Attorney General James and Multistate Coalition Secure $49.5 Million from Cloud Company for Data Breach

Blackbaud’s 2020 Data Breach Exposed Donor Information of Thousands of Nonprofit Organizations Nationwide
Multistate Investigation Found Blackbaud Failed to Implement Strong Data Security Measures to Protect Donors’ Personal Information from Data Breaches

NEW YORK – New York Attorney General Letitia James and a multistate coalition of 50 attorneys general reached a $49.5 million agreement with cloud company Blackbaud over a massive data breach that impacted thousands of nonprofit institutions, including charities, colleges and universities, and health care organizations in New York and across the country. Blackbaud provides donor data management software and, in 2020, experienced a data breach that exposed the personal information of its customers and millions of their donors and constituents. As a result of today’s agreement, Blackbaud has agreed to overhaul its data security and breach notification practices and pay $49.5 million to the affected states, of which New York will receive $2.9 million.

“New Yorkers, and all Americans, deserve to know that their personal information is secure and protected,” said Attorney General James. “Blackbaud was supposed to safeguard the private information held by nonprofits regarding donors and customers, but instead its poor data security measures put everyone at risk. There is no excuse for a cloud company to have poor data security measures. As data breaches become more pervasive, my office will continue to ensure companies are securing their networks against these attacks.”

Blackbaud provides software to various nonprofit organizations, including charities, higher education institutions, K-12 schools, and health care, religious, and cultural organizations. Blackbaud’s customers use its software to connect with donors and manage data about their constituents, including contact and demographic information, Social Security numbers, driver’s license numbers, financial information, employment and wealth information, donation history, and protected health information. This type of highly sensitive information was exposed during the 2020 data breach, which impacted over 13,000 institutions that were Blackbaud customers and millions of their respective consumer constituents. Blackbaud paid the threat actor a ransom and was provided evidence that the stolen data was deleted.

Thousands of New York institutions were affected by Blackbaud’s data breach. A full list can be found here.

Today’s settlement resolves claims made by Attorney General James and the coalition of 50 attorneys general that Blackbaud violated state consumer protection laws, breach notification laws, and HIPAA. The multistate investigation found that Blackbaud failed to implement reasonable data security and fix known security gaps, which allowed unauthorized persons to gain access to Blackbaud’s network. Following the breach, Blackbaud neglected to provide its customers with timely, complete, or accurate information regarding the breach, as required by law. As a result, notification to the consumers whose personal information was exposed was significantly delayed or never occurred at all, as Blackbaud downplayed the incident and led its customers to believe that no notification was required.

Under the settlement, Blackbaud has agreed to strengthen its data security and breach notification practices going forward, including:

  • Discontinuing misrepresentations related to the processing, storing, and safeguarding of personal information; the likelihood that personal information affected by a security incident may be subject to further disclosure or misuse; and breach notification requirements under state law and HIPAA.
  • Implementing and maintaining incident and breach response plans to prepare for and more appropriately respond to future security incidents and breaches.
  • Updating breach notification provisions that require Blackbaud to provide appropriate assistance to its customers and support customers’ compliance with applicable notification requirements in the event of a breach.
  • Improving security incident reporting to the CEO and board, employee training, and appropriate resources and support for cybersecurity.
  • Applying personal information safeguards and controls requiring total database encryption and dark web monitoring.
  • Using specific security requirements with respect to network segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, and penetration testing.
  • Implementing third-party assessments of Blackbaud’s compliance with the settlement for seven years.

Joining Attorney General James in today’s multistate agreement are the attorneys general of Alabama, Alaska, Arizona, Arkansas, Colorado, Connecticut, Delaware, District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, and Wyoming.

Today’s agreement continues Attorney General James’ efforts to protect New Yorkers’ personal information and hold companies accountable for their poor data security practices. In September, Attorney General James reached an agreement with Marymount Manhattan College to invest $3.5 million to protect students’ online data. This past May, Attorney General James secured $300,000 from Sports Warehouse for failing to protect the data of 2.5 million customers. Also in May, Attorney General James recouped $550,000 from a medical management company for failing to protect patient data. In April, Attorney General James released a comprehensive data security guide to help companies strengthen their data security practices. In December 2022, Attorney General James secured $200,000 from student cap and gown producer Herff Jones for failing to protect consumers’ personal information. In October 2022, Attorney General James announced a $1.9 million agreement with the owner of SHEIN and Zoetop for failing to properly handle a data breach that compromised the personal information of millions of consumers. In June 2022, Attorney General James secured $400,000 from Wegmans and required the retailer to improve data storage security after a data breach exposed consumers’ personal information. In March 2022, Attorney General James issued a consumer alert advising T-Mobile customers to take appropriate steps to protect their personal information following a data breach.

This matter was handled by Deputy Bureau Chief Clark Russell, with special assistance from Internet and Technology Analyst Nishaant Goswamy, of the Bureau of Internet and Technology, under the supervision of Bureau Chief Kim Berger. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D’Angelo and overseen by First Deputy Attorney General Jennifer Levy.