- Software provider to make 7 improvements to cyber practices
- Company was scrutinized for response, characterization of hack
Blackbaud Inc. has agreed to pay nearly $50 million to settle allegations from 50 attorneys general over the software provider’s poor data security and lax response to ransomware attacks that exposed donor information of over 13,000 nonprofit groups and organizations.
The deal will hold Blackbaud to new cybersecurity standards following a 2020 incident involving its software that charities, schools, and other organizations use to manage donor outreach. Hackers held for ransom the donation history, Social Security numbers, and other sensitive personal information, while Blackbaud waited two months before informing clients of the issue.
The coalition of attorneys general said Thursday in announcing the settlement that the company could have prevented the situation with enhanced security practices.
The wide-reaching agreement is the latest fallout for Blackbaud, which faces several proposed class actions over its response to the data breach. In March, the Securities and Exchange Commission also fined the company $3 million for omitting information about the breach from a quarterly report describing the hack’s effect on nonprofits’ donation information.
Blackbaud’s information technology staff, despite knowing the true severity of the breach for several days, failed to properly communicate new details to upper management because the company lacked effective disclosure methods, the SEC found in its investigation.
The attorneys general were investigating whether Blackbaud’s response violated federal health privacy protections and state consumer protection and data breach laws. Indiana and Vermont officials co-led the multistate investigation, according to Platkin’s press release, assisted by Alabama, Arizona, Florida, Illinois, and New York.
The top law enforcement officials from the District of Columbia and all US states except California signed onto the deal with the company.
“Agreeing to donate funds to your favorite arts center or to your local hospital should not come with the risk that your personal financial and identifying information will be exposed through a ransomware attack, and nonprofits and schools that use this software need assurance that the product they are buying is secure,” New Jersey Attorney General Platkin said in a press release.
“Cyber-attacks are always evolving, so we are continually strengthening our cybersecurity and compliance programs to ensure our resilience in an ever-changing threat landscape,” Blackbaud CEO Mike Gianoni said in a press release. “We are pleased to fully resolve this matter and proud of our role as the essential software provider for purpose-driven organizations.”
The company agreed to undertake seven measures centered around stronger cybersecurity protections and improved breach notification processes, prescribed by the attorneys general.
Both the SEC and state officials faulted the amount of information Blackbaud shared about the hack and when. The settlement measures include implementing a cyber incident response plan and informing the CEO of security breaches.