Attorney General Mayes Announces $49.5 Million Settlement with Software Company Blackbaud for Data Breach

PHOENIX – Attorney General Kris Mayes today announced that the Arizona Attorney General’s Office, along with 49 other state attorneys general, has reached a settlement with software company Blackbaud for its deficient data security practices and for its response to a 2020 ransomware event that exposed the personal information of millions of consumers across the United States.
“In today’s digital world, companies must stringently safeguard data to ensure consumer privacy,” said Attorney General Mayes. “Bad actors will stop at nothing to exploit vulnerabilities, and it is incumbent upon companies like Blackbaud to be proactive, transparent, and accountable in their cybersecurity measures. The significant settlement we’ve reached not only holds Blackbaud accountable for past deficiencies but also ensures that consumers are better protected moving forward.”
Under the settlement, Blackbaud has agreed to overhaul its data security and data breach notification practices and make a $49.5 million payment to states. Arizona will receive more than $1.8 million from the settlement.
Today’s settlement resolves allegations of the attorneys general that Blackbaud violated state consumer protection laws, data breach notification laws, and HIPAA by failing to implement reasonable data security and remediate known security gaps, which allowed unauthorized persons to gain access to Blackbaud’s network, and then failing to provide its customers with timely, complete, or accurate information regarding the breach, as required by law.
As a result of Blackbaud’s actions, notification to the consumers whose personal information was exposed was significantly delayed or never occurred at all insofar as Blackbaud downplayed the incident and led its customers to believe that notification was not required.
Blackbaud has agreed to strengthen its data security and breach notification practices going forward, including:
• Prohibition against misrepresentations related to the processing, storing, and safeguarding of personal information; the likelihood that personal information affected by a security incident may be subject to further disclosure or misuse; and breach notification requirements under state law and HIPAA.
• Implementation and maintenance of incident and breach response plans to prepare for and more appropriately respond to future security incidents and breaches.
• Breach notification provisions that require Blackbaud to provide appropriate assistance to its customers and support customers’ compliance with applicable notification requirements in the event of a breach.
• Security incident reporting to the CEO and Board, enhanced employee training, and appropriate resources and support for cybersecurity.
• Personal information safeguards and controls requiring total database encryption and dark web monitoring.
• Specific security requirements with respect to network segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, and penetration testing.
• Third-party assessments of Blackbaud’s compliance with the settlement for 7 years.
Indiana and Vermont co-led the multistate investigation, assisted by Alabama, Arizona, Florida, Illinois, and New York, and joined by Alaska, Arkansas, Colorado, Connecticut, Delaware, District of Columbia, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, Washington, West Virginia, Wisconsin, and Wyoming.