Blackbaud Reaches $50M Settlement With 49 States, District of Columbia Over 2020 Data Breach

Nonprofit technology provider Blackbaud reached a $49.5 million combined settlement with 49 states and the District of Columbia regarding the nonprofit technology provider’s 2020 data breach and its aftermath. 

The settlement, announced Oct. 5, involves violations of state consumer protection, data breach notification and personal information protection laws, as well as the federal Health Insurance Portability and Accountability Act (HIPPA), though the agreement does not require Blackbaud to admit to any wrongdoing, according to the settlement (opens as a pdf). 

The Office of the Indiana Attorney General — which co-led the investigation with the Office of the Vermont Attorney General — earned the largest settlement of $3.6 million, with other attorneys general netting various six- and seven-figure outcomes.

“Agreeing to donate funds to your favorite arts center or to your local hospital should not come with the risk that your personal financial and identifying information will be exposed through a ransomware attack, and nonprofits and schools that use this software need assurance that the product they are buying is secure,” New Jersey Attorney General Matthew J. Platkin said in a statement. “Firms that sell software as a service have an obligation to safeguard it at the highest level and must be immediately forthcoming and proactive if a cybertheft does occur.”

The Office of the North Carolina Attorney General disclosed its state received 313 security breach notices related to the Blackbaud ransomware attack, which impacted 78,697 North Carolinians and resulted in a $1.2 million settlement. 

Meanwhile, the New York State Attorney General Office, which will receive $2.9 million of the settlement, released the names of the more than 1,200 of affected organizations in New York, including the American Civil Liberties Union, Columbia University, Human Rights Watch, Ronald McDonald House of New York and Tuesday’s Children.

Colorado’s Office of the Attorney General noted its $785,000 Blackbaud settlement “can be used for any restitution where possible, consumer education, consumer fraud or antitrust enforcement, or efforts to advance the public welfare.”

Blackbaud agreed to pay $3 million to settle Securities and Exchange Commission charges in March. That penalty has been paid, according to the company’s latest SEC quarterly report, filed Aug. 3.

Additional legal proceedings include customer claims, customer constituent class actions and other governmental investigations, such as those from the U.S. Federal Trade Commission, U.S. Department of Health and Human Services, Office of the Australian Information Commissioner and Office of the Privacy Commissioner of Canada, as well as separate civil lawsuits from California and Indiana, according to Blackbaud’s latest SEC quarterly report. 

The breach, which occurred on July, 16, 2020, exposed data of more than a million donors from 13,000 organizations — roughly a quarter of Blackbaud’s customer base at the time. Though the company alerted affected customers of the breach, it erroneously mentioned that no personal information was stolen, which was later found to not be the case. Despite staff discovering personal information had been stolen, senior management was not notified due to a lack of disclosure controls and procedures, and the company continued to downplay the severity of the breach in meetings, quarterly earning calls and an SEC quarterly report.  

To date, the company has not found any evidence that the stolen data was ever disclosed publicly. 

“Blackbaud’s response to this massive breach of information was unacceptable on nearly all fronts, with the company essentially staying silent for months and then minimizing the real impact to customers,” Pennsylvania Attorney General Michelle A. Henry said in a statement. “The breach involved stolen social security numbers, health information, and other sensitive data, and consumers should have been informed right away.”

Blackbaud announced it plans to pay the settlement in full this month. 

“At Blackbaud, protecting customers’ and their constituents’ privacy has always been, and will continue to be, one of our most important priorities,” Mike Gianoni, president and CEO of Blackbaud, said in a statement. “Cyber-attacks are always evolving, so we are continually strengthening our cybersecurity and compliance programs to ensure our resilience in an ever-changing threat landscape.”

Here’s an overview of what the settlement requires of Blackbaud moving forward.

Compliance With the Law

Blackbaud must comply with state and federal laws when it comes to the processing, storing and safeguarding of personal information. Additionally, it may not mislead customers or consumers about the privacy, security, confidentiality or integrity of consumer personal information. 

Incident Response Plan

Blackbaud must implement and maintain a written incident response plan to prepare for and respond to any future security incident. At a minimum, the phases should include preparation; detection and analysis; containment; eradication; recovery; and post-incident analysis and remediation. The company must also assess if there are additional “reasonably feasible training or technical measures” to decrease the risk of a recurrence of the 2020 security incident, in addition to testing and assessing its preparedness at least twice annually.

Breach Response and Notification

Blackbaud must also implement and maintain a breach response plan with policies and procedures on how to notify law enforcement, customers and regulators. This also requires twice-a-year exercises to test the plan’s effectiveness. Those activities might include policies for developing necessary staffing levels to handle higher-than-normal call volumes and employee training.

In the event of a breach where notification is required by law, Blackbaud must provide timely notification to affected nonprofits, so they can alert their donors and/or constituents. Additionally, language surrounding this must be included in all contracts made after Nov. 6 of this year. 

Information Security Program

Blackbaud must update its information security program by Feb. 5, 2024, to take “reasonable steps to protect the confidentiality, integrity and availability” of personal information and personal health information on the Blackbaud Network.” If Blackbaud acquires another product, that product must adhere to the information security program within two years of its acquisition.

When it comes to third-party vendors, they too must adhere to these new processes upon entering a new or renewed contract effective Feb. 5, 2024 or later.

Blackbaud also must employ these roles: 

Chief privacy officer. The person in this role will oversee the company’s compliance with privacy laws. 

Chief information security officer. The person in this role will monitor its information security program and notify the CEO of a security incident involving more than 10 customers within 48 hours of discovery. Blackbaud named Charles Miller to this role last year. 

Business information security officer. The person in this role will report security updates and risks to the chief information security officer. There may be more than one role at this level for different areas of the business. 

Chief technology officer. The person in this role will execute the strategy for utilizing technological resources.

Training Requirements

Employees with relevant job responsibilities must be trained at least annually on monitoring the information security program, as well as handling personal information and personal health information. 

Personal and Protected Health Information Safeguards and Controls

A governance process must be established to protect personal information by:  

• Storing backup files for “the minimum extent necessary to accomplish Blackbaud’s intended legitimate business purpose(s).” 
• Completing “total database encryption” of all databases, including third-party data storage and cloud providers. 
• Monitoring the dark web for Blackbaud data — and making necessary notifications if its data is discovered there.

Technical Safeguards and Controls

The settlement indicated a variety of technical security requirements Blackbaud is required to implement. Here’s the full list:

• Network segmentation. 
• Risk assessment.
• Penetration and security testing.
• Access control and account management.
• File Integrity monitoring.
• Unauthorized or malicious applications.
• Logging and monitoring.
• Change control.
• Asset inventory.
• Digital certificates.
• End-point detection and response.
• Intrusion detection and prevention tools.
• Threat management.
• Updates and patch management.
• Implementation benchmarks.

Assessment and Reporting Requirements

Blackbaud must engage an independent third party to assess its data security practices by June 6, 2024, and then every other year for seven years. The assessment report should be given to Blackbaud and the Indiana Attorney General. Within 180 days of the report, Blackbaud also must submit to the Indiana Attorney General a description of what actions were taken as a result of the findings, or why no action is necessary.