Keep data secure.
Safely dispose after use.
Tell people the truth.
We’re not suggesting that the principles of sound data security can be boiled down to a haiku, but there are certain fundamentals every business should follow. The FTC’s proposed action against Blackbaud, Inc., alleges that the company’s failure to implement some of those basics resulted in the theft of highly sensitive data about millions of consumers, including Social Security numbers and bank account information. But that’s just the start of where the FTC says Blackbaud violated the law.
South Carolina-based Blackbaud provides a wide variety of data, fundraising, and financial services to more than 45,000 companies, including nonprofits, foundations, educational institutions, and healthcare organizations. In that capacity, the company maintains a mountain of sensitive information about people – for example, names, dates of birth, banking information, estimated wealth, known assets, medical and health insurance information, religious beliefs, donation history, and account credentials. To reassure companies using its services, Blackbaud made explicit representations that it used reasonable and appropriate security to protect consumers’ personal information.
You’ll want to read the complaint for details, but the FTC says that in early 2020, an attacker purportedly used a Blackbaud customer’s login and password to access certain Blackbaud databases. The attacker rummaged around undetected for three months until Blackbaud finally spotted a suspicious login on a backup server. But by then, the attacker had stolen data from tens of thousands of Blackbaud’s customers, which compromised the personal information of millions of consumers.
Once detected, the attacker threatened to expose the data unless Blackbaud paid a ransom. Blackbaud eventually agreed to pay 24 Bitcoin – then valued at about $250,000 – in exchange for the attacker’s promise to delete the stolen data. But Blackbaud hasn’t been able to verify that the attacker actually followed through with their part of the bargain.
The FTC says Blackbaud’s deficient encryption practices magnified the severity of the data breach. For example, according to the complaint, Blackbaud allowed customers to store Social Security numbers and bank account information in unencrypted fields; let them upload attachments containing consumers’ personal information, which Blackbaud also didn’t encrypt; and didn’t encrypt its database backup files.
Also exacerbating the severity of the breach was the fact that Blackbaud didn’t enforce its own data retention policies, meaning that Blackbaud kept consumer data even when it no longer had a legitimate business need to maintain it. As a result, the FTC says that some of the personal information the attacker stole should have been securely destroyed by Blackbaud years earlier.
Many FTC data security allegations might end there, but the complaint against Blackbaud includes another disturbing charge. After conducting an investigation into the breach that the FTC describes as “exceedingly inadequate,” Blackbaud finally notified customers in July 2020, but – according to the complaint – misrepresented the scope and severity of the breach. Here’s how Blackbaud played down what happened: “The cybercriminal did not access credit card information, bank account information, or social security numbers. . . No action is required on your end because no personal information about your constituents was accessed.”
The FTC says that led many Blackbaud customers to conclude they didn’t need to notify their own consumers of the breach. But as part of its continuing post-breach investigation, it became clear to Blackbaud that the attacker had, in fact, stolen consumers’ bank account numbers and Social Security numbers. But the FTC says Blackbaud didn’t disclose the extent of the breach to customers until October 2020. As the complaint alleges, “Due to this delay in notice, consumers suffered additional harm because they had no way to know that they needed to take any mitigating steps to protect themselves from identity theft.” Indeed, Blackbaud has received multiple complaints from consumers about attempted identity theft and fraud involving personal information exposed during the breach.
Count I of the complaint alleges that Blackbaud failed to take reasonable steps to prevent unauthorized access to sensitive consumer data maintained by its customers on its network – an unfair practice that violated the FTC Act. Count II charges that Blackbaud failed to implement and enforce reasonable data retention practices. Count III addresses the company’s failure to accurately communicate the scope and severity of the breach in its initial notification to customers. In Count IV, the FTC alleges that Blackbaud misrepresented that it used appropriate safeguards to protect consumers’ personal information. And Count V challenges Blackbaud’s misrepresentation in its first notification that consumers’ personal information hadn’t been subject to the breach.
The proposed order requires Blackbaud to delete data it no longer needs, requires the company to implement a comprehensive information security program, and mandates a data retention schedule that explains why Blackbaud maintains personal data and when it will delete it. Blackbaud also must notify the FTC if it experiences a future data breach that the company is required to report to any other local, state or federal agency. Once the proposed settlement is published in the Federal Register, the FTC will accept public comments for 30 days.
What advice can your company take from the FTC’s action against Blackbaud?
Consider your data security practices in light of the lapses alleged in the complaint against Blackbaud. Appropriate data security isn’t a one-size-fits all proposition, but taking a look at missteps that resulted in law enforcement action against other companies can help improve practices at your business. The FTC cites multiple ways in which Blackbaud failed to provide appropriate security for the personal information it maintained. Read Paragraph 19 of the complaint for details, but among other things, the FTC says the company failed to implement appropriate password controls, didn’t follow industry standards and its own internal policies regarding multifactor authentication, didn’t monitor for unauthorized attempts to transfer consumers’ personal information, and failed to implement appropriate network segmentation to prevent attackers from moving freely across Blackbaud’s networks and databases.
Securely dispose of sensitive information once you no longer have a business need to maintain it. A key part of your company’s data retention policy is your data destruction policy. Don’t collect information without a legitimate business need. Store it safely while it’s in your possession. And dispose of it securely when that business need passes. Holding on to sensitive data “just because” is an unwise strategy.
If you experience a breach, tell the truth – and tell it promptly. Companies that experience a data breach have legal obligations under federal and state notification statutes. If your company experiences a breach covered by any of those laws, conduct a thorough investigation as quickly as possible and be candid with customers about what happened. Dragging your feet or failing to give accurate information will only compound the injury. As explained in the FTC’s Data Breach Response: A Guide for Business, by having a “What if . . . .” plan in place before the need arises, you can quickly mobilize resources toward recovery.