Blackbaud – firm that paid off crooks after 2020 ransomware attack – fails to get California privacy law claim dropped

A judge in South Carolina has struck out a number of claims in a consolidated class-action suit alleging cloud CRM provider Blackbaud didn't do enough to prevent a 2020 ransomware attack, but allegations under California's Consumer Privacy Act will move forward.
US district judge J Michelle Childs said in a 33-page ruling that "Blackbaud's alleged registration as a 'data broker' suggests that it is also a 'business' under the CCPA." The firm had previously argued it did not qualify as a "business" regulated by the CCPA, California's GDPR-ish data privacy regulations that came into effect in July 2020.
The CCPA claim, if successful, could net statutory damages of up to $750 per violation for the California plaintiffs.
Another of the claims, filed under Florida's Deceptive and Unfair Trade Practices Act, was that Blackbaud "engaged in a deceptive act or unfair practice" by allegedly making "misrepresentations and omissions about its security efforts and the scope of the ransomware attack." Judge Childs also decided the Florida claim would move forward in part, seeking injunctive relief, but denied a claim for damages under the same law.
Claimants from New Jersey, South Carolina, and Pennsylvania all had their claims struck out when the judge granted Blackbaud's motion to dismiss them.
The New York plaintiffs also saw some success, with the judge denying Blackbaud's motion to dismiss their claim under NY's General Business Law Section 349, which makes unlawful any "deceptive acts or practices in the conduct of any business, trade or commerce or in the furnishing of any service in this state."
News URL
https://go.theregister.com/feed/www.theregister.com/2021/08/17/ccpa_blackbaud/