURANCE COMPANY, et al.,

Plaintiffs,

v. Case No. 3:22-CV-44 JD

BLACKBAUD, INC.,

Defendant.

OPINION AND ORDER This Court previously dismissed Plaintiffs Aspen American Insurance Company and Trinity Health Corporation’s complaint without prejudice, finding that they failed to adequately allege causation for each of their claims. (DE 49.) The Plaintiffs then filed an amended complaint. Defendant Blackbaud, Inc., has now moved to dismiss that amended complaint. (DE 56.) The Court GRANTS the motion to dismiss in part, as to the claims of negligence, gross negligence, negligent misrepresentation, and breach of fiduciary duty. However, the Court DENIES the motion as to the contract claims. A. Factual Background In reciting the facts, the Court accepts as true the well-pleaded factual allegations in the amended complaint and makes all reasonable inferences in favor of the non-moving parties— here, the Plaintiffs Aspen American Insurance Company (“Aspen”) and Trinity Health Corporation (“Trinity Health”) (collectively, the “Plaintiffs”). Trinity Health operates a multi-facility health system operating in northern Indiana and twenty-two other states. (DE 50 ¶ 3.) As a health system, Trinity Health possesses sensitive data of patients and donors, including protected health information (“PHI”) and names, addresses, and other information (“PII”).1 (Id. ¶ 5.) Sometime prior to June 17, 2015, Trinity Health began meeting with Blackbaud, Inc. (“Blackbaud”) which touts itself as a world leading software company that non-profits rely on to secure highly sensitive information. (Id. ¶¶ 2, 26.) During these meetings, Blackbaud gave presentations and written materials to Trinity Health in which it

made representations indicating that it “provided robust cybersecurity services.” (Id. ¶ 26–28.) Trinity Health alleges that it was “based on these representations” that it entered into two agreements with Blackbaud on June 17, 2015. (Id. ¶¶ 7–8, 29.) The first agreement was a Master Application Services Provider Agreement (“MSA”). In the MSA, Blackbaud represented that it had the “skills, expertise, and resources to” supply application services (including software and support services) and professional services, “in a timely, professional, and workmanlike manner” and “in accordance with industry standards with respect to level of skill, care, and diligence . . . .” (DE 50-1 §§ 1, 5.1.) The MSA requires Blackbaud to keep Confidential Data “in strictest confidence using the same or greater degree of care it uses with its own most sensitive information (but in no event less than a reasonable degree

of care)” and to “effect a comprehensive information security program that includes reasonable and appropriate technical, administrative, and physical security measures aimed at protecting such information from unauthorized access, disclosure, use, alteration or destruction, and that reflects industry-leading practices . . . .” (Id. §§ 7.1, 7.5.) The agreement also specified that Blackbaud had to comply with federal, state, and local laws, had to take measures to promptly remedy any violations of applicable law and its obligations under the MSA, and had to notify Trinity Health promptly of any violations of its obligations. (Id. § 8.1.)

1 The Court refers to “PHI” and “PII” collectively as “Confidential Information” or “Confidential Data.” The second agreement that Trinity Health and Blackbaud entered was a Business Associate Agreement (“BAA”). (DE 50 ¶ 39.) Under the BAA, Blackbaud agreed to comply with the “obligations of a business associate under HIPAA, HITECH and any implementing regulations . . . .” (DE 50-3 § B.) Blackbaud also agreed to “implement reasonable

administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of all PHI.” (Id. § G.1.) If there was an actual or suspected privacy incident or breach of security, then Blackbaud had to notify Trinity Health within ten business days. (Id. § G.2.). The content of such report had to include, “to the extent reasonably possible, the identification of each individual whose PHI or ePHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed in connection with an actual or suspected breach of privacy, security, or HITECH.” (DE 50-3 § G.3.) The BAA also required Blackbaud to “cooperate to the extent practical with [Trinity Health] in mitigating . . . any harmful effect that is known to [the] Business Associate of a use or disclosure of PHI . . .” (Id. G.4.)

According to the Plaintiffs, Blackbaud maintained Trinity Health’s Confidential Data on an obsolete server. (DE 50 ¶ 71.) Various analysts and team members warned Blackbaud that the system was vulnerable, (Id. ¶ 79–81), and Blackbaud had plans to eventually update these older servers and upgrade them. (Id. ¶ 77.) Before Blackbaud had a chance to implement these plans, on February 7, 2020, a third-party bad actor bypassed Blackbaud’s security and penetrated Blackbaud’s systems. (Id. ¶¶ 35, 82.) This actor then “copied” data, but ultimately failed to block Blackbaud from accessing its own systems. (Id. ¶ 93.) Blackbaud did not discover that its systems had been compromised until May 14, 2020. (Id. ¶ 83.) That day, Blackbaud retained Kudelski Security to investigate the “unauthorized activity” on its systems. (Id. ¶ 96.) Kudelski Security issued a report on July 14, 2020, regarding the incident. (Id. ¶ 97.) Two days later, Blackbaud contacted Trinity Health to inform it about the incident. (Id. ¶ 97.) After being informed of the incident, Trinity Health met with Blackbaud multiple times,

requested a copy of the Trinity Health data involved in the incident, and was delivered a copy of the Trinity Health data in early august. (Id. ¶ 110.) In the meetings, Blackbaud “reported that their analysis did not include specific detail related to the level of compromise that would be needed to facilitate individual notifications.” (DE 50 ¶ 109.) Blackbaud also “declined to participate or assist with individual notifications.” (Id.) Trinity Health determined that PHI was included in the impacted information. Based on applicable regulations under HIPAA and a Guidance Document issued from HHS entitled “FACT SHEET: Ransomware and HIPAA,” Trinity Health determined that it had to report the breach to impacted individuals. (Ids. ¶¶ 114, 119.) In order to report the breach, Trinity Health hired Kroll, a company specializing in

cybersecurity and breach notifications. Kroll determined that the data accessed during the incident contained unencrypted information of around 3,289,937 patients. (Id. ¶ 120.) Trinity Health then notified these patients using first class mail, notices to statewide media, and substitute notice on its website. (Id. ¶ 122.) Trinity Health also began to offer credit monitoring to mitigate the harmful effect of disclosing the PHI, in line with its belief that it had a duty to do so under the applicable regulations and under certain state laws. (Id. ¶¶ 136–137.) On December 15, 2021, Plaintiffs filed a complaint against Blackbaud. (DE 6.) Blackbaud then moved to dismiss the complaint for failure to state a claim (DE 9), which the Court granted with leave to amend. (DE 49.) On September 28, 2022, Plaintiffs filed an amended complaint against Blackbaud containing six causes of action: Count I: Negligent Misrepresentation Count II: Breach of the MSA Count III: Breach of the BAA Count IV: Negligence Count V: Gross Negligence Count VI: Breach of Fiduciary Duty (with respect to PHI) (DE 50.) Plaintiffs seek damages for the costs of retaining legal experts, computer experts, providing notice, maintaining a call center for patient and donor inquiries, and providing credit monitoring (collectively, “Remediation Damages”). Blackbaud then filed a motion to dismiss this amended complaint (DE 56), which is now ripe for review.

B. Legal Standard In reviewing a motion to dismiss for failure to state a claim upon which relief can be granted under Federal Rule of Civil Procedure 12(b)(6), the Court construes the complaint in the light most favorable to the plaintiff, accepts the well-pleaded factual allegations as true, and draws all reasonable inferences in the plaintiff’s favor. Calderon-Ramirez v. McCament, 877 F.3d 272, 275 (7th Cir. 2017). A complaint must contain only a “short and plain statement of the claim showing that the pleader is entitled to relief.” Fed. R. Civ. P. 8(a)(2). That statement must contain sufficient factual matter, accepted as true, to state a claim for relief that is plausible on its face, Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009), and raise a right to relief above the speculative level. Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). However, a plaintiff’s claim need only be plausible, not probable. Indep. Trust Corp. v. Stewart Info. Servs. Corp., 665 F.3d 930, 935 (7th Cir. 2012). Evaluating whether a plaintiff’s claim is sufficiently plausible to survive a motion to dismiss is “‘a context-specific task that requires the reviewing court to draw on its judicial experience and common sense.’” McCauley v. City of Chicago, 671 F.3d 611, 616 (7th Cir. 2011) (quoting Iqbal, 556 U.S. at 678).

