Blackbaud’s Data Breach Settlement
The fundraising software company Blackbaud has agreed to settle claims related to a 2020 data breach by paying $49.5 million. The agreement was reached with the attorneys general of 49 states and Washington, D.C. The breach exposed sensitive information from 13,000 nonprofits, including health records, Social Security numbers, and financial information.
Details of the Breach
According to Indiana Attorney General Todd Rokita, the data exposed in the breach were from the nonprofits, universities, hospitals, and religious organizations that the company serves. Blackbaud first publicly acknowledged that an outside actor had gained access to its data on July 16, 2020. However, the attorneys general accuse the company of downplaying the extent and sensitivity of the data that had been stolen. It was estimated that over a million files were exposed.
Aftermath of the Breach
In response to the breach, Blackbaud ended up paying a ransom to the intruders, under the agreement that they would delete the stolen data. Since the breach, Blackbaud has committed to strengthening its data security practices and improving customer notifications in the event of future breaches. The settlement also includes an obligation for Blackbaud to have an outside party assess its compliance with the terms for seven years, although the company did not admit to any wrongdoing as part of the agreement.
Financial Impact on Blackbaud
Blackbaud, in a statement, has confirmed that it expects to pay the full settlement amounts in October. Of all the states, Indiana will receive the highest amount from the settlement, almost $3.6 million, according to Attorney General Todd Rokita's office. Additionally, in March, the U.S. Securities and Exchange Commission settled charges against Blackbaud for misleading investors about the data that was stolen in the breach. Although Blackbaud did not admit any wrongdoing, it agreed to pay a $3 million fine to the SEC.
Agreement and Future Improvements
In response to the ransomware attack and resulting data breach that occurred in May 2020, nonprofit service provider Blackbaud agreed to a $49.5 million settlement with attorneys general from 49 U.S. states. The agreement resolves the multistate investigation, and Blackbaud, as part of the settlement, has committed to significant enhancements in its data security practices.
Data Security Practices Enhancement
Blackbaud, under the terms of the settlement, is obligated to implement and maintain a comprehensive breach response plan. The company will also provide appropriate support to its customers in case of a future security incident and report such security incidents promptly to its CEO and the board.
Personal Information Safeguards and Controls
The company will deploy a range of personal information safeguards and controls. These control measures include database encryption, dark web monitoring, network segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, and penetration testing. These enhancements aim to provide a more secure environment for consumer data and to prevent a repeat of the breach in the future.
Assessment of Compliance with Settlement
An external party will assess Blackbaud's compliance with the terms of the settlement for seven years. This measure ensures that Blackbaud complies with the conditions agreed upon in the settlement and continues to implement and maintain the agreed-upon security standards and practices. Although Blackbaud did not acknowledge any wrongdoing as part of the settlement, the company is obligated to make significant changes to its data security practices.
Previous Charges and Settlements
Before the recent settlement related to the data breach, Blackbaud had faced actions from the U.S. Securities and Exchange Commission (SEC). These actions stemmed from allegations that the company misled its investors about the nature of the information stolen during the breach.
SEC’s Allegations and Settlement
According to the SEC, Blackbaud initially reported that no sensitive data such as bank information and Social Security numbers had been accessed during the breach. However, subsequent internal investigations found that such data had in fact been accessed, but this information was not reported to the company's senior leaders. The SEC deemed this misleading to Blackbaud's investors.
Blackbaud’s Response and Fine
In response to the SEC's charges, Blackbaud agreed to settle by paying a fine of $3 million. However, similar to the state settlement, the company did not admit any wrongdoing in the matter.
Impact on States
The settlement agreed upon in the Blackbaud data breach case has significant financial implications for the states involved. The agreed amount of $49.5 million will be divided among the 49 states and Washington, D.C., that were involved in bringing the claims against the company.
Indiana’s Settlement Share
Of all the states, Indiana is set to receive the highest amount under the settlement agreement. The office of Indiana Attorney General Todd Rokita, who co-led the investigation into the data breach, announced that Indiana will receive nearly $3.6 million under the terms of the settlement with Blackbaud, the largest share awarded to any of the states involved in the case.