
LEGAL NEWSLINE

Saturday, November 16, 2024

Attorney General Bonta announces $6.75 million settlement with Blackbaud over 2020 data breach


Attorney General Rob Bonta | Official website

California Attorney General Rob Bonta announced a settlement with Blackbaud, a South Carolina-based software company, for violating consumer protection and privacy laws due to its data security practices. Blackbaud provides data management software to nonprofit organizations that store sensitive information such as names, Social Security numbers, bank account details, and medical information. The company's failure to implement adequate data security measures led to a breach in 2020. Following the breach, Blackbaud made misleading statements regarding its data security efforts and the extent of the breach.

Under the settlement, which is subject to court approval, Blackbaud must pay $6.75 million in penalties and comply with requirements to enhance its data security and breach notification practices.

"Not only did Blackbaud fail to protect consumers’ personal information, but they misled the public of the full impact of the data breach. This is simply unacceptable," said Attorney General Bonta. "Today’s settlement will ensure that Blackbaud prioritizes safeguarding consumers’ personal information and enhances security measures to prevent future incidents."

In July 2020, Blackbaud announced that a hacker had breached its network in May 2020 but claimed no personal data was accessed. However, it was later discovered that personal data, including Social Security and bank account numbers, had been accessed. Despite this discovery, timely and accurate information was not provided to those affected by the breach.

The California Department of Justice's investigation found that Blackbaud failed to implement basic security procedures such as multi-factor authentication for passwords and did not properly monitor suspicious activity on systems containing personal information. The company also failed to keep up with evolving security standards and made deceptive representations about its security practices both before and after the breach.

The injunctive terms require Blackbaud to comply with several robust data security improvements:

- Implementing processes ensuring database backup files containing personal information are stored minimally and securely disposed of.

- Enforcing password confidentiality and rotation or authentication protocols like multi-factor authentication.

- Tightening policies and procedures related to security infrastructure including network segmentation requirements and monitoring for suspicious activities.

A copy of the complaint and judgment can be found here.