C. Discussion Blackbaud argues that Plaintiffs’ amended complaint must be dismissed for several reasons. First, Blackbaud argues that Plaintiffs’ negligence and gross negligence claims do not state a plausible claim because there is no common law duty to safeguard the public from the risk of data exposure. Second, Blackbaud argues that Plaintiffs’ negligent misrepresentation claim fails because it is barred by the economic loss rule. Third, Blackbaud argues that Plaintiffs’ breach of fiduciary duty claim fails because no fiduciary relationship was plausibly alleged.

Fourth, Blackbaud argues that the contract claims must be dismissed because the Plaintiffs fail to plead causation, fail to plead compensable damages, and because the damages are barred by the express language in the contracts. The Court considers each of these arguments individually. (1) Negligence (Count IV) and Gross Negligence (Count V) Blackbaud first argues that the Plaintiffs fail to allege an actionable duty in their

negligence and gross negligence claims. A negligence claim has three elements: “(1) a duty on the part of the defendant to conform his conduct to a standard of care arising from his relationship with the plaintiff; (2) a failure of the defendant to conform his conduct to the requisite standard of care required by the relationship; and (3) an injury to the plaintiff proximately caused by the breach.” EngineAir, Inc. v. Centra Credit Union, 107 N.E.3d 1061, 1068 (Ind. Ct. App. 2018) (citation omitted). “A defendant cannot be found negligent where there is no duty to the plaintiff.” Jaffri v. JPMorgan Chase Bank, N.A., 26 N.E.3d 635, 638 (Ind. Ct. App. 2015). Gross negligence similarly requires that the defendant owe the plaintiff a duty, but the defendant must also intentionally fail to perform that duty in reckless disregard of the consequences to the other party. McGowen v. Montes, 152 N.E.3d 654, 661 (Ind. Ct. App. 2020). In the Plaintiffs’ amended complaint, they allege that because “Blackbaud was in a superior position to safeguard Trinity Health’s Confidential Information . . . Blackbaud owed a

duty to safeguard/protect Trinity Health’s Confidential Information.” (DE 49 ¶ 205.) In their response, they also argue that Blackbaud had a “common law duty to safeguard the public from the risk of data exposure” which was created when Blackbaud ignored the “warning signs of a data breach . . . .” (DE 60 at 20.) Blackbaud argues that this is not a recognized duty in Indiana, and so cannot be the basis of a negligence or gross negligence claim. There does not appear to be any Indiana case law from either the state supreme court or any intermediate appellate courts that directly addresses whether there is a common law duty to safeguard private information. Furthermore, neither party cites to any cases from Indiana supporting that such a duty exists. Where state law does not address an issue directly, the Court consults “a variety of other sources, including other relevant state precedents, analogous

decisions, considered dicta, scholarly works, and any other reliable data tending convincingly to show how the highest court in the state would decide the issue at hand.” Pisciotta v. Old Nat. Bancorp, 499 F.3d 629, 635 (7th Cir. 2007) (citation and quotation marks omitted). The court may also examine the reasoning from other jurisdictions addressing the same issue. Id. Indiana state statutes support a finding that Indiana law does not recognize a common law duty to compensate the public for inconvenience or potential harm caused by data exposure. In Pisciotta, the Seventh Circuit considered a similar question as that presented here: “whether Indiana would recognize a cause of action for a data exposure injury.” 499 F.3d at 636. The court concluded that Indiana would not recognize such a cause of action, partially relying on the limited duties imposed by the Indiana Data Breach Notification statute, which “require[s] only that a database owner disclose a security breach to potentially affected consumers” and “do[es] not require the database owner to take any other affirmative act in the wake of a breach.” Pisciotta, 499 F.3d at 637; see also Ind. Code § 24-4.9-3-1 (“After discovering . . . a breach of

the security of data, the data base owner shall disclose the breach to an Indiana resident whose . . . unencrypted personal information was or may have been acquired by an unauthorized person . . . or encrypted personal information was or may have been acquired by an unauthorized person with access to the encryption key.”). The Seventh Circuit also found that not recognizing a cause of action was consistent with “the statute provid[ing] for enforcement only by the Attorney General of Indiana.” Id. Like the Seventh Circuit in Pisciotta, the Court finds that “[t]he narrowness of the defined duties imposed [by the Indiana Breach Notification statute], combined with state- enforced penalties as the exclusive remedy, strongly suggest that Indiana law would not recognize” a common law duty on the part of Plaintiffs to safeguard private information. Id. at

637. The Indiana state legislature considered what type of remedy should be available in the event of a data breach and concluded that the exclusive remedy was an action by the attorney general. Ind. Code § 24-4.9-4-1 (“A person that is required to make a disclosure . . . and that fails to comply with any provision of this article commits a deceptive act that is actionable only by the attorney general[.]”). Given this clear indication by the state legislature that it desired enforcement to “only” be by the attorney general, the Court finds that Blackbaud had no actionable duty under the common law to safekeep Trinity Health’s data. Other courts considering the same issue, involving similar state statutes to the Indiana Breach Notification statute, have also found that no duty to safeguard private information exists. The Seventh Circuit in Cmty. Bank of Trenton v. Schnuck Markets, Inc., 887 F.3d 803, 816 (7th Cir. 2018) recently held that Illinois law did not support a common law duty to safeguard data. There, the Seventh Circuit noted that Illinois appellate courts had rejected the common law duty to safeguard information, writing that “we do not believe that the creation of a new legal duty

beyond legislative requirements. . . is part of our role on appellate review [because] the legislature has specifically addressed the issue . . . .” Id. (quoting Cooney v. Chicago Public Schools, 943 N.E.2d 23, 27 (2010)). Like Indiana, Illinois legislative requirements only imposed a duty to notify affected parties of the disclosure. Based on the intermediate court’s holding in Cooney, the Seventh Circuit “predict[ed] that the state court would not impose [a] common law data security duty.” Id. Despite the above authority, the Plaintiffs argue that two district court cases support their position that Indiana law would recognize a duty to safeguard private information. Plaintiffs first cite In re: The Home Depot, Inc., Customer Data Sec. Breach Litig., No. 1:14-MD-2583-TWT, 2016 WL 2897520, at *3 (N.D. Ga. May 18, 2016). In that case, the court held that because

Georgia “recognizes a general duty ‘to all the world not to subject them to an unreasonable risk of harm’ . . . [a] retailer’s actions and inactions, such as disabling security features and ignoring warnings signs of a duty breach [show that the retailer] owed a duty in tort.” Id. There are several reasons Plaintiffs’ citation to Home Depot is unpersuasive. First, the Seventh Circuit has found that the Home Depot opinion was “based on a prediction of Georgia law that seems to have been incorrect.” Cmty. Bank of Trenton, 887 F.3d at 819; see also McConnell v. Dep’t of Lab., 787 S.E.2d 794, 797 n.4 (Ga. Ct. App. 2016) (explaining that a duty in negligence depended on a special relationship existing and that the state intermediate court was “not bound to follow the district court’s interpretation of Georgia law.”). Second, the court in Home Depot did not consider a statute akin to the Indiana Breach Notification statute, which supports that the legislature only wished to create a duty to notify which was exclusively enforced by the state attorney general. Because the court in Home Depot did not consider a similar statute, its analysis is inapplicable here.

