Federal Judge Allows Blackbaud Consolidated Class Action Data Breach Lawsuit to Proceed

Plaintiffs in a class action lawsuit against Blackbaud sufficiently demonstrated they have standing, and the lawsuit has survived Blackbaud’s motion to dismiss.

Blackbaud is a publicly traded cloud software company with headquarters in Charleston, SC. Blackbaud provides data collection and maintenance solutions for administration, fundraising, marketing, and analytics to entities such as non-profit organizations, foundations, educational institutions, and healthcare organizations. In the course of providing its services, the company collects and stores personally identifiable information (PII) and Protected Health Information (PHI) from its customers’ donors, patients, students, and congregants.

From February 7, 2020 to May 20, 2020, cybercriminals gained access to Blackbaud’s systems, exfiltrated data, and then used ransomware to encrypt files on Blackbaud’s systems. A ransom demand was then issued by the attackers and the attackers claimed they would provide the keys to decrypt data on Blackbaud’s systems and permanently delete the data they had exfiltrated if the ransom was paid. Blackbaud decided to pay the ransom and received assurances that the stolen files had been deleted.

Following the attack, more than two dozen class action lawsuits were filed against Blackbaud. In December, the Judicial Panel on Multidistrict Litigation combined the lawsuits and, as of Thursday 1, 2021, there were 28 class action lawsuits combined in the Multidistrict Litigation with 34 named plaintiffs from 20 states. The plaintiffs assert six claims on behalf of a putative nationwide class and ninety-one statutory claims on behalf of putative state subclasses. The six types of injury the plaintiffs assert are identity theft or fraud, increased risk of identity theft in the future, time and money spent to mitigate the risk of harm, emotional distress, diminished value of data, and invasion of privacy.

The plaintiffs alleged the data breach was the result of Blackbaud’s “deficient security program” and that the company had failed to comply with industry and regulatory standards by neglecting to mitigate against the risk of unauthorized data access. The plaintiffs claimed Blackbaud was utilizing outdated servers, storing obsolete data, and maintaining unencrypted data fields.

The plaintiffs also claimed that Blackbaud only conducted a narrow internal investigation following the data breach, did not address the full scope of the attack, and downplayed the attack and the extent of the data exposed. The plaintiffs claimed the Forensic Report “improperly concludes that no credit card data was exfiltrated” because “such data could have existed in the unexamined database files.”

They also claim that timely and adequate notice about the attack was not provided, with the company waiting until July 2020 to start issuing notifications, with some individuals affected by the breach not being notified by Blackbaud’s customers until January 2021.

On May 1, 2021, Blackbaud filed a motion to dismiss the lawsuit for lack of subject matter jurisdiction. The company argued that the plaintiffs lacked Article III standing as they neither facially nor factually established that their injuries are traceable to Blackbaud’s conduct; therefore, the court lacked subject matter jurisdiction. Blackbaud also challenged whether the plaintiffs’ allegations of harm constitute injury in fact, although that challenge was later dropped.

U.S. District Judge J. Michelle Childs in Columbia, SC said in her decision on July 1, 2021, that the factual challenge to standing would not be considered because it “involves facts that are intertwined with the merits of plaintiffs’ claims.”

The facial challenge to determine whether plaintiffs allege facts that plausibly confer jurisdiction was considered, with Judge Childs concluding the plaintiffs had sufficiently alleged Blackbaud was a “plausible source” of their personal information and that there was a “plausible connection” between the types of data they alleged were compromised and the injuries they had sustained, saying “it is premature to dismiss Plaintiffs’ claims on grounds of traceability at this stage.” Blackbaud’s motion to dismiss for lack of subject matter jurisdiction was denied.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.