Attorneys for Blackbaud and the putative class action plaintiffs allegedly impacted by the publicly-traded software company’s data breach last year were scheduled to meet last month to discuss a possible resolution of the remaining claims in the multi-district litigation. But the only filings in the case since then concern a contemplated amended complaint, suggesting the MDL is entering a new phase rather than nearing a conclusion.
The planned mediation and order regarding the expected new pleading came several days after Blackbaud announced, along with strong third-quarter financial results, that it has nearly exhausted its $50 million in relevant insurance coverage.
“Based on our review of expenses incurred to date, and upon consideration of the number of matters outstanding,” the company reported, referring to hundreds of customer requests for reimbursement in addition to the putative consumer class actions in the U.S. and Canada, “we believe that total costs related to the Security Incident will exceed the limits of our insurance coverage during the fourth quarter of 2021.” The company, whose fundraising and constituent-relationship software is widely used by nonprofits, noted that breach-related costs would “negatively impact our [Generally Accepted Accounting Principles] profitability and cash flow for the foreseeable future.”Continue Reading Blackbaud Ransomware Litigation Update
On January 12, 2021, the U.S. District Court for the District of Columbia granted a motion to compel production of allegedly privileged cybersecurity documents in Guo Wengui v. Clark Hill, PLC, 1:19-cv-03195. In doing so, the Court determined that the Defendant’s cybersecurity assessment was neither covered by work product protection nor attorney client privilege because the Defendant law firm would have investigated the breach in the same way as a business function.
Organizations which fail to implement appropriate technical and organizational security measures to protect personal data and suffer personal data breaches as a result, increasingly may find themselves facing the double whammy of both enforcement action by the UK Information Commissioner’s Office (ICO), (which can include significant financial penalties) and potentially also group-style legal actions brought by data subjects.
In an interesting data protection case, Elgizouli (Appellant) v Secretary of State for the Home Department (Respondent) [2020] UKSC 10, the UK Supreme Court has held that the UK Government breached data protection laws in passing information to US authorities following a mutual legal assistance (MLA) request that could involve the US seeking the death penalty for two men. The men are alleged to have been members of a terrorist group operating in Syria involved in the torture and murder of hostages.
Recent class action complaints against Zoom Video Communications, Inc. (“Zoom”) are interesting examples of the new risks posed by the California Consumer Privacy Act (“CCPA”) which took effect on January 1. While formal enforcement by the California Attorney General will not begin until July 1, the CCPA’s private right of action allows individuals to bring suits before July. Although the text of the CCPA’s private right of action would lead a reader to believe that the private right of action is limited to suits alleging a breach of personal information, apparently some plaintiffs are not shying away from attempting to use the CCPA to support other litigation. How the California courts handle such lawsuits will be instructive to businesses who collect personal information from California residents.