September 24, 2020; BankInfoSecurity and JDSupra
It’s probably not a great business strategy to be fighting multiple class action lawsuits brought against you by clients, especially when you are in the business of holding confidential data, but that is where the increasingly omnipresent Blackbaud is at this moment.
Blackbaud bills itself as a cloud computing provider specifically serving the social good community—that is, nonprofits. The breach of its pooled database, which occurred last May, was not revealed to the whole of its nonprofit clients until July. Having been assured by Blackbaud that the affected data had been destroyed by the hackers, those clients then chose their own timelines for informing their stakeholders. In some cases, those were donors, but in the case of universities, those impacted also included students. Then, there were the hospitals that saw patient information compromised.
The incident affected not only hundreds of nonprofits in this country but also others internationally. Just in the US, almost 40 reports from health organizations that were affected by the ransomware attack have been posted to the breach “Wall of Shame” at the Department of Health and Human Services.
At least ten lawsuits have been filed against the company. One, filed by Mamie Estes and Shawn Regan in California District Court, claims that “as a result of the data breach, plaintiffs and thousands of other class member users suffered ascertainable losses in the form of out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the attack.”
That lawsuit claims that the company’s assurances that the hackers destroyed the information they stole are not reasonable.
Blackbaud is being sued for negligence, invasion of privacy, and breach of contract, as well as violations of state laws. The company is also accused of not maintaining an appropriate degree of security.
The American Medical Collection Agency suffered a similar breach last year, impacting a far smaller number of clients, and it eventually filed for bankruptcy after multiple class-action lawsuits were filed. But it is not just Blackbaud that will get sued. JDSUPRA points out that a few days ago, a class action suit was filed against the President and Fellows of Harvard College, Bank Street College of Education, and the Lower East Side Tenement Museum. (See Cohen v. Blackbaud, Inc. et al., No. 2:20-cv-01388 [W.D. Wash.]) This appears to be the first suit filed against those who contracted with the software company, but it will probably not be the last. The alert from JDSUPRA lays out potential defenses to be considered if your nonprofit is named as a defendant in a similar lawsuit.—Ruth McCambridge