Cloud Software Company Blackbaud Sued Over Ransomware Attack And Data Breach


On Friday in the Southern District of Florida, plaintiffs Pam Arthur and Dorothy Kamm filed a class-action complaint against defendant Blackbaud, a cloud software company, for a ransomware attack and data breach that occurred in May of this year and exposed sensitive and personally-identifying information affecting the plaintiffs and the putative class.

According to the complaint, those affected include schools, healthcare providers, non-profits, and other organizations “whose data and servers were managed, maintained, and secured by Blackbaud”; the clients’ data and servers contained sensitive and personally-identifying information from individuals, such as students, patients, and donors, including the plaintiffs. As a result, the plaintiffs proffered that they and the putative class have “suffered ascertainable losses in the form of out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the attack.

The information allegedly exposed by the breach includes: “name(s), addresses, phone numbers, and other personal information.” However, the plaintiffs noted that based on their notice about the breach and the “type of accessed information, it is believed based on statements by Defendant’s Clients directing Class Members to monitor suspicious activity of their credit and accounts, that Social Security Numbers, credit card numbers, bank account numbers, and additional personally identifiable information” may have been obtained as well.

The plaintiffs stated that they have brought forth this suit to: “(1) address Defendant’s inadequate safeguarding of Class Members’ Private Information, which Defendant managed, maintained, and secured; (2) for failing to provide timely and adequate notice to Plaintiffs and  other Class Members that their information had been subject to the unauthorized access of an unknown third-party; (3) for failing to identify all information that was accessed; and (4) for failing to provide Plaintiffs and Class Members with any redress for the Data Breach.”

The plaintiffs claimed that the defendants “maintained and secured” this sensitive and private information “in a reckless manner” because Blackbaud purportedly failed to safeguard this information against attacks. They added that the information was kept on a “computer network in a condition vulnerable to attacks,” and that the defendant knew that the network was susceptible to an attack, but failed to properly secure this information despite this knowledge. Additionally, the plaintiffs alleged that the defendant “failed to properly monitor the computer network and systems that housed the Private Information” and “failed to implement appropriate policies to ensure secure communications,” while Blackbaud also “failed to properly train employees regarding ransomware attacks.”

After the attack, Blackbaud allegedly implemented changes to prevent future attack, but the plaintiffs noted that “had these changes been in place previously, this incident would not have happened.”

The counts against Blackbaud are negligence, invasion of privacy, breach of express contract, breach of implied contract and negligence per se. The plaintiffs have sought an order certifying a class action and to appoint plaintiffs and their counsel to represent the class; equitable relief, including enjoining defendants from further wrongful conduct and for the defendant to use proper methods and policies to collect and safeguard this information; restitution and disgorgement of revenues from this allegedly unlawful conduct; for the defendant to pay for credit monitoring; and an award for damages.

The plaintiffs are represented by Greg Coleman Law PC.