February 6, 2024

FTC settles with Blackbaud to resolve data protection deficiencies

On February 1, 2024, the US Federal Trade Commission announced that it reached a settlement with Blackbaud Inc., a South Carolina-based computer software services company, to resolve allegations that it failed to implement reasonable and appropriate safeguards to protect the personal data of customers from unfair or deceptive practices, in violation of Section 5 of the Federal Trade Commission Act, 15 USC §§ 45(a) and 45(n).  According to the FTC, Blackbaud’s lax security practices led to a data breach in February 2020 that enabled a threat actor to access the personal data of millions of consumers, including Social Security and bank account numbers.  The FTC also reported that the company waited nearly two months to notify customers about the breach and then misrepresented the scope and severity of the breach.

According to the FTC’s complaint, the  threat actor remained undetected for more than three months, until May 2020, before Blackbaud discovered that a customer’s login and password had been used to gain unauthorized access to its network.  Blackbaud reportedly paid the threat actor, who had threatened to expose the stolen data, a ransom of 24 Bitcoin (valued at approximately $250,000) in exchange for a promise to delete the stolen data – information that company was never able to actually verify.  The FTC also alleged in the complaint that Blackbaud’s deficient encryption practices and failure to implement appropriate data retention policies led to the breach and “exacerbated the severity of the data breach.”

In a 3-0 vote, the Commission decided to issue the complaint and accept Blackbaud’s proposed settlement.  The settlement requires the company to delete data that is not necessary to provide products or services to its customers and prohibits the company from misrepresenting its data security and retention policies.  Blackbaud is also required to develop a comprehensive information security program that will address the issues identified in the FTC’s complaint.  In addition, Blackbaud must establish a data retention schedule that details why it maintains personal data and when personal data must be deleted.  Blackbaud’s compliance with the settlement agreement will also be monitored and verified by a third party assessor who, among other things, must obtain initial and biennial assessments of the company’s information security program for a period of 20 years.  The company is also required to provide the FTC with annual certifications, covered incident reports, and compliance reports as specified in the settlement.

FTC Press Release | FTC Complaint | Decision and Order | Joint Statement