As more states create data privacy laws, plaintiffs face an increasingly complicated litigation landscape for privacy redress, and companies must mount even more complicated defense strategies. One example is the ongoing multidistrict litigation proceeding against Blackbaud, Inc. in the District of South Carolina, In re Blackbaud, No. 3:20-mn-02972 (D.S.C. filed April 2, 2021), where plaintiffs from 20 states filed a single Consolidated Class Action Complaint. This case raises instructive initial issues for companies to take into consideration as they shape their data-driven practices.

Blackbaud was hit with a ransomware attack between February and May 2020. Blackbaud ultimately complied and paid the ransom, but not before data had allegedly been breached. From July 2020 through January 2021, Blackbaud notified its customers and other data subjects who had been affected, and, according to the plaintiffs, those notifications contained conflicting information on exactly the type of data that was affected.