The second case Plaintiffs cite is In re Target Corp. Customer Data Sec. Breach Litig., 64 F. Supp. 3d 1304, 1310 (D. Minn. 2014). This case is also unpersuasive. There, the court held that Target owed plaintiffs a duty to safeguard information. The court noted that while the applicable consumer protection statute gave some enforcement authority to the attorney general for a data breach, the statute also indicated that these remedies were not exclusive. Id. Meaning, the court did not consider a statute like the Indiana Data Breach Notification statute, where state- enforced penalties are the exclusive remedy. Without consideration of such a statute, the court finds that In re Target Corporation’s rationale and holding are inapplicable to the instant case. Based on the above, the Court predicts that the Indiana Supreme Court would hold there is no common law duty to safeguard the public from the risk of data exposure. Plaintiffs raise no

other potential duty. Accordingly, because Plaintiffs complaint does not plausibly allege duty, the claim for Negligence (Count IV) and Gross Negligence (Count V) must be dismissed. (2) Negligent Misrepresentation (Count I) Blackbaud argues that Plaintiffs’ negligent misrepresentation claim must be dismissed because it is barred by the economic loss rule. Under the economic loss rule, “a defendant is not

liable under a tort theory for any purely economic loss caused by its negligence (including, in the case of a defective product or service, damage to the product or service itself).” Indianapolis- Marion Cnty. Pub. Libr. v. Charlier Clark & Linard, P.C. (IMPL), 929 N.E.2d 722, 729 (Ind. 2010). The Seventh Circuit has explained that the rule exists because “tort law is a superfluous and inapt tool for resolving purely commercial disputes [and that contract law is the] body of law designed for such disputes.” Miller v. U.S. Steel Corp., 902 F.2d 573, 574 (7th Cir. 1990). By preventing the application of the “inapt tool” of tort law to purely commercial disputes, the economic loss doctrine protects the freedom of parties to allocate economic risk by contract and

encourages the “party best situated to assess the risk [of] economic loss, the commercial purchaser, to assume, allocate, or insure against that risk.” KB Home Indiana Inc. v. Rockville TBD Corp., 928 N.E.2d 297, 304 (Ind. Ct. App. 2010) (citation and quotation marks omitted). Plaintiffs do not argue that the loss is not purely economic. Nor could they, given that the alleged remediation damages were various expenditures made pursuant to regulatory duties, not injuries to the person or property. Rather, Plaintiffs argue that this negligent misrepresentation claim falls under an exception to the general economic loss rule. Negligent misrepresentation is recognized in Indiana as “one of the exceptions to the economic loss rule.” U.S. Bank, N.A. v. Integrity Land Title Corp. (Integrity), 929 N.E.2d 742, 744 (Ind. 2010). Meaning, the claim “may be actionable and inflict only economic loss . . . .” Id.

at 747 (quoting Greg Allen Constr. Co., Inc. v. Estelle, 798 N.E.2d 171, 174 (Ind. 2003)). But this exception to the economic loss rule is not broad and a negligent misrepresentation claim may only be brought in limited circumstances. Troth v. Warfield, 495 F. Supp. 3d 729, 743 (N.D. Ind. 2020) (explaining that “Indiana courts have historically” applied the tort of negligent misrepresentation “narrowly”). The Indiana Supreme Court has quoted the Second Restatement of Torts when describing the elements of such a claim: One who, in the course of his business, profession or employment, or in any other transaction in which he has a pecuniary interest, supplies false information for the guidance of others in their business transactions, is subject to liability for pecuniary loss caused to them by their justifiable reliance upon the information, if he fails to exercise reasonable care or competence in obtaining or communicating the information. Integrity, 929 N.E.2d at 747 (quoting Restatement (Second) of Torts § 552 (1977)) (emphasis added). Like any other claim for negligence, the plaintiff must show that the defendant owed them a duty. Springbrook Vill. Batesville LLC v. Se. Indiana Title Inc., 195 N.E.3d 398, 404 (Ind. Ct. App. 2022). Indiana courts have only recognized such a duty in limited circumstances, such as when a “professional” has “actual knowledge that [a] third person will rely on his professional opinion.” Integrity, 929 N.E.2d at 747. According to Plaintiffs, a “data security company, such as Blackbaud, would qualify as

such a profession[.]” (DE 60 at 23.) In support of this, the Plaintiffs cite a case from this court, Troth v. Warfield, 495 F. Supp. 3d 729 (N.D. Ind. 2020). In that case, the plaintiffs brought a claim of negligent misrepresentation against an insurance and financial services professional, after it was revealed the professional used false information in constructing their financial profiles. Id. at 744. The court held that the claim could proceed, because it was alleged the defendant provided “misinformation,” the plaintiffs “relied on it,” and incurred financial losses as a result. Id. Additionally, the profession of “insurance and financial planning” tracked the other recognized professionals subject to claims of negligent misrepresentation. Id. But there are significant differences between this case and Troth. First, the allegations in the amended complaint do not support the type of professional, advisory relationship between

Blackbaud and Trinity Health that was present in Troth. In Troth, the court explained that the Indiana Supreme Court had identified relevant factors to whether the tort of negligent misrepresentation could be extended to a given professional, including whether “there was an advisory relationship between the defendant and the plaintiff, that the defendant had superior knowledge and was in the business of providing such knowledge, and that the information was provided in response to a specific request and designed to guide the plaintiff in making a decision.” Troth, 495 F. Supp. 3d, at 743. The Plaintiffs’ amended complaint does not support that Blackbaud was advising Trinity Health on its data security, that its business was providing knowledge regarding data security, or

that the information provided was intended to guide Trinity Health into making a decision regarding its data security outside of its decision to enter into a service contract. The amended complaint indicates that Trinity Health was a “world leading software company and application service provider . . . that non-profits rely on to secure highly sensitive information[.]” (DE 49 ¶ 2.) Rather than its service being advisory, Blackbaud represented that it provided “cybersecurity services[.]” (DE 50 at 6.) Furthermore, the contract itself was for “Blackbaud’s software and subscription ASP services.” (DE 50 at 6.) This is not the type of professional advisory role that Indiana courts have held can support a claim for negligent misrepresentation. See Jeffrey v. Methodist Hosps., 956 N.E.2d 151, 153 (Ind. Ct. App. 2011) (denying motion to dismiss on negligent misrepresentation claim

where the defendants were medical professionals who failed to provide information that a child was developmentally disabled to prospective adopted parents because the relationship could be characterized as “advisory” and because the hospital was “in the business of supplying information” regarding a child’s health to prospective adoptive parents); see also Essex v. Ryan, 446 N.E.2d 368, 371 (Ind. Ct. App. 1983) (“[C]ertain professionals, by virtue of the nature of their business, makes representations, render opinions, and give advice . . . thus, brokers are liable in tort for failure to disclose all facts within their knowledge that may be material to the matter in which they are employed . . . attorneys are liable for failure to exercise ordinary care, skill, and diligence . . . and abstractors may be held accountable for failure to fulfill their duty to prepare an accurate abstract.”). Unlike an attorney, broker, or a medical professional, Blackbaud was not alleged to be in the business of providing advice. Rather, according to the Plaintiffs, Blackbaud represented that they could provide a service with a certain standard of care in the course of negotiations surrounding a potential contract. But representing that one can meet a

certain level of care, or has a certain level of competence, in the course of contract negotiations does not create the type of trusting, advisory relationship necessary for a claim of negligent misrepresentation. The second reason that this differs from Troth is that there is a contract between Blackbaud and Trinity Health, while in Troth, the parties did not allege they entered any express contract. In Indianapolis-Marion Cnty. Pub. Libr. v. Charlier Clark & Linard, P.C. (IMPL), 929 N.E.2d 722, 740 (Ind. 2010), the Indiana Supreme Court recognized the principle that “no exception to the economic loss rule is merited where the plaintiff reasonably could have, by contracts with the defendant or through an intermediary, protected itself from the loss.” While the court did not hold that this principle applied in every situation, it held that “there [was] no

liability in tort to the owner of a major construction project for pure economic loss caused unintentionally by contractors, subcontractors, engineers, design professionals, or others engaged in the project with whom the project owner, whether or not technically in privity of contract, is connected through a network or chain of contracts.” Id. The court reasoned that in such a contract chain, the parties had an “opportunity to bargain and define their rights and remedies, or to decline to enter into the contractual relationship if they are not satisfied with it.” Id. In a separate case decided the same day as IMPL, the Indiana Supreme Court addressed the importance of contractual privity when deciding whether a negligent misrepresentation claim may be brought. In U.S. Bank, N.A. v. Integrity Land Title Corp. (Integrity), 929 N.E.2d 742, 744 (Ind. 2010), the court held that a “title commitment issuer, with which it had no contractual privity, [was] liable for negligence in failing to uncover a defect during [a] title search.” The case involved a defendant in the business of preparing title commitments and a plaintiff who was the successor in interest to a mortgage lender. Id. at 743. The court concluded that the relationship

