I Suffered A Psychological Injury After A Personal Data Breach, What Are My Rights?
These days, we give our personal information to many different organisations on a regular basis. One of the reasons the General Data Protection Regulation (GDPR) has been introduced is to give you more control over the way in which your information is used. If data is exploited, criminals can use it in identity thefts or to extort money from companies. That’s similar to what happened in the Blackbaud data breach that we’ll look at throughout this guide.
As we proceed through the guide, we will look at what harm a data breach can cause and when you could be compensated for it. Furthermore, we’ll explain how much compensation might be payable.
The team at Accident Claims UK is here to help you if you can prove you have a valid claim for compensation. Our advisors offer a telephone assessment of your case and advice on your options. This is a free service and you’re under no obligation to make a claim.
However, if you can prove you endured financial loss or psychological harm, we could put you in touch with one of our data breach solicitors. If they agree to take on your claim, they will represent you on a No Win No Fee basis.
To talk to a specialist about your case today, please give us a call on 0800 073 8801. You can ask as many questions as necessary during your free case review. If you would like to know more about the Blackbaud data breach before calling, please continue reading.
Select A Section
- A Guide On Claiming Compensation For The Blackbaud Data Breach
- What Personal Data Could Organisations Using Blackbaud Hold About Me?
- What Are Personal Data Breach Claims Against Blackbaud?
- Steps A Data Controller Should Take After A Data Breach
- What Happened In The Blackbaud Data Breach?
- When Are You Eligible To Claim For A GDPR Data Breach?
- What Documentation And Evidence Do I Need To Claim For A Data Breach?
- Blackbaud Data Breach Compensation Calculator
- Non-Material Damages That Could Be Claimed Under The GDPR
- No Win No Fee Personal Data Breach Claims Against Blackbaud
- Contact An Advisor
- FAQs On The Blackbaud Data Breach
- Related Guides
A Guide On Claiming Compensation For The Blackbaud Data Breach
Organisations that decide how and why personal data is processed (data controllers) should implement strict security protocols to try and keep that information safe. An example of a data controller might be a university.
As well as protecting their own systems, they also need to be wary about how their service providers process personal data too. This is highlighted by the fact that the Blackbaud data breach affected many universities and charities in the UK but the data was stolen from the cloud software provider.
The UK enacted the GDPR into law via the Data Protection Act 2018. As a result, data controllers should have a lawful basis to process your personal data. While there are many ways this can be gained, it often begins with asking for your permission to use it.
If a personal data breach occurs, the data controller may need to inform the Information Commissioner’s Office (ICO) about it. They are the UK’s watchdog for matters relating to data protection. They are also concerned with other legislation like the Freedom of Information Act 2000.
What Can The ICO Do?
The ICO is able to launch investigations into personal data breach incidents. If failures are identified, they can tell the company to change the way they manage data. Additionally, they can hand out large financial penalties. However, the ICO can’t compensate you for the mental harm or financial loss caused by a data breach. That is the reason you would need to make your own claim.
If you do proceed with a claim, you should do so within the time limit. Generally, you will have 6 years to lodge your claim from the date you obtained knowledge of the breach. However, claims relating to human rights breaches have a limitation period of 1 year. Our specialists can check this period for you for free if you get in touch.
What Personal Data Could Organisations Using Blackbaud Hold About Me?
Blackbaud provides various software solutions for different types of organisations. In the higher education sector, their software is often used by universities to engage with their alumni, supporters and fundraisers. As a result, it is possible that a university could store information about you such as:
- Your contact details (name, address, telephone number and email address).
- Details of your academic history.
- Information about your work.
- Details about previous donations.
- Bank account details.
- Usernames and passwords.
Some universities only use Blackbaud software in relation to previous students. However, at others, current students and some staff may have details stored in the database. As some information could potentially help to identify individuals, it is covered by the GDPR. That means that if you can prove a data breach has caused you to suffer psychologically or financially, you could be eligible to claim compensation.
We are here to help when you’re ready to start the ball rolling. An advisor will guide you through the claims process and review your case for free. If you have sufficient evidence and your case has a reasonable chance, they could pass it on to one of our data breach lawyers. Remember, we provide a No Win No Fee service for all accepted claims.
What Are Personal Data Breach Claims Against Blackbaud?
Data breaches begin with some form of security problem. They lead to information about a data subject being lost, destroyed, disclosed, changed or accessed in an unauthorised way. (A data subject is a person whose data is being processed.) You could be compensated for psychological or financial harm that results, regardless of whether the breach was deliberate, accidental or unlawful.
