News

AG Announces Multistate Settlement with Blackbaud

Eagle Times Staff
CONCORD, NH — New Hampshire Attorney General John Formella announced Thursday, Oct. 5, that New Hampshire, along with 49 other attorneys general, has reached a settlement with software company Blackbaud for its deficient data security practices and response to a 2020 ransomware event that exposed the personal information of millions of consumers across the United States.

Under the settlement, Blackbaud has agreed to overhaul its data security and breach notification practices and make a $49.5 million payment to states. New Hampshire will receive $413,500 from the settlement.

“We will not tolerate concealment of important information from the public. In this case we are talking about non-profit organizations being left vulnerable and in the dark about their data being jeopardized. Companies storing consumers’ data have a responsibility to not only protect it, but to do the right thing when a breach occurs,” said Attorney General Formella. “We expect companies to follow the law by alerting customers and authorities of data breaches as soon as possible so everyone impacted can be aware and take appropriate steps to respond and safeguard themselves.”

Blackbaud provides software to various nonprofit organizations, including charities, higher education institutions, K-12 schools, healthcare organizations, religious organizations, and cultural organizations. Blackbaud’s customers use Blackbaud’s software to connect with donors and manage data about their constituents, including contact and demographic information, Social Security numbers, driver’s license numbers, financial information, employment and wealth information, donation history, and protected health information. This type of highly sensitive information was exposed during the 2020 data breach, which impacted over 13,000 Blackbaud customers and their respective consumer constituents.

Thursday’s settlement resolves allegations of the attorneys general that Blackbaud violated state consumer protection laws, breach notification laws, and HIPAA by failing to implement reasonable data security and remediate known security gaps, which allowed unauthorized persons to gain access to Blackbaud’s network, and then failing to provide its customers with timely, complete, or accurate information regarding the breach, as required by law.

As a result of Blackbaud’s actions, notification to the consumers whose personal information was exposed was significantly delayed or never occurred at all insofar as Blackbaud downplayed the incident and led its customers to believe that notification was not required.

Under the settlement, Blackbaud has agreed to strengthen its data security and breach notification practices going forward.

Avatar photo

As your daily newspaper, we are committed to providing you with important local news coverage for Sullivan County and the surrounding areas.