Blackbaud, which suffered a data breach of its customers’ data in a ransomware attack in 2020, in which it admitted paying the ransom in a double extortion attack [view related posts], is facing multiple class action cases following the attack. The cases have been consolidated in multi-district litigation and now comprise 29 cases.

The federal judge overseeing the cases has refused to dismiss all of the claims that the plaintiffs alleged against Blackbaud, and ruled that Blackbaud must face claims of violation of the California Consumer Privacy Act (CCPA), deceptive and unfair trade practice allegations made by Florida and New York plaintiffs, and a separate claim by a California plaintiff alleging the compromise of medical information.

The judge declared that the plaintiffs had sufficiently alleged that Blackbaud was a “business” as that term is defined in CCPA partly because Blackbaud was a registered data broker in the state of California.

The judge did dismiss several state statutory claims that had been made by the plaintiffs. We will continue to watch this case and Blackbaud’s defenses to the CCPA claims.