Blackbaud to Pay Millions to Settle With 49 States, D.C.

Software giant Blackbaud has agreed to pay $49.5 million to settle investigations by 49 states and the District of Columbia regarding a May 2020 data breach that impacted more than 1 million files from 13,000 clients worldwide. The Attorney General of the State of California did not participate in the multistate agreement and has issued a separate Civil Investigative Demand related to the security incident, which is still pending.

The breach has cost the Charleston, South Carolina, provider of software to nonprofits millions more in legal expenses, according to disclosures during its quarterly stockholder reports. The estimate was up to $30 million during the past year.

The attack happened on Feb. 7, 2020, went undetected until May 14, and users were not notified until July. The first time anyone at Blackbaud knew there was a problem was May 14 when there was a suspicious log-in on an internal server, Blackbaud officials told The NonProfit Times during 2020. Blackbaud officials at the time said the entrance was through a data center server and did not get to its cloud operations.

Blackbaud officials also initially announced that sensitive donor information had not been stolen. That was not the case.

All traces of the cybercriminal and the attempt to regain access ceased by June 3, according to a timeline provided by a Blackbaud official. That’s when assessing the extent of the damage to the system and to data became more of the focus.

The cybercriminals continued to contact Blackbaud with a Bitcoin ransom demand and on June 18 provided what was purported to be a statement of involved files. A third-party forensic assessor provided a confidential report to Blackbaud on June 25. That’s when a detailed analysis was begun to correlate the forensic data with customer and product lists to determine and re-confirm all instances of any customer being part of the incident and which product was used by the client.

Access to MinistryWatch content is free. However, we hope you will support our work with your prayers and financial gifts. To make a donation, click here.

The incident was first reported by The NonProfit Times on July 16, 2020 and updated with more information two weeks later.

Along with the cash settlement which will be paid during October, Blackbaud management agreed to comply with applicable laws, not to make misleading statements related to its data protection, privacy, security, confidentiality, integrity, breach notification requirements and similar matters and to implement and improve certain cybersecurity programs and tools.

The agreement to build in better security also extends to any firm Blackbaud might acquire. Blackbaud has been on an acquisition spree the past few years.

“Cyber-attacks are always evolving, so we are continually strengthening our cybersecurity and compliance programs to ensure our resilience in an ever-changing threat landscape. We are pleased to fully resolve this matter and proud of our role as the essential software provider for purpose-driven organizations,” Blackbaud President & CEO Mike Gianoni said via a statement.

The deal is a 46-page Assurance of Voluntary Compliance entered into by the Attorney General of Indiana, who led the multi-state settlement and Blackbaud and included all of Blackbaud’s United States subsidiaries, affiliates, agents, representatives, employees, successors. The agreement outlines issues with alleged unfair or deceptive acts and practices law, personal information protection law, and data breach notification law, as well as the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Blackbaud agreed to, among other issues:

* Implement and maintain written incident response plan(s) to prepare for and respond to security incidents;

* Investigate security incidents;

* Maintain documentation sufficient to show the investigative and responsive actions taken in connection with each security incident and the determination as to whether notification under the Data Breach Notification Law or HIPAA is required;

* Assess whether there are reasonably feasible training or technical measures, in addition to those already in place, that would materially decrease the risk of the same type of security incident from reoccurring;

* Revise and update its Incident Response Plan, as necessary, to adapt to any changes to the Blackbaud network. Such a plan shall, at a minimum, identify and describe the following phases: a. Preparation; b. Detection and Analysis; c. Containment; d. Eradication; e. Recovery; and f. Post-Incident Analysis and Remediation; and,

* Conduct, at a minimum, table-top exercises twice a year to test and assess its preparedness to respond to a security incident.

The attorneys general from each state participating in the settlement can investigate and prosecute should it be determined Blackbaud is not complying with elements of the agreement.

Blackbaud is a publicly-traded company (NASDAQ: BLKB) with a market cap of $3.74 billion. It opened Friday (Oct. 6) at $68.79 a share, with a 52-week high of $78.71 and a low of $49.84. The high point of the stock price was earlier this year when a group of inside investors tried to take the firm private with a $4 billion offer the board rejected.

This article was originally published by The NonProfit Times.