Missouri Attorney General Andrew Bailey announced that his office, along with 49 other states, has reached a settlement with software company Blackbaud for its deficient data security in response to a 2020 ransomware event that exposed the personal information of millions of consumers across the United States. Under the settlement, Blackbaud has agreed to overhaul its data security and breach notification practices and make a $49.5 million payment to states. Missouri will receive over $800,000 from the settlement.
“I will always fight to protect Missourians’ right to keep their most personal information private, and to make sure companies operating in Missouri follow our privacy and disclosure laws,” said Attorney General Bailey. “I’m proud of the work my office did in this case. The Attorney General’s Office will never stop working to protect Missouri consumers.”
Blackbaud provides software to various nonprofit organizations, including charities, schools, churches, and healthcare organizations. Blackbaud’s customers use its software to connect with donors and manage data about their constituents, including demographic information. Social Security numbers, driver’s license numbers, financial information, donation history, and protected health information were also given to the company.
This type of highly sensitive information was exposed during the 2020 data breach, which impacted over 13,000 Blackbaud customers and their respective consumer constituents.
The settlement resolves allegations that Blackbaud violated state consumer protection laws, breach notification laws, and HIPAA by failing to implement reasonable data security, which allowed hackers to gain access to the network.
Blackbaud also failed to provide its customers with timely, complete, or accurate information regarding the breach, which is required by law.
As a result of Blackbaud's actions, proper notification to consumers whose personal information was exposed was significantly delayed or never occurred at all. Blackbaud downplayed the incident and led its customers to believe that notification was not required.
Under the settlement, Blackbaud has agreed to strengthen its data security and breach notification practices going forward, including implementing enhanced training, notification and security processes.