Attorney General Matthew J. Platkin announced today that New Jersey, along with 49 other Attorneys General, has reached a settlement with software company Blackbaud for its deficient data security practices and inadequate response to a 2020 ransomware event that exposed the personal information of millions of consumers across the United States.
Under the settlement, Blackbaud has agreed to overhaul its data security and breach notification practices and make a $49.5 million payment to states. Of that amount, New Jersey will receive $1,083,802.
Blackbaud provides software to various nonprofit organizations, including charities, colleges and universities, K-12 schools, healthcare centers, faith-based groups, and cultural organizations. These customers use Blackbaud’s software to connect with donors and manage personal data, including Social Security numbers, driver’s license numbers, donation history, contact details, demographic data, and financial, employment, and protected health information. This highly sensitive data was exposed during a data breach Blackbaud discovered on May 14, 2020. However, Blackbaud did not publicly announce the breach or begin informing its more than 13,000 impacted software customers until July 16, 2020, who then, in turn, began telling the donors in their databases about the attack.
“Agreeing to donate funds to your favorite arts center or to your local hospital should not come with the risk that your personal financial and identifying information will be exposed through a ransomware attack, and nonprofits and schools that use this software need assurance that the product they are buying is secure,” said Attorney General Platkin. “Firms that sell software as a service have an obligation to safeguard it at the highest level and must be immediately forthcoming and proactive if a cybertheft does occur.”
“The information that was breached here is among the most sensitive and personal data that exists,” said Division of Consumer Affairs Acting Director Cari Fais. “Firms that develop software to manage such information must continually refine their products to guard them from the types of attack we saw here and ensure that their clients are protected from new and emerging threats.”
The settlement resolves the multistate investigation of allegations that Blackbaud violated state consumer protection laws, breach notification laws, and the federal Health Insurance Portability and Accountability Act (“HIPAA”) by failing to implement reasonable data security and remediate known security gaps, which allowed unauthorized persons to gain access to Blackbaud’s network, and then failing to provide its customers with timely, complete, or accurate information regarding the breach, as required by law. As a result, notification to the consumers whose personal information was exposed was significantly delayed or never occurred at all.
In addition to providing monetary relief to the states, Blackbaud has agreed to strengthen its future data security and breach notification practices. These terms include:
- Prohibition against misrepresentations related to the processing, storing, and safeguarding of personal information, the likelihood that personal information affected by a security incident may be subject to further disclosure or misuse, and breach notification requirements under state law and HIPAA.
- Implementation and maintenance of incident and breach response plans to prepare for and more appropriately respond to future security incidents and breaches.
- Appropriate assistance to Blackbaud customers, including to ensure customers’ compliance with applicable notification requirements in the event of a breach.
- Security incident reporting to the CEO and Board, enhanced employee training, and appropriate resources and support for cybersecurity.
- Personal information safeguards and controls requiring total database encryption and dark web monitoring.
- Specific security requirements with respect to network segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, and penetration testing.
- Third-party assessments of Blackbaud’s compliance with the settlement for seven years.
Indiana and Vermont co-led the multistate investigation, assisted by Alabama, Arizona, Florida, Illinois, and New York. The settlement was joined by Alaska, Arkansas, Colorado, Connecticut, Delaware, District of Columbia, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, Washington, West Virginia, Wisconsin, and Wyoming.
Representing New Jersey in the Blackbaud multistate investigation were Deputy Attorney General Gina Pittore and Assistant Section Chief Thomas Huynh of the Data Privacy and Cybersecurity Section within the Division of Law’s Affirmative Civil Enforcement Practice Group, under the supervision of Data Privacy & Cybersecurity Section Chief Kashif Chand, Assistant Attorney General Jennifer S. Schiefelbein, and Division of Law Deputy Director Jason W. Rockwell.