between the title commitment issuer and the lender “was of an advisory nature,” and that the title commitment issuer “had superior knowledge and expertise, was in the business of supplying title information, and was compensated for the information it provided to” the lender. Id. at 749. But the court stressed that the outcome would be different if the parties had been in contractual privity: [The defendant] has argued at every stage of this litigation that it was not in contractual privity with U.S. Bank. This is a critical point. Were there to be a contract between [plaintiff and defendant], the parties in all likelihood would be relegated to their contractual remedies. See Indianapolis–Marion County Pub. Library, 929 N.E.2d at 729 (quoting Miller v. U.S. Steel Corp., 902 F.2d 573, 574 (7th Cir. 1990) (Posner, J.)) Integrity, 929 N.E.2d at 745. Furthermore, in a footnote positioned after the court reached its holding, the court “reiterate[d] the importance of the lack of contractual privity.” Id. at 749 n.6. In that footnote, the court went on to say that “we do not adopt the proposition that a tort claim for negligent misrepresentation may be brought where the parties are in contractual privity.” Id. The Plaintiffs allege that Trinity Health entered into two contracts with Blackbaud: the BAA and the MSA. Recognizing a separate tort claim here would defeat the purpose of contract law to provide parties the freedom to allocate economic risk by contract and to encourage the parties who are in the best position to assess the risk and decide how to allocate it. See KB Home Indiana Inc., 928 N.E.2d at 304. If Trinity Health needed other assurances, then it could have negotiated for these guarantees before deciding to execute a contract with Blackbaud. See Miller, 902 F.2d at 575 (“A disputant should not be permitted to opt out of commercial law by refusing to avail himself of the opportunities which that law gives him. Back when U.S. Steel was urging Mr. Miller to specify Cor-Ten steel for the walls of his building, he could have asked U.S. Steel for an express warranty, which he could then have enforced in a suit for breach of warranty.”). Trinity Health could have asked for contractual provisions requiring Blackbaud to provide

“reasonable” security over their confidential data or security in line with industry standards. In fact, as discussed below, the contracts between Trinity Health and Blackbaud did include such provisions. The Plaintiffs proper recourse is to pursue those contractual remedies, not a claim for negligent misrepresentation. Because Blackbaud was not a professional who was in the business of providing guidance or information, and because Trinity Health and Blackbaud were in privity of contract, the Court finds that the economic loss doctrine bars the negligent misrepresentation claim.

(3) Breach of Fiduciary Duty (Count VI) Blackbaud next argues that the Plaintiffs’ breach of fiduciary duty claim fails to plausibly allege that Blackbaud was Trinity Health’s agent. “Agency is the fiduciary relationship that arises when one person (a ‘principal’) manifests assent to another person (an ‘agent’) that the agent shall act on the principal’s behalf and subject to the principal's control, and the agent manifests assent or otherwise consents so to act.” Yost v. Wabash Coll., 3 N.E.3d 509, 519 (Ind. 2014) (citation and quotation marks omitted). An “essential element of the agency relationship” is that the agent must “act on the principal’s behalf.” Id. While agency is often a factual issue, a

plaintiff at the pleading stage is “required to allege a factual basis that gives rise to an inference of an agency relationship . . . .” Cunningham v. Foresters Fin. Servs., Inc., 300 F. Supp. 3d 1004, 1015 (N.D. Ind. 2018); Frazier v. U.S. Bank Nat. Ass’n, No. 11 C 8775, 2013 WL 1337263, at *4 (N.D. Ill. Mar. 29, 2013) (“To plead the existence of an agency relationship, a plaintiff must allege a factual predicate to create the inference of agency.”). “[P]leading the existence of an agency relationship requires more than a general statement that such a relationship exists.” LifeWorks Tech. Grp. LLC v. First Delta Grp., Inc., No. 18 C 2996, 2019 WL 4345362, at *5 (N.D. Ill. Sept. 12, 2019).

In the amended complaint, the Plaintiffs allege that under “the BAA, Blackbaud was responsible for handling PHI, and, therefore, Blackbaud was Trinity Health’s agent[.]” (DE 50 ¶ 40.) The Plaintiffs also allege that “Trinity Health was entitled to give interim instructions and directions to Blackbaud regarding PHI. Specifically, the BAA requires Trinity Health’s authorization and approval for Blackbaud’s transfer, handling, and storage of PHI.” (Id.) In support of its claim that Trinity Health had to authorize and approve of Blackbaud’s transfer, handling, and storage of PHI, the Plaintiffs cite to multiple provisions of the BAA.2 The BAA supports that Trinity Health had authority over Blackbaud only in limited situations. For example, under BAA § H.5., Blackbaud agreed to “make PHI available in electronic format upon request by” Trinity Health. Or, under BAA § M.2., upon termination of the BAA, Blackbaud was

required to “return or destroy . . . all PHI in its possession [but] if [it] is unable to return PHI and if requested to destroy the PHI and destruction is not feasible, then upon request [by Trinity Health], [Blackbaud] must extend the protections of this BAA to the PHI and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible.” (DE 50-3 § M.2.). That section also required Blackbaud not to transfer the PHI “to any other person” without “prior written approval” of Trinity Health. Finally, under the BAA, Blackbaud was not

2 It is proper for the court to refer to these documents because they were attached to the amended complaint and are central to the fiduciary duty claim. McCready v. eBay, Inc., 453 F.3d 882, 891 (7th Cir. 2006); see Geinosky v. City of Chi., 675 F.3d 743, 745 n. 1 (7th Cir. 2012) (“A motion under Rule 12(b)(6) can be based only on the complaint itself, documents attached to the complaint, documents that are critical to the complaint and referred to in it, and information that is subject to proper judicial notice.”) (citations omitted). permitted to disclose PII, PHI, or PCI “beyond the boundaries and jurisdiction of the United States without express written authorization from” Trinity Health. (DE 50-3 § N.) The Court finds that the allegation that Trinity Health had the authority and ability to authorize certain disclosures by Blackbaud under the BAA cannot alone support that Blackbaud

was their agent. Under Indiana law, contractual agreements do not generally give rise to a fiduciary relationship creating a duty “absent an intent” to transform the contractual relationship into a fiduciary relationship. Jaffri, 26 N.E.3d at 639. While the BAA supports that Blackbaud provided Trinity Health with data security services, the contract does not support the inference that the parties intended to enter into an agency relationship. The BAA gave Trinity Health the ability to authorize disclosures by Blackbaud in certain contexts, such as disclosures to individuals beyond the jurisdiction of the United States or PHI transfers to other persons. But the BAA does not support that Trinity Health could exercise the type of control over Blackbaud needed to demonstrate an agency relationship. As the Seventh Circuit has described, “[t]he principal’s control over the purported agent’s day-

to-day operations is of paramount importance [to an Agency Relationship under Indiana law]. Day-to-day operations could include such things as personnel decisions, bookkeeping and financial matters, and buying and selling inventory and supplies.” Carlisle v. Deere & Co., 576 F.3d 649, 656–57 (7th Cir. 2009) (citations omitted); Steak N Shake Operations, Inc. v. Nat’l Waste Assocs., LLC, 177 N.E.3d 816, 827 (Ind. Ct. App. 2021) (“The United States Court of Appeals for the Seventh Circuit [in Carlisle] has accurately summarized Indiana law on determining whether an agency relationship exists.”). Here, there is nothing in the BAA supporting that Trinity Health had the right to control the “day-to-day” operations over Blackbaud. Other courts have refused to find a plausible agency relationship when faced with similar contracts. For example, in Shanahan v. National Auto Protection Corp., the plaintiff alleged that the defendant, National Auto, had “illegally called consumers’ telephones using an automatic system and artificial voice recordings while acting as the agent of [Matrix Warranty Solutions].”

