On February 1, 2024, the Federal Trade Commission announced a proposed settlement with Blackbaud Inc. (“Blackbaud”) in connection with alleged security failures that resulted in a breach of the company’s network and access to the personal data of millions of consumers. As part of the settlement, Blackbaud will be required to comply with a variety of obligations, including deleting personal data that the company does not have a need to retain.
In 2020, Blackbaud, which provides data services and financial, fundraising and administrative software services to companies, nonprofits and health care organizations, fell victim to hackers who accessed multiple Blackbaud-hosted environments and obtained sensitive personal data, including Social Security numbers and bank account information. According to the FTC’s complaint, when Blackbaud discovered the breach three months later, the company agreed to pay the hackers a ransom of 24 Bitcoin (about $250,000) to delete the data in their possession, but did not verify that the hackers actually deleted the data.
Among other allegations, the FTC asserted that Blackbaud failed to follow through on its representation to customers that the company takes “appropriate physical, electronic and procedural safeguards to protect . . . personal information” by failing to:
- monitor attempts by hackers to breach its networks;
- segment data to prevent hackers from easily accessing the company’s networks and databases;
- ensure data that is no longer needed is deleted;
- adequately implement multifactor authentication;
- test, review and assess the company’s security controls;
- encrypt sensitive data;
- implement adequate firewalls;
- timely dispose of data when it was no longer necessary for the purpose for which it was maintained; and
- prohibit employees from using default, weak, or identical passwords for their accounts.
The FTC also claimed that Blackbaud harmed consumers by waiting to notify its customers of the incident and misleading consumers about the extent of the stolen data. The FTC’s proposed consent order requires that Blackbaud:
- delete data that it no longer needs to provide products or services to its customers;
- refrain from misrepresenting its data security and data retention policies;
- develop a comprehensive information security program;
- put in place a data retention schedule; and
- notify the FTC if it experiences a future data breach that it is required to report to any other local, state or federal agency.
After a 30-day public comment period, the FTC will decide whether to make the proposed consent order final.