The Federal Trade Commission (FTC) has finalized a settlement with Blackbaud, a provider of financial, fundraising, and administrative software, following a 2020 ransomware attack that led to a massive data breach. This settlement requires Blackbaud to implement stringent data security measures and establish a comprehensive data retention schedule.
The 2020 ransomware attack on Blackbaud exposed large amounts of unencrypted consumer data, affecting millions of individuals across various sectors, including healthcare. The FTC’s complaint, filed in February 2024, accused Blackbaud of failing to adequately secure the personal data it collects. Key failures included allowing customers to store sensitive information such as Social Security numbers and financial account details in unencrypted fields, and failing to encrypt database backup files.
As part of the settlement, Blackbaud is prohibited from misrepresenting its data security and retention practices. The company is required to delete data that is no longer necessary for providing services, addressing a significant gap that contributed to the breach’s severity. Additionally, Blackbaud must develop a robust information security program to rectify its encryption deficiencies.
FTC Chair Lina Khan emphasized the importance of this settlement, stating, “This action underscores the necessity for companies to maintain rigorous data security practices and to be transparent about their policies. Consumers deserve to have their personal information safeguarded and to be promptly informed when breaches occur.”
The settlement follows a series of regulatory and legal actions against Blackbaud. In March 2023, the company reached a $3 million settlement with the Securities and Exchange Commission (SEC) over misleading breach disclosures. By October 2023, Blackbaud settled with 49 state Attorneys General and the District of Columbia, agreeing to pay $49.5 million and to refrain from making misleading statements about its data security practices.
Despite these settlements, Blackbaud faced additional legal challenges. Just days before the FTC settlement was finalized, a federal judge denied class certification in a consolidated class action lawsuit related to the breach. This lawsuit stemmed from over a dozen individual lawsuits filed against Blackbaud in the aftermath of the incident.