As we will explain shortly, the Blackbaud breach was caused by cybercriminals. You may often read about tactics used to obtain digital data including phishing emails, firewall attacks, malware, ransomware and viruses. However, the GDPR is also concerned with physical data too. For example, where documents containing personal details are stored inside filing cabinets, they need to be locked when not in use.
You could make a personal data breach claim against a data controller if you can prove you’ve suffered financially or psychologically (or both) because of the breach.
Steps A Data Controller Should Take After A Data Breach
As part of the GDPR, companies need to take action if a data breach is identified. Ideally, a data protection officer (or another appointed staff member) will have created an action plan that can be followed if a breach does occur. The steps that should be taken include:
- Starting an investigation to learn what has happened, who is affected and what data was exposed.
- Informing the ICO about the breach within 72 hours if it’s notifiable, and keeping them updated.
- Telling any data subject who could be at risk about the data breach without undue delay.
As we will explain later, any letter or email (proving the breach) that is sent to you could be useful evidence to support a claim. However, on its own, it does not entitle you to compensation. For that to happen, you will need further evidence that shows you’ve suffered psychological harm or financial loss because of the breach.
What Happened In The Blackbaud Data Breach?
In May 2020, Blackbaud’s servers were hacked by cybercriminals. While inside the system, the hackers managed to steal a subset of data.
Early news reports into the incident suggested that 10 universities had been affected, but this increased to more universities and other organisations later on.
The types of data that were exposed in the leak included names, phone numbers, addresses, email addresses, donation history and event attendance. Initially, the company said banking details were not included, though this changed in later reports.
As required by the GDPR, the affected organisations contacted the data subjects who might have been at risk.
The company decided to pay the ransom to the hackers. In return, they received confirmation that the data had been destroyed.
When Are You Eligible To Claim For A GDPR Data Breach?
As we have shown already, you could be eligible for compensation if a GDPR breach has caused you to suffer. As well as a right to seek compensation, you also have several rights provided by the GDPR. Data subjects have a right to:
- Be told when their personal information is going to be processed.
- Have data portability.
- Request that errors are corrected.
- Ask for personal information to be erased.
- Restrict the ways in which personal data is used.
- Access their personal data.
- Object to personal information usage.
Furthermore, you have additional rights that relate to how personal data is used in profiling or automatic decision-making processes. To understand your rights fully, please take a look at the ICO website.
What Documentation And Evidence Do I Need To Claim For A Data Breach?
Data breach claims are the same as other types of claims in that you must supply evidence to substantiate your claim. This needs to prove that the breach took place and that you were harmed psychologically or financially as a result. The types of evidence that could help include:
- Bank statements to demonstrate the amount of money you have lost.
- Medical records that show the conditions you have been diagnosed with because of the breach.
- An ICO report detailing the findings of an investigation into the breach.
- Any communication from the defendant confirming the breach took place and that your data was included in it.
If you don’t have everything listed above, don’t worry. Give our team a call and they will review the evidence you have available. Should you have the appropriate evidence, they could connect you with a data breach solicitor.
Blackbaud Data Breach Compensation Calculator
Now we are going to spend some time reviewing potential compensation payments for mental harm that can result from data breaches. Although we have shown some amounts in our compensation table, you’ll receive a more personalised estimate after your claim has been reviewed by an advisor.
When discussing personal data breach compensation, it’s important to consider a case heard by the Court of Appeal. During the case of Vidal-Hall and others v Google Inc , two pertinent decisions were made:
- When no money has been lost because of a personal data breach, you are still allowed to seek damages for psychological injuries that result from it.
- Should compensation be awarded, it should be based on the values used for injuries in personal injury claims.
To demonstrate how much could be paid for psychological injuries, please take a look at the compensation table below. The figures come from the Judicial College Guidelines as it is used in personal injury cases. Solicitors may use the publication to value injuries.
|Claim / Injury||Level of Severity||Compensation Bracket|
based on factors such as:
1) ability to cope with life
3) effect on relationships
4) whether treatment will help
|Severe||£51,460 to £108,620|
|Moderately Severe||£17,900 to £51,460|
|Moderate||£5,500 to £17,900|
|Less Severe||Up to £5,500
|Post-Traumatic Stress Disorder (PTSD)||Severe||£56,180 to £94,470|
|Moderately Severe||£21,730 to £56,180|
|Moderate||£7,680 to £21,730|
|Less Severe||Up to £7,680|
Evidencing Your Claim
When claiming for the mental harm the data breach caused or worsened, you should attend a medical assessment. That’s due to the fact that you must provide evidence relating to the severity of your injuries. The assessment could also help prove whether your injuries were caused or worsened by the data breach. If it finds that your injuries weren’t related, it could affect your claim.
