Blackbaud data breach settlement overview:
- Who: Blackbaud Inc. agreed to pay $49.5 million to a total of 49 states and the District of Columbia to resolve 2020 data breach claims.
- Why: Blackbaud was accused of failing to enact reasonable security safeguards to prevent the breach and of violating breach notification laws in how it responded to the incident.
- Where: The settlement will benefit 49 states, excluding California, and the District of Columbia.
Computer software corporation Blackbaud agreed to pay $49.5 million to a total of 49 U.S. states and the District of Columbia to resolve claims surrounding its response to a 2020 data breach.
The states and the District of Columbia argued Blackbaud failed to have reasonable security in place to protect data belonging to more than 13,000 nonprofits and millions of their constituents and donors.
Blackbaud also pledged to overhaul its data security and breach notification policies and promised to avoid making misleading statements about its privacy, security and related obligations going forward, according to the settlement agreement.
“(Blackbaud) had an obligation to safeguard this information, and they failed,” Connecticut Attorney General William Tong says in a statement. “Our settlement forces Blackbaud to adopt stringent data security and breach notification practices going forward.”
Blackbaud promises to better report data security incidents, according to settlement
Blackbaud disclosed the data breach in July 2020, announcing at the time it was the victim of a ransomware attack that allowed customer information to fall into the hands of unauthorized third parties.
The states and the District of Columbia argued Blackbaud broke several laws in the wake of the breach, including their consumer protection and breach notification laws and the federal Health Insurance Portability and Accountability Act.
In addition to committing to improve its data security practices, Blackbaud promised to do a better job at reporting incidents to its CEO and board and to enhance its training, resources and support for cybersecurity, according to the settlement.
Blackbaud also agreed to implement a third-party assessment of its settlement compliance for a period of at least seven years.