Blackbaud, a software company that was the subject of a multistate investigation for a 2020 data breach, has reached a settlement for $49.5 million with the attorneys general (AGs) of 49 states (not including California) and the District of Columbia, led by Indiana and Vermont.

Blackbaud provides software to nonprofits such as health care, educational, religious, and cultural organizations. The multistate investigation stems from a 2020 ransomware attack that exposed over a million files related to 13,000 Blackbaud customers, primarily nonprofit entities, and included sensitive information (contact and demographic information, Social Security numbers, driver’s license numbers, financial information, employment and wealth information, donation history, and protected health information) from millions of nonprofit donors and others.

The AGs claimed Blackbaud’s data security practices were insufficient in both preventing and responding to the incident, alleging it violated states’ consumer protection laws, certain state privacy laws, breach notification laws, and the Health Insurance Portability and Accountability Act (HIPAA).

The settlement commits Blackbaud to comply with the relevant laws and adds additional obligations, including requiring Blackbaud to:

  • Not make misrepresentations or fail to state material facts regarding the extent to which Blackbaud maintains and/or protects privacy, security, and confidentiality of PI or PHI of consumers.
  • Implement and maintain a written incident response plan to prepare for and respond to security incidents and breaches, including twice-a-year tabletop exercises.
  • Implement and maintain a comprehensive information security program, including complying with access controls consistent with NIST publications; employing a CPO, CISO and CTO; and providing security incident reports to the CEO and Board.
  • Provide specialized training to employees responsible for implementing, maintaining, or monitoring the information security program.
  • Maintain and comply with a governance process that protects PI and PHI and retains them only to the minimum extent necessary to accomplish Blackbaud’s intended legitimate business purposes.
  • Search and monitor the dark web for Blackbaud data.
  • Comply with a number of specific technical safeguards and controls related to network segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, and penetration testing.
  • Engage an independent third party to conduct assessments of its general data security practices, which includes a risk assessment that complies with HIPAA, for at least 7 years.

The terms of the settlement also include a “Most Favored Nation” (MFN) clause, stating that if Blackbaud comes to a similar resolution with attorneys general of other states (not including this multistate) within a year with more favorable injunctive terms, the parties will meet and confer and may negotiate regarding the differing terms. Because 49 states already settled through this multistate resolution, it appears this MFN is intended to address a potential future California settlement.

Blackbaud also faced federal regulatory allegations from the Securities and Exchange Commission and agreed in March 2023 to pay $3 million to resolve claims that it crafted misleading disclosures about the attack.

The commitments made by Blackbaud under the settlement, and the AGs’ history of data breach investigations, underscore the importance of having a mature security and data breach program for companies that collect, store, or process personal information, particularly any personal information that may be deemed sensitive. Companies dealing in PI and sensitive PI should ensure that (1) prior to any incident, appropriate security programs and breach response plans are in place; and (2) upon discovery of an incident, the company responds promptly and appropriately without any misstatements of material fact, including by complying with the data breach notification laws of all of the relevant states.

State AGs have been active in investigating data breaches for years, well before any state had specific data breach notification or comprehensive privacy laws. Major recent multistate resolutions include Home Depot (2020) and Equifax (2019), each resulting in millions of dollars in payments to the states. This area poses significant risk; case in point, mere days after the Blackbaud settlement, Pennsylvania Attorney General Michelle Henry announced a $1 million settlement with Rutter’s, a convenience store chain, for a data breach of customers’ payment card information.