Stuck in the Middle
Blackbaud is a Software as a Service (“SaaS”) provider for more than 45,000 nonprofit organizations, foundations, universities, and health care providers worldwide. In 2020 Blackbaud suffered a data breach in which a subset of its databases was stolen. The stolen data contained client information used for fundraising, marketing, financial management, and other nonprofit activities. In the subsequent report sent to customers, Blackbaud stated that it had expelled the hackers from its network, but also admitted to paying the hackers in exchange for a promise that the stolen data had been destroyed.
Blackbaud notified its customers and provided sample notification letters in case those customers wanted to notify the donors, alumni, and volunteers who were now the victims of the data breach. But Blackbaud left the ultimate decision about whether to notify the victims and their regulators to its customers. Initially the company claimed that no financial information had been stolen; it later admitted that in some instances Social Security numbers and credit card data were compromised. This left many smaller nonprofits in a quandary as to what to do, how to analyze the legal consequences, and whether notification was even necessary. Even now, many months later, the breach continues to have ramifications for small nonprofit and volunteer organizations.
The fallout from the hack has affected numerous nonprofits, many of which cannot afford a large forensic investigation. The victims whose information was exposed in the breach typically had no knowledge of the third-party service provider and have no contractual relationship with Blackbaud. In practice, this has left the victims with little recourse but to sue the nonprofits they actually dealt with.
In a recent case, an individual sued Rady Children’s Hospital of San Diego over the Blackbaud breach. In the pleadings the plaintiff claimed that the:
Defendant failed to protect the medical information of the patients whose information was involved in the Data Breach, as conceded in Defendant’s notification letters. [1]
The hospital, in its motion to dismiss, compared the action to the classic case of “shooting the messenger” and went on to state:
The Complaint fails to allege facts to demonstrate that Plaintiff has any viable claim against Rady as a result of a breach of a third party’s (Blackbaud’s) computer systems. Simply put, neither the statutory claims nor the common law claims that Plaintiff attempts to allege are viable against Rady. If Blackbaud was negligent or violated Plaintiff’s privacy or violated any statutory duty owed to Plaintiff, Plaintiff’s remedy is against Blackbaud, not Rady. [2]
As more companies rely on SaaS providers, such “stuck in the middle” positions are inevitable. Attackers know that large troves of data from many clients sit at the service provider level, and they will target the provider rather than the smaller individual client companies. The good news is that companies can reduce their exposure by reviewing any SaaS contract and asking the right questions before signing. In particular, companies should:
- Know the service provider’s obligations in the event of a data breach. For instance, are they obligated to cooperate with the client? Within what timeframe must they notify the client that a breach has occurred? Do they maintain their own cyber insurance? And what are the service provider’s obligations if notification of individuals or regulators becomes necessary?
- Review whether the service provider is obligated to share its forensic analysis with the client, or whether each client will be left to perform its own analysis. The service provider holds the logs and systems involved, so it is in the best position to conduct the investigation and make the critical determinations of fact, such as which records were accessed and whose data they contained.
- Ensure that the service provider is meeting its obligations by asking for and reviewing annual independent audit reports, such as a SOC 1 or SOC 2 report. Note that SOC 1 covers controls relevant to financial reporting, while SOC 2 covers security, availability, confidentiality, and related criteria; a SOC 2 Type II report, which tests that the controls operated effectively over a period of time rather than merely existing at a point in time, is the more meaningful evidence for data security. The presence of these reports, or their absence, offers insight into the provider’s commitment to the security and integrity of your data.
Attackers are homing in on SaaS providers as larger targets because they hold large amounts of data from many different organizations. Information is not necessarily more secure just because it resides with a large SaaS provider. Companies should take precautions to protect and secure their data wherever it resides. SaaS contracts should be reviewed by an attorney to protect the company from the liability resulting from third-party data breaches. When in doubt, ask an attorney to review the key terms of your agreement before signing. Negotiating and incorporating protections before a contract is signed may be the only chance a company has to establish protections from liability.
[1] John Doe v. Rady Children’s Hospital-San Diego, No. 3:21-CV-0114 (S.D. Cal.), Document 1, p. 10.
[2] John Doe v. Rady Children’s Hospital-San Diego, No. 3:21-CV-0114 (S.D. Cal.), Document 12, p. 8.