Class Action Denied In Blackbaud Data Breach Case
The plaintiffs’ motion for class certification in a Blackbaud data breach case has been rejected by a judge of the U.S. District Court for the District of South Carolina, Columbia Division.
Judge Joseph F. Anderson Jr. indicated that a method proposed by the plaintiffs’ expert had not shown how class members would be determined. By some counts, the class size could have reached 1.5 billion members, reflecting the number of records compromised.
The case number is 3:20-mn-02972-JFA.
The denial is one of the latest actions stemming from a data breach at the Charleston, South Carolina-based software and data services firm. Blackbaud was hacked in February 2020 and information on around 1.5 billion individuals from roughly 13,000 Blackbaud customers was compromised. The breach was not discovered by the company until May 14 of that year, and users were not notified until July 16. (https://thenonprofittimes.com/npt_articles/breaking-blackbaud-hacked-ransom-paid/).
Blackbaud ultimately paid a ransom in bitcoin in return for the hackers’ assurance that the data would be destroyed. Company officials have not disclosed the value of the ransom. Blackbaud officials said they had received confirmation that the data had been destroyed.
In denying the class certification, Judge Anderson cited the difficulty of ascertaining affected class members through objective criteria in this instance. Class status requires a manageable and fair method of determining eligibility. Specifically, Anderson wrote:
* “[T]he method proposed by [plaintiffs’ computer scientist and cybersecurity consultant Matthew] Curtin of identifying putative plaintiffs and identifying which of their data elements were exposed in the breach” was excluded due to “Curtin’s inability to provide this Court with an error rate and a statement about its occurrence consistent with generally accepted statistical practices for the Court to evaluate, his failure to sufficiently test his method, the non-replicability of his method, and his failure to sufficiently document his method so that it could be tested by Defendant’s rebuttal expert.”
* “[A]t one point, Plaintiffs believed that Curtin could identify class members themselves using the email addresses present in the customer backup files. Plaintiffs no longer make this argument in their Response in Opposition to Defendant’s Motion to Exclude Curtin’s Report and Testimony.”
* “Curtin’s method is unreliable and unhelpful to this Court in light of Curtin’s failure to provide an error rate for this Court to evaluate. … The unreliability of Curtin’s method is further underscored by the fact that his method (specifically his Referential Index) cannot be replicated, several of the steps he has proposed have not been sufficiently tested, Curtin has failed to identify the “final product” of step two of his method, and Curtin has not demonstrated that his method can be scaled to operate accurately across classes and sub-classes consisting of as many as 1.5 billion putative plaintiffs.”
Blackbaud was first alerted to the breach when its systems flagged a suspicious log-in on an internal server. At the time, officials said the hackers were not able to access the company’s cloud operations, and only removed a subset of data from Blackbaud’s self-hosted environment. No credit card information, bank account information or Social Security numbers were compromised, a spokesperson said at the time (https://thenonprofittimes.com/npt_articles/the-hack-of-blackbaud-damage-is-still-being-assessed/).
In addition to the ongoing litigation, Blackbaud has already paid several penalties stemming from the breach. In March 2023, Blackbaud officials agreed to pay a $3 million fine to the Securities and Exchange Commission for concealing the extent of the 2020 breach. Between the company’s discovery of the breach in May 2020 and its disclosure of the breach in July 2020, the company made a June 2020 offer to sell stock to its employees (https://thenonprofittimes.com/legal/blackbaud-settles-with-sec-for-3m-on-donor-data-breach/).
Blackbaud “omitted this material information about the scope of the attack, and misleadingly characterized the risk of exfiltration of such sensitive donor information as hypothetical” in a required August 4, 2020 SEC filing where it stated “only that the cybercriminal removed a copy of a subset of data,” according to the federal agency.
In paying the fine, Blackbaud officials neither admitted nor denied the SEC’s findings, but agreed not to contest them.
Separately, in October 2023 Blackbaud agreed to pay $49.5 million to settle investigations by 49 states and the District of Columbia. California’s attorney general did not participate in the multistate agreement.
All 50 states have laws requiring organizations that experience data breaches to notify affected parties. However, there is a delicate balance between the need to comply with those laws and notify those whose data has been compromised, and the need not to compromise an investigation if the breach is ongoing. The concern with publicly announcing a breach is that the hackers will go back into the system and cover their tracks. When Blackbaud officials discovered the breach in May 2020, they arranged for their internal security team to work with law enforcement and independent forensic experts.
Blackbaud has been the target of a multiyear acquisition effort by Clearlake Capital Group. Blackbaud officials recently rejected an $80 per share bid by Clearlake, which would have resulted in a $4.3 billion purchase price. Blackbaud’s stock opened today on the NASDAQ exchange at $79.72, down 20 cents from its previous close.
The post Class Action Denied In Blackbaud Data Breach Case appeared first on The NonProfit Times.