Blackbaud Settles with FTC Over 2020 Data Breach: Comprehensive Corrective Measures and Compliance Obligations Outlined

Blackbaud, a software company, is set to undertake substantial corrective measures as part of a proposed settlement with the Federal Trade Commission (FTC) following a significant data breach in 2020. The FTC asserted that Blackbaud's deficient data security protocols allowed cybercriminals to pilfer sensitive information, including Social Security and bank account numbers. The proposed settlement, which comes after Blackbaud agreed to a $49.5 million multistate settlement in October related to the same breach, outlines specific compliance obligations for the company.

The FTC's complaint delineates several inadequacies in Blackbaud's security practices, including a failure to monitor hacking attempts, segment data effectively, delete unnecessary data, implement robust multifactor authentication, and adequately test security controls. The breach, initiated by a ransomware attack, remained undetected for three months. Upon discovering the intrusion, Blackbaud reportedly paid a ransom of 24 bitcoins (equivalent to $250,000 at the time) to the hackers for the purported deletion of stolen data. Notably, the company did not verify whether the hackers indeed carried out the data deletion, according to the FTC's complaint.

The proposed settlement mandates that Blackbaud take specific remedial actions, including the deletion of backup files containing covered information that is not essential for providing products or services. Additionally, the company is required to enforce data retention limits, establish a comprehensive information security program, undergo an information security assessment conducted by a third party, annually certify its data security program with the assistance of the chief information security officer, and implement robust compliance reporting, monitoring, and recordkeeping practices.

In response to the settlement, Blackbaud's President and CEO, Mike Gianoni, expressed satisfaction, stating, "We are pleased to resolve this matter with the FTC. Protecting our customers' and their constituents' privacy will always be of paramount importance to Blackbaud." Gianoni further emphasized the company's commitment to enhancing cybersecurity and compliance programs to bolster resilience in an ever-evolving threat landscape. It is noteworthy that Blackbaud agreed to the settlement without admitting or denying the FTC's findings, signaling a cooperative approach in addressing the regulatory concerns.

By fLEXI tEAM