Commitments and Contingencies | 9. Commitments and Contingencies Leases We have operating leases for corporate offices, subleased offices and certain equipment and furniture. As of September 30, 2024, we did not have any operating leases that had not yet commenced. The following table summarizes the components of our lease expense: Three months ended September 30, Nine months ended September 30, (dollars in thousands) 2024 2023 2024 2023 Operating lease cost (1) $ 1,417 $ 2,216 $ 5,028 $ 6,905 Variable lease cost 271 357 883 1,184 Sublease income (914) (833) (2,518) (2,498) Net lease cost $ 774 $ 1,740 $ 3,393 $ 5,591 (1) Includes short-term lease costs, which were immaterial. Maturities of our operating lease liabilities as of September 30, 2024 were as follows: Years ending December 31, Operating leases 2024 - remaining $ 1,657 2025 6,277 2026 6,109 2027 6,207 2028 6,101 Thereafter 20,689 Total lease payments 47,040 Less: Amount representing interest 7,115 Present value of future payments $ 39,925 Other commitments The term loans under the 2024 Credit Facilities require periodic principal payments. The balance of the term loans and any amounts drawn on the revolving credit loans are due upon maturity of the 2024 Credit Facilities in April 2029. The Real Estate Loans also require periodic principal payments and the balance of the Real Estate Loans are due upon maturity in April 2038. We have contractual obligations for third-party technology used in our solutions and for other services we purchase as part of our normal operations. In certain cases, these arrangements require a minimum annual purchase commitment by us. As of September 30, 2024, the remaining aggregate minimum purchase commitment under these arrangements was approximately $206.8 million through 2029. Solution and service indemnifications In the ordinary course of business, we provide certain indemnifications of varying scope to customers against claims of intellectual property infringement made by third parties arising from the use of our solutions or services. We have not identified any losses that might be covered by these indemnifications. Legal proceedings We are subject to legal proceedings and claims that arise in the ordinary course of business, as well as certain other non-ordinary course proceedings, claims and investigations, as described below. We make a provision for a loss contingency when it is both probable that a material liability has been incurred and the amount of the loss can be reasonably estimated. If only a range of estimated losses can be determined, we accrue an amount within the range that, in our judgment, reflects the most likely outcome; if none of the estimates within that range is a better estimate than any other amount, we accrue the low end of the range. For proceedings in which an unfavorable outcome is reasonably possible but not probable and an estimate of the loss or range of losses arising from the proceeding can be made, we disclose such an estimate, if material. If such a loss or range of losses is not reasonably estimable, we disclose that fact. We review any such loss contingency provisions at least quarterly and adjust them to reflect the impacts of negotiations, settlements, rulings, advice of legal counsel and other information and events pertaining to a particular case. We recognize insurance recoveries, if any, when they are probable of receipt. All associated costs due to third-party service providers and consultants, including legal fees, are expensed as incurred. Legal proceedings are inherently unpredictable. However, we believe that we have valid defenses with respect to the legal matters pending or threatened against us and intend to defend ourselves vigorously against all claims asserted. It is possible that our consolidated financial position, results of operations or cash flows could be materially negatively affected in any particular period by an unfavorable resolution of one or more of such legal proceedings. Security incident As previously disclosed, we are subject to risks and uncertainties as a result of a ransomware attack against us in May 2020 in which a cybercriminal removed a copy of a subset of data from our self-hosted environment (the "Security Incident"). Based on the nature of the Security Incident, our research and third party (including law enforcement) investigation, we do not believe that any data went beyond the cybercriminal, has been misused, or has been disseminated or otherwise made available publicly. As a result of the Security Incident, we are currently subject to certain legal proceedings, claims and investigations, as discussed below, and could be the subject of additional legal proceedings, claims, inquiries and investigations in the future that might result in adverse judgments, settlements, fines, penalties or other resolution. To limit our exposure to losses related to claims against us, including data breaches such as the Security Incident, we maintain $50 million of insurance above a $250 thousand deductible payable by us. As noted below, this coverage reduced our fina ncial exposure related to the Security Incident in prior years. We recorded expenses and offsetting insurance recoveries related to the Security Incident as follows: Three months ended September 30, Nine months ended September 30, (dollars in thousands) 2024 2023 2024 2023 Gross expense $ 637 $ 4,086 $ 12,782 $ 48,646 Offsetting insurance recoveries — — — — Net expense $ 637 $ 4,086 $ 12,782 $ 48,646 The following summarizes our cumulative expenses, insurance recoveries recognized and insurance recoveries paid as of: (dollars in thousands) September 30, December 31, Cumulative gross expense $ 174,213 $ 161,431 Cumulative offsetting insurance recoveries recognized (50,000) (50,000) Cumulative net expense $ 124,213 $ 111,431 Cumulative offsetting insurance recoveries paid $ (50,000) $ (50,000) Recorded expenses have consisted primarily of payments to third-party service providers and consultants, including legal fees, settlement of the previously disclosed SEC investigation, multi-state Attorneys General investigation, and Attorney General of the State of