No. 1:19-CV-03788, 2020 WL 3058088, at *1 (N.D. Ill. June 9, 2020). National Auto had allegedly been selling service plans on behalf of Matrix. The contract between the two prohibited National Auto from modifying the terms of the service plans “without [Matrix’s] prior written consent.” Id. at 4. The court held that this did not establish a plausible agency relationship because “[t]he mere fact that Matrix Warranty prohibits National Auto from changing its product [without its prior consent] does not make National Auto its agent. Nor does there exist any other contractual provisions that grant control to Matrix Warranty regarding how National Auto sells the Service Plans . . . .” Id. (emphasis added). Similar to Shanahan, the BAA does not grant Trinity Health the ability to control how Blackbaud keeps the PHI confidential. Rather, the BAA only requires Blackbaud to “implement

reasonable administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of all PHI.” (DE 50-3 § G.1.) Furthermore, while Trinity Health had to provide written consent before Blackbaud made certain disclosures, the BAA does not support that Trinity Health had any right to control whether Blackbaud made these disclosures or how Blackbaud went about making them once authorized. The Court notes that Trinity Health alleges they had the power to give “interim instructions,” citing the BAA in support. See Restatement (Third) of Agency § 1.01 cmt. f(1) (“[T]he power to give interim instructions distinguishes principals in agency relationships from those who contract to receive services provided by persons who are not agents.”). Courts have found that a principal has the authority to issue interim instructions where that principal controlled the timing and target of the agent’s actions. Smith v. State Farm Mut. Auto. Ins. Co., 30 F. Supp. 3d 765, 776 (N.D. Ill. 2014) (explaining that there were sufficient facts alleged to show an insurer exercised control over a telemarketer’s activities, where the insurer controlled

“the timing, target location, and volume” of the calls). But the sections Trinity Health cites in the BAA do not support that Trinity Health had any ability to issue instructions to Blackbaud. (DE 50 ¶ 40.) The BAA does not support that Trinity Health had control over how PHI was stored, when Blackbaud had to make certain disclosures, or the means through which any disclosures would be made if consent was given. It is proper to allow an exhibit attached to a complaint to control where it conflicts with the complaint. Forrest v. Universal Sav. Bank, F.A., 507 F.3d 540, 542 (7th Cir. 2007). Because the BAA does not support that Trinity Health had the ability to issue interim instructions to Blackbaud, the Court defers to the BAA rather than the generic allegation provided by the Plaintiffs.

Without any other factual allegations to support an agency relationship besides those based on the BAA, the Court finds that the amended complaint fails to state a plausible agency relationship between Trinity Health and Blackbaud. Accordingly, the claim for breach of fiduciary duty must be dismissed. (4) Breach of the MSA (Count II) and Breach of the BAA (Count III)

Blackbaud argues that the breach of contract claims must be dismissed for three reasons. First, Blackbaud argues that Plaintiffs failed to sufficiently plead causation. Second, Blackbaud argues that none of the categories of damages the Plaintiffs seek are compensable.3 Third, Blackbaud argues that the express terms of the contract prohibit the recovery of the damages. The Court will address each of these arguments in turn.

(a) Causation Blackbaud first argues that causation has not been adequately pled. In this Court’s prior order, it dismissed each of Plaintiffs’ claims, finding that they “failed to adequately plead causation[.]” (DE 49 at 15.) The Plaintiffs’ initial complaint only generally alleged that Trinity Health suffered damages “as a direct and proximate result of Blackbaud’s breaches” and that

“Remediation Damages [were] necessitated by the Incident.” (DE 6 ¶¶ 109–150.) The Court explained that these type of sparse, conclusory allegations were insufficient to properly plead causation: [W]ithout any allegations explaining why they had to spend these amounts, the Court is left to speculate how Blackbaud’s breaches caused Trinity Health’s Remediation Damages: was Trinity Health’s own data compromised in the attack, exposing them to a risk of valuable lost information it hoped to reduce in advance by making these expenditures? Or did the loss of Trinity Health’s donor and patient data pose a threat to Trinity Health’s reputation, which it hoped to restore with the expenditures by demonstrating to its donors and patients that it was taking the data breach seriously? (DE 49 at 16.) Without allegations fleshing out why Trinity Health spent the remediation expenses, the Court found that causation had not been sufficiently pled. Plaintiffs’ amended complaint now provides a sufficient explanation for why they had to spend these remediation damages. In order to plead causation, a complaint must provide a

3 Blackbaud argued that the negligence claims and the breach of fiduciary duty claims also failed to plead causation and compensable damages. But, because this Court has dismissed those claims on independent grounds, it only examines those issues as to the remaining breach of contract claims. plausible explanation for how an injury was caused by the breach. See O’Brien v. Intuitive Surgical, Inc., No. 10 C 3005, 2011 WL 3040479, at *1 (N.D. Ill. July 25, 2011) (“Without some explanation of how the [breach] caused his injuries, [plaintiff] could not ‘plausibly suggest’ proximate causation or, it follows, ‘a right to relief.’”); Johnson v. Wal-Mart Stores, Inc., 588

F.3d 439, 445 (7th Cir. 2009) (“Courts remain entirely free to dismiss a claim supported by prima facie evidence where the pleadings do not permit a reasonable inference of proximate cause.”). A breach of contract claim requires that the breach be a substantial contributing factor to the damages. Dana Companies, LLC v. Chaffee Rentals, 1 N.E.3d 738, 748 (Ind. Ct. App. 2013); Fowler v. Campbell, 612 N.E.2d 596, 602 (Ind. Ct. App. 1993). In other words, “[t]he damages claimed for such a breach must be the natural, foreseeable, and proximate consequence of the breach.” Hi-Tec Properties, LLC v. Murphy, 14 N.E.3d 767, 776 (Ind. Ct. App. 2014). “The foreseeability of damages is based upon facts known at the time of entry into the contract, not facts existing or known at the time of the breach.” L.H. Controls, Inc. v. Custom Conveyor, Inc.,

974 N.E.2d 1031, 1043 (Ind. Ct. App. 2012). While the Plaintiffs list various expenditures as “remediation damages,” the Court perceives three sets of expenditures therein. First are those damages which were undertaken to identify those individuals affected by the data breach (“Identification Damages”). These damages include those that required Trinity Health to retain computer experts such as Kroll to investigate the data breach as well as “assistance from its attorneys.” (DE 50 ¶ 120.) Second, are “Notification Damages,” which include those damages related to drafting, translating, printing, and mailing the letters notifying the affected individuals. (DE 50 ¶ 16.) Third, are “Mitigation Damages,” which are those costs undertaken after the breach to mitigate the harm of the breach, which include the costs of maintaining a “call center” to respond to patient and donor inquiries and the cost of providing credit monitoring. (Id.) The Court examines causation as to each of these damages separately. As to the Identification Damages, Plaintiffs allege that Trinity Health “was required to

comply with numerous state and federal statutes and regulations because of Blackbaud’s misrepresentations, negligence, failures, and breaches” and that “[c]ompliance with these various laws caused damages to Plaintiffs because Trinity Health” was required to undergo remediation expenses. (DE 50 ¶¶ 15–16.) One of these requirements was a duty to notify affected individuals of the breach under 45 C.F.R. § 164.404(d)(1) by written mail. (DE 50 ¶ 121.) The BAA obligated Blackbaud to take certain steps to help facilitate that notification. For example, under the BAA, Blackbaud had an obligation to report, “to the extent reasonably possible, the identification of each individual whose PHI or ePHI has been, or is reasonably believed by the Business Associate, to have been accessed, acquired, or disclosed in connection with an actual or suspected breach of privacy, security, or HITECH.” (BAA, DE 50-3 § G.3.)

