On February 1, the Federal Trade Commission (FTC or “the Commission”) announced that it had reached a settlement with Blackbaud, a software company, resolving claims related to a 2020 data breach that resulted in the compromise of millions of consumers’ personal information. The FTC alleged that Blackbaud failed to secure consumers’ personal information by, among other things, failing to implement adequate encryption and data retention policies. The Commission further alleged that Blackbaud exacerbated the impact of the subsequent data breach by delaying its breach notifications and misrepresenting the scope and extent of the breach to affected customers. The FTC’s proposed order requires that Blackbaud take numerous steps to bolster its information security practices, such as improving its data retention policies and implementing a formal information security program that includes such safeguards as multi-factor authentication, improved access controls, and mandatory encryption.
This FTC settlement is the latest in a series of regulatory enforcement actions taken against Blackbaud in the wake of the 2020 data breach. In October 2023, the company reached a settlement with the Attorneys General (AGs) of 49 states and the District of Columbia, in which it agreed to pay $49.5 million and make a number of changes to its data security and breach notification practices, including, for example, the implementation of incident and breach response plans and specified security controls (e.g., encryption, dark web monitoring, network segmentation, intrusion detection, firewalls, and penetration testing). In March 2023, meanwhile, Blackbaud settled with the Securities and Exchange Commission (SEC) over allegations that it (i) made materially misleading statements in its securities filings regarding the data breach, and (ii) failed to maintain adequate disclosure controls designed to ensure that information it was required to disclose about the breach in its securities filings was accurately and timely disclosed. (You can find our summary of this enforcement action here). As part of that settlement, Blackbaud agreed to pay the SEC $3 million in penalties.
The FTC’s enforcement action against Blackbaud is notable for several reasons. First, it highlights several considerations that companies should bear in mind as they develop their cybersecurity and privacy compliance programs, including the FTC’s view of the need to develop clear data retention policies, implement appropriate security safeguards such as encryption, and ensure prompt and accurate data breach notifications. This FTC enforcement action (as well as those of the state AGs and the SEC) is also notable because of the services that Blackbaud provides — specifically, the company is often used by nonprofit organizations for its financial management and fundraising services. These enforcement actions thus indicate that companies are not exempt from privacy and cybersecurity regulatory frameworks simply because they provide services for nonprofits. Nonprofits themselves (while not subject to FTC jurisdiction) increasingly have to focus on their own compliance obligations under some state privacy laws (such as those in Colorado and Oregon).
In this post, we summarize key elements of the FTC’s complaint against Blackbaud, identify notable provisions in the accompanying proposed order, and discuss key takeaways for companies to apply in the context of their own cybersecurity and privacy compliance programs. To stay up-to-date on the latest developments in FTC cybersecurity and privacy enforcement, please subscribe to the WilmerHale Privacy and Cybersecurity Law Blog.
The Complaint
Background
Blackbaud is a South Carolina-based company that “provides a variety of data services and financial, fundraising, and administrative software services” to entities including “companies, nonprofits, foundations, educational institutions, healthcare organizations, and individual consumers.” In the course of providing services to these customers, Blackbaud maintains the personal information of millions of consumers.
The FTC’s complaint centers on a data breach that impacted Blackbaud beginning in February 2020. The breach began on February 7, 2020, when “an attacker gained access to Blackbaud’s self-hosted legacy product databases.” The attacker proceeded to steal data from tens of thousands of Blackbaud customers, which in turn resulted in the compromise of millions of consumers’ personal information. Blackbaud did not discover the breach until May 20, 2020, more than three months after the attacker initially gained access. The company’s subsequent investigation found that the attacker had stolen unencrypted files containing a vast array of consumer personal information including:
consumers’ full names, age, date of birth, social security numbers, home addresses, phone numbers, email addresses, financial information (including bank account information, estimated wealth, and identified assets), medical information (including patient and medical record identifiers, treating physician names, health insurance information, medical visit dates, and reasons for seeking medical treatment), gender, religious beliefs, marital status, spouse names, spouses’ donation history, employment information (including salary), educational information, and account credentials
Blackbaud ultimately agreed to pay a ransom to the attacker in order to prevent the attacker from exposing the stolen data. However, the FTC’s complaint asserts that “Blackbaud has not been able to conclusively verify that the attacker deleted the stolen data.”
Key Claims
The FTC complaint alleges that Blackbaud’s actions in relation to this breach included several unfair or deceptive acts or practices in violation of Section 5 of the FTC Act, as outlined below.
