Attorney General Ashley Moody led a multistate action against Blackbaud and secured $49.5 million from the software company over a massive 2020 ransomware attack. The attack is estimated to have compromised the personal information of millions of consumers across the United States. Due to the action, Blackbaud is required to overhaul its data security and breach notification practices to strengthen and increase data protection for consumers. Blackbaud is also required to pay $49.5 million to the states, with Florida receiving more than $3 million.
Attorney General Ashley Moody said, “We are holding Blackbaud, an international software company, accountable for a massive ransomware attack that compromised the personal information of potentially millions of consumers across the country, including those donating to charities, health care organizations and other nonprofits. Now, we’ve secured more than $49 million and the company must take steps to ensure customers’ personal data is protected.”
Blackbaud, a South Carolina based international company, provides software to various nonprofit organizations, including charities, higher education institutions, K-12 schools, health care organizations, religious organizations, and cultural organizations. Blackbaud customers use Blackbaud’s software to connect with donors and manage personal data, including Social Security numbers, driver’s license numbers, financial information, employment and wealth information, donation history and protected health information. The 2020 data breach exposed this highly sensitive information, impacting more than 13,000 Blackbaud customers and its donors.
Today’s action resolves allegations that Blackbaud violated state consumer protection laws, breach-notification laws, and the Health Insurance Portability and Accountability Act by failing to implement reasonable data security and remediate known security gaps.
In addition, Blackbaud must now strengthen its data security and breach-notification practices going forward. The company will implement:
- Personal information safeguards and controls requiring total database encryption and dark-web monitoring;
- Incident and breach response plans to prepare for, and more appropriately respond to, future security incidents and breaches;
- Breach-notification provisions that require Blackbaud to provide appropriate assistance to its customers and support customers’ compliance with applicable notification requirements in the event of a breach; and
- Security-incident reporting to the CEO and Board, enhanced employee training, and appropriate resources and support for cybersecurity.
The following states and districts also participated in the investigation: Alabama, Alaska, Arizona, Arkansas, Colorado, Connecticut, Delaware, the District of Columbia, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin and Wyoming.
Original source can be found here.