Brianna Soltys and Kristin L. Bryan of Squire Patton Boggs write that the the Judicial Panel on Multidistrict Litigation, which had consolidated all federal lawsuits against Blackbaud in the District of South Carolina, has rejected plaintiffs’ motion to require Blackbaud to issue a corrective notice.
As a brief reminder: Blackbaud provides third-party services for entities in the medical sector who want to manage mailings seeking donations. They also provide services to the education sector. When they were the victim of a ransomware attack, they decided to pay the ransom to prevent their clients’ data from being dumped or sold on the dark web. But even with that, lawsuits were filed in state and federal courts. SuspectFile tracked the education sector clients of Blackbaud who disclosed the breach while DataBreaches tracked the medical sector.
With respect to the federal suits, Soltys and Bryan explain:
While these suits center on the question of whether Blackbaud had a sufficient security system, the most recent dispute in the federal litigation involves Blackbaud’s response and public communications regarding that data breach. Specifically, Plaintiffs asserted that the notice Blackbaud provided on its website misrepresented the “type of data stolen,” and failed to “take into account the harm class members faced as a result of the breach.” Accordingly, Plaintiffs moved for an order requiring Blackbaud to send a “corrective notice” to its customers and the public.
The Plaintiffs’ motion, however, quickly ran into a problem under the First Amendment. As the District of South Carolina noted, a court generally cannot restrain a party’s speech unless there it is necessary to prevent serious misconduct, and that need outweighs the party’s free-speech rights. In the class action context, courts have held that there is a “serious threat to the fairness of the litigation process” that can justify a limitation on speech when one party disseminates “misleading communications to class members” concerning their rights related to the pending litigation – for example, a court might order a corrective notice to prevent a party from coercing putative class members into unknowingly waiving their rights.
Read more at The National Law Review.
DataBreaches is not aware of whether any researchers or litigation experts have tracked how often courts actually do order corrective notices. This court’s order seems to focus on rights to the pending litigation, but I’m not sure I understand why plaintiff’s in some class actions couldn’t successfully argue that a defendant had not disclosed information vital to assess their risk of harm and vital to assessing whether class members might want to waive any rights in the class action. As an example, if some plaintiffs raised the issue of whether a defendant should be required to issue a corrective notice because defendants had knowingly withheld information that people’s information had already appeared on the dark web on a leak site or for sale, what might a court decide? Is it still a First Amendment issue?
DataBreaches knows a number of very smart lawyers follow this blog. Please consider this an encouragement or request to dive more into this issue and explain how withholding information that data have already been dumped on the dark web might be handled by a court if plaintiffs seek a corrective notice.
In another post this morning, the Fourth Circuit held that an entity’s claims about the importance of data security to them was not actionable. So I guess the “We take your privacy and security very seriously” is not actionable?