A lawsuit filed against Blackbaud Inc. alleging violations of the California Consumer Privacy Act (CCPA) has survived a motion to dismiss. Judge Childs of the United States District Court for the District of South Carolina declined to dismiss the plaintiffs’ claims under the CCPA.
The Charleston, SC-based cloud software company suffered a ransomware attack in May 2020, with the hackers first gaining access to its systems on February 7, 2020. The attackers copied the data of the plaintiffs and other members of the putative class action and held it to ransom, in what is commonly referred to as a double extortion attack. The attackers attempted to prevent Blackbaud from accessing its own systems but that attempt failed. Blackbaud took the decision to pay the attackers for the keys to decrypt data and prevent the sale or publication of data stolen in the attack. Blackbaud received assurances that the hackers had deleted the data.
The plaintiffs alleged that Blackbaud was negligent for having “a deficient security program,” and that the company failed to adhere to industry standards by utilizing out-of-date servers, storing obsolete data, and maintaining unencrypted data fields. The plaintiffs also alleged the internal investigation into the attack was too narrow in scope and did not cover all appropriate systems.
Blackbaud reported the data breach as not involving any credit card details, but the plaintiffs alleged that the investigation did not examine database files where credit card data could have been stored and that Blackbaud failed to provide the plaintiffs with adequate and timely notice about the attack and resultant data breach.
The motions to dismiss the lawsuit were dealt with in two rounds, the first addressing jurisdictional issues. The court denied the jurisdictional motion to dismiss on July 1, 2021. The second meeting covered the other motions to dismiss under various state laws, including under the CCPA.
The CCPA has a private right of action allowing individuals to take legal action over data breaches for actual or statutory damages when unencrypted, nonredacted personal information is subject to a data breach. However, Blackbaud maintained it was not a business covered by the definition of the CCPA and was instead a service provider. Service providers are not required to comply with the CCPA.
The court acknowledged that, since the CCPA only took effect on January 1, 2020, few courts had addressed CCPA provisions, but it ruled that Blackbaud did fall under the definition of a business and was therefore covered by the CCPA.
The court determined that Blackbaud is a for-profit entity and that its direct customers determine the purposes and means of processing consumers’ personal information. Blackbaud uses the personal data of consumers to provide services at consumers’ requests and has revenues exceeding $25 million per annum.
Additionally, Blackbaud was registered as a data broker in California. Cal. Civ. Code § 1798.99.80 states that a data broker is a business that collects and sells the personal information of consumers to third parties that the business does not have a direct relationship with.
The court ruled that the plaintiffs had successfully alleged violations of the CCPA and the court denied Blackbaud’s motions to dismiss the plaintiffs’ claims under the CCPA, although some of the plaintiffs’ claims under other state legislative acts were dismissed by the court.