DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Court Rejects Demand for “Corrective” Notice in Blackbaud Data Breach MDL

Posted on April 30, 2022 by Dissent

Brianna Soltys and Kristin L. Bryan of Squire Patton Boggs write that the the Judicial Panel on Multidistrict Litigation, which had consolidated all federal lawsuits against Blackbaud in the District of South Carolina, has rejected plaintiffs’ motion to require Blackbaud to issue a corrective notice.

As a brief reminder: Blackbaud provides third-party services for entities in the medical sector who want to manage mailings seeking donations. They also provide services to the education sector. When they were the victim of a ransomware attack, they decided to pay the ransom to prevent their clients’ data from being dumped or sold on the dark web. But even with that, lawsuits were filed in state and federal courts. SuspectFile tracked the education sector clients of Blackbaud who disclosed the breach while DataBreaches tracked the medical sector.

With respect to the federal suits, Soltys and Bryan explain:

While these suits center on the question of whether Blackbaud had a sufficient security system, the most recent dispute in the federal litigation involves Blackbaud’s response and public communications regarding that data breach.  Specifically, Plaintiffs asserted that the notice Blackbaud provided on its website misrepresented the “type of data stolen,” and failed to “take into account the harm class members faced as a result of the breach.”  Accordingly, Plaintiffs moved for an order requiring Blackbaud to send a “corrective notice” to its customers and the public.

The Plaintiffs’ motion, however, quickly ran into a problem under the First Amendment.  As the District of South Carolina noted, a court generally cannot restrain a party’s speech unless there it is necessary to prevent serious misconduct, and that need outweighs the party’s free-speech rights.  In the class action context, courts have held that there is a “serious threat to the fairness of the litigation process” that can justify a limitation on speech when one party disseminates “misleading communications to class members” concerning their rights related to the pending litigation – for example, a court might order a corrective notice to prevent a party from coercing putative class members into unknowingly waiving their rights.

Read more at The National Law Review.

DataBreaches is not aware of whether any researchers or litigation experts have tracked how often courts actually do order corrective notices. This court’s order seems to focus on rights to the pending litigation, but I’m not sure I understand why plaintiff’s in some class actions couldn’t successfully argue that a defendant had not disclosed information vital to assess their risk of harm and vital to assessing whether class members might want to waive any rights in the class action.  As an example, if some plaintiffs raised the issue of whether a defendant should be required to issue a corrective notice because defendants had knowingly withheld information that people’s information had already appeared on the dark web on a leak site or for sale, what might a court decide? Is it still a First Amendment issue?

DataBreaches knows a number of very smart lawyers follow this blog. Please consider this an encouragement or request to dive more into this issue and explain how withholding information that data have already been dumped on the dark web might be handled by a court if plaintiffs seek a corrective notice.

In another post this morning, the Fourth Circuit held that an entity’s claims about the importance of data security to them was not actionable. So I guess the “We take your privacy and security very seriously” is not actionable?

 

 

Related posts:

  • Blackbaud Data Breach: Non-Profit Foundations (Part One)
  • Kept in the Dark — Meet the Hired Guns Who Make Sure School Cyberattacks Stay Hidden
  • FTC Order Will Require Blackbaud to Delete Unnecessary Data, Boost Safeguards to Settle Charges its Lax Security Practices Led to Data Breach
  • Almost 11 million patients impacted by Blackbaud incident — and still counting
Category: Commentaries and AnalysesMalwareOf Note

Post navigation

← CERT-In’s directions on reporting data breach will hold companies accountable: Experts
Fourth Circuit Holds Statements About Importance of Data Security Not Actionable →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit
  • British national “IntelBroker” charged with causing $25 million in damages; U.S. seeks his extradition from France
  • France issues press statement about arrest of ShinyHunters members
  • Patients Allege Home Delivery Pharmacy Failed to Timely Notify Them of Data Breach
  • Hackers breach Norwegian dam, open valve at full capacity

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions
  • NY Attorney General James Affirms Hospitals Must Provide Access to Emergency Abortion Care
  • How Internet of Things devices affect your privacy – even when they’re not yours
  • Sky Views Personal Data as a Potential Weapon in IPTV Piracy War
  • Florida Used a Nationwide Surveillance Camera Network 250 Times To Aid in Immigration Arrests
  • Federal Court Strikes Down HIPAA Reproductive Health Care Privacy Rule

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.