COLUMBUS, Ohio) — Ohio Attorney General Dave Yost and 49 other attorneys general have announced a $49.5 million settlement with Blackbaud, Inc. over the software company’s data-security practices and its response to a breach in 2020 that exposed the personal information of millions of consumers.
Ohio will receive nearly $1.3 million from the multistate settlement.
“Carelessness cannot justify the compromise of consumer data,” Yost said. “Companies must be committed to safeguarding personal information, meeting consumers’ rightful expectations of data privacy and protection.”
Blackbaud provides software solutions to nonprofit organizations – including charities, schools and healthcare agencies – to help them connect with donors and manage data about their constituencies.
The data consists of demographic information, Social Security numbers, driver’s license numbers, financial data, employment and wealth information, donation histories and protected health information.
Specifically, the 2020 breach exposed this highly sensitive information of more than 13,000 Blackbaud business customers and those businesses’ customers – affecting millions of consumers overall.
The settlement resolves allegations from the attorneys general that Blackbaud violated state consumer protection laws, breach-notification laws and Health Insurance Portability and Accountability Act (HIPAA).
The violations stemmed from the company’s failure to establish reasonable data security and remediate the known security gaps, allowing unauthorized individuals to gain access to Blackbaud’s network.
Blackbaud also failed to promptly, completely or accurately inform its customers about the breach, as required by law.
Blackbaud’s lapses significantly delayed the process for notifying those whose personal information was compromised, and, in some cases, there was no notification at all.
Under the settlement, Blackbaud must, among other requirements:
- Refrain from misrepresenting details of its processing, storing and safeguarding of personal information; the likelihood that personal information affected by a security incident may be subject to further disclosure or misuse; and breach notification requirements under state law and HIPAA.
- Implement and maintain a breach response plan to ensure an appropriate response to any future security incident or breach.
- Establish breach-notification provisions that, in the event of a breach, require Blackbaud to provide appropriate assistance to its customers and support its customer compliance with applicable notification requirements.
- Report security incidents to its CEO and board, provide enhanced employee training, and earmark appropriate resources and support for cybersecurity.
- Implement personal information safeguards and controls requiring total database encryption and dark web monitoring.
- Specific security requirements with respect to network segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, and penetration testing.
- Allow third-party assessments of its compliance with the settlement for seven years.
Joining Yost in the agreement are the attorneys general of Alabama, Alaska, Arizona, Arkansas, Colorado, Connecticut, Delaware, District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin and Wyoming.