Attorney General Taylor announces settlement with Blackbaud Inc. regarding data breach

Anchorage, Alaska (KINY) - Alaska's attorney general, along with 49 other attorneys general, has reached a settlement with software company Blackbaud over its deficient data security practices and its response to a 2020 ransomware event.
The 2020 event exposed the personal information of millions of consumers across the United States.

Under the settlement, Blackbaud has agreed to overhaul its data security and breach notification practices and make a $49.5 million payment to states.

Alaska will receive $358,925 from the settlement.

Blackbaud provides software to various nonprofit organizations, including charities, higher education institutions, K-12 schools, healthcare organizations, religious organizations, and cultural organizations.

Blackbaud’s customers use Blackbaud’s software to connect with donors and manage data about their constituents, including contact and demographic information, Social Security numbers, driver’s license numbers, financial information, employment and wealth information, donation history, and protected health information.

This type of highly sensitive information was exposed during the 2020 data breach, which impacted over 13,000 Blackbaud customers and their consumer constituents.

“Businesses need to think carefully about what data they collect about people and how they will protect it,” said Attorney General Taylor. “Every business that collects Alaskans’ personal information must comply with Alaska’s data breach notification laws.”

Thursday’s settlement resolves allegations of the attorneys general that Blackbaud violated state consumer protection laws, breach notification laws, and HIPAA by failing to implement reasonable data security and remediate known security gaps, which allowed unauthorized persons to gain access to Blackbaud’s network, and then failing to provide its customers with timely, complete, or accurate information regarding the breach, as required by law. 

As a result of Blackbaud’s actions, notification to the consumers whose personal information was exposed was significantly delayed or never occurred at all.

Indiana and Vermont co-led the multistate investigation, assisted by the Executive Committee consisting of Alabama, Arizona, Florida, Illinois, and New York, and joined by Alaska, Arkansas, Colorado, Connecticut, Delaware, District of Columbia, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, Washington, West Virginia, Wisconsin, and Wyoming.