California Attorney General Rob Bonta has reached a significant settlement with Blackbaud, a South Carolina-based software company, imposing a $6.75 million penalty for breaches of consumer protection and privacy laws. The settlement arises from Blackbaud’s failure to uphold adequate data security practices, which resulted in a notable data breach in 2020. This breach compromised sensitive personal information, including Social Security numbers, bank account details, and medical information, stored within Blackbaud’s data management software used by nonprofit organizations.
The investigation revealed that Blackbaud not only failed to implement fundamental security measures like multi-factor authentication but also neglected to promptly disclose the breach’s full impact to affected parties. Blackbaud initially downplayed the severity of the breach, and its misleading statements about its security efforts and the extent of compromised data further exacerbated the situation. This disregard for transparency and diligence in safeguarding sensitive information violated California’s Reasonable Data Security Law, Unfair Competition Law, and False Advertising Law related to data security.
As part of the settlement terms awaiting court approval, Blackbaud is mandated to implement comprehensive improvements to its data security infrastructure. These include strict protocols for storing and disposing of database backup files containing personal information, enhanced password management policies such as confidentiality and rotation, and robust monitoring systems to detect and respond to suspicious activities promptly. The measures aim to prevent future breaches and ensure that Blackbaud prioritizes the protection of consumer data and maintains compliance with evolving security standards.
Attorney General Bonta emphasized that the settlement aims to hold Blackbaud accountable for its lapses in data security and the subsequent misleading communication to consumers and nonprofit organizations. By enforcing stringent security enhancements and transparency requirements, the settlement seeks to restore trust and confidence in Blackbaud’s handling of sensitive information among its nonprofit clientele and the public. This case underscores the critical importance of proactive data protection measures and truthful disclosure practices in mitigating the risks posed by cybersecurity threats in today’s digital landscape.