SC Blackbaud Data Breach Corrective Notice Rejected by Courts – The National Law Review


In spring of 2020, cybercriminals infiltrated the computer networks of Blackbaud, a South Carolina-based cloud-computing provider.  Once in Blackbaud’s system, cybercriminals copied the data of a number of individuals and held it for ransom. The targets of the attack were not direct customers of Blackbaud, but rather were individuals who had provided their data to companies, which in turn contracted with Blackbaud to manage that data.  Even so, Blackbaud paid the ransom to the cybercriminals on the condition that the cybercriminals immediately and permanently destroy all copied data.

Once the data breach went public, lawsuits by the affected individuals sprang up in state and federal courts across the country. The Judicial Panel on Multidistrict Litigation eventually consolidated all federal litigation in Blackbaud’s home court, the District of South Carolina.

While these suits center on the question of whether Blackbaud had a sufficient security system, the most recent dispute in the federal litigation involves Blackbaud’s response and public communications regarding that data breach.  Specifically, Plaintiffs asserted that the notice Blackbaud provided on its website misrepresented the “type of data stolen,” and failed to “take into account the harm class members faced as a result of the breach.”  Accordingly, Plaintiffs moved for an order requiring Blackbaud to send a “corrective notice” to its customers and the public.

The Plaintiffs’ motion, however, quickly ran into a problem under the First Amendment. As the District of South Carolina noted, a court generally cannot restrain a party’s speech unless it is necessary to prevent serious misconduct, and that need outweighs the party’s free-speech rights. In the class action context, courts have held that there is a “serious threat to the fairness of the litigation process” that can justify a limitation on speech when one party disseminates “misleading communications to class members” concerning their rights related to the pending litigation – for example, a court might order a corrective notice to prevent a party from coercing putative class members into unknowingly waiving their rights.

Blackbaud’s notices, the Court held, did not mislead putative class members in this way. In fact, the Court noted, “Plaintiffs have alleged no…conduct by Blackbaud that has interfered with their ability to bring this lawsuit or misled potential class members regarding their rights in this litigation.” Indeed, Plaintiffs’ complaints against Blackbaud’s notices do not center on the putative class members’ rights at all, but rather dispute Blackbaud’s rendition of the key substantive, disputed issues at the heart of the litigation. As Blackbaud’s notice did not meaningfully interfere, or threaten to interfere, with putative class member rights, the Court declined to order the corrective notice.

As a final note, the Court explained that it must avoid “authorizing injurious class communications that might later prove unnecessary.”  That precaution operated here where, in the absence of evidence that Blackbaud’s notice interfered with the putative class members’ rights, it would be dangerous to order a corrective notice that may cause serious harm to Blackbaud’s general reputation and to its relationships with its customers.


© Copyright 2022 Squire Patton Boggs (US) LLP
National Law Review, Volume XII, Number 119
