On February 1, the Federal Trade Commission (FTC or the “Commission”) announced that it had reached a proposed settlement with the software company Blackbaud to resolve claims related to a 2020 data breach that compromised millions of consumers’ personal information. The FTC alleged that Blackbaud failed to protect consumers’ personal information, including by failing to implement adequate encryption and data retention policies. The Commission further alleged that Blackbaud exacerbated the impact of the breach by delaying breach notification and misrepresenting the nature and scope of the breach to affected customers. The FTC’s proposed order would require Blackbaud to strengthen its information security practices, including by improving its data retention policies and implementing a formal information security program with safeguards such as multi-factor authentication, improved access controls, and mandatory encryption.
The FTC settlement is the latest in a series of regulatory enforcement actions taken against Blackbaud following the 2020 data breach. In October 2023, the company reached a settlement with 49 state attorneys general (AGs) and the District of Columbia, agreeing to pay $49.5 million and to make a number of changes to its data security and breach notification practices, including adopting incident and breach response plans and implementing specific security controls (encryption, dark web monitoring, network segmentation, intrusion detection, firewalls, penetration testing, etc.). Meanwhile, in March 2023, Blackbaud settled SEC claims that it (i) made materially misleading statements in its securities filings regarding the data breach; and (ii) failed to ensure that information required to be disclosed regarding the breach was disclosed accurately and in a timely manner. (A summary of this enforcement action can be found here.) As part of that settlement, Blackbaud agreed to pay a $3 million penalty to the SEC.
The FTC’s enforcement action against Blackbaud is noteworthy for several reasons. First, it highlights several considerations that companies should keep in mind as they develop cybersecurity and privacy compliance programs. These include the FTC’s views on the need to develop clear data retention policies, implement appropriate security safeguards such as encryption, and provide prompt and accurate breach notification. This FTC enforcement action (as well as the state AG and SEC enforcement actions) is also notable because of the services Blackbaud provides. Specifically, the company’s financial management and fundraising services are widely used by nonprofit organizations. These enforcement actions therefore demonstrate that companies are not exempt from privacy and cybersecurity regulatory frameworks simply because they provide services for non-commercial use. Nonprofits themselves (although not under the jurisdiction of the FTC) must increasingly focus on their compliance obligations under some state privacy laws (such as those of Colorado and Oregon).
This post summarizes the key elements of the FTC’s complaint against Blackbaud, identifies notable provisions of the accompanying proposed order, and provides key takeaways that companies should apply in the context of their cybersecurity and privacy compliance programs. To stay up to date on the FTC’s cybersecurity and privacy enforcement, subscribe to WilmerHale’s Privacy and Cybersecurity Law Blog.
Complaint
Background
Blackbaud is a South Carolina-based company that provides “a wide range of data services, financial, fundraising, and management software services to organizations such as businesses, nonprofit organizations, foundations, educational institutions, healthcare organizations, and individual consumers.” In the course of serving these customers, Blackbaud stores the personal information of millions of consumers.
The FTC’s complaint focuses on a data breach that affected Blackbaud beginning in February 2020. The breach began on February 7, 2020, when “an attacker accessed Blackbaud’s self-hosted legacy product database.” The attacker went on to steal data belonging to tens of thousands of Blackbaud’s customers, compromising the personal information of millions of consumers. Blackbaud discovered the breach on May 20, 2020, more than three months after the attacker first gained access. The company’s subsequent investigation revealed that the attacker stole unencrypted files containing vast amounts of consumer personal information, including:
Consumers’ names, ages, dates of birth, Social Security numbers, home addresses, telephone numbers, email addresses, financial information (including bank account information, estimated wealth, and identified assets), medical information (including patient and medical records, name of treating physician, health insurance information, date of visit, and reason for visit), gender, religious beliefs, marital status, spouse’s name, spouse’s donation history, employment information (including salary), educational background information, and account information.
Blackbaud ultimately agreed to pay a ransom to the attackers to prevent them from publishing the stolen data. However, the FTC’s complaint alleges that “Blackbaud has not been able to conclusively confirm that the attackers deleted the stolen data.”
Main Claims
The FTC’s complaint alleges that Blackbaud’s conduct in connection with this breach included several unfair or deceptive acts or practices in violation of Section 5 of the FTC Act, as outlined below.
