(The Center Square) – Oregon, along with the other 49 states and the District of Columbia, reached a settlement with software company Blackbaud over data security practices and its response to a 2020 ransomware event that exposed the personal information of millions of Americans.
“Blackbaud’s misconduct was nothing short of egregious. They showed real disregard for the impact their data breach had on the lives of millions of consumers and nonprofits and failed to live up to well-established legal and ethical standards,” Oregon Attorney General Ellen Rosenblum said in a press release. “While the money is significant, this is a case that demonstrates the importance of compliance with meaningful data security and breach notification practices going forward.”
Blackbaud downplayed the data beach and either offered a delayed notification or no notification to people impacted by the data breach, the release said.
Blackbaud agreed to make a $49.5 million payment to the states and to overhaul its data security and breach notification practices.
Oregon will receive $655,791 from the lawsuit; 174 Oregon organizations were impacted by the breach.
“Those funds will go toward supporting the state’s investigative, consumer protection, and consumer education efforts at the Oregon Department of Justice,” the release said.
Here are actions Blackbaud has agreed to take to strengthen its data security and breach notification practices, according to the release:
Prohibition against misrepresentations related to the processing, storing, and safeguarding of personal information; the likelihood that personal information affected by a security incident may be subject to further disclosure or misuse; and breach notification requirements under state law and HIPAA.Implementation and maintenance of incident and breach response plans to prepare for and more appropriately respond to future security incidents and breaches.Breach notification provisions that require Blackbaud to provide appropriate assistance to its customers and support customers’ compliance with applicable notification requirements in the event of a breach.Security incident reporting to the CEO and Board, enhanced employee training, and appropriate resources and support for cybersecurity.Personal information safeguards and controls requiring total database encryption and dark web monitoring.Specific security requirements with respect to network segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, and penetration testing.Third-party assessments of Blackbaud’s compliance with the settlement for 7 years.
Blackbaud provides software for many organizations, including “charities, higher education institutions, K-12 schools, healthcare organizations, religious organizations, and cultural organizations,” according to the release.
“Blackbaud’s customers use Blackbaud’s software to connect with donors and manage data about their constituents, including contact and demographic information, Social Security numbers, driver’s license numbers, financial information, employment and wealth information, donation history, and protected health information,” the release said.
During the 2020 data breach, over 13,000 clients nationwide and their consumers were impacted.
Blackbaud said protecting customers always has been and will be a top priority.
“At Blackbaud, protecting customers’ and their constituents’ privacy has always been, and will continue to be, one of our most important priorities,” Mike Gianoni, president and CEO of Blackbaud, said in a press release. “Cyber-attacks are always evolving, so we are continually strengthening our cybersecurity and compliance programs to ensure our resilience in an ever-changing threat landscape. We are pleased to fully resolve this matter and proud of our role as the essential software provider for purpose-driven organizations.”
The settlement comes seven months after the Securities and Exchange Commission reached a settlement with Blackbaud over inadequate disclosure controls. Blackaud had to pay $3 million, though the SEC never alleged any intentional misconduct by the company.