Blackbaud has now settled with all 50 states and the District of Columbia regarding the May 2020 data breach which has cost the firm millions in legal costs and fines. Blackbaud settled with the State of California for $6.75 million, which is still subject to court approval.

That brings the total to $56.25 million to settle with the states and another $3 million to settle with the Securities and Exchange Commission. The new deal must be approved by the Superior Court of the State of California of San Diego County.

California was the last holdout. The others states and the District of Columbia settled in October 2023.

Blackbaud released a statement. “Blackbaud has reached a settlement with the Attorney General of California, fully resolving the last remaining U.S. state attorney general investigation into the company’s 2020 security incident. The terms of the settlement with California are generally consistent with those to which Blackbaud agreed in settling with the other 49 state Attorneys General and the District of Columbia on October 5, 2023, as previously disclosed.”

According to a statement released by California Attorney General Rob Bonta, “Blackbaud’s failure to implement reasonable data security led to a data breach in 2020. Blackbaud then made misleading statements about the sufficiency of its data security efforts prior to the breach and about the extent of the breach to its nonprofit customers and the public.”

The statement continued: “Not only did Blackbaud fail to protect consumers’ personal information, but they misled the public of the full impact of the data breach. This is simply unacceptable. Today’s settlement will ensure that Blackbaud prioritizes safeguarding consumers’ personal information and enhances security measures to prevent future incidents.”

The injunctive terms require Blackbaud to comply with data security improvements to prevent future breaches including:

• Implementing a process for establishing that database backup files containing personal information will be stored to the minimum extent necessary, then ensuring the secure disposal of database backup files;
• Implementing password confidentiality and password-rotation or authentication protocol (e.g., multi-factor authentication) policies; and,
• Tightening policies and procedures of security infrastructure including network segmentation requirements and monitoring and alerting for suspicious activities.

A copy of the complaint and judgment can be found here and here.

Blackbaud recently won relief at a federal level. A plaintiff’s motion for class certification in the data breach case was last month rejected by a judge of the U.S. District Court for the District of South Carolina Columbia Division.

Judge Joseph F. Anderson Jr. indicated that a method proposed by the plaintiffs’ expert had not shown how class members would be determined. By some counts, the class size could have reached 1.5 million members, reflecting the number of records compromised.

The denial is one of the latest actions stemming from a data breach at the Charleston, South Carolina-based software and data services firm. Blackbaud was hacked in February 2020 and information on around 1.5 billion individuals from roughly 13,000 Blackbaud customers was compromised. The breach was not discovered by the company until May 14 of that year, and users were not notified until July 16. (https://thenonprofittimes.com/npt_articles/breaking-blackbaud-hacked-ransom-paid/).

Blackbaud ultimately paid a ransom in bitcoin in return for the hackers’ assurance that the data would be destroyed. Company officials have not disclosed the value of the ransom. Blackbaud officials said they had received confirmation that the data had been destroyed.

The post Blackbaud Settles With California For $6.75 Million appeared first on The NonProfit Times.

Source From Non Profit Times