Attorney General Phil Weiser announces $49.5 million multistate settlement with software company Blackbaud over 2020 data breach
Oct. 5, 2023 (DENVER) – Attorney General Phil Weiser joined 49 other attorneys general in a settlement with software company Blackbaud for its deficient data security practices and inadequate response to a 2020 ransomware event that affected thousands of nonprofits and millions of consumers across the country. Under the settlement, Blackbaud agreed to overhaul its data security and breach notification practices and make a $49.5 million payment to states. Colorado will receive over $785,000 from the settlement.
Blackbaud provides contact and donor management software to 13,000 nonprofit and government organizations, including charitable, education, health care, religious, and cultural organizations. The 2020 breach exposed contact and demographic information, Social Security and driver’s license numbers, financial and employment information, donation history, and protected health information.
Today’s settlement resolves allegations that Blackbaud violated state and federal consumer protection, data security, and health information laws by failing to implement reasonable data security and remediate known security gaps, allowing criminals to gain access to Blackbaud’s network. The company then failed in its obligation to provide customers with timely, accurate information about the incident. Affected consumers received significantly delayed notifications about the event or no notification at all. Blackbaud also downplayed the incident, leading customers to believe that no notification was required.
“Blackbaud failed the organizations that relied on the company for cybersecurity, and in doing so broke the law,” said Weiser. “While we can’t go back and undo the harm consumers experienced, this bipartisan coalition of attorneys general fought to ensure community institutions and consumers will be better protected in the future.”
Under the settlement, Blackbaud agrees to strengthen its data security and breach notification practices. This includes prohibiting the company from misrepresentations related to the handling of, and responsibilities related to, personal data. The company will also be required to implement plans for adequate responses to future breaches, including providing customers with all required compliance support, notifications to company leadership, employee training, adopting best cybersecurity practices, and undergoing independent compliance checks for seven years.
The $785,000 Blackbaud will pay can be used for any restitution where possible, consumer education, consumer fraud or antitrust enforcement, or efforts to advance the public welfare.
###
Media Contact
Elliot Goldbaum
Community Education and Communications Manager
(720) 508-6769 office | (303) 990-6691 cell
elliot.goldbaum@coag.gov