Blackbaud agrees to $49.5 million settlement with AGs of nearly all 50 states

The attorneys general of 49 states and Washington, D.C., agreed to a $49.5 million settlement with software company Blackbaud over a 2020 data breach that exposed the sensitive data of millions.

The company — which serves nonprofits like charities, schools and healthcare agencies — announced a ransomware attack in July 2020 that involved the theft of troves of demographic information, Social Security numbers, driver’s license numbers, financial data, employment and wealth information, donation histories and protected health information.

The attack exposed information from more than 13,000 of Blackbaud’s business customers and millions of downstream users.

Blackbaud faced a lawsuit from attorney generals from every state except for California for violating state consumer protection laws, breach-notification laws and the federal Health Insurance Portability and Accountability Act (HIPAA).

The company was accused of failing to implement data security measures or remediate basic security gaps. The lawsuit said Blackbaud allowed “unauthorized individuals to gain access to Blackbaud’s network” and “also failed to promptly, completely or accurately inform its customers about the breach, as required by law.”

The company’s failures “significantly delayed the process for notifying those whose personal information was compromised, and, in some cases, there was no notification at all.”

Every state involved in the case will get a cut of the $49.5 million. Ohio Attorney General Dave Yost, who secured $1.3 million for Ohio, said carelessness “cannot justify the compromise of consumer data.

“Companies must be committed to safeguarding personal information, meeting consumers’ rightful expectations of data privacy and protection,” he said.

On July 16, 2020, Blackbaud announced that ransomware attackers had not gained access to donor bank account information or Social Security numbers, but this was later proven false.

When the company’s IT staff realized the error days after the first statement was released, they did not inform senior management. The company also did not disclose this information in its quarterly report to the SEC the following month.

In March, Blackbaud paid a $3 million settlement to the Securities and Exchange Commission related to the incident.

In addition to the fine being paid to each state, Blackbaud is required to:

• Explain how it handles customer data
• Implement a data breach response plan;
• Create a mechanism to assist customers in the event of a breach
• Report all incidents to the company’s CEO and board
• Provide employee cybersecurity training
• Implement safeguards for the handling of personal information
• Implement network segmentation, patch management systems and more
• Allow third-party testing of its compliance with the settlement for 7 years

The actions taken against Blackbaud are part of a growing effort by state officials to punish large companies for failing to protect sensitive customer information.

Two weeks ago, New York Attorney General Letitia James used a settlement to force a local college to invest $3.5 million into cybersecurity after a 2021 data breach leaked troves of sensitive information about almost 200,000 people.

James and other attorneys general have joined forces to fine companies like clothing giant Shein, Carnival Cruises, grocery chain Wegmans, retailer Sports Warehouse, insurer EyeMed, OneMain Financial Group and more.