Shawdesh Desk:

New York Attorney General Letitia James, leading a coalition of 50 attorneys general, has secured a $49.5 million settlement from cloud company Blackbaud, following a colossal data breach that affected thousands of non-profit institutions across the country, accordingto a press release from her office.

The organizations, comprising charities, colleges, universities, and healthcare providers, used Blackbaud’s donor data management software which unfortunately fell prey to a data breach in 2020, resulting in the exposure of personal information of customers and millions of donors.

Attorney General James stated, “New Yorkers, and all Americans, deserve to know that their personal information is secure and protected. Blackbaud was supposed to safeguard the private information held by nonprofits regarding donors and customers, but instead its poor data security measures put everyone at risk. There is no excuse for a cloud company to have poor data security measures.”

Blackbaud’s software, used by a variety of non-profit organizations, manages data about constituents, including contact and demographic information, Social Security numbers, driver’s license numbers, financial information, employment and wealth information, donation history, and protected health information.

This highly sensitive information was exposed during the 2020 data breach, impacting over 13,000 institutions that were Blackbaud customers and millions of their respective consumer constituents.

The settlement resolves claims that Blackbaud violated state consumer protection laws, breach notification laws, and HIPAA. The multistate investigation found that Blackbaud failed to implement reasonable data security and fix known security gaps, which allowed unauthorized persons to gain access to Blackbaud’s network.

Following the breach, Blackbaud neglected to provide its customers with timely, complete, or accurate information regarding the breach, as required by law.

Under the settlement, Blackbaud has agreed to strengthen its data security and breach notification practices, including discontinuing misrepresentations related to personal information safeguarding, implementing and maintaining incident and breach response plans, improving security incident reporting to the CEO and board, applying personal information safeguards and controls, using specific security requirements, and implementing third-party assessments of Blackbaud’s compliance with the settlement for seven years.

This multistate agreement includes attorneys general from 49 states (all but California) and the District of Columbia, marking a significant step forward in data security enforcement and consumer protection.