California investigation (discussed below), settlements of customer claims and accruals for certain loss contingencies. Not included in the expenses discussed above were costs associated with enhancements to our cybersecurity program. We present expenses and insurance recoveries related to the Security Incident in general and administrative expense on our unaudited, condensed consolidated statements of comprehensive income (loss) and as operating activities on our unaudited, condensed consolidated statements of cash flows. Total costs related to the Security Incident exceeded the limit of our insurance coverage during the first quarter of 2022. We expect to continue to experience significant expenses related to our response to the Security Incident, resolution of legal proceedings, claims and investigations, including those discussed below, and our efforts to further enhance our cybersecurity measures. For the three months ended September 30, 2024, we incurred net pre-tax expenses which were insignificant. For the nine months ended September 30, 2024, we incurred net pre-tax expenses of $12.8 million related to the Security Incident, which included $6.0 million for ongoing legal fees and a settlement of loss contingencies of $6.8 million. During the nine months ended September 30, 2024, we had net cash outlays of $15.1 million related to the Security Incident for ongoing legal fees and the $6.8 million paid during the third quarter of 2024 related to our settlement with the Attorney General of the State of California. In line with our policy, legal fees are expensed as incurred. For full year 2024, we currently expect pre-tax expenses of approximately $5.0 million to $10.0 million and cash outlays of approximately $8.0 million to $13.0 million for ongoing legal fees related to the Security Incident. Not included in these ranges are our previous settlements or current accruals for loss contingencies related to the matters discussed below. As of September 30, 2024, we have recorded approximately $0.7 million in aggregate liabilities for loss contingencies based primarily on recent negotiations with certain customers related to the Security Incident that we believed we could reasonably estimate in accordance with our loss contingency procedures described above. Our liabilities for loss contingencies are recorded in accrued expenses and other current liabilities on our unaudited, condensed consolidated balance sheets. It is reasonably possible that our estimated actual losses may change in the near term for those matters and be materially in excess of the amounts accrued, but we are unable at this time to reasonably estimate the possible additional loss. There are other Security Incident-related matters, including customer claims, customer constituent class actions and governmental investigations, for which we have not recorded a liability for a loss contingency as of September 30, 2024 because we are unable at this time to reasonably estimate the possible loss or range of loss. Each of these matters could, separately or in the aggregate, result in an adverse judgment, settlement, fine, penalty or other resolution, the amount, scope and timing of which we are currently unable to predict, but could have a material adverse impact on our results of operations, cash flows or financial condition. Customer claims. To date, we have received approximately 260 specific requests from customers for reimbursement of expenses incurred by them related to the Security Incident, all of which have been fully resolved and closed or are inactive and are considered by us to have been abandoned by the customers. We have also received approximately 400 reservations of the right to seek expense recovery in the future from customers or their attorneys in the U.S., U.K. and Canada related to the Security Incident, none of which resulted in claims submitted to us and are considered by us to have been abandoned by the customers. We have also received notices of proposed claims on behalf of a number of U.K. data subjects, which we are reviewing. In addition, insurance companies representing various customers’ interests through subrogation claims have contacted us, and certain insurance companies have filed subrogation claims in court, of which two cases remain active and unresolved. Customer constituent class actions. Presently, we are a defendant in putative consumer class action cases in U.S. federal courts (which have been consolidated under multi district litigation to a single federal court) and in Canadian courts alleging harm from the Security Incident. The plaintiffs in these cases, who purport to represent various classes of individual constituents of our customers, generally claim to have been harmed by alleged actions and/or omissions by us in connection with the Security Incident and assert a variety of common law and statutory claims seeking monetary damages, injunctive relief, costs and attorneys’ fees and other related relief. Lawsuits that are putative class actions require a plaintiff to satisfy a number of procedural requirements before proceeding to trial. These requirements include, among others, demonstration to a court that the law proscribes in some manner our activities, the making of factual allegations sufficient to suggest that our activities exceeded the limits of the law and a determination by the court—known as class certification—that the law permits a group of individuals to pursue the case together as a class. If these procedural requirements are not met, the lawsuit cannot proceed as a class action and the plaintiff may lose the financial incentive to proceed with the case. We are currently engaged in court proceedings to determine whether this will proceed as a class action, as described below. Frequently, a court’s determination as to these procedural requirements is subject to appeal to a higher court. As a result of these uncertainties, we may be unable to determine the probability of loss until, or after, a court has finally determined that a plaintiff has satisfied the applicable class action procedural requirements. Furthermore, for putative class actions, it is often not