Attorney General Schwalb Secures Over $350,000 From Software Firm Servicing Charities and Schools for Data Breach

Blackbaud’s Lax Security Protocols Led to Ransomware Attack That Impacted Thousands of District Residents and Businesses

WASHINGTON, DC – Attorney General Brian L. Schwalb today announced that, along with 49 other Attorneys General, the Office of the Attorney General (OAG) reached a settlement with software company Blackbaud, which provides software to nonprofits (primarily charities and schools), for its deficient data security practices and response to a 2020 ransomware event that exposed the personal information of millions of consumers across the United States, including thousands of District residents. Under the settlement, Blackbaud has agreed to overhaul its data security and breach notification practices and pay $355,210 to the District.

“When consumers’ personal information is compromised, they are at heightened risk of identity theft, fraud, and scams where bad actors can steal their hard-earned money and assets,” said AG Schwalb. “Blackbaud’s security protocols were insufficient and resulted in a data breach that impacted thousands of businesses and millions of consumers across the country, including thousands of people here in the District. My office will continue to work collaboratively with our state-AG counterparts to ensure that every company with access to people’s private data abides by their legal responsibility to protect it. Consumer protection is and should remain a national, bipartisan priority.”

Blackbaud provides software to various nonprofit organizations, including charities, higher education institutions, K-12 schools, healthcare organizations, religious organizations, and cultural organizations. Blackbaud’s customers use Blackbaud’s software to connect with donors and manage data about their constituents, including contact and demographic information, Social Security numbers, driver’s license numbers, financial information, employment and wealth information, donation history, and protected health information. The 2020 data breach exposed highly sensitive information, impacting over 13,000 Blackbaud customers and millions of their respective consumers.

Today’s settlement resolves allegations of the Attorneys General that Blackbaud violated state consumer protection laws, breach notification laws, and HIPAA by failing to implement reasonable data security systems and remediate known security gaps, which allowed unauthorized persons to gain access to Blackbaud’s network, as well as allegations that Blackbaud then failed to provide its customers with timely, complete, or accurate information regarding the breach, as required by law. As a result of Blackbaud’s actions, notification to the consumers whose personal information was exposed was significantly delayed or never occurred at all insofar as Blackbaud downplayed the incident and led its customers to believe that notification was not required.

Under the settlement, Blackbaud has agreed to strengthen its data security and breach notification practices going forward. The settlement includes:

  • A prohibition against misrepresentations related to (1) the processing, storing, and safeguarding of personal information; (2) the likelihood that personal information affected by a security incident may be subject to further disclosure or misuse; and (3) breach notification requirements under state law and HIPAA.

  • Provisions requiring implementation and maintenance of incident and breach response plans to prepare for and more appropriately respond to future security incidents and breaches.

  • Breach notification provisions that require Blackbaud to provide appropriate assistance to its customers and support customers’ compliance with applicable notification requirements in the event of a breach.

  • Security incident reporting to the CEO and Board, enhanced employee training, and appropriate resources and support for cybersecurity.

  • Personal information safeguards and controls requiring total database encryption and dark web monitoring.

  • Specific security requirements with respect to network segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, and penetration testing.

  • Third-party assessments of Blackbaud’s compliance with the settlement for 7 years.

The settlement agreement is available here.

In securing this settlement, AG Schwalb joined the Attorneys General of Alabama, Alaska, Arizona, Arkansas, Colorado, Connecticut, Delaware, District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, and Wyoming.

Resources for District Residents

District residents who feel that their personal information has been compromised or that they’ve been the victim of a scam can file a complaint with the District of Columbia Attorney General’s Office of Consumer Protection by calling our hotline at (202) 442-9828, by emailing consumer.protection@dc.gov, or by writing to the Office of Consumer Protection at the Office of the Attorney General.

You may also file a complaint with the Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, D.C. 20580; (877) 832-4357; www.ftc.gov.