A federal judge has rejected class certification in a combined class action lawsuit filed against Blackbaud in connection with a ransomware attack and data breach in 2020 because the plaintiffs did not satisfy their burden of proof for ascertainability. Blackbaud is a company offering financial, administration, and fundraising software to organizations, schools, and non-profits. In February 2020, a hacker breached Blackbaud’s security and acquired access to its networks and was not noticed for three months. The hacker used compromised credentials to access Blackbaud’s remote desktop system and moved to access the company’s data centers located in Massachusetts. Blackbaud discovered the breach on May 20, 2024.
In those three months, a large volume of data was extracted from Blackbaud’s system. Over 13,000 of Blackbaud’s clients were impacted and approximately the sensitive data of 1.5 billion patients, donors, and other individuals was stolen. The hackers professed to have extracted over 400 terabytes of information and left a ransom note. They demanded a ransom payment to delete the files. After paying a 24-bitcoin ransom, Blackbaud didn’t get any evidence that the hackers had deleted the data.
People whose information was stolen during the attack filed over a dozen class action lawsuits. Because the lawsuits had the same accusations and were in line with the identical facts, the lawsuits were combined into one lawsuit. The lawsuit claimed that Blackbaud did not apply reasonable and proper security procedures and that it neglected its breach response, which was misleading. The Federal Trade Commission (FTC) looked into the breach and arrived at these conclusions:
- Blackbaud committed FTC Act violations for being unable to carry out proper security measures
- keeping data, including PHI, while there was no purpose for the business to keep the data
- giving inaccurate statements concerning the scope of the breach
The Securities and Exchange Commission (SEC) also investigated Blackbaud and decided to issue a $3 million penalty to settle the allegations it gave deceptive reports regarding the breach.
The lawsuit suggested several classes, which include nationwide negligence and gross negligence classes under Massachusetts legislation covering every natural person in the United States of America whose information was compromised from Blackbaud, in addition four subclasses for locals of California, Florida, and New York. Although it is not a statutory precondition to class certification, a few courts call for plaintiffs to prove ascertainability at the class certification step.
By ascertainability, it means that members of a certified class should be adequately certain and should be quickly ascertained or established using objective standards, which is essential to the fairness and manageability of class action proceedings. U.S. District Court Judge Joseph Anderson rejected certification since the plaintiffs did not prove the ascertainability of the proposed classes and subclasses. As per Anderson, the plaintiffs did not demonstrate that there seemed to be an administratively achievable way for the court to decide whether a specific person was a part of a class without substantial, personalized fact-finding.