(September 9) A U.S. donor is suing software giant Blackbaud after receiving notices from two of the charities affected by a recent Blackbaud data breach where it had to pay cyber attackers a ransom to regain control of their NetCommunity and RaisersEdge platforms, The NonProfit Times is reporting in Blackbaud Faces Class Action Lawsuit After Data Breach.
“The plaintiff seeks to compel Blackbaud to increase its data security practices in unspecified ways, to change practices that led to the breach, to pay for both actual and punitive damages and to pay attorneys’ fees and costs,” said the magazine.
‘Private information was maintained on defendant’s computer network in a condition vulnerable to cyberattacks,’ the suit alleges.”
On August 25th The Charity Report ran a story entitled Blackbaud Data Breach: The impact on Canadian charities and what we still don’t know, in which a blog written by two Miller Thomson lawyers, Nicole D’aoust and David Krebs, were quoted,
“Your organization must understand that while Blackbaud is its service provider,” the blog stated, “any potential legal or contractual obligations, including potential notification requirement with respect to the particular individuals involved or report to Privacy Commissioners likely fall on the particular charity or not-for-profit organization.
Charities, especially charities undertaking capital campaigns and are cultivating large donors, often keep personal data about their prospective donors on the donor data base, especially large hospitals and universities. The information could range from the names of their spouse and children, their estimated net worth, details about donations they’ve given to other organizations, to the names of their pets and events they’ve attended.
The question raised by the Blackbaud data breach is the safety of donor data and whether charities using the Blackbaud platform liable for any compromise in the privacy of the data. The Charity Report raised these questions with Miller Thomson, who declined to offer further explanation saying, “our firm is unable to comment on your requested questions.”
“We have received a breach report from Blackbaud and will be examining the report in order to determine next steps,” The Office of the Privacy Commissioner told The Charity Report. “We have not received any complaints. Due to confidentiality provisions in the Personal Information Protection and Electronic Documents Act (PIPEDA) we cannot offer further details about this matter at this time.”
A guide to making a complaint to The Office of the Privacy Commissioner can be found here: Guide to the PIPEDA complaint process.