Blackbaud – firm that paid off crooks after 2020 ransomware attack – fails to get California privacy law claim dropped
Suit could net $750 a pop under GDPR-ish rule for complainants who allege info 'unencrypted'
A judge in South Carolina has struck out a number of claims in a consolidated class-action suit alleging cloud CRM provider Blackbaud didn't do enough to prevent a 2020 ransomware attack, but allegations under California's Consumer Privacy Act (CCPA) will move forward.
Blackbaud, a cloud software provider that sells CRM systems for fundraising and communications to charities and educational institutions, admitted last year that it had paid off a ransomware attacker that hit its servers with file-encrypting software in May.
It said at the time: "The cybercriminal did not access credit card information, bank account information, or social security numbers."
According to an order filed last week by the judge hearing the consolidated class-action case in the district of Columbia, South Carolina, the complainants allege the CRM firm "failed to comply with industry and regulatory standards by neglecting to implement security measures to mitigate the risk of unauthorized access, utilizing outdated servers, storing obsolete data, and maintaining unencrypted data fields."
The case – which deals with more than 15 lawsuits by 34 plaintiffs across 20 states – was consolidated into a single complaint in April by the Judicial Panel on Multidistrict Litigation.
US district judge J Michelle Childs said in a 33-page ruling [PDF] that "Blackbaud's alleged registration as a 'data broker' suggests that it is also a 'business' under the CCPA." The firm had previously argued it did not qualify as a "business" regulated by the CCPA, California's GDPR-ish data privacy regulations that came into effect in July 2020.
The CCPA claim, if successful, could net statutory damages of up to $750 per violation for the California plaintiffs.
One of the first cases to include CCPA claims was Barnes v. Hanna Andersson and Salesforce (4:20-cv-00812-DMR) which was settled for $400,000 [PDF] late last year.
Another of the claims, filed under Florida's Deceptive and Unfair Trade Practices Act, was that Blackbaud "engaged in a deceptive act or unfair practice" by allegedly making "misrepresentations and omissions about its security efforts and the scope of the ransomware attack." Judge Childs also decided the Florida claim would move forward in part, seeking injunctive relief, but denied a claim for damages under the same law.
Judge Childs did strike down several of the claims that the consolidated class-action complaint raised. Claimants from New Jersey, South Carolina, and Pennsylvania all had their claims struck out when the judge granted Blackbaud's motion to dismiss them.
The New York plaintiffs also saw some success, with the judge denying Blackbaud's motion to dismiss their claim under NY's General Business Law Section 349, which makes unlawful any "deceptive acts or practices in the conduct of any business, trade or commerce or in the furnishing of any service in this state."
The judge explained:
New York plaintiffs assert that Blackbaud's public misrepresentations about the scope of the ransomware attack misled plaintiffs into believing they did not need to take mitigation measures against identity theft and fraud... Such conduct is akin to an "extensive marketing scheme" utilizing "multi-media dissemination of information to the public" since Blackbaud allegedly promulgated misrepresentations about the extent of the ransomware attack through media interviews, its website, and Social Good Entities.
Blackbaud previously argued, in July 2021, that the plaintiffs didn't show their alleged injuries were traceable to the data breach. Judge Childs has already rejected that argument in an order handed down last month [PDF].
The CRM firm has claimed that "there is 'no evidence' that Plaintiffs' PII was on the dark web or being marketed for sale" – citing the "Kroll Summary", an investigation by an external cybersecurity firm into whether "named Plaintiffs' PII and/or PHI was publicly exposed as a result of the Ransomware Attack". The plaintiffs, on the other hand, say that miscreants can commit identity fraud "without contact information or SSNs by combining and cross-referencing data stolen."
The case continues.
The firm announced its 2021 Q2 results earlier this month, reporting total GAAP revenue of $229.4m, down just 1.1 per cent, and last week announced that its October virtual annual conference will include special guest LeVar Burton, aka Lt Commander Geordi La Forge off of Star Trek: TNG.
We have asked Blackbaud for comment. ®