What Are My Rights After The Blackbaud Data Breach?

By Megan Swan. Last Updated 2nd December 2022. Welcome to our guide, which looks at data and news reports surrounding the Blackbaud data breach. If you’re asking ‘I suffered a psychological injury after a personal data breach, what are my rights?’ this guide could help.

These days, we give our personal information to many different organisations on a regular basis. One of the reasons the General Data Protection Regulation (GDPR) has been introduced is to give you more control over the way in which your information is used. If data is exploited, criminals can use it in identity thefts or to extort money from companies. That’s similar to what happened in the Blackbaud data breach that we’ll look at throughout this guide.

Your questions answered about Blackbaud data breach victims and how to claim compensation

As we proceed through the guide, we will look at what harm a data breach can cause and when you could be compensated for it. Furthermore, we’ll explain how much compensation might be payable.

The team at Accident Claims UK is here to help you if you can prove you have a valid claim for compensation. Our advisors offer a telephone assessment of your case and advice on your options. This is a free service and you’re under no obligation to make a claim.

However, if you can prove you endured financial loss or psychological harm, we could put you in touch with one of our data breach solicitors. If they agree to take on your claim, they will represent you on a No Win No Fee basis.

To talk to a specialist about your case today, please give us a call on 0800 073 8801. You can ask as many questions as necessary during your free case review. If you would like to know more about the Blackbaud data breach before calling, please continue reading.

A Guide On Claiming Compensation For The Blackbaud Data Breach

Organisations that decide how and why personal data is processed (data controllers) should implement strict security protocols to try and keep that information safe. An example of a data controller might be a university.

As well as protecting their own systems, they need to be wary about how their service providers process personal data. This is highlighted by the fact that the Blackbaud data breach affected many universities and charities in the UK but the data was stolen from the cloud software provider.

The UK enacted the GDPR into law via the Data Protection Act 2018. As a result, data controllers should have a lawful basis to process your personal data. While there are many ways this can be gained, it often begins with asking for your permission to use it.

If a personal data breach occurs, the data controller may need to inform the Information Commissioner’s Office (ICO) about it. They are the UK’s watchdog for matters relating to data protection. They are also concerned with other legislation like the Freedom of Information Act 2000.

What Can The ICO Do?

The ICO is able to launch investigations into personal data breach incidents. If failures are identified, they can tell the company to change the way they manage data. Additionally, they can hand out large financial penalties. However, the ICO can’t compensate you for the mental harm or financial loss caused by a data breach. That is the reason you would need to make your own claim.

If you do proceed with a claim, you should do so within the time limit. Generally, you will have 6 years to lodge your claim from the date you obtained knowledge of the breach. However, claims relating to human rights breaches have a limitation period of 1 year. Our specialists can check this period for you for free if you get in touch.

What Personal Data Could Organisations Using Blackbaud Hold About Me?

Blackbaud provides various software solutions for different types of organisations. In the higher education sector, their software is often used by universities to engage with their alumni, supporters and fundraisers. As a result, it is possible that a university could store information about you such as:

  • Your contact details (name, address, telephone number and email address).
  • Details of your academic history.
  • Information about your work.
  • Details about previous donations.
  • Bank account details.
  • Usernames and passwords.

Some universities only use Blackbaud software in relation to previous students. However, at others, current students and some staff may have details stored in the database. As some information could potentially help to identify individuals, it is covered by the GDPR. That means that if you can prove a data breach has caused you to suffer psychologically or financially, you could be eligible to claim compensation.

We are here to help when you’re ready to start the ball rolling. An advisor will guide you through the claims process and review your case for free. If you have sufficient evidence and your case has a reasonable chance, they could pass it on to one of our data breach lawyers. Remember, we provide a No Win No Fee service for all accepted claims.

What Are Personal Data Breach Claims Against Blackbaud?

Data breaches begin with some form of security problem. They lead to information about a data subject being lost, destroyed, disclosed, changed or accessed in an unauthorised way. (A data subject is a person whose data is being processed.) You could be compensated for psychological or financial harm that results, regardless of whether the breach was deliberate, accidental or unlawful.

As we will explain shortly, the Blackbaud breach was caused by cybercriminals. You may often read about tactics used to obtain digital data including phishing emails, firewall attacks, malware, ransomware and viruses. However, the GDPR is also concerned with physical data. For example, where documents containing personal details are stored inside filing cabinets, they need to be locked when not in use.

You could make a personal data breach claim against a data controller if you can prove you’ve suffered financially or psychologically (or both) because of the breach.

If you would like to discuss whether you are entitled to seek compensation or not, please speak with our team today.

Steps A Data Controller Should Take After A Data Breach

As part of the GDPR, companies need to take action if a data breach is identified. Ideally, a data protection officer (or another appointed staff member) will have created an action plan that can be followed if a breach does occur. The steps that should be taken include:

  • Starting an investigation to learn what has happened, who is affected and what data was exposed.
  • Informing the ICO about the breach within 72 hours if it’s notifiable, and keeping them updated.
  • Telling any data subject who could be at risk about the data breach without undue delay.

