On February 1, 2024, the Federal Trade Commission (FTC) announced a complaint and proposed consent order against Blackbaud, Inc. regarding a 2020 data security incident involving ransomware requests and payments. According to the FTC’s complaint, Blackbaud’s unfair and misleading practices include not only poor data security practices but also false statements about the scope and severity of the breach, including misrepresentations about the scope and severity of the breach. It is said that this included a delay in notifying the parties accurately. Initial notification to those customers. The FTC asserts that this action raises independent Section 5 tortiousness claims stemming from the failure to (1) implement and enforce reasonable data retention practices and (2) accurately communicate the seriousness and scope of the breach. He emphasized that it was his first time doing so.
Blackbaud Security Incident and Customer Notice
Blackbaud provides a variety of software products and services to nonprofit organizations, foundations, educational institutions, and healthcare organizations, including database services to track donors and donations. The complaint alleges that on February 7, 2020, an attacker used the customer’s login information to access the customer’s Blackbaud-hosted database. According to the complaint, the attacker used the vulnerability to move between Blackbaud-hosted environments and on the Blackbaud network, including millions of items of consumer personal information controlled by Blackbaud customers. I was able to leak the files. The FTC states that personal information includes name, date of birth, Social Security number, home address, telephone number, email address, financial information (such as bank account information, estimated wealth, and identified assets), and medical information (such as patient and medical information). information, etc.). record identifier, attending physician’s name, health insurance information, date of visit, reason for visit), gender, religious beliefs, marital status, spouse’s name, spouse’s contribution history, employment information (including salary), educational information, and account information. Credentials. According to the complaint, the aforementioned data was not encrypted because (1) Blackbaud tells its customers that it stores social security numbers and bank account information in unencrypted fields not specifically designated for that purpose; was allowed. (2) Blackbaud allowed its customers to upload attachments containing consumers’ personal information, which Blackbaud did not encrypt; (3) Blackbaud did not encrypt his files, database backups containing complete records from customers and former customers;
The complaint alleges that the attackers demanded a ransom after the intrusion was discovered on May 20, 2020. Blackbaud paid $235,000 in Bitcoin, but the FTC stressed in its complaint that Blackbaud has not been able to “conclusively verify” that the stolen data has been deleted. The complaint alleges that Blackbaud did not notify customers about the incident for another two months, until July 16, 2020, following an investigation it characterized as “highly inadequate.” Additionally, the FTC alleges that this initial notice to the customer stated that his credit card information, bank account information, and Social Security number were not accessed, alleging that: I am.[n]o No action is required on your part as no personal information about your voters is accessed.Blackbaud allegedly knew as of July 31, 2020 that bank account numbers and Social Security numbers had been compromised, but this fact was not disclosed to customers until October 2020.
FTC Claims and Proposed Order
All five FTC claims are brought under Section 5 of the FTC Act, 15 USC § 45(a) for deceptive or unfair acts or practices. Notably, the complaint includes three novel allegations:
- Unfair data retention practices. The FTC alleges that Blackbaud engaged in unfair conduct by failing to implement and enforce reasonable data retention practices for sensitive consumer data held by customers in its network. According to the complaint, Blackbaud kept its customers’ consumer data for longer than necessary, including in some cases data about former and prospective customers, contrary to its own policies.
- Unfair and inaccurate initial infringement notification. The FTC alleges that Blackbaud first notified customers of the breach in July 2020, but failed to accurately communicate the scope and seriousness of the breach, which was unfair. The allegation of impropriety stems from Blackbaud’s inaccurate statements about the scope of personal information exposed and the months-long delay before Blackbaud provided a second accurate notification of the scope of that data. It assumes both. (Blackbaud’s March 2023 settlement with the SEC also relates to a July 2020 notice to Blackbaud’s customers, which the SEC said misled investors about the impact of the incident.) (He claimed that it was a thing.)
- Deceptive Initial Infringement Notification. Relatedly, the FTC also alleges that the initial notification in July 2020, which contained inaccurate statements regarding the scope of consumer data that had been compromised, was deceptive under Section 5.
Additionally, the complaint raises two allegations familiar from FTC data security litigation.
- Unfair Information Security Practices. The FTC alleges that Blackbaud failed to take various reasonable steps to prevent unauthorized access to sensitive personal information (e.g., using insufficient encryption techniques and allowing weak passwords). , a long list of allegedly lax security practices, such as lack of multi-factor authentication, insufficient protection of sensitive information, inadequate threat monitoring, and failure to timely patch outdated software and systems).
- False Security Statements. The FTC alleges that Blackbaud’s website privacy policy was deceptive in stating that Blackbaud provided “adequate” safeguards to protect personal information collected through its website.
suggested order
Like the complaint, the proposed order includes a mix of standard provisions of FTC data security consent orders, as well as other, less common provisions. The former category includes provisions prohibiting Blackbaud from making any misrepresentations about its privacy and data security practices, and the establishment of a comprehensive data security program subject to independent biennial evaluation by a third party. and provisions requiring the FTC to provide data breach reports. As a result, Blackbaud may report the incident to authorities under federal, state, or local law. The order also includes several additional requirements, which, while not without precedent, the FTC has included only in a subset of its data security orders, depending on the alleged facts of the case.
- Required data deletion. Request that Blackbaud delete any customer backup files that contain consumer personal information that is not maintained in connection with the provision of products or services to Blackbaud’s customers.
- Data retention. Require Blackbaud to release customer backup files containing consumers’ personal information and adhere to retention schedules. (1) the purposes for which the personal information is retained; (2) Blackbaud’s specific business needs for retaining the personal information; and (3) the established period of time for deletion of the personal information ( (that is, there is no indefinite retention).
Take-out
- As three FTC commissioners emphasized in a joint statement on this case: This is the first time the FTC has asserted that retaining data for longer than necessary is itself an unfair practice under Section 5.-However, such data retention has previously been subject to several data security shortcomings that allegedly made practices unfair under Sec. Such). By asserting this as an “independent” claim, the FTC emphasizes the importance it places on data deletion from both privacy and data security perspectives.
- The case is also the first time the FTC has alleged misconduct by failing to accurately communicate the scope and severity of the violations., as the commissioner also pointed out in the statement. This highlights the FTC’s tendency to scrutinize messages that provide reassurance that data security incidents are limited in scope, even if they apply to most affected individuals. If a message pertains to some of the affected people and is later found to be inaccurate, the FTC may conclude that the statement was deceptive at the time it was made and reflects insufficient investigation. It may be considered that there is.
- Finally, the FTC claims that even though Blackbaud paid the ransom to the attackers, it could not “conclusively verify” that the leaked data was destroyed. Given the many ways data can be copied, transferred, hidden, and restored, how can remote data deletion be “conclusively verified”, let alone when involving criminal organizations operating in unknown locations? ” It is difficult to understand how it can be done. There are no confirmed reports that the data at issue in the Blackbaud incident was subsequently released or misused. What the complaint does not mention is that companies in Blackbaud’s situation should have provided consumers with stronger protections in their negotiations with the attackers.
[View source.]