In a recent development, a federal judge has denied class certification in a consolidated proposed class action lawsuit against Blackbaud. This decision stems from a 2020 ransomware attack on the cloud-based fundraising software vendor, which affected 13,000 clients and compromised the data of approximately 1.5 billion donors, patients, and other individuals.

The ruling by U.S. District Court Judge Joseph Anderson for the U.S. District Court of South Carolina stated that the plaintiffs failed to demonstrate that the proposed class and subclasses were “ascertainable.” This case consolidated over two dozen proposed class action lawsuits filed against Blackbaud following the breach.

The lawsuit’s proposed classes included negligence and gross negligence classes under Massachusetts common law for all U.S. residents whose unencrypted information was stored in the compromised database. In addition, there were subclasses for residents of New York, Florida, and California.

The judge highlighted the plaintiffs’ failure to provide an “administratively feasible” way for the court to determine class membership without extensive and individualized fact-finding. As a result, the motion for class certification was denied.

Attorneys representing the plaintiffs did not immediately respond to requests for comments on the ruling or the next steps in the case. On the other hand, attorney Ron Raether, representing Blackbaud, expressed satisfaction with the court’s decision and looked forward to representing the company’s interests in future phases of the litigation.

The breach details revealed that threat actors infiltrated Blackbaud’s data centers between February 7 and May 20, 2020. The attackers gained access to over 400 terabytes of data and demanded a ransom for its deletion, which Blackbaud paid without receiving proof of data deletion.

The plaintiffs alleged that Blackbaud’s lack of adequate safeguards allowed the breach to go undetected for months. They also criticized the company’s response to the breach, claiming it was negligent and misleading. Furthermore, approximately 90,000 backup files belonging to 13,000 customers were impacted, affecting data of 1.5 billion constituents.

In the aftermath of the incident, Blackbaud faced enforcement actions from federal and state government regulators, including settlements and fines. The Federal Trade Commission ordered Blackbaud to delete unnecessary personal data and implement security improvements. The company was cited for deceptive breach notification statements and misleading information about its security practices.

State attorneys general reached a $49.5 million settlement with Blackbaud to address data security practices. The company also agreed to pay a $3 million civil penalty imposed by the U.S. Securities and Exchange Commission for omitting facts about the cybersecurity incident in a quarterly report.

Additionally, Britain’s Information Commissioner’s Office reprimanded Blackbaud for violating the U.K.’s General Data Protection Regulation. Reprimands typically highlight violations and provide recommendations for rectifying shortcomings.

The denial of class certification in the lawsuit against Blackbaud signifies a significant development in the ongoing legal battle over the 2020 ransomware attack. It highlights the challenges faced by plaintiffs in proving ascertainability and underscores the broader repercussions of data breaches on individuals and organizations. The case serves as a reminder of the importance of robust cybersecurity measures and the need for accountability in data security practices.

Source link