Blackbaud Settles for $49.5 Million After 2020 Data Breach; New Jersey Receives Over $1 Million

Software company collaborates with 50 states to bolster data protection, improving security protocols and breach responses.

Morristown, NJ - New Jersey's Attorney General, Matthew J. Platkin, unveiled today a joint settlement reached between software developer Blackbaud and New Jersey, as well as 49 other states. This resolution addresses the company’s 2020 ransomware incident, which compromised the private details of millions across the U.S.

Under this agreement, Blackbaud has pledged to revamp its data protection measures and communication strategies in case of future breaches. Furthermore, a sum of $49.5 million will be disbursed among the states, with New Jersey's share being $1,083,802.

Serving a broad clientele, including nonprofits, educational institutions, healthcare centers, and religious and cultural groups, Blackbaud’s software aids these entities in donor relations and managing vital personal information. This includes sensitive data such as Social Security numbers, contact details, and financial records. Unfortunately, this data was laid bare during a breach the company unearthed on May 14, 2020. Despite the early discovery, the public and the company's over 13,000 software users weren't informed until July 16, 2020. Following this, the software's users began alerting their donors about the security incident.

“Agreeing to donate funds to your favorite arts center or to your local hospital should not come with the risk that your personal financial and identifying information will be exposed through a ransomware attack, and nonprofits and schools that use this software need assurance that the product they are buying is secure,” said Attorney General Platkin.

Acting Director Cari Fais of the Division of Consumer Affairs further emphasized the gravity of the breached data, asserting the critical need for software companies to perpetually enhance their defenses against evolving cyber threats.

The settlement concludes the extensive multistate investigation into claims that Blackbaud breached state consumer protection regulations, notification mandates, and the federal Health Insurance Portability and Accountability Act (“HIPAA”). These infringements stem from the company's inadequate data defenses and their failure to promptly and accurately inform customers about the breach, leading to delays or complete omission of notifications to affected individuals.

As part of the new terms, Blackbaud has committed to:

  • Avoid misleading claims related to data protection and security incident communication.
  • Introduce and uphold protocols to effectively handle potential breaches.
  • Support clients in adhering to requisite notification protocols in case of data breaches.
  • Regularly report security incidents to the company’s top brass, train employees on cybersecurity, and allocate suitable resources for digital protection.
  • Ensure comprehensive database encryption and surveillance of the dark web.
  • Fulfill specific security requirements encompassing network separation, intrusion detection, and penetration testing.
  • Permit third-party evaluations of Blackbaud’s adherence to the settlement for the upcoming seven years.

The investigation was spearheaded by Indiana and Vermont, with participation from multiple other states, including New Jersey. Representing New Jersey in this case were Deputy Attorney General Gina Pittore, Assistant Section Chief Thomas Huynh, and others from the Division of Law's Data Privacy and Cybersecurity Section.