Chicago

Software Company Blackbaud to Pay $49.5M in Landmark Data Breach Settlement, Spearheaded by IL Attorney General

AI Assisted Icon
Published on October 06, 2023
Software Company Blackbaud to Pay $49.5M in Landmark Data Breach Settlement, Spearheaded by IL Attorney GeneralSource: Google Street Viewc

Illinois Attorney General Kwame Raoul announced a landmark settlement with software company Blackbaud, which will pay $49.5 million as part of a multistate agreement with 49 other attorneys general. This settlement responds to a 2020 data breach that exposed personal consumer information and is an allegation that Blackbaud violated state consumer protection laws, breach notification laws, and the Health Insurance Portability and Accountability Act (HIPAA)m according to the