Unlike the prior Complaint, the Plaintiffs now provide detailed allegations about how Blackbaud failed to live up to this obligation to assist in identification. First, the Plaintiffs allege that “Blackbaud . . . did not [report] specific detail related to the level of compromise that would be needed to facilitate individual notifications.” (DE 50 ¶ 109.) Furthermore, the Plaintiffs allege that Blackbaud “misrepre[sented] the extent to which Trinity Data was exposed to the breach.” (Id. ¶ 101.) The Plaintiffs point to Blackbaud’s representation on July 16, 2020, that the cybercriminals “[d]id not access credit card information, bank account information, or social security numbers,” that “the cybercriminal did not gain access to bank account information, usernames, passwords, or social security numbers,” and that Blackbaud did not consider the incident “to be a reportable incident under HIPAA.” (DE 50 ¶¶ 105, 107.) After conducting its own investigation, Trinity Health determined that PHI was, in fact, impacted, including unencrypted data concerning “donors’ relationships to patients, patient insurance, patient name, social security numbers, and financial account information.” (DE 50 ¶¶ 112, 113.) Trinity

Health, unlike Blackbaud, concluded that this was a reportable incident under HIPAA. Based on the above allegations, the Court finds that the Plaintiffs have adequately pled causation as to the Identification Damages. The Plaintiffs not only describe the regulatory obligations that Trinity Health was under, including the duty to provide notification to affected individuals, but also provide allegations supporting that Blackbaud had a duty under the BAA to help identify those affected individuals and that Plaintiffs failed to meet this duty by (1) misrepresenting the extent of the breach and (2) failing to identify the individuals who Trinity Health later determined were, in actuality, affected. Accordingly, the Court finds that causation has been adequately pled as to the identification damages, since it was foreseeable at the time of contract that, in the event of a leak of PHI, the failure of Blackbaud to exercise reasonable care in

providing Trinity Health with the identities of the affected individuals would result in Trinity Health having to expend funds to conduct its own investigation.4 Next, the Court finds that causation has been adequately pled as to the Notification Damages. The Plaintiffs allege that Blackbaud breached its contractual duty by failing to use reasonable measures to keep Trinity Health’s Confident Data secure from unauthorized access. (DE 50 ¶ 159.) The Plaintiffs provide a series of allegations regarding the regulations and guidance they considered when deciding to spend money on notification. For example, the

4 When reviewing BAA § G.3, the Court makes every reasonable inference in favor of the Plaintiffs, given that they are the non-moving party. Neither party briefed the meaning of the language in this section and such an interpretation could change at a later stage. Plaintiffs allege that they considered both the HIPAA Breach Notification Rule and the Indiana Breach notification rule under Ind. Code § 24-4.9-3-1 and 45 C.F.R. § 164.400-414, which required them to notify affected individuals. Given this obligation, it was foreseeable that if Blackbaud breached its duty to provide reasonable security as to the Confidential Information, a

data breach could occur, triggering Trinity Health’s duty to notify, which would require them to spend money drafting, translating, printing, and mailing letters to the affected individuals. As to the mitigation damages, the Plaintiffs now allege that Trinity Health “reviewed” and “considered its duty to mitigate any harmful effect of disclosure of PHI” under 45 C.F.R. § 164.530(f) (requiring a covered entity to “mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of” PHI in violation of the applicable policies and procedures”). The Plaintiffs also allege that they considered a rule issued by the Office for Civil Rights, which is responsible for enforcing the Privacy and Security Rules under HIPAA and HITECH, in which OCR indicates it expects covered entities like Trinity Health to use “flexibility and judgment [depending on the circumstances] to dictate the best approach to

mitigating harm.” (DE 50 ¶ 138.) In line with this rule and 45 C.F.R. § 164.530(f), the Plaintiffs allege Trinity Health “considered its duty to mitigate any harmful effect of disclosure of PHI, and exercised its judgment in offering credit monitoring to potentially affected individuals.” (DE 50 ¶ 137.) The above allegations provide a sufficient explanation for why Blackbaud’s alleged breach caused Trinity Health to make these expenditures. In other words, given these regulations, it was foreseeable that if Blackbaud failed to exercise reasonable care in securing Trinity Health’s Confidential Data, a data leak might occur, triggering Trinity Health’s duty to mitigate by using measures like credit monitoring and call centers. Furthermore, some provisions in the contract indicate that Blackbaud knew of Trinity Health’s duty to mitigate when it entered the contract. For example, there is a mitigation provision in the BAA, where the “Business Associate [meaning, Blackbaud] agree[d] to cooperate to the extent practical with the Covered Entity [meaning, Trinity Health] in mitigating

. . . any harmful effect that is known of [the] Business Associate[.]” This indicates not only that Blackbaud knew of Trinity Health’s duty to mitigate when it entered the contract, but that it also had some obligation to cooperate in that mitigation.5 (DE 50-3 § G.3.) In Blackbaud’s motion to dismiss, it emphasizes that this Court previously found that various regulatory provisions did not require, on their face, “affirmative action[s] in the wake of the breach other than disclosure[.]” (DE 57 at 12.) Blackbaud appears to have interpreted this to mean that the regulations themselves must impose affirmative obligations on their face for causation to be sufficiently pled. But these statements by the Court were only acknowledging that mere citation to regulations, with only sparse allegations about why the remediation expenditures were made pursuant to those regulations, failed to sufficiently plead causation. In

the Court’s prior order, it explained that the Plaintiffs failed “[t]o cite to any cases interpreting the breach notification provisions of HIPAA, provide[d] no analysis of the text of these provisions, and neglect[ed] to even include the text of these provisions,” but asserted “in a conclusory manner” that “a complex web of 14 provisions, spanning from 45 C.F.R. 164.400 to 164.414 somehow result[ed] in them having to make these expenditures.” (DE 49 at 24.)

5 The Court notes that there are some contractual ambiguities regarding mitigation expenditures that have not been sufficiently developed to address at this stage. Neither party explains BAA Section G.4 and what “cooperation” was required by Blackbaud under that section. Without this analysis, the Court is unsure whether Blackbaud’s alleged actions after the incident also could have plausibly been a breach of contract, rather than the alleged failure of Blackbaud to reasonably secure the data before the incident. While this distinction is not decisive as to the causation analysis, it becomes important in a later section of this opinion which discusses whether the damages are consequential or direct. Not only do the Plaintiffs now provide citations to those regulations, but they also include detailed allegations concerning the surrounding context, such as Blackbaud’s failure to identify the affected individuals and certain misrepresentations about the extent of the breach. In other words, while the Plaintiffs previously pointed out to the Court that Trinity Health had a

duty to notify affected individuals under the regulations, they did not allege (1) the failure of Blackbaud to identify the affected individuals, (2) Blackbaud’s specific misrepresentations about the extent of the breach, (3) the regulations and policy guidance that led Trinity Health to make its decisions, or (4) that Trinity Health made the mitigation payments because of its duty under the regulations after determining it was the “best approach.” In their amended complaint, the Plaintiffs now include these allegations. Therefore, the Court finds that the amended complaint sufficiently alleges how Blackbaud’s breaches caused the Remediation Damages.

(b) Compensable damages Blackbaud next argues that the Plaintiffs’ claims must be dismissed because the Remediation Damages are not compensable under Indiana law. Damages are an element of both negligence and breach of contract. Pisciotta, 499 F.3d at 635 (explaining that, under Indiana law, a negligence claim requires “a compensable injury proximately caused by defendant’s breach of duty” and that “[c]ompensable damages are an element of a breach of contract cause of action as well”). Blackbaud argues that credit monitoring and call centers, attorneys’ fees, data-recovery damages, and goodwill are each not compensable.

