CHARLESTON, S.C. (WCSC) – A South Carolina software company has agreed to a multimillion-dollar settlement for a 2020 ransomware event that exposed the personal information of millions of consumers in the United States.
South Carolina Attorney General Alan Wilson announced that Blackbaud would pay $49.5 million to states settling allegations that the company violated state consumer protection laws, breach notification laws and HIPAA by not implementing reasonable data security.
Blackbaud’s software connects nonprofit organizations with donors and manages data about their constituents. That data includes contact and demographic information, Social Security numbers, driver’s license numbers, financial information, employment and wealth information, donation history, and protected health information.
A 2020 data breach impacting 13,000 Blackbaud customers exposed the information of their consumers.
Wilson said Blackbaud will strengthen its data security and breach notifications moving forward, including:
- Prohibition against misrepresentations related to the processing, storing, and safeguarding of personal information; the likelihood that personal information affected by a security incident may be subject to further disclosure or misuse; and breach notification requirements under state law and HIPAA.
- Implementation and maintenance of incident and breach response plans to prepare for and more appropriately respond to future security incidents and breaches.
- Breach notification provisions that require Blackbaud to provide appropriate assistance to its customers and support customers’ compliance with applicable notification requirements in the event of a breach.
- Security incident reporting to the CEO and Board, enhanced employee training, and appropriate resources and support for cybersecurity.
- Personal information safeguards and controls requiring total database encryption and dark web monitoring.
- Specific security requirements with respect to network segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, and penetration testing.
- Third-party assessments of Blackbaud’s compliance with the settlement for 7 years.
South Carolina will receive $730,449 from the settlement.
Copyright 2023 WCSC. All rights reserved.