As we will explain later, any letter or email (proving the breach) that is sent to you could be useful evidence to support a claim. However, on its own, it does not entitle you to compensation. For that to happen, you will need further evidence that shows you’ve suffered psychological harm or financial loss because of the breach.

What Happened In The Blackbaud Data Breach?

In May 2020, Blackbaud’s servers were hacked by cybercriminals. While inside the system, the hackers managed to steal a subset of data.

Early news reports into the incident suggested that 10 universities had been affected, but this increased to more universities and other organisations later on.

The types of data that were exposed in the leak included names, phone numbers, addresses, email addresses, donation history and event attendance. Initially, the company said banking details were not included, though this changed in later reports.

As required by the GDPR, the affected organisations contacted the data subjects who might have been at risk.

The company decided to pay the ransom to the hackers. In return, they received confirmation that the data had been destroyed.

Report: https://www.bbc.co.uk/news/technology-53516413

Our advisors could help you if you can prove you have a valid claim. Get in touch to find out more.

When Are You Eligible To Claim For A GDPR Data Breach?

As we have shown already, you could be eligible for compensation if a GDPR breach has caused you to suffer. As well as a right to seek compensation, you also have several rights provided by the GDPR. Data subjects have a right to:

  1. Be told when their personal information is going to be processed.
  2. Have data portability.
  3. Request that errors are corrected.
  4. Ask for personal information to be erased.
  5. Restrict the ways in which personal data is used.
  6. Access their personal data.
  7. Object to personal information usage.

Furthermore, you have additional rights that relate to how personal data is used in profiling or automatic decision-making processes. To understand your rights fully, please take a look at the ICO website.

What Documentation And Evidence Do I Need To Claim For A Data Breach?

Data breach claims are the same as other types of claims in that you must supply evidence to substantiate your claim. This needs to prove that the breach took place and that you were harmed psychologically or financially as a result. The types of evidence that could help include:

  • Bank statements to demonstrate the amount of money you have lost.
  • Medical records that show the conditions you have been diagnosed with because of the breach.
  • An ICO report detailing the findings of an investigation into the breach.
  • Any communication from the defendant confirming the breach took place and that your data was included in it.

If you don’t have everything listed above, don’t worry. Give our team a call and they will review the evidence you have available. Should you have the appropriate evidence, they could connect you with a data breach solicitor.

Blackbaud Data Breach Compensation Calculator

Now we are going to spend some time reviewing potential compensation payments for mental harm that can result from data breaches. Although we have shown some amounts in our compensation table, you’ll receive a more personalised estimate after your claim has been reviewed by an advisor.

When discussing personal data breach compensation, it’s important to consider a case heard by the Court of Appeal. During the case of Vidal-Hall and others v Google Inc [2015], two pertinent decisions were made:

  1. When no money has been lost because of a personal data breach, you are still allowed to seek damages for psychological injuries that result from it.
  2. Should compensation be awarded, it should be based on the values used for injuries in personal injury claims.

To demonstrate how much could be paid for psychological injuries, please take a look at the compensation table below. The figures come from the Judicial College Guidelines, a publication used in personal injury cases. Solicitors may use it to value injuries.

| Harm | Notes | Amount |
|---|---|---|
| Psychological Suffering | Severe – The person will have serious problems with several aspects of life and the prognosis will be very bad. | £54,830 to £115,730 |
| Psychological Suffering | Moderately Severe – A more positive prognosis despite suffering with several problems. | £19,070 to £54,830 |
| Psychological Suffering | Moderate – The person will have made significant improvements, despite suffering with significant problems. | £5,860 to £19,070 |
| Psychological Suffering | Less Severe – Several factors will be taken into consideration when awarding compensation, such as how long the person suffered for. | £1,540 to £5,860 |
| Anxiety Disorder | Severe – All aspects of the person’s life will be negatively impacted, and they will be unable to function the same as pre-trauma. | £59,860 to £100,670 |
| Anxiety Disorder | Moderately Severe – A better prognosis and the person will be able to make some recovery with help from a professional. | £23,150 to £59,860 |
| Anxiety Disorder | Moderate – Any continuing effects will not be major following a large recovery. | £8,180 to £23,150 |
| Anxiety Disorder | Less Severe – Within 1-2 years a virtual full recovery will have been made. | £3,950 to £8,180 |

Evidencing Your Claim

When claiming for the mental harm the data breach caused or worsened, you should attend a medical assessment. That’s due to the fact that you must provide evidence relating to the severity of your injuries. The assessment could also help prove whether your injuries were caused or worsened by the data breach. If it finds that your injuries weren’t related, it could affect your claim.

In most cases, our data breach lawyers can arrange local appointments. The meeting is run by an independent specialist. They try to find out how you have suffered and also provide a prognosis for the future. This will be achieved by referring to your medical records and discussing your mental health with you.

Once they have completed their assessment, they will provide a medical report for your solicitor. The solicitor would use this report to aid their valuation of compensation for psychological damage.

