Attorney General Rob Bonta | Official website
California Attorney General Rob Bonta announced a settlement with Blackbaud, a South Carolina-based software company, over violations of consumer protection and privacy laws related to its data security practices. Blackbaud provides data management software to nonprofit organizations, storing information such as names, Social Security numbers, bank account details, and medical information.
In 2020, Blackbaud experienced a data breach due to inadequate security measures. The company subsequently made misleading statements about the adequacy of its data security efforts and the extent of the breach. These actions violated California's Reasonable Data Security Law, Unfair Competition Law, and False Advertising Law. Under the terms of the settlement, which requires court approval, Blackbaud will pay $6.75 million in penalties and must improve its data security and breach notification practices.
"Not only did Blackbaud fail to protect consumers’ personal information, but they misled the public about the full impact of the data breach. This is simply unacceptable," said Attorney General Bonta. "Today’s settlement will ensure that Blackbaud prioritizes safeguarding consumers’ personal information and enhances security measures to prevent future incidents."
In July 2020, Blackbaud disclosed that a hacker had breached its network in May 2020 but claimed no personal data was accessed. Later, it was revealed that sensitive information including Social Security and bank account numbers had been compromised. Despite this discovery, timely and accurate information was not provided to those affected by the breach.
The California Department of Justice's investigation found that Blackbaud failed to implement basic security procedures such as multi-factor authentication for passwords and did not properly monitor suspicious activities on systems containing personal information. Additionally, the company did not keep up with evolving security standards and made deceptive claims about its pre-breach security practices.
The injunctive terms require Blackbaud to comply with stringent data security improvements including:
- Ensuring database backup files containing personal information are stored minimally and securely disposed of.
- Implementing password confidentiality and rotation, or authentication protocols such as multi-factor authentication.
- Enhancing policies and procedures for security infrastructure including network segmentation requirements and monitoring for suspicious activities.
A copy of the complaint and judgment can be found here [link] and here [link].