Blackbaud must face data breach claims over 2020 ransomware attack

REUTERS/Dado Ruvic/

(Reuters) - A South Carolina federal judge is allowing multidistrict data breach litigation against software company Blackbaud Inc to go forward, finding the plaintiffs have sufficiently alleged standing to keep the case on track.

The Thursday decision from U.S. District Judge J. Michelle Childs in Columbia comes in litigation against Charleston-based Blackbaud, which was hit with a ransomware attack in early 2020. Cybercriminals allegedly later exfiltrated an "astronomical amount of data," according to a consolidated complaint.

"We are pleased with Judge Childs' decision, which we believe may be the first district court case addressing whether the Supreme Court’s TransUnion v. Ramirez opinion closes the courthouse doors to consumers demanding accountability from companies when they are careless with their data," co-lead counsel for the plaintiffs said in a statement. "We look forward to continuing to represent the class on these important issues."

Amy Keller of DiCello Levitt Gutzler, Harper Segui of Milberg Coleman Bryson Phillips Grossman, Krysta Kauble Pachman of Susman Godfrey and Marlon Kimpson of Motley Rice are co-lead counsel.

Ronald Raether of Troutman Pepper Hamilton Sanders, a lawyer for Blackbaud, didn't immediately respond to a request for comment Friday.

Blackbaud offers software and other products for "social good organizations," such as nonprofits, foundations and education institutions, according to its website.

The Judicial Panel on Multidistrict Litigation in December pooled together several lawsuits against the company, assigning the litigation to Childs. As of Thursday there are 28 class actions in the MDL, she said in her order denying Blackbaud's motion to dismiss for lack of subject matter jurisdiction, one of at least two motions filed to dismiss the case.

Blackbaud paid a ransom to cybercriminals to assure that data stolen from its systems after a "months-long" intrusion was deleted, the plaintiffs said in their April consolidated class complaint. They allege the company "downplayed" the incident and its "unlawfully deficient data security" injured millions of people.

The company moved to dismiss the complaint, in part arguing that the plaintiffs have not adequately alleged their injuries are "fairly traceable" to its conduct, thus not satisfying an Article III standing requirement.

In the Thursday decision, the judge said she would not consider Blackbaud's factual challenge to standing because it involves "facts that are intertwined with the merits" of the claims. The company asserted that a summary of an investigation by cybersecurity firm Kroll Inc supports its argument.

Turning to the company's facial challenge, the judge concluded the plaintiffs sufficiently alleged Blackbaud was a "plausible source" of their personal information, as needed to survive such a challenge in data breach cases.

The plaintiffs have also pled a "plausible connection" between the types of data allegedly compromised and their injuries, among other things, she said.

They have satisfied the traceability requirement at this phase, the judge said, adding that even if the company demonstrates after discovery that the attack didn't cause the alleged injuries, "it is premature to dismiss Plaintiffs' claims on grounds of traceability at this stage."

The case is In Re Blackbaud Inc Customer Data Security Breach Litigation (MDL 2972), U.S. District Court for the District of South Carolina, No. 3:20-MN-02972.

For the plaintiffs: Amy Keller of DiCello Levitt Gutzler, Harper Segui of Milberg Coleman Bryson Phillips Grossman, Krysta Kauble Pachman of Susman Godfrey, Marlon Kimpson of Motley Rice

For Blackaud: Celeste Jones of Burr & Forman and Ronald Raether of Troutman Pepper Hamilton Sander

Read More:

MDL panel pools litigation for data cases against Blackbaud, Clearview

Our Standards: The Thomson Reuters Trust Principles.

Thomson Reuters

Sara Merken reports on privacy and data security, as well as the business of law, including legal innovation and key players in the legal services industry. Reach her at sara.merken@thomsonreuters.com