1. Unfair Information Security Practices. The complaint alleges that Blackbaud engaged in unfair information security practices by “fail[ing] to take reasonable steps to prevent unauthorized access to sensitive consumer data.” Most notably, the Commission alleges that Blackbaud allowed its customers to store consumers’ personal information, including sensitive data such as Social Security numbers and bank account information, in unencrypted form. The complaint identifies a number of additional security practices that Blackbaud allegedly failed to implement, including password controls, multi-factor authentication, network segmentation, and monitoring of data transfers.
2. Unfair Data Retention Practices. The complaint criticizes Blackbaud’s alleged failure to enforce its data retention policies, which resulted in Blackbaud “retaining customers’ consumer data for years longer than necessary.” The Commission alleges that Blackbaud even retained data relating to former customers and prospective customers.
3. Unfair and Deceptive Breach Notifications. The complaint alleges that the breach notices Blackbaud delivered to customers were both delayed and misleading. The complaint notes that Blackbaud did not deliver any breach notices until July 16, 2020, approximately two months after it first detected the breach. In that notice, Blackbaud allegedly told customers that “no personal information about voters was accessed.” The complaint further alleges that Blackbaud knew by July 31, 2020 that bank account information and Social Security numbers had been compromised in the breach, but did not disclose that fact to customers until October 2020.
4. Deceptive Security Statements. Finally, the complaint alleges that Blackbaud’s pre-breach privacy policy was deceptive because it represented, among other things, that Blackbaud “[ed] appropriate physical, electronic, and procedural safeguards to protect your personal information.”
Proposed Order
The proposed order imposes several notable requirements on Blackbaud, including:
1. Data Deletion and Retention. The order imposes two important requirements on Blackbaud related to the deletion and retention of consumers’ personal information. First, within 90 days of the order’s effective date, Blackbaud must delete all covered information “not maintained in connection with the provision of products or services” to [Blackbaud’s] customers, unless otherwise requested by those customers. Second, Blackbaud must develop, implement, and publish a data retention policy covering customer backup files that contain personal information. The policy must describe the purposes and business needs for which Blackbaud maintains and retains such information and must specify a retention period (i.e., such information may not be retained indefinitely).
2. Information Security Program. Blackbaud must implement and maintain a formal information security program, subject to evaluation by a third-party assessor, that includes a number of designated security safeguards: employee training, password controls, multi-factor authentication, enhanced access controls, monitoring and logging of data transfers and data security events, protection against unauthorized access (e.g., intrusion detection and prevention, firewalls, and segmentation), testing and monitoring of the effectiveness of safeguards (e.g., vulnerability scanning and penetration testing), and encryption.
3. Reporting Incidents. Blackbaud is required to file an incident report with the FTC within 10 days of filing a data breach notification with a federal, state, or local government.
Key Takeaways
1. Data Retention Policy. This enforcement action highlights the need for companies to develop and implement appropriate policies governing the retention and deletion of consumers’ personal information. In particular, the proposed order suggests that such policies must set out the purposes and business needs underlying a company’s collection and retention of personal information and must provide a specific schedule for deleting that information. In other words, retention policies with opaque or indefinite deletion schedules may not pass muster in the eyes of the FTC.
2. Appropriate Security Safeguards. As with many of the FTC’s past cybersecurity and data privacy enforcement actions, the Blackbaud complaint and proposed order help clarify what types of security practices the FTC expects companies to implement in order to provide reasonable security for consumers’ personal information. In particular, this enforcement action emphasizes the importance of encrypting consumers’ personal information. Ideally, companies should strive to encrypt as much of their consumers’ personal information as possible. However, the FTC order makes clear that, at a minimum, such encryption should be applied to particularly sensitive personal information, such as Social Security numbers, bank account information, and medical information.
3. Timely and Accurate Data Breach Notification. Finally, this enforcement action, like other recent FTC enforcement actions, emphasizes the need for companies to deliver prompt and accurate data breach notifications to affected parties. In its complaint, the FTC criticizes Blackbaud on both counts, alleging that the company unnecessarily delayed its breach notifications to customers in both July 2020 and October 2020, and that it misrepresented the nature of the breach in the former. Therefore, as we have written previously, companies that want to minimize enforcement risk should be prepared to act quickly after a data breach to determine the scope of the incident and to notify affected individuals promptly and accurately.