State regulators across the country continue to increase their focus on cyber security and data privacy compliance and enforcement. For years, cloud company Blackbaud, a service provider to thousands of nonprofit enterprises, has been in the news following its 2020 disclosure of a massive data breach that impacted over 13,000 Blackbaud customers. The fallout from that breach has included both private civil litigation and federal inquiries. Most recently, New York State Attorney General Letitia James, as part of a multistate coalition of 50 attorneys general (the “AGs”), reached a $49.5 million settlement with Blackbaud over that breach. The settlement resolves claims that Blackbaud violated state consumer protection laws, breach notification laws, and Health Insurance Portability and Accountability Act (“HIPAA”) privacy rules.
Blackbaud’s customers—including thousands of charities, colleges and universities, religious and cultural institutions, and health care organizations—used its software to connect with donors and manage data about their stakeholders. Such data included highly sensitive information, such as contact and demographic information, Social Security numbers, driver’s license numbers, employment and financial information, donation history, and protected health information.
In July 2020, Blackbaud informed its customers that it had detected and interrupted a ransomware attack occurring on its systems from February 2020 through May 2020. However, before Blackbaud was able to stop the ransomware attack, an unauthorized third party accessed and copied certain data from its systems, some of which was unencrypted. As a result, highly sensitive information was exposed, impacting thousands of Blackbaud’s customers and millions of their constituents. Blackbaud was ultimately able to expel the intruder from its systems and paid a ransom in exchange for confirmation that any improperly accessed data was destroyed or would not be disseminated.
Despite these efforts, however, the AGs concluded that Blackbaud did not do enough to safeguard consumer privacy. For example, as part of their investigation, the AGs determined that Blackbaud failed to employ reasonable data security and fix known security gaps, allowing unauthorized entry to Blackbaud’s network. According to the AGs, Blackbaud also neglected to provide to its customers—as it was legally required to do—timely, complete, and accurate information following the breach. As a result, some affected customers never received notice of the breach, or such notice was significantly delayed. This, in turn, impaired customers’ ability to comply with their own required breach notifications and disclosures.
The Blackbaud settlement provides additional insight into aspects of an enterprise’s information security and privacy practices that are coming under increasing scrutiny from regulators, especially following a significant breach. Such areas include board and C-suite level involvement in information security governance and reporting, third-party testing, robust incident response planning, and personnel training. Under the terms of the settlement, Blackbaud agreed to enhance its data security and breach notification practices, including:
- Implementing and maintaining incident and breach response plans to prepare for and respond to future security incidents;
- Improving security incident reporting to the CEO and board;
- Updating breach notification provisions that require Blackbaud to provide appropriate assistance to its customers and support customers in the event of a future breach;
- Implementing employee training and dedicating additional resources to cybersecurity;
- Applying personal information safeguards and controls requiring total database encryption and dark web monitoring;
- Using specific security requirements with respect to network segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, and penetration testing; and
- Permitting third-party assessments of Blackbaud’s compliance with the settlement for seven years.
Notably, the Blackbaud settlement comes on the heels of other recent enforcement action settlements by New York Attorney General James, including in the non-profit sector. For example, in September, Attorney General James reached an agreement with Marymount Manhattan College (“MMC”), a private non-profit liberal arts college in New York City. The settlement resolved claims relating to a substantial cyberattack in November 2021, which affected nearly 100,000 current and prospective MMC students, faculty, and alumni. The attorney general’s investigation concluded that MMC failed to adequately safeguard personal information, including by failing to use multi-factor authentication, not encrypting sensitive data, and failing to maintain updated security policies and firmware. Under the terms of the settlement agreement, MMC is required to invest $3.5 million to protect students’ online data over the next six years.
The MMC settlement appears to reflect New York’s seemingly increasing commitment to enforcement under the SHIELD Act, New York’s data security and breach reporting statute that requires covered entities to implement administrative, technical, and physical safeguards as part of their information security programs. The resolution with the AG is in addition to the $1.3 million class action settlement that MMC reached earlier this year with impacted individuals related to the 2021 breach.
Both the Blackbaud and MMC settlements highlight the increasing focus of state regulators across the country on data security practices, including those impacting the non-profit sector, and the hefty financial penalties that can follow findings of non-compliance, not to mention the substantial resources required to cooperate with any investigative authorities. We anticipate that this trend will continue, putting a premium on planning and preparation for enterprises that are not only seeking compliance but also building practical and efficient programs for responding if (and when) the worst comes to pass.