Software provider Blackbaud Inc. said Thursday it will pay $49.5 million to 49 states and the District of Columbia to settle litigation filed in connection with a 2020 ransomware attack.
In March, the Charleston, South Carolina-based company agreed to pay $3 million to settle U.S. Securities and Exchange Commission charges it made misleading disclosures about the ransomware attack, which affected more than 13,000 customers.
In the SEC case, the agency had charged that although the company said the ransomware attacker had not accessed bank account information or Social Security numbers, some company employees learned that it had in fact done so, but they did not tell the senior managers responsible because the company did not maintain disclosure controls and procedures.
Blackbaud said in its statement on the multistate settlement that in addition to paying the $49.5 million, it agreed to comply with applicable laws; to not make misleading statements related to its data protection, privacy, security, confidentiality, integrity, breach notification requirements and similar matters; and to implement and improve certain cybersecurity programs and tools.
Blackbaud said it expects to pay the full settlement this month from its existing liquidity.
California is the lone state not to participate in the settlement. Blackbaud said in an 8-K filing with the SEC that the California attorney general “did not participate in the Multistate Investigation and has issued a separate Civil Investigative Demand related to the Security Incident, which has not been resolved.”
