A petition for a class action lawsuit against software and data services giant Blackbaud has been filed with the United States District Court District of South Carolina in Charleston after a system breach exposed donor data to hackers. The suit stems from a data breach which happened on Feb. 7 and was not discovered by the company until May 14. Users were not notified until July, as reported exclusively by The NonProfit Times.
Blackbaud provides a variety of data services and software to the nonprofit community. The incident was in the form of a ransomware attack in which hackers downloaded information and attempted to wrest control of Blackbaud’s systems and data hosting operations. They demanded payment for the destruction of the stolen material. Blackbaud paid an undisclosed amount in Bitcoin, as reported first by The NonProfit Times on July 16.
According to papers filed with the United States District Court District of South Carolina by William Allen, sworn to be a Raleigh, N.C., resident, the incident has resulted in consumers experiencing “ascertainable losses in the form of out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the attack.”
Asked for reaction to the suit, a Blackbaud spokesperson said, “Blackbaud disagrees with the allegations and intends to demonstrate they are without merit.” Further comment was declined.
The criminals’ attempts to access and control the data ended by June 3, although they remained in contact with Blackbaud until at least June 18, Blackbaud spokespeople told The NonProfit Times in early August. On June 25, a third-party forensic assessor gave Blackbaud a report regarding clients’ potential exposure.
Blackbaud also said the vulnerability exploited by the ransom demanders had been fixed, and there was no additional risk of information exposure between the start of its investigation and customer notification. Blackbaud representatives have asserted bank account information, credit card information and social security numbers were not accessed.
According to the request for class action certification, notifications sent out by Blackbaud advised those potentially affected “to monitor suspicious activity of their credit and accounts, that Social Security Numbers, credit card numbers, bank account numbers, and additional personally identifiable information (collectively ‘Private Information’) may also have been compromised.” Such language is standard for data security breach notifications.
Allen’s complaint alleges Blackbaud did not provide timely notification of the breach, attributing the delay to Blackbaud’s alleged failures in discovering the breach and containing it. The papers further assert Blackbaud and its employees failed to properly monitor its network, security and communications, failed to implement secure communications policies and failed to train employees regarding ransomware attacks.
According to the complaint, “Plaintiff and Class Members’ identities and Private Information are now at risk because of Defendant’s negligent conduct as the Private Information that Defendant collected and maintained was in the hands of data thieves. Defendant cannot reasonably maintain that the data thieves destroyed the subset copy simply because Defendant paid the ransom and the data thieves confirmed the copy was destroyed.”
Additionally, Blackbaud’s data breach notifications advised clients and consumers to monitor their credit and other account activity for suspicious activity, such as unauthorized charges or identity theft, without offering compensation for the cost of credit monitoring services, time lost monitoring accounts, or stress resulting from the breach.
While Allen’s claim asserts a higher likelihood of identity theft and other difficulties, it does not document any actual fiscal damage. The court papers petition for redress for the plaintiff and all class members on several counts, including: negligence; wrongful intrusion into private affairs/invasion of privacy; breach of express contract; breach of implied contract; negligence per se; and violation of state data breach statutes. The last stems from allegations of flawed data security procedures and lack of timeliness in notification practices.
In addition to certification as a class action, the plaintiff seeks to compel Blackbaud to strengthen its data security practices in unspecified ways, to change the practices that led to the breach, to pay both actual and punitive damages and to pay attorneys’ fees and costs.
Allen also seeks a minimum of seven years of credit monitoring services for the entire class.
There is currently no federal law covering data breach consumer protections. A bill currently being considered by the North Carolina legislature, H.B. 904, calls for companies subject to data breaches to provide two years’ credit monitoring, unless the affected company is a credit monitoring firm, in which case it must provide four years’ credit monitoring.