Blackbaud first argues that Trinity Health’s expenditures for credit monitoring and call centers are not compensable damages under Indiana law. Blackbaud’s argument is based on the Seventh Circuit’s holding in Pisciotta, 499 F.3d at 629. According to Blackbaud, Pisciotta holds that credit monitoring and call center costs are never recoverable in Indiana, regardless of the injury claimed. The Court disagrees and finds that Pisciotta’s holding is inapplicable. In Pisciotta, the Seventh Circuit had to “determine whether Indiana would consider that the harm caused by identity information exposure, coupled with the attendant costs to guard

against identity theft, constitutes an existing compensable injury and consequent damages[.]” Id. at 636. The Seventh Circuit held that Indiana would not recognize a cause of action for data exposure injury, writing that “without more than allegations of increased risk of future identity theft, the plaintiffs have not suffered a harm that the law is prepared to remedy.” Id. at 640. In coming to this holding, the court analogized the harm from risk of future identity theft to the harm from exposure in the toxic tort liability context: The Supreme Court of Indiana has suggested that compensable damage requires more than an exposure to a future potential harm. Specifically, in AlliedSignal, Inc. v. Ott, 785 N.E.2d 1068 (Ind. 2003), the Supreme Court of Indiana held that no cause of action accrues, despite incremental physical changes following asbestos exposure, until a plaintiff reasonably could have been diagnosed with an actual exposure-related illness or disease. Id. at 1075. In its decision that no compensable injury occurs at the time of exposure, the court relied on precedent from both state and federal courts in general agreement with the principle that exposure alone does not give rise to a legally cognizable injury. Id. at 639. Trinity Health’s injury is different in kind from the injury alleged by the plaintiffs in Pisciotta. In Pisciotta, the injury the plaintiffs alleged as the basis of their negligence claim was their exposure to the potential risk of future identity theft. The costs of credit monitoring were sought to reduce that potential risk. Unlike Pisciotta, there was an express contract between Trinity Health and Blackbaud. Rather than an uncertain risk of future identity theft, the Plaintiffs’ injury is the breach of contract itself. Berkel & Co. Contractors v. Palm & Assocs., Inc., 814 N.E.2d 649, 658 (Ind. Ct. App. 2004) (“A party injured by a breach of contract may recover the benefit of the bargain.”); Singer v. Farnsworth, 2 Ind. 597, 598 (1851) (“[T]he law aims to give the party injured, by a breach of contract, the value of that which the other party stipulated to perform.”). Meaning, Trinity Health’s injury is not the risk of future identity theft addressed in Pisciotta, but Blackbaud’s broken contractual promises. 24 Williston on Contracts §

64:1 (4th ed. May 2023) (“The primary if not the only remedy for injuries caused by the nonperformance of most contracts is an action for damages for the breach . . . .”). Blackbaud’s position not only ignores the importance of the nature of the claimed injury, but also, if adopted, would result in absurd outcomes. If credit monitoring and call center costs were never recoverable, as Blackbaud argues, then a central purpose of contract law would be undermined. Contract law has the “goal of compensating the promisee following a breach of contract by the promisor” to place the “promisee in as good a position as he or she would have occupied had the defendant-promisor not breached the contract.” 24 Williston on Contracts § 64:1 (4th ed May 2023). But if Blackbaud were correct, then promissors could breach valid contracts and leave promisees in a much worse position than the position they occupied before

breach. For example, imagine a promissor who made the following promise as part of a valid contract: “I Promissor agree to provide Promisee credit monitoring at-or-above industry standards. Furthermore, in the event I Promissor provide credit monitoring below industry standards, I will cover the complete cost of any replacement credit monitoring without deducting the fees paid for my credit monitoring services.” If Promissor failed to provide at-or-above industry standard credit monitoring, and proceeded to refuse to cover the cost of any replacement credit monitoring, then, under Blackbaud’s position that the costs of credit monitoring is always not recoverable, the Promisee would not receive the precise benefit of what they bargained for. This position is unacceptable and goes against the basic principle of contract law to provide an injured party with “the benefit of its bargain.” L.H. Controls, Inc., 974 N.E.2d at 1043 (“It is axiomatic that a party injured by a breach of contract may recover the benefit of its bargain but is limited in its recovery to the loss actually suffered.”). Blackbaud also argues that this Court’s prior opinion confirmed that credit monitoring or

call center costs are not “compensable in tort or in contract under well-established Indiana law.” (DE 57 at 9.) But this Court’s prior opinion did not reach that holding. Rather, this Court’s discussion of Pisciotta took place after the Court held that causation had not been adequately pled. After discussing Pisciotta, this Court concluded that “even if Plaintiffs had alleged that they experienced a harm in the form of identity information exposure, in Indiana this would be insufficient to support their claim for Remediation Damages.” (DE 48 at 19 (emphasis added).) There is nothing in this opinion holding that the costs of credit monitoring or the costs of a call center would not be recoverable in a contract action as consequential or direct damages where causation was properly pled. Blackbaud makes no other argument outside of its argument relying on Pisciotta. As

explained above, that argument is unpersuasive, since Pisciotta did not address an express contract between two companies for data security services. Accordingly, the Court finds that the holding in Pisciotta does not preclude the Plaintiffs from seeking the costs of providing credit monitoring and the call center as damages for their contract claim. Next, Blackbaud argues that attorneys’ fees are not recoverable as a matter of Indiana law. Indiana follows the American Rule for attorneys’ fees. Smith v. Laurenz Place LLC, 127 N.E.3d 1250, 1255 (Ind. Ct. App. 2019). “Generally, attorney’s fees are not recoverable from the opposing party as costs, damages, or otherwise, in the absence of an agreement between the parties, statutory authority, or rule to the contrary.” Thor Elec., Inc. v. Oberle & Assocs., Inc., 741 N.E.2d 373, 382 (Ind. Ct. App. 2000). Plaintiffs argue that attorneys’ fees are recoverable because “legal fees incurred to mitigate damages from a loss caused by the defendant are compensable.” (DE 60 at 17.) In

support of this, the Plaintiffs cite a decision from the Allen County Superior Court, Barnes & Thornburg LLP v. Hayes Lemmerz Intern., Inc., No. 02D01-0801-PL-8, 2012 WL 1136164 (Ind. Super. Feb. 29, 2012). In that case, the court noted that cases “have consistently recognized that an injured party is allowed to recover the expenses incurred in a reasonable effort to mitigate damages.” Id. However, in support of this rule, the court cited no Indiana precedent, instead citing to decisions from the Second Circuit, the Illinois Appellate Court, and the Court of Appeals of New York. Id. This Court does not follow the rule set forth by the Allen County Superior Court because the authority it cites conflicts with guidance from Indiana appellate courts. For example, the Second Circuit decision cited by the court in Thornburg allowed attorneys’ fees because they

were “consequential damages flowing from [defendant’s] culpable conduct.” Baker v. Dorfman, 239 F.3d 415, 427 (2d Cir. 2000). But Indiana courts have consistently held that attorneys’ fees are not recoverable even if they are consequential damages flowing naturally and probably from a breach. See Thor Elec., Inc., 741 N.E.2d at 382 (explaining that even if legal expenses were “a reasonably foreseeable cost resulting from the breach” they were still not recoverable); Indiana Ins. Co. v. Plummer Power Mower & Tool Rental, Inc., 590 N.E.2d 1085, 1093 (Ind. Ct. App. 1992) (finding that attorney fees are not recoverable on a breach of contract claim as consequential damages despite the argument that such fees flow naturally from the breach and are reasonably foreseeable, since this “is not the rule in Indiana”); Shumate v. Lycan, 675 N.E.2d 749, 754 (Ind. Ct. App. 1997) (“[A]ttorney’s fees and costs should not be awarded for the breach of an agreement not to sue unless the agreement expressly provides for that remedy, or such an award is permitted by statute or court rule.”). Given that the weight of authority in Indiana supports that attorneys’ fees are not

recoverable even if they constitute consequential damages, the Court finds that they are not recoverable. Blackbaud next argues that the costs of “data-recovery” are not compensable. Blackbaud asserts these damages are not compensable because plaintiffs do not allege that the data was “lost” and there was no allegation of physical harm to the data. (DE 57 at 8.) This appears more in the realm of a causation argument, rather than a compensability argument.6 In any event, Blackbaud is reading the amended complaint too narrowly. While in one portion of the amended complaint, Blackbaud uses the phrase “data recovery” (DE 50 ¶ 152), Plaintiffs elaborate that the damages they sustained were the costs of “retain[ing] computer experts to investigate the data breach as required under law and expected by regulators.” (Id. ¶ 16.) Accordingly, because other

portions of the amended complaint explain how the breaches led to these costs, the Court finds that it has been sufficiently pled. Next Blackbaud argues that goodwill is not compensable under Indiana law. The Plaintiffs allege in the amended complaint that Blackbaud’s breaches caused Trinity Health’s

6 Compensability often refers to the injury being of the sort that justifies the award of damages. For example, in AlliedSignal, Inc. v. Ott, 785 N.E.2d 1068, 1075 (Ind. 2003), the Indiana Supreme Court found that the mere risk of exposure from asbestos did not create a compensable injury. See Simmons v. Pacor, Inc., 543 Pa. 664, 674 A.2d 232, 237 (1996) (“[A]symptomatic pleural thickening is not a compensable injury which gives rise to a cause of action . . . . [N]o physical injury has been established that necessitates the awarding of damages . . . .”); see also In re Hawaii Federal Asbestos Cases, 734 F. Supp. 1563, 1567 (D. Haw. 1990) (“Plaintiffs must show a compensable harm by adducing objective testimony of a functional impairment due to asbestos exposure. . . . In other words, the mere presence of asbestos fibers, pleural thickening or pleural plaques in the lung unaccompanied by an objectively verifiable functionable impairment is not enough.”). “good will” to be injured. The Court finds that goodwill is not recoverable in an action for breach of contract. See Belle City Amusements, Inc. v. Doorway Promotions, Inc., 936 N.E.2d 243, 250 (Ind. Ct. App. 2010) (“[A] party may not recover future profits for loss of face in the industry or loss of goodwill in an action for breach of contract.”).

