A 2020 data breach involving nonprofit technology provider Blackbaud has been resolved in California, with the tech vendor paying $6.75 million in penalties and agreeing to cybersecurity improvements — much like it did for the settlement involving 49 other states and the District of Columbia.
The state of California maintained that the breach violated its Reasonable Data Security Law, Unfair Competition Law and False Advertising Law. To settle with the state, Blackbaud has agreed to strengthen its data security and breach notification practices, such as minimizing backup storage that contains personal information, implementing security policies such as multi-factor authentication, and improving its policies for monitoring suspicious activity.
“Not only did Blackbaud fail to protect consumers’ personal information, but they misled the public of the full impact of the data breach,” California Attorney General Rob Bonta said in a statement. “This is simply unacceptable. [The] settlement will ensure that Blackbaud prioritizes safeguarding consumers’ personal information and enhances security measures to prevent future incidents.”
The Blackbaud Data Breach
Unauthorized access to Blackbaud’s systems began in February 2020 and went unnoticed until staffers detected suspicious activity three months later, according to the Securities and Exchange Commission (SEC), which in a separate case settled with Blackbaud for $3 million and required cybersecurity improvements. After paying a ransom to prevent further damage, Blackbaud found that at least 1 million files from more than 13,000 nonprofit customers were affected, about a quarter of its customers as of July 2020.
The SEC added that Blackbaud erroneously claimed that personal information, such as bank account information and social security numbers, was not included, but the software provider learned just five days later that it was. However, the initial reports were not updated or corrected, even in quarterly calls and reports.
The state claimed in its original complaint (opens as a pdf) against the software company that Blackbaud had vulnerabilities in its systems, stored unencrypted data and retained customer data for longer than necessary. In its civil complaint, dated June 12, the state requested a $2,500 penalty for each violation of state law.
Along with the SEC, Blackbaud previously settled with the other 49 states and the District of Columbia, which shared $49.5 million last year. The company also settled with the Federal Trade Commission earlier this year, agreeing to improved security measures.
California Settlement With Blackbaud
Like the other settlements, the June 13 California settlement (opens as a pdf) included no admission of liability.
The requirements of Blackbaud in the California settlement largely match the other state settlements. Here’s a brief overview of each section of the settlement.
Compliance With the Law
Blackbaud is required to comply with California state laws, including the Consumer Protection Law, Personal Information Protection Law and Data Breach Notification Law, and must not make misrepresentations to customers regarding a security incident that compromises their personal information.
Security Incident Response Plan
Blackbaud must implement and maintain a written incident response plan to prepare for and respond to any future security incident. At a minimum, the plan’s phases should include preparation; detection and analysis; containment; eradication; recovery; and post-incident analysis and remediation. The company must also assess whether there are additional “reasonably feasible training or technical measures” that would reduce the risk of a recurrence of the 2020 security incident, and must test and assess its preparedness at least twice annually.
Breach Response and Notification
Blackbaud must also implement and maintain a breach response plan with policies and procedures on how to notify law enforcement, customers and regulators, and must run twice-a-year exercises to test the plan’s effectiveness. The plan may also include policies for staffing to handle higher-than-normal call volumes and for employee training.
In the event of a breach where notification is required by law, Blackbaud must provide timely notification to affected nonprofits so they can alert their donors and/or constituents. Notification language to this effect must also be included in all contracts entered into within 30 days of the settlement.
Information Security Program
Also, within 30 days of the settlement, Blackbaud must update its information security program to take “reasonable steps to protect the confidentiality, integrity and availability” of personal information and personal health information it collects. If Blackbaud acquires another product, that product must adhere to the information security program within two years of its acquisition.
Third-party vendors must also adhere to these processes upon entering a new or renewed contract.
Blackbaud also must employ these roles:
- Chief privacy officer. The person in this role will oversee the company’s compliance with privacy laws.
- Chief information security officer. The person in this role will oversee the information security program and notify the CEO, within 48 hours of discovery, of any security incident involving more than 10 customers. Blackbaud named Charles Miller to this role last year.
- Business information security officer. The person in this role will report security updates and risks to the chief information security officer. There may be more than one role at this level for different areas of the business.
- Chief technology officer. The person in this role will execute the strategy for utilizing technological resources.
Training Requirements
Within 30 days of the settlement, employees with relevant job responsibilities must be trained on monitoring the information security program and on handling personal information and personal health information.
Personal and Protected Health Information Safeguards and Controls
A governance process must be established to protect personal information by:
- Storing backup files for “the minimum extent necessary to accomplish Blackbaud’s intended legitimate business purpose(s).”
- Completing “total database encryption” of all databases, including third-party data storage and cloud providers.
- Monitoring the dark web for Blackbaud data — and making necessary notifications if its data is discovered there.
Technical Safeguards and Controls
The settlement indicated a variety of technical security requirements Blackbaud is required to implement. Here’s the full list:
- Network segmentation.
- Risk assessment.
- Penetration and security testing.
- Access control and account management.
- File integrity monitoring.
- Unauthorized or malicious applications.
- Logging and monitoring.
- Change control.
- Asset inventory.
- Digital certificates.
- End-point detection and response.
- Intrusion detection and prevention tools.
- Threat management.
- Updates and patch management.
- Implementation benchmarks.
Assessment and Reporting Requirements
Blackbaud must engage an independent third party to assess its data security practices within 30 days of the settlement, and then every other year for seven years. The assessment report should be given to Blackbaud and the Indiana Attorney General. Within 180 days of the report, Blackbaud also must submit to the Indiana Attorney General a description of what actions were taken as a result of the findings, or why no action is necessary.