By: Richard L. Smith
New Jersey's Attorney General, Matthew J. Platkin, announced today that the state, along with 49 other Attorneys General, has successfully reached a settlement with software company Blackbaud.
This resolution comes in response to Blackbaud's deficient data security practices and its inadequate response to a ransomware event that occurred in 2020.
This event resulted in the exposure of personal information belonging to millions of consumers across the United States.
Under the terms of the settlement, Blackbaud has committed to a comprehensive overhaul of its data security and breach notification practices.
Additionally, the company will make a payment of $49.5 million to the participating states. New Jersey's share of this settlement amounts to $1,083,802.
Blackbaud is a software provider that serves various nonprofit organizations, including charities, colleges and universities, K-12 schools, healthcare centers, faith-based groups, and cultural organizations.
These organizations rely on Blackbaud's software to manage personal data, which includes sensitive information like Social Security numbers, driver's license numbers, donation history, contact details, demographic data, and financial, employment and protected health information.
The data breach in question was discovered by Blackbaud on May 14, 2020.
However, the company did not publicly disclose the breach or commence informing its more than 13,000 impacted software customers until July 16, 2020.
These customers, in turn, began notifying the donors in their databases about the cyberattack.
Attorney General Platkin expressed concern about the security of personal information in such cases, stating, "Agreeing to donate funds to your favorite arts center or to your local hospital should not come with the risk that your personal financial and identifying information will be exposed through a ransomware attack, and nonprofits and schools that use this software need assurance that the product they are buying is secure."
The settlement addresses allegations that Blackbaud violated state consumer protection laws, breach notification laws, and the federal Health Insurance Portability and Accountability Act (HIPAA).
These violations stemmed from the company's failure to implement adequate data security measures and remedy known security vulnerabilities.
As a result, unauthorized individuals gained access to Blackbaud's network, and the company failed to provide timely, complete, or accurate information about the breach to its customers, as required by law.
In addition to the financial relief provided to the states, Blackbaud has agreed to strengthen its data security and breach notification practices.
These enhancements include prohibiting misrepresentations related to personal information processing and safeguarding, implementing and maintaining incident and breach response plans, and providing appropriate assistance to customers in the event of a breach.
The settlement also mandates security measures, such as total database encryption, dark web monitoring, network segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, and penetration testing.
Indiana and Vermont led the multistate investigation, with the assistance of several other states, including New Jersey.
The settlement has been joined by a total of 50 states and the District of Columbia, reflecting the widespread concerns about data security and the importance of holding companies accountable for safeguarding personal information.