Lastly, in their response, the Plaintiffs argue that Blackbaud did not make any argument that the costs of drafting, translating, printing, and mailing letters are not compensable injuries in its motion to dismiss. The Court agrees. Blackbaud did not make any arguments on why those costs would not be compensable. Rather, its arguments concerned causation not being sufficiently pled as to those categories of damages. To the extent that Blackbaud was arguing that these damages were not compensable, such an argument is waived. United States v. Berkowitz, 927 F.2d 1376, 1384 (7th Cir. 1991) (“[P]erfunctory and undeveloped arguments, and arguments that are unsupported by pertinent authority, are waived . . . .”). In line with the above, the Court finds that attorneys’ fees and lost future profits from harmed goodwill are not compensable.

(c) Limitation on consequential damages Blackbaud argues that both contract claims must be dismissed because the remediation damages Plaintiffs seek are prohibited by Section 11.1 of the MSA. In Section 11.1 of the MSA, the parties agreed that neither party would be liable for consequential damages arising out breach of contract: Except for damages finally judicially awarded to a third party in connection with a claim for which a party has an indemnification obligation under the agreement, in no event will either party be liable to the other for any special, consequential, incident[]al, indirect, exemplary, special or punitive damages (including, without limitation, loss of revenues, profits or opportunities) whether arising out of breach of contract, tort (including negligence) or otherwise regardless of whether such damage was foreseeable and whether or not such party has been advised of the possibility of such damages. (DE 50-1 § 11.1.) “Consequential damages are damages that do not flow directly and immediately from the breach, but only from consequences or results of the breach.” Reid Hosp. & Health Care Servs., Inc. v. Conifer Revenue Cycle Sols., LLC, 8 F.4th 642, 648 (7th Cir. 2021) (quoting 24 Williston

on Contracts § 64:16 (4th ed. May 2021 update)). Consequential damages “may be awarded on a breach of contract claim when the non-breaching party’s loss flows naturally and probably from the breach and was contemplated by the parties when the contract was made.” Johnson v. Scandia Assocs., Inc., 717 N.E.2d 24, 31 (Ind. 1999). In other words, consequential damages “actually result from the wrong but . . . do not necessarily result therefrom.” Miller v. Long, 126 Ind. App. 482, 497 (Ind. App. 1956). As opposed to consequential damages, direct damages are said to be the “natural, proximate, and necessary result” of the breach. Indianapolis Newspapers, Inc. v. Fields, 254 Ind. 219, 256 (Ind. 1970) (emphasis added). Or, as the Seventh Circuit has described, “direct damages are ‘considered to include those damages that . . . would follow any breach of similar character in the usual course of events.” Reid Hosp. & Health Care Servs., Inc,

8 F.4th at 648 (quoting 24 Williston on Contracts § 64:16 (4th ed. May 2021 update)). If the loss is commercial in nature, consequential damages may be limited or excluded in a contract. Rheem Mfg. Co. v. Phelps Heating & Air Conditioning, Inc., 746 N.E.2d 941, 947 (Ind. 2001). The ability of parties to exclude consequential damages stems from the freedom of parties “to craft contractual provisions that delineate the nature and extent to which certain damages are recoverable.” U.S. Automatic Sprinkler Corp. v. Erie Ins. Exch., 204 N.E.3d 215, 222 (Ind. 2023). It is only under “extraordinary circumstances” that a court doesn’t “enforce a contract’s plain and ordinary language,” such as when enforcement “would lead to some absurdity, or some repugnance or inconsistency with the rest of the instrument.” Hartman v. BigInch Fabricators & Constr. Holding Co., 161 N.E.3d 1218, 1224 (Ind. 2021) (cleaned up). Section 11.1 of the MSA specifies that “in no event will either party be liable to the other for any . . . consequential . . . damages (including, without limitation, loss of revenues, profits or

opportunities) . . . arising out of breach of contract.” This limitation does not apply to indemnification claims arising under the contract where there had been damages judicially awarded to a third party. But this is not an indemnification claim and no damages have been awarded. Nor do the Plaintiffs argue that the Section 11.1 limitation on liability clause is unenforceable. Instead, Plaintiffs argues that, at this stage in the proceedings, it would be improper to determine whether Plaintiffs’ damages were either direct or consequential. The Court agrees. Whether categories of damages are direct or consequential depends on interpretations of sections of the BAA which were not addressed by Blackbaud in its motion to dismiss. For example, under the BAA, Blackbaud had an obligation to report, “to the extent reasonably

possible, the identification of each individual whose PHI or ePHI has been, or is reasonably believed by the Business Associate, to have been accessed, acquired, or disclosed in connection with an actual or suspected breach of privacy, security, or HITECH.” (BAA, DE 50-3 § G.3.) Furthermore, under the BAA, Blackbaud had to “cooperate to the extent practical with [Trinity Health] in mitigating . . . any harmful effect that is known to [the] Business Associate of a use or disclosure of PHI . . .” (Id. G.4.) Even though Trinity Health alleges that Blackbaud breached the BAA by concealing information after the data leak, Blackbaud fails to mention either of these sections of the BAA. If Blackbaud’s alleged concealment breached its obligation to report the identity of the individuals, then the remediation damages expended by Trinity Health to determine those identities could theoretically be direct damages, not consequential. After all, it seems very likely that failing to expend a reasonable effort to identify the individuals would lead to Trinity Health having to expend resources conducting their own identification into which individuals were affected. There

are also ambiguities regarding the extent of “cooperation” envisioned by Section G.4. If the “cooperation” envisioned was extensive, then Blackbaud’s failure to help mitigate the harm may have directly led to Trinity Health expending funds on call centers and credit monitoring. Perhaps the meaning of “cooperation” is more limited. But that’s precisely the point: no party addresses these ambiguities. Therefore, this Court cannot say whether various categories of damages are direct or consequential. Where contractual ambiguities cloud the categorization of damages, deferring the decision until the record is more fully developed is appropriate. For example, in Sedaker Grp. of S. California Inc. v. DirectBuy Inc., No. 215CV198-PPS, 2015 WL 6610212, at *5 (N.D. Ind. Oct. 29, 2015), the court noted there were issues of the interpretation. The “parties dispute[d]

which provision, if any, of [an] agreement applie[d] to [the allegedly excessive fees].” Id. at *1. The court explained that the contractual ambiguities required it to wait to classify the damages until the record was more fully developed. Id. at 3 (“At the present, I am not in a position to engage in contract construction and make determinations about the meaning and application of potentially ambiguous provisions of the franchise agreement.”). As in Sedaker, the parties fail to address the meaning of certain sections in the BAA, such as Section G.3 and Section G.4, and the impact this might have on whether the remediation damages are direct or consequential. Without further development of the record establishing the meaning of these sections, the Court must defer its decision until a later stage. D. Conclusion For the reasons explained above, the Court GRANTS the motion to dismiss in part, as to the claims of negligent misrepresentation (Count I), negligence (Count IV), gross negligence (Count V), and breach of fiduciary duty (Count VI). (DE 56.) However, the Court DENIES the

motion as to the contract claims. (DE 56.)

SO ORDERED. ENTERED: May 31, 2023

/s/ JON E. DEGUILIO Chief Judge United States District Court