Oct. 5, 2023
Carson City, NV – Today, Nevada Attorney General Aaron D. Ford announced that his office, along with 49 other attorneys general, has reached a settlement with software company Blackbaud for its deficient data security practices and response to a 2020 ransomware event that exposed the personal information of millions of consumers across the United States. Under the settlement, Blackbaud has agreed to significantly improve its data security and breach notification practices and make a $49.5 million payment to states. Nevada will receive $559,828 from the settlement.
Blackbaud’s customers include various nonprofit organizations such as charities; higher education institutions; K-12 schools; healthcare organizations; religious organizations; and cultural organizations. These customers use Blackbaud’s software to connect with donors and manage data about their constituents, including contact and demographic information; Social Security numbers; driver’s license numbers; financial information; employment and wealth information; donation history; and protected health information. The 2020 data breach exposed this highly sensitive information and impacted over 13,000 Blackbaud customers and their respective consumer constituents.
“I don’t want this incident to undermine the benevolence of those who give to charity,” said AG Ford. “Donating to a charity or other non-profit organization is an investment of time and money, and consumers that make that investment for the benefit of others should feel confident their sensitive personal information will be protected.”
Today’s settlement resolves allegations that Blackbaud violated state consumer protection laws, breach notification laws and HIPAA by failing to implement reasonable data security and remediate known security gaps, which allowed unauthorized persons access to Blackbaud’s network. Further, the attorneys general alleged that Blackbaud’s deficient notification efforts, coupled with attempts to downplay the incident, delayed notifications to its customers or led its customers to believe that notification was not required.
Under the settlement, Blackbaud has agreed to strengthen its data security and breach notification practices going forward, including:
- Prohibiting misrepresentations related to the processing, storing and safeguarding of personal information;
- Implementing and maintaining incident and breach response plans to prepare for and more appropriately respond to future security incidents and breaches;
- Creating breach notification provisions that require Blackbaud to provide appropriate assistance to its customers and support customers’ compliance with applicable notification requirements in the event of a breach;
- Implementing security incident reporting to the CEO and Board, enhanced employee training and appropriate resources and support for cybersecurity;
- Implementing personal information safeguards and controls requiring total database encryption and dark web monitoring;
- Putting in place specific security requirements with respect to network segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring and penetration testing; and
- Requiring third-party assessments of Blackbaud’s compliance with the settlement for 7 years.
The multistate investigation was led by the attorneys general of Indiana and Vermont. In signing onto the settlement, AG Ford joins the lead states along with the attorneys general of Alabama, Alaska, Arizona, Arkansas, Colorado, Connecticut, Delaware, District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, Washington, West Virginia, Wisconsin and Wyoming.