June 21, 2024

California AG announces $6.75 million settlement with Blackbaud to resolve 2020 data breach

On June 13, 2024, the California Attorney General’s Office announced a $6.75 million settlement with Blackbaud, Inc. – a South Carolina-based provider of data management software and services to nonprofits – to resolve allegations that the company misled the public regarding the full impact of a 2020 data breach and made misleading statements about its data security practices prior to the breach, in violation of California’s Reasonable Data Security Law, Unfair Competition Law, and False Advertising Law (related to data security).

Per the complaint, Blackbaud initially announced that no personal information had been affected by the 2020 breach; upon discovering that the hacker had accessed sensitive personal information (including Social Security Numbers and bank account information), it failed to provide impacted individuals with accurate, updated information in a timely manner. Moreover, an investigation by the CA Department of Justice found that, prior to the breach, Blackbaud failed to implement basic administrative and technical security procedures that would have protected against known vulnerabilities.

In addition to the financial penalty, the injunctive terms require Blackbaud to maintain robust data security measures to prevent future breaches.

California AG Press Release | Complaint | Judgment