Blackbaud agrees to $49.5 million settlement with AGs of almost all 50 states

The attorneys common of 49 states and Washington, D.C., agreed to a $49.5 million settlement with software program firm Blackbaud over a 2020 information breach that uncovered the delicate information of tens of millions.

The corporate — which serves nonprofits like charities, faculties and healthcare businesses — introduced a ransomware assault in July 2020 that concerned the theft of troves of demographic info, Social Safety numbers, driver’s license numbers, monetary information, employment and wealth info, donation histories and guarded well being info.

The assault uncovered info from greater than 13,000 of Blackbaud’s enterprise clients and tens of millions of downstream customers.

Blackbaud confronted a lawsuit from legal professional generals from each state aside from California for violating state shopper safety legal guidelines, breach-notification legal guidelines and the federal Well being Insurance coverage Portability and Accountability Act (HIPAA).

The corporate was accused of failing to implement information safety measures or remediate fundamental safety gaps. The lawsuit mentioned Blackbaud allowed “unauthorized people to achieve entry to Blackbaud’s community” and “additionally did not promptly, fully or precisely inform its clients concerning the breach, as required by regulation.”

The corporate’s failures “considerably delayed the method for notifying these whose private info was compromised, and, in some circumstances, there was no notification in any respect.”

Each state concerned within the case will get a reduce of the $49.5 million. Ohio Legal professional Common Dave Yost, who secured $1.3 million for Ohio, mentioned carelessness “can’t justify the compromise of shopper information.

“Firms have to be dedicated to safeguarding private info, assembly customers’ rightful expectations of knowledge privateness and safety,” he mentioned.

On July 16, 2020, Blackbaud introduced that ransomware attackers had not gained entry to donor checking account info or Social Safety numbers, however this was later confirmed false.

When the corporate’s IT workers realized the error days after the primary assertion was launched, they didn’t inform senior administration. The corporate additionally didn’t disclose this info in its quarterly report back to the SEC the next month.

In March, Blackbaud paid a $3 million settlement to the Securities and Change Fee associated to the incident.

Along with the superb being paid to every state, Blackbaud is required to:

• Clarify the way it handles buyer information
• Implement a knowledge breach response plan;
• Create a mechanism to help clients within the occasion of a breach
• Report all incidents to the corporate’s CEO and board
• Present worker cybersecurity coaching
• Implement safeguards for the dealing with of non-public info
• Implement community segmentation, patch administration methods and extra
• Enable third-party testing of its compliance with the settlement for 7 years

The actions taken towards Blackbaud are a part of a rising effort by state officers to punish massive firms for failing to guard delicate buyer info.

Two weeks in the past, New York Legal professional Common Letitia James used a settlement to pressure a neighborhood faculty to take a position $3.5 million into cybersecurity after a 2021 information breach leaked troves of delicate details about nearly 200,000 folks.

James and different attorneys common have joined forces to superb firms like clothes big Shein, Carnival Cruises, grocery chain Wegmans, retailer Sports activities Warehouse, insurer EyeMed, OneMain Monetary Group and extra.