On February 1, 2024, the Federal Trade Commission (FTC) announced that it had reached a proposed settlement requiring Blackbaud Inc. (“Blackbaud”) to delete personal data it no longer needs to retain and to improve its data security practices. The settlement resolves the FTC’s complaint against Blackbaud stemming from a 2020 ransomware attack. Notably, the settlement does not include any fines, and Blackbaud “does not admit or deny any of the FTC’s allegations,” according to Blackbaud’s press release.[1]
By way of background, Blackbaud, a technology provider that offers data services and financial, fundraising, and management software to businesses, nonprofits, healthcare organizations, and others, experienced a ransomware attack in 2020. In that attack, a hacker used a customer’s credentials to access Blackbaud’s network. According to the FTC’s complaint, the hacker created new administrator accounts and stole the personal data of millions of consumers, including names, dates of birth, addresses, Social Security numbers, and bank account numbers, and went undetected for three months. The FTC alleged that Blackbaud failed to implement “appropriate safeguards to secure the vast amount of personal data it holds as part of the services it provides to its customers.” As a result of those failures, such as a failure to segment data or to delete data no longer needed, the hacker was able to infiltrate one Blackbaud customer’s database and move laterally through the Blackbaud-hosted environment.
Below, we detail the notable requirements of the parties’ proposed settlement (the “Order”).
Data deletion:
Under the terms of the Order, Blackbaud has 90 days to complete the following data governance tasks:
- Delete files containing covered information[2] that is not required for the provision of its services, unless the consumer requests otherwise.[3]
- Publish a data retention schedule on its website that sets out: (1) the purposes for which covered information is retained; (2) the specific business needs for retaining the covered information; and (3) a timeframe for deletion that precludes indefinite retention.[4]
- Submit to the FTC a written statement describing the retention schedule.[5]
Other data governance requirements:
In addition to the data deletion requirements, the Order requires, among other things, that Blackbaud implement an information security program, comply with established data retention limits, obtain assessments of its security program, and provide annual certifications to the FTC.
Information security program. In addition to data deletion, Blackbaud must, within 90 days, implement and maintain a written information security program. Among other things, the program must:
- Be provided, along with updates and assessments, to the responsible senior executive and the board of directors (or equivalent governing body) at least annually and within 30 days of any Covered Incident.[6]
- Designate a qualified employee to coordinate the program.
- Document internal and external risks to the security, confidentiality, and integrity of covered information at least annually.
- Design safeguards based on the volume and sensitivity of the covered information, and use controls such as multi-factor authentication, access controls, and encryption of sensitive information to address internal and external risks.
- Test the safeguards, including through vulnerability scans and penetration tests, at least annually and within 30 days of any Covered Incident.
- Select service providers that are capable of safeguarding covered information, and contractually require them to implement and maintain safeguards.[7]
Data retention limits. Blackbaud must refrain from retaining covered information that is not necessary for the purposes for which it is retained, and must not misrepresent: (1) the extent to which it uses, deletes, or discloses covered information; (2) the extent to which it protects the privacy, security, availability, confidentiality, or integrity of covered information; or (3) the extent of any Covered Incident or any unauthorized disclosure, misuse, loss, theft, alteration, destruction, or other compromise of covered information.[8]
Third-party assessments. The Order also requires Blackbaud to obtain biennial assessments of its information security program from a qualified third party, to certify compliance with the Order annually through its chief information security officer (CISO), and to report Covered Incidents to the FTC within 10 days of notifying federal, state, or local authorities.[9]
Annual certification. One year after the Order is issued, and annually thereafter, Blackbaud must submit to the FTC a certification from its CISO that: (1) Blackbaud has established, implemented, and maintained the requirements of the Order; (2) Blackbaud is not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the FTC; and (3) includes a brief description of all Covered Incidents during the certification period.[10]
Reporting Covered Incidents. Blackbaud must report Covered Incidents to the FTC within 10 days of notifying federal, state, or local authorities. The report must include specific details such as the date of the incident, a description of the facts, the information affected, the number of individuals affected, and the corrective actions taken.[11]
The terms of the Order expire 20 years after the date of issuance, absent any allegations of violation.
If you would like to learn more about this enforcement and how it may affect your organization, please contact a member of Akin’s Cybersecurity, Privacy and Data Protection team.
[1] Blackbaud press release, “Blackbaud has reached an agreement with the Federal Trade Commission in connection with 2020 security incidents,” https://www.blackbaud.com/newsroom/article/blackbaud-reaches-agreement-with- the-federal-trade-commission -2020 security incident related (February 2, 2024).
[2] The Order provides that “covered information” “means information from or about individual consumers that is stored by Defendants’ customers in Defendants’ product databases, including: (c) email addresses or instant messaging user IDs; (d) mobile phone number or other telephone number; (e) driver’s license or other government-issued identification number; (f) date of birth; or (g) bank account, credit card, or debit card information.”
[3] Decision and Order, In the Matter of Blackbaud, Inc., FTC No. 2023181 (February 1, 2024) (the “Order”).
[4] Id. at 7.
[5] Id.
[6] A “Covered Incident” is any incident that results in Defendant notifying a U.S. federal, state, or local government entity, pursuant to a requirement of any law or regulation, that information from or about an individual consumer was, or is reasonably believed to have been, accessed, acquired, or publicly exposed without authorization. Id. at 5.
[7] Id. at 7-10.
[8] Id. at 6.
[9] Id. at 11-14.
[10] Id. at 13.
[11] Id. at 14.