possible to reasonably estimate the possible loss or a range of loss amounts, even where we have determined that a loss is reasonably possible. Generally, class actions involve a large number of people and raise complex legal and factual issues that result in uncertainty as to their outcome and, ultimately, making it difficult for us to estimate the amount of damages that a plaintiff might successfully prove. This analysis is further complicated by the fact that the plaintiffs lack contractual privity with us. On May 14, 2024, the United States District Court for the District of South Carolina (the "Court") issued a memorandum opinion and order (1) denying the multi district litigation plaintiffs' motion for class certification because of the plaintiffs' failure to meet their burden of proof as to ascertainability, (2) granting our motion to exclude the multi district litigation plaintiffs' expert on the issue of ascertainability, and (3) denying the multi district litigation plaintiffs' motion to exclude our expert on the issue of ascertainability. Further, the Court denied as moot all other pending motions. On May 28, 2024, the plaintiffs filed a petition for permission to appeal under Rule 23(f) of the Federal Rules of Civil Procedure with the Fourth Circuit Court of Appeals (the “Fourth Circuit”), and we subsequently filed an opposition to such petition. On July 30, 2024, the Fourth Circuit denied the plaintiffs' petition. This litigation remains ongoing. Governmental investigations. As previously disclosed, we are subject to an ongoing investigation by the U.S. Department of Health and Human Services. We also responded to inquiries from the Office of the Australian Information Commissioner in September 2020 and the Office of the Privacy Commissioner of Canada in October 2020. On June 13, 2024, we agreed to a Final Judgment and Permanent Injunction with the Attorney General of the State of California (the "Final Judgment") relating to the Security Incident. This settlement fully resolved the last remaining U.S. state attorney general investigation into the Security Incident. Under the terms of the settlement, we agreed to comply with applicable laws; not to make misleading statements related to our data protection, privacy, security, confidentiality, integrity, breach notification requirements, and similar matters; and to implement and improve certain cybersecurity programs and tools. The terms of the settlement with California are generally consistent with those to which we agreed in settling with the other 49 state Attorneys General and the District of Columbia on October 5, 2023, as discussed below. As part of the settlement, we also agreed to pay a total of $6.8 million to the State of California. This amount was fully accrued as a contingent liability in the Company's financial statements as of March 31, 2024 and June 30, 2024, and subsequently paid in the third quarter of 2024. Nothing contained in the Final Judgment is intended to be, and shall not in any event be construed or deemed to be, an admission or concession or evidence of any liability or wrongdoing whatsoever on the part of Blackbaud or any fact or violation of law, rule, or regulation. For more information, see the Final Judgment and Permanent Injunction of the State of California, County of San Diego that was furnished as Exhibit 99.1 to our Current Report on Form 8-K filed with the SEC on June 14, 2024. On May 20, 2024, the U.S. Federal Trade Commission (the "FTC") finalized an Order (the “FTC Order”) evidencing its settlement with us in connection with the Security Incident. As part of the FTC Order, we were not fined and were not otherwise required to make any payment. Furthermore, we agreed to the FTC Order without admitting or denying any of the FTC’s allegations, except as expressly stated otherwise in the FTC Order. The settlement described in the FTC Order fully resolved the FTC investigation. For more information, see the form of proposed order that was furnished as Exhibit 99.2 to our Current Report on Form 8-K filed with the SEC on February 2, 2024 and is identical in substance to the final FTC Order, and in Note 11 to our audited consolidated financial statements contained in our Annual Report on Form 10-K filed with the SEC on February 21, 2024. On October 5, 2023, we entered into separate, substantially similar Administrative Orders with each of 49 state Attorneys General and the District of Columbia relating to the Security Incident which fully resolved the previously disclosed multi-state Civil Investigative Demand and the separate Civil Investigative Demand from the Office of the Indiana Attorney General relating to the Security Incident. On March 9, 2023, we reached a settlement with the SEC in connection with the Security Incident that fully resolved the previously disclosed SEC investigation of the Security Incident. On September 28, 2021, the Information Commissioner’s Office in the United Kingdom under the U.K. Data Protection Act 2018 notified us that it has closed its investigation of the Security Incident. On September 24, 2021, we received notice from the Spanish Data Protection Authority that it has concluded its investigation of the Security Incident. On January 15, 2021, we were notified by the Data Protection Commission of Ireland that it has concluded its investigation of the Security Incident. For more information about these completed government investigations and related actions, see Note 11 to our audited consolidated financial statements contained in our Annual Report on Form 10-K filed with the SEC on February 21, 2024. We continue to cooperate with all ongoing investigations, which include various requests for documents, policies, narratives and communications, as well as requests to interview or depose various Company-related personnel. As noted above, each of these separate governmental investigations could result in adverse judgments, settlements, fines, penalties or other resolution, the amount, scope and timing of which we are currently unable to predict, but could have a material adverse impact on our results of operations, cash flows or financial condition. |