In most cases, our data breach lawyers can arrange local appointments. The meeting is run by an independent specialist. They try to find out how you have suffered and also provide a prognosis for the future. This will be achieved by referring to your medical records and discussing your mental health with you.
Once they have completed their assessment, they will provide a medical report for your solicitor. The solicitor would use this report to aid their valuation of compensation for psychological damage.
Non-Material Damages That Could Be Claimed Under The GDPR
Claiming compensation is not as easy as telling the defendant how much money you’d like. You need to file a comprehensive claim that details how you’ve suffered and how you may suffer in the future. This all needs to be backed up by evidence.
Data breach claims can be split up into two heads of compensation. They are material and non-material damages. In regards to material damages, you would be asking to be compensated for financial losses, including any costs and expenses you have incurred because of the data breach.
You could begin by working out how much has already been lost as a result of the breach. However, you might need to consider future losses as well. That’s because you might continue to lose out financially if your personal details are being sold on the dark web, for example.
When seeking non-material damages, you are asking to be compensated for the psychological suffering and pain caused by the breach. This could be for psychiatric injuries like distress, anxiety and depression.
Initially, your non-material damages claim could be based on psychological harm that has been previously diagnosed. Then you might need to claim for any future suffering that has been indicated by your medical report.
As you can see, there is quite a bit to think about before you send your claim to the defendant. That’s why many seek a solicitor’s help when making data breach claims. We believe that their skills could help you.
No Win No Fee Personal Data Breach Claims Against Blackbaud
It can be quite daunting, starting a compensation claim. For many, the thought of paying a solicitor’s fees after losing the case is concerning. However, you need not worry about that if you work with us. That’s because our data breach solicitors provide a No Win No Fee service for all claims that are accepted.
Before your claim can begin, a solicitor will need to vet it first. If they agree to take it on, you will be sent a Conditional Fee Agreement (a formal term for a No Win No Fee agreement). This contract explains the conditions under which your solicitor will be paid. Furthermore, it will show that:
- Advance payment of the solicitor’s fees is not required.
- You don’t have to pay for your solicitor’s work while the claim proceeds.
- Should your case not be successful, then you won’t be liable for the solicitor’s fees at all.
In the event that you are compensated, your solicitor will deduct a success fee from your settlement amount. This is a small percentage that is listed in the agreement so you will be aware of it at the start of your case. Importantly, success fees are capped by law.
Contact An Advisor
We have almost come to the end of our article on the ransomware attack that affected Blackbaud customers. If you are now thinking about claiming for distress, anxiety or other conditions caused by the breach, you can:
- Freephone our advisors on 0800 073 8801.
- Ask one of our online advisors about your options in the live chat.
- Arrange a callback at a convenient time via our online claims form.
When you enquire about claiming, we’ll review your case for free with you. Additionally, we will provide advice on your options. You don’t have to claim but if your case is suitable and you have evidence, we could connect you with a data breach solicitor to help you. Should they take on your case, you will benefit from our No Win No Fee service.
FAQs On The Blackbaud Data Breach
In this section, we have tried to answer some common questions relating to the Blackbaud hack. If you need any further questions answering, please get in touch.
Who Are Blackbaud?
Blackbaud is a software company that offers different solutions to different sectors. In higher education, its database system is often used to help universities keep in touch with fundraisers, alumni and supporters.
How Was Blackbaud Breached And What Type Of Breach Occurred?
Blackbaud provides a cloud-based service to some of its customers. A subset of customer data was illegally downloaded and the hackers issued a ransom for its release.
What Type Of Data Was Compromised?
Initially, the Blackbaud data breach was thought to have only contained information such as names, addresses, email address and event attendance. However, it was later reported that in some cases, passwords and banking details were also exposed.
Thank you for reading about the Blackbaud data breach. For your reference, we have added some additional guides and resources for you below. Should you need anything further, please get in touch.
How Organisations Should Respond To A Personal Data Breach: This ICO guide gives insight into the reporting process.
NHS Service Locator: You can use this tool to find NHS addresses which could be useful if you need to obtain copies of medical records.
For further support, please take a look at some of our other guides below.
Distress Caused By Data Breaches: Details of how you could become distressed following a breach.
University Data Breaches: Advice on starting a claim if harmed by a data protection breach at university.
Employer Data Breaches: Further information on when an employer data breach could entitle you to compensation.
Thank you for reading our guide about the Blackbaud data breach.
Guide by BH
Edited by RV