Oregon will receive $655,791

Attorney General Ellen Rosenblum announced today that Oregon, along with all 50 states and the District of Columbia, has reached a settlement with software company Blackbaud for its deficient data security practices and, particularly, its response to a 2020 ransomware event that exposed the personal information of millions of consumers across the United States.

“Blackbaud’s misconduct was nothing short of egregious. They showed real disregard for the impact their data breach had on the lives of millions of consumers and non-profits and failed to live up to well-established legal and ethical standards,” said AG Rosenblum. “While the money is significant,  this is a case that demonstrates the importance of compliance with meaningful data security and breach notification practices going forward.”

Blackbaud downplayed the incident and led its customers to believe that notification was not required. As a result of Blackbaud’s actions, notification to the consumers whose personal information was exposed was significantly delayed or never occurred at all.

Under the settlement, Blackbaud has agreed to overhaul its data security and breach notification practices and make a $49.5 million payment to the states. Oregon, which is home to 174 organizations that were impacted by the breach, will receive $655,791.00 from the settlement. Those funds will go toward supporting the state’s investigative, consumer protection and consumer education efforts at the Oregon Department of Justice.

Today’s settlement resolves allegations of the attorneys general that Blackbaud violated state consumer protection laws, breach notification laws, and HIPAA by failing to implement reasonable data security and remediate known security gaps, and then failing to provide its customers with timely, complete, or accurate information regarding the breach, as required by law.  Under the settlement, Blackbaud has agreed to strengthen its data security and breach notification practices going forward, including:

1. Prohibition against misrepresentations related to the processing, storing, and safeguarding of personal information; the likelihood that personal information affected by a security incident may be subject to further disclosure or misuse; and breach notification requirements under state law and HIPAA.
2. Implementation and maintenance of incident and breach response plans to prepare for and more appropriately respond to future security incidents and breaches.
3. Breach notification provisions that require Blackbaud to provide appropriate assistance to its customers and support customers’ compliance with applicable notification requirements in the event of a breach.
4. Security incident reporting to the CEO and Board, enhanced employee training, and appropriate resources and support for cybersecurity.
5. Personal information safeguards and controls requiring total database encryption and dark web monitoring.
6. Specific security requirements with respect to network segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, and penetration testing.
7. Third-party assessments of Blackbaud’s compliance with the settlement for 7 years.

Blackbaud provides software to various nonprofit organizations, including charities, higher education institutions, K-12 schools, healthcare organizations, religious organizations, and cultural organizations. Blackbaud’s customers use Blackbaud’s software to connect with donors and manage data about their constituents, including contact and demographic information, Social Security numbers, driver’s license numbers, financial information, employment and wealth information, donation history, and protected health information. This type of highly sensitive information was exposed during the 2020 data breach, which impacted over 13,000 Blackbaud customers and their respective consumer constituents.

The Oregon investigative and litigation team included lawyers and staff from the Consumer Protection Section of the Oregon Department of Justice.