1. Unfair Information Security Practices. The complaint alleges that Blackbaud engaged in unfair information security practices by “fail[ing] to take reasonable steps to prevent unauthorized access to sensitive consumer data.” Most notably, the Commission asserts that Blackbaud allowed its customers to store consumer personal information — including highly sensitive data such as social security numbers and bank account information — in an unencrypted form. The complaint identifies a number of additional security practices that Blackbaud allegedly failed to implement, such as password controls, multifactor authentication, network segmentation, and monitoring of data transfers.
2. Unfair Data Retention Practices. The complaint criticizes Blackbaud’s alleged failure to implement the company’s data retention policies, which the Commission asserts resulted in Blackbaud “keeping customer’s consumer data for years longer than was necessary” and even retaining data pertaining to former or potential customers.
3. Unfair and Deceptive Breach Notifications. The complaint argues that the breach notifications that Blackbaud delivered to its customers were both delayed and misleading. The complaint notes Blackbaud did not deliver any sort of breach notification until July 16, 2020 — about two months after it first detected the breach. And in that notification, Blackbaud allegedly told its customers that “no personal information about your constituents was accessed.” The complaint goes on to allege that Blackbaud knew by July 31, 2020 that the breach had resulted in the exfiltration of bank account and social security numbers, but did not disclose that fact to its customers until October 2020.
4. Deceptive Security Statements. Finally, the complaint asserts that Blackbaud deceived consumers by asserting in a pre-data breach privacy policy that, among other things, it “maintain[ed] appropriate physical, electronic and procedural safeguards to protect your personal information.”
The Proposed Order
The proposed order imposes several notable requirements on Blackbaud, including:
1. Data Deletion and Retention. The order imposes two key requirements on Blackbaud related to its deletion and retention of consumer personal information. First, Blackbaud will be required to, within 90 days of the order taking effect, delete all covered information that “is not being retained in connection with providing products or services to [Blackbaud’s] customers unless otherwise requested by [those] customers.” Second, Blackbaud must develop, implement, and make publicly available a data retention policy related to its customer backup files containing personal information that describes the purposes and business needs for Blackbaud’s maintenance and retention of said information, as well as a concrete timeframe (i.e., not an indefinite timeframe) for its retention of such information.
2. Information Security Program. Blackbaud will be required to implement a formal information security program (subject to evaluation by a third-party assessor) that implements a number of specified security safeguards, including, for example: employee training, password controls, multifactor authentication, enhanced access controls, monitoring and logging for data transfers and data security events, protections against unauthorized access (e.g., intrusion detection and prevention, firewalls, segmentation), testing and monitoring of safeguard effectiveness (e.g., through vulnerability scanning and penetration testing), and encryption.
3. Incident Reporting. Blackbaud will be required to provide the FTC with an incident report within 10 days of providing a data breach notification to any federal, state, or local government entity.
Key Takeaways
1. Data Retention Policies. This enforcement action highlights the need for companies to develop and implement appropriate policies related to their retention and deletion of consumer personal information. In particular, the proposed order suggests that such policies should clearly articulate the purposes and business needs underlying a company’s collection and retention of personal information and lay out concrete timelines for the deletion of such information. In other words, retention policies featuring opaque, indefinite deletion timelines may not pass muster in the FTC’s eyes.
2. Appropriate Security Safeguards. As with many of its past cybersecurity and data privacy enforcement actions, the Blackbaud complaint and proposed order help to elucidate what types of security practices a company should implement in order to be viewed by the FTC as providing reasonable security safeguards for consumer personal information. In particular, this enforcement action highlights the importance of encrypting consumer personal information. Ideally, companies should seek to encrypt as much consumer personal information as possible. However, the FTC order makes clear that, at minimum, such encryption should be applied to particularly sensitive personal information, such as social security numbers, bank account information, and medical information.
3. Timely and Accurate Data Breach Notifications. Finally, this enforcement action — in line with other recent FTC enforcement activity — highlights the need for companies to deliver prompt and accurate data breach notifications to affected consumers. In the complaint, the FTC critiqued Blackbaud on both fronts, alleging that the company unnecessarily delayed both its July 2020 and October 2020 data breach notifications to its customers and misrepresented the nature of the breach in the former. Thus, as we have previously written, companies seeking to minimize enforcement risk should move quickly in the wake of a data breach to determine the scope of the incident and enable prompt and accurate notification of affected individuals.