author photo
By Bruce Sussman
Wed | Sep 2, 2020 | 7:36 AM PDT

There is an interesting legal twist coming to us now in a lawsuit filed following a 2020 ransomware incident—an attack where cybercriminals exfiltrated data from the company and then threatened to publish it.

The class action lawsuit is going after Blackbaud, which provides marketing and fundraising software in the cloud, used by thousands of charities, universities, and healthcare organizations in North America and Europe.

New ransomware attack strategy, new legal challenges 

Ransomware has evolved in 2020, with the more sophisticated cyber threat actors now using it to not only encrypt systems, but also to steal corporate data and then threaten to publish it unless a ransom is paid.

This is exactly what happened to Blackbaud, according to the company's data breach announcement:

"Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment. Because protecting our customers' data is our top priority, we paid the cybercriminal's demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly."

This sounds hopeful, right? You pay the ransom, the ransomware operators destroy the data they stole from you and your customers, and now you can sleep at night. Or can you?

The lawsuit against Blackbaud specifically calls out this new twist in ransomware attacks and the decision to pay cybercriminals in cases like this.

From the class action lawsuit:

"Plaintiff and Class Members' identities and Private Information are now at risk because of Defendant's negligent conduct as the Private Information that Defendant collected and maintained was in the hands of data thieves.

Defendant cannot reasonably maintain that the data thieves destroyed the subset copy simply because Defendant paid the ransom and the data thieves confirmed the copy was destroyed.

In fact, the notices advise the affected individuals to monitor their own credit, suspicious account activity, and notify the school or non-profit of suspicious activity related to his or her credit."

Are the victims in this case really better off because of the ransomware payment?

Cyber law continuing to evolve through ransomware cases like this

SecureWorld asked Rebecca Rakoski, Managing Partner at XPAN Law Group, about this case. XPAN focuses on cybersecurity and privacy law:

"It can certainly be argued that paying ransom does not protect the victim, especially if the data is already exfiltrated. It's the old horse is already out of the barn adage.  What is not clear is how a court would receive this type of argument," says Rakoski.

"That being said, it certainly is creative and indicative of what I think we can expect to see going forward. Data subjects and consumers are starting, more and more, to enforce rights around their personal data. Organizations need to really take proactive security and privacy seriously, and especially where there are laws around those types of measures."

Laws such as the New York SHIELD Act, for example.

Now we wait and we watch. We'll see how the court views this argument that paying the ransom offers no assurance to those impacted by a ransomware attack.