FTC finalizes Blackbaud settlement, requires revamped data retention policies

The FTC’s settlement with Blackbaud prohibits the company from misrepresenting its data security practices and requires it to create a data retention schedule.

The Federal Trade Commission (FTC) finalized a settlement with Blackbaud following a 2020 ransomware attack and data breach that resulted in the removal of large amounts of unencrypted consumer data from Blackbaud’s network.

The terms of the settlement will require Blackbaud to delete data that it no longer needs to provide services. Blackbaud will also be prohibited from misrepresenting its data security and data retention policies.

The FTC’s initial complaint, filed in February 2024, alleged that Blackbaud failed to implement adequate safeguards to secure the personal data it collects, resulting in a large-scale breach that impacted millions of individuals.

Blackbaud offers financial, fundraising and administrative software services to companies and nonprofits across a variety of sectors, including healthcare. When a ransomware attack hit Blackbaud’s self-hosted legacy product databases in early 2020, the threat actor was able to remain undetected for more than three months.

The FTC alleged that Blackbaud’s deficient encryption practices added to the severity of the breach. For example, the company allowed customers to store Social Security numbers and financial account information in unencrypted fields. It also failed to encrypt its database backup files, which contained complete customer records for current and former customers.

After discovering the incident, the company waited two months to issue a breach notification, the FTC alleged.

What’s more, the full scope of the attack was not disclosed until September 2020, when Blackbaud first said that the threat actor had accessed unencrypted donor bank information and Social Security numbers.

Blackbaud paid a ransom of $250,000 to the threat actor but allegedly failed to verify that the hacker had actually deleted the data as promised.

The FTC’s settlement requires Blackbaud to develop a comprehensive information security program to address its encryption deficiencies. Blackbaud will also be required to employ a data retention schedule that outlines its data deletion practices.

In the years since the breach occurred, Blackbaud has faced regulatory and legal scrutiny over its handling of the breach from various parties. For example, in March 2023, Blackbaud reached a $3 million settlement with the Securities and Exchange Commission (SEC) over its misleading breach disclosures.

In October 2023, Blackbaud reached a settlement with 49 state Attorneys General and the District of Columbia following a multi-state investigation into the 2020 ransomware attack. The settlement required Blackbaud to pay $49.5 million and not to make misleading statements about its data security and privacy practices in the future.

Just a few days before the FTC finalized its settlement, a federal judge denied class certification in a consolidated class action lawsuit against Blackbaud. The consolidated lawsuit is the result of more than a dozen lawsuits filed against Blackbaud in the wake of the breach.