Non-Material Damages That Could Be Claimed Under The GDPR

Claiming compensation is not as easy as telling the defendant how much money you’d like. You need to file a comprehensive claim that details how you’ve suffered and how you may suffer in the future. This all needs to be backed up by evidence.

Data breach claims can be split up into two heads of compensation. They are material and non-material damages. In regards to material damages, you would be asking to be compensated for financial losses, including any costs and expenses you have incurred because of the data breach.

You could begin by working out how much has already been lost as a result of the breach. However, you might need to consider future losses as well. That’s because you might continue to lose out financially if your personal details are being sold on the dark web, for example.

When seeking non-material damages, you are asking to be compensated for the psychological suffering and pain caused by the breach. This could be for psychiatric injuries like distress, anxiety and depression.

Initially, your non-material damages claim could be based on psychological harm that has been previously diagnosed. Then you might need to claim for any future suffering that has been indicated by your medical report.

As you can see, there is quite a bit to think about before you send your claim to the defendant. That’s why many seek a solicitor’s help when making data breach claims. We believe that their skills could help you.

To find out if one of our solicitors could represent you, why not call our team today? You’ll be offered free legal advice and your case will be reviewed on a no-obligation basis.

Blackbaud Data Breach Claim – No Win No Fee Legal Help

If your personal data were to be compromised in a Blackbaud data breach, compensation could be awarded to you for any mental suffering and financial losses you experienced. To find out whether you are eligible to make a personal data breach claim, you can call our advisors, who can offer you free legal advice. Should they find that you have a solid basis for a claim, they could connect you with a No Win No Fee solicitor.

A No Win No Fee solicitor could offer you a Conditional Fee Agreement. Generally, the benefits of claiming with a No Win No Fee solicitor are:

  • You usually don’t have to pay the solicitor anything upfront for them to start working on your case.
  • If the claim is unsuccessful, you generally aren’t expected to pay for the solicitor’s services.
  • However, if the solicitor is successful, you will pay them a success fee. This is a legally capped amount taken from your compensation.

Do not hesitate to contact our advisors should your personal information be involved in a Blackbaud data breach.

Contact An Advisor

We have almost come to the end of our article on the ransomware attack that affected Blackbaud customers. If you are now thinking about claiming for distress, anxiety or other conditions caused by the breach, you can:

  • Freephone our advisors on 0800 073 8801.
  • Ask one of our online advisors about your options in the live chat.
  • Arrange a callback at a convenient time via our online claims form.

When you enquire about claiming, we’ll review your case for free with you. Additionally, we will provide advice on your options. You don’t have to claim but if your case is suitable and you have evidence, we could connect you with a data breach solicitor to help you. Should they take on your case, you will benefit from our No Win No Fee service.

FAQs On The Blackbaud Data Breach

In this section, we have tried to answer some common questions relating to the Blackbaud hack. If you need any further questions answering, please get in touch.

Who Are Blackbaud?

Blackbaud is a software company that offers different solutions to different sectors. In higher education, its database system is often used to help universities keep in touch with fundraisers, alumni and supporters.

How Was Blackbaud Breached And What Type Of Breach Occurred?

Blackbaud provides a cloud-based service to some of its customers. A subset of customer data was illegally downloaded and the hackers issued a ransom for its release.

What Type Of Data Was Compromised?

Initially, the Blackbaud data breach was thought to have only contained information such as names, addresses, email addresses and event attendance. However, it was later reported that in some cases, passwords and banking details were also exposed.

Data breach statistics

The Information Commissioner’s Office (ICO) collates statistics for data breaches that have occurred across certain periods. Looking at the security incident trends for Q4 2021/22, we can see how many data security incident reports were made by industry.

From the chart below, we can see that the highest number of incidents were reported in the health sector.

The second chart, seen below, shows that the highest number of data breach incidents reported in Q4 2021/22 were due to data being e-mailed to the wrong recipient.

If your personal data was compromised due to a Blackbaud data breach, such as a Blackbaud ransomware attack, you can get in touch with our advisors at any time for a free eligibility check. Blackbaud data breach victims could potentially claim compensation for any psychological or financial harm they may have suffered.

Related Guides

Thank you for reading about the Blackbaud data breach. For your reference, we have added some additional guides and resources for you below. Should you need anything further, please get in touch.

How Organisations Should Respond To A Personal Data Breach: This ICO guide gives insight into the reporting process.

Anxiety Symptoms: Information on the behavioural, psychological and physical symptoms of anxiety.

NHS Service Locator: You can use this tool to find NHS addresses which could be useful if you need to obtain copies of medical records.

For further support, please take a look at some of our other guides below.

Distress Caused By Data Breaches: Details of how you could become distressed following a breach.

University Data Breaches: Advice on starting a claim if harmed by a data protection breach at university.

Employer Data Breaches: Further information on when an employer data breach could entitle you to compensation.

Thank you for reading our guide about the Blackbaud data breach.

Guide by BH

Edited by RV