It is common for a company to be sued over a data breach, as in the case of Blackbaud. In addition, ransomware is increasingly part of the mix (Ransomware + Theft + Leakage = Data Breach), as criminal gangs first steal data from their victims and then threaten to leak it if the victims refuse to pay the ransom demanded.
Ransomware raises a further issue, concerning both data breaches themselves and the possible legal consequences faced by the organizations that are breached. In particular, a large number of organizations affected by ransomware have said they were able to restore their systems from backups. Nevertheless, they paid a ransom to the attackers in exchange for a promise that the attackers would delete all the stolen data and not pass it on or sell it to others.
But can organizations be sure that intruders will keep their promise? This is the question raised by the lawsuit against Blackbaud, a cloud computing provider based in South Carolina. The American company, which provides services to thousands of charities, universities, healthcare organizations and others, suffered a data theft and ransomware attack in May.
Meanwhile, many questions remain unanswered about the Blackbaud breach, as the company detected the intrusion in May but only began informing its customers in July. The victims of the incident include organizations in Europe, which means that Blackbaud must comply with the EU General Data Protection Regulation (GDPR). The GDPR requires regulators to be notified within 72 hours of an organization becoming aware of a breach, including what happened and what data was affected. Blackbaud has not yet responded to Information Security Media Group's request for clarification on when it first informed European regulators about the incident.
In its breach notification, Blackbaud stated that it had paid a ransom in return for a promise from the attackers that they would delete all the stolen data. Blackbaud added that the attackers did not have access to credit card information, bank account details or social security numbers. It also stated that protecting its customers' data is its top priority, which is why it paid the ransom demanded and received assurances from the intruders that the stolen data had been destroyed.
Following the breach notification, a lawsuit was filed against Blackbaud on 12 August by Whitfield Bryson & Mason LLP on behalf of US resident William Allen, whose personal information was compromised as a result of the breach. The lawsuit seeks, in part, seven years of prepaid identity theft monitoring for victims. According to the lawsuit, the company's security defenses were inadequate, and the intruders may have compromised a huge volume of PII, including social security numbers, credit card numbers and bank account details.
Matthew Lee, an attorney at the firm that filed the suit, has argued that the PII of tens of thousands of people may have been exposed, so these individuals may be at risk of identity theft for the rest of their lives.
The lawsuit also notes that the company paid the intruders in an effort to protect victims. Lee stressed that he does not believe someone who has broken into a company's systems can be trusted to keep a promise to destroy the data they stole.
Many data breaches trigger lawsuits alleging that the breached organization had poor and inadequate security controls and that the victims should receive compensation. But, at least in the United States, very few of these lawsuits succeed. Lawyers say this is because many courts have ruled that victims must show they were harmed, and that such harm can only be proven by financial loss.
According to attorney Mark Rasch, who advises the law firm Kohrman Jackson & Krantz on internet privacy and breach matters, courts have been reluctant to award compensation to data breach victims merely because certain types of personal information were exposed. The reason is that the victim could not show real harm resulting from the breach, beyond the theoretical harm of fearing that at some point in the future their identity might be stolen. Rasch added that, looking at the history of data breaches, the first breaches involved credit card details, and the damage was that someone would steal money from the victim's account.
State data breach notification laws are designed to ensure that affected consumers are informed in a timely manner so that they can take the necessary steps to protect their PII.
However, banks and credit card companies are often the first to detect a breach, because they notice a series of unusual charges across many cards. They then cancel the cards and issue new ones, and card issuers usually reimburse any fraud that occurs. Thus, according to Rasch, mitigation has already taken place before the data breach notification goes out. Many breached organizations also offer at least one year of prepaid identity theft protection services if credit card numbers, social security numbers or other data that could be used for identity theft have been exposed.
This does not stop many lawsuits from alleging privacy violations. In the US, however, damages require a showing of financial loss, and privacy has no dollar value. Rasch said that the fact that no dollar value is attributed to privacy means that, in practice, it is not valued.
As for Blackbaud, what of the lawsuit's strategy of faulting the company for paying a ransom to the intruders as part of its effort to protect the stolen data? Rasch says this could actually work in Blackbaud's favor, as it shows that the company took deliberate steps to manage the incident and mitigate its impact, rather than trying to cover it up. Finally, Rasch stressed that the company did not pay the hackers for their silence, but to destroy the stolen data, and that this is not necessarily irrational.