
Attorney General Andrea Joy Campbell of Massachusetts formally announced yesterday that a settlement has been reached with software firm Blackbaud over allegations of inadequate data security measures and a delayed response to a ransomware attack in 2020. According to the Office of the Attorney General, the incident exposed confidential user information nationwide. Under the settlement, Blackbaud agrees to revamp its data security and breach notification procedures and to make a monetary payment of $49.5 million covering the affected states. Of this, Massachusetts will receive roughly $900,000.
In reference to the case, AG Campbell conveyed, "Guarding sensitive consumer information is of utmost importance in the face of growing cyber threats. I am honoured that our office was able to secure this settlement to benefit public interest and continue to defend consumers across the Commonwealth."
As a leading software services provider for diverse nonprofit organizations such as charities, hospitals, and religious and cultural foundations, Blackbaud manages sensitive user information including financial data, donation history and private health records. According to the Office of the Attorney General, the 2020 data breach affected more than 13,000 Blackbaud customers.
The finalized agreement addresses allegations by Attorney General Campbell that Blackbaud violated the Massachusetts Data Breach Notification Law by not supplying adequate, immediate and accurate information about the breach as required by law. According to the Office of the Attorney General report, Blackbaud's handling of the situation significantly delayed notification to customers, and some never received alerts, primarily because the company minimized the event and asserted that notification was not required.
The settlement also addressed claims that Blackbaud had breached the Massachusetts Data Security Regulations. The company had allegedly failed to enforce standard data security measures and fix known vulnerabilities, thereby allowing unauthorized individuals to gain network access.
Alongside the monetary payment, Blackbaud has committed to enhance its breach notification procedures, offer adequate support to its clients, ensure compliance with notification requirements, and implement more robust data security procedures. These measures include regular incident reports to its CEO and board, enhanced employee training, database encryption, dark web monitoring, and technical security controls such as segmentation, patching, firewalls, and periodic testing. To ensure compliance with the agreement, Blackbaud has also consented to third-party audits for a period of seven years, according to the Office of the Attorney General.
In addition to Massachusetts, multiple other states have joined this settlement, including Alabama, Alaska, Arkansas, Arizona, Colorado, Connecticut, Delaware, District of Columbia, and Florida.
The Attorney General's office urges victims of data breaches to take preventive action to protect themselves from identity theft and to access further details on safeguarding personal data. Businesses can find breach-related matrices on the AG's official portal, as stated in the Office of the Attorney General report.









