Charleston-based Blackbaud Faces Potential Class Action Lawsuit Over Data Breach
In a significant development in Charleston, South Carolina, Blackbaud, a leading software vendor, could face a class-action lawsuit on the grounds of a security breach that reportedly compromised more than a million sensitive data files. The breach, discovered in May 2020, affected around a third of its clientele, primarily organizations advocating social change, such as non-profits, animal shelters, health clinics, and schools.
Legal Battle in Federal Court
The legal team, consisting of at least 12 individuals, represents affected Blackbaud clients and aims to initiate a class-action lawsuit. Over several days, lawyers from both sides presented their cases in federal court, with Blackbaud aiming to avoid a large-scale lawsuit while the plaintiffs argued that the scale and impact of the breach cannot be ignored.
Blackbaud’s software solutions are primarily used for data storage, covering everything from addresses and emails to credit card information, Social Security numbers, and health information. The plaintiffs allege that Blackbaud misrepresented the security of its software, which led to the data breach.
The Breach and Its Aftermath
Blackbaud reported that a hacker had successfully breached its server in May 2020, remaining undetected for approximately three months and accessing information from around 13,000 companies. The company communicated this breach to its customers in July 2020. However, the plaintiffs allege that Blackbaud downplayed the severity of the situation.
Further, the plaintiffs claim that Blackbaud was aware of its security issues, which they say makes the company negligent and responsible for the hack. They cite 2019 correspondence from Blackbaud's Chief Information Security Officer that identified security shortcomings and suggested the company was a decade behind on security measures.
Blackbaud’s Legal Challenges
Blackbaud has already settled with attorneys general from 49 states, including South Carolina Attorney General Alan Wilson, for $49.5 million. Furthermore, the company was fined by the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC) for lax security. The software company now also faces ongoing litigation from the attorney general of California.
Arguments from Blackbaud
While acknowledging the breach, Blackbaud disputes the proposed class action. The company argues that because its services are wide-ranging and highly customizable, the breach affected each client company in significantly different ways. As such, it posits that the losses incurred should not be legally combined into a class-action lawsuit.
The software services provided by Blackbaud range from accounting and fundraising to marketing. Each client company had the autonomy to choose which software to use and what kind of information to input into it. Consequently, the type of data breached ranged from names and email addresses to Social Security numbers and health testing data.
The final decision on whether the victims of the breach can sue Blackbaud collectively in a single lawsuit now lies with Federal Judge Joseph Anderson.