On November 20, 2020, a class action lawsuit was filed on behalf of Heidi Imhof against Blackbaud Inc., claiming that the software company failed to safeguard users’ personal information and did not notify them of a data breach until months after a ransomware attack, as a mass tort lawyer in Las Vegas, NV can explain.
The class action complaint was filed in Florida by the Consumer Protection Firm, LLC.
Blackbaud is a cloud computing provider that provides services to nonprofits, foundations, corporations, educational institutions, healthcare organizations and religious organizations.
In February of 2020, a hacker entered Blackbaud’s system and remained there for three months until Blackbaud’s cyber security team discovered the hacker and purged them from their system. The lawsuit alleges that before the hacker was removed from the system, they were able to view Blackbaud user information for three months and copy some data from the Blackbaud system. Blackbaud claims that it paid the hacker a “ransom-to-delete” because “protecting customers’ data is top priority”.
One of the institutions affected by the hack was Stetson University, the law school that Plaintiff Heidi Imhof attended. Stetson University was notified of the breach on July 16. Imhof was notified by Stetson University on October 2 that her name, social security number, date of birth, student ID, demographic information and donation history had potentially been compromised.
The lawsuit alleges that Blackbaud failed to properly safeguard and protect the Plaintiff’s and Class Members’ personally identifiable information and failed to provide timely, accurate and adequate notice that their personally identifiable information had been compromised.
The lawsuit further alleges that Blackbaud disregarded the rights of Plaintiff and Class Members by, inter alia, meaning intentionally, willfully, recklessly, or negligently failing to take adequate and reasonable measures to ensure their data and cyber security systems were protected against unauthorized intrusions and failing to disclose that it did not have adequately robust computer systems and security practices to safeguard individual personally identifiable information.
The lawsuit claims that as a result of Blackbaud’s negligence, the Plaintiffs and Class Members suffered damages not limited to economic damages and are entitled to compensation for credit monitoring and theft protection services, theft of their personal and financial information, loss of privacy, imminent and certainly impending injury flowing from potential fraud and identity theft, untimely and inadequate notification of the data breach and more.
The lawsuit brings forth eight causes of action, they include:
- Negligence (on behalf of Plaintiff and the Nationwide Class)
- Negligence Per Se (on behalf of Plaintiff and the Nationwide Class)
- Breach of Implied Contract (on behalf of Plaintiff and the Nationwide Class)
- Unjust Enrichment (on behalf of Plaintiff and the Nationwide Class)
- Declaratory Judgment (on behalf of Plaintiff and the Nationwide Class)
- Breach of Confidence (on behalf of Plaintiff and the Nationwide Class)
- Violation of the Florida Unfair and Deceptive Trade Practices Act, Fla. Stat. §§ 501.201, et seq. (on behalf of Plaintiff and the Nationwide Class)
- Invasion of Privacy- Wrongful Publicizing of Private Affairs and Wrongful Intrusion Into Private Affairs (on behalf of Plaintiff and the Nationwide Class)
Thanks to Eglet Adams, class action attorneys, for their insight on the Blackbaud Software class cation lawsuit.