Attorney General Ellison reaches settlement with Blackbaud for data breach
Blackbaud to overhaul data security and breach-notification practices after 2020 breach that exposed personal information of millions of Americans
Blackbaud failed to reveal breach for months, refused to provide customers with information about what data had been breached
Settlement worth $49.5M nationally, $780K to Minnesota
October 5, 2023 (SAINT PAUL) — Minnesota Attorney General Keith Ellison announced today that along with 49 other attorneys general, he has reached a settlement with software company Blackbaud for its deficient data-security practices and deficient response to a 2020 ransomware event that exposed the personal information of millions of consumers across the United States. Under the settlement, Blackbaud has agreed to overhaul its data security and breach-notification practices and make a $49.5 million payment to states. Minnesota will receive $780,273 from the settlement.
Blackbaud provides software to various nonprofit organizations, including charities, higher education institutions, K-12 schools, healthcare organizations, religious organizations, and cultural organizations. Blackbaud’s customers use Blackbaud’s software to connect with donors and manage data about their constituents.
During the 2020 data breach, over 400 TB of data was stolen, including contact and demographic information, Social Security numbers, driver’s license numbers, payment card information, employment and wealth information, donation history, and protected health information. The breach impacted more than 13,000 Blackbaud customers and their respective consumer constituents. While the breach started as early as January 2020 and was discovered by Blackbaud by at least May 2020, Blackbaud did not announce the breach until at least two months later, in July 2020. The initial notifications did not accurately represent the scope and severity of the breach or its customers’ notification obligations. The company also initially refused to provide customers with information on what data was accessed during the breach, preventing them from taking the steps necessary to protect themselves and inform affected consumers. Additionally, Blackbaud misled consumers by marketing its strong data-security practices, even though those practices were woefully deficient.
“This incident reflects one of the worst responses to a data breach I have seen to date,” Attorney General Ellison said. “Businesses that collect personal data need to both ensure that data is protected and respond appropriately to notify consumers if a data breach occurs. Blackbaud failed on both counts and put their customers at risk of financial and identity theft, breaches of privacy, and more in the process. This settlement reflects our commitment to holding companies accountable when they do not adequately protect Minnesota consumer data.”
Today’s settlement resolves the attorneys general’s allegations that Blackbaud violated state consumer-protection laws, breach-notification laws, and HIPAA by failing to implement reasonable data security and to remediate known security gaps, which allowed unauthorized persons to gain access to Blackbaud’s network, and by then failing to provide its customers with timely, complete, or accurate information regarding the breach, as required by law. As a result of Blackbaud’s actions, notification to the consumers whose personal information was exposed was significantly delayed or never occurred at all, because Blackbaud downplayed the incident and led its customers to believe that notification was not required.
Under the settlement, Blackbaud has agreed to strengthen its data security and breach-notification practices going forward, including:
- Prohibition against misrepresentations related to the processing, storing, and safeguarding of personal information; the likelihood that personal information affected by a security incident may be subject to further disclosure or misuse; and breach-notification requirements under state law and HIPAA.
- Implementation and maintenance of incident- and breach-response plans to prepare for and more appropriately respond to future security incidents and breaches.
- Breach-notification provisions that require Blackbaud to provide appropriate assistance to its customers and support customers’ compliance with applicable notification requirements in the event of a breach.
- Security-incident reporting to the CEO and Board, enhanced employee training, and appropriate resources and support for cybersecurity.
- Personal information safeguards and controls requiring total database encryption and dark web monitoring.
- Specific security requirements with respect to network segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, and penetration testing.
- Third-party assessments of Blackbaud’s compliance with the settlement for 7 years.
Joining Attorney General Ellison in today’s settlement are the attorneys general of Indiana and Vermont, who co-led the multistate investigation; the attorneys general of Alabama, Arizona, Florida, Illinois, and New York, who served on the Executive Committee; and the attorneys general of Alaska, Arkansas, Colorado, Connecticut, Delaware, District of Columbia, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, Washington, West Virginia, Wisconsin, and Wyoming.