Attorney General Charity Clark announced today that she, along with 49 other attorneys general, has reached a settlement with software company Blackbaud for its deficient data security practices and response to a 2020 ransomware event that exposed the personal information of millions of consumers across the nation. Under the settlement, Blackbaud has agreed to overhaul its data security and breach notification practices and make a $49.5 million payment to states. As one of the states leading the investigation into Blackbaud, Vermont will receive $3 million from the settlement.
“Any company that collects Vermonters’ data has a responsibility to protect that data, and to ensure that affected consumers receive notice if that protection fails,” said Attorney General Clark. “Implementing good data security practices, such as data minimization, can protect not only consumers but also businesses that suffer a data breach.”
Blackbaud provides software to various nonprofit organizations, including charities, higher education institutions, K-12 schools, healthcare organizations, religious organizations, and cultural organizations. Blackbaud’s customers use Blackbaud’s software to connect with donors and manage data about their constituents, including contact and demographic information, Social Security numbers, driver’s license numbers, financial information, employment and wealth information, donation history, and protected health information. This type of highly sensitive information was exposed during the 2020 data breach, which impacted over 13,000 Blackbaud customers and their respective consumer constituents, including more than 15,000 Vermonters.
Today’s settlement resolves allegations that Blackbaud violated state consumer protection laws, data breach notification laws, and HIPAA by failing to implement reasonable data security and remediate known security gaps, which allowed unauthorized persons to gain access to Blackbaud’s network, and by then failing to provide its customers with timely, complete, or accurate information regarding the breach, as required by law. As a result of Blackbaud’s actions, notification to the consumers whose personal information was exposed was significantly delayed or never occurred at all, insofar as Blackbaud downplayed the incident and led its customers to believe that notification was not required.
Under the settlement, Blackbaud has agreed to strengthen its data security and breach notification practices going forward, including requiring that, in the event of future breaches, Blackbaud provide accurate and legally sufficient notifications, implement and maintain incident and breach response plans, provide appropriate assistance to help customers comply with notification requirements, take various other steps to increase training and resources, and obtain third-party assessments of Blackbaud’s compliance with this settlement each year for the next seven years.
This incident underscores the importance of the best practices in data privacy that Attorney General Clark has encouraged, including data minimization to limit and/or eliminate private sector retention of unnecessary or superfluous consumer information. October is Cyber Security Awareness Month, and Attorney General Clark is taking this opportunity to reemphasize the importance of these best practices for businesses and consumers. Additional information and resources are available at ago.vermont.gov/privacy-data-security or by calling the Attorney General’s Consumer Assistance Program at 1-800-649-2424.
Vermont co-led the multistate investigation with Indiana. They were joined in the settlement by Alaska, Arizona, Arkansas, Colorado, Connecticut, Delaware, the District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, Washington, West Virginia, Wisconsin, and Wyoming.
A copy of the settlement is available here.
CONTACT: Lauren Jandl, Chief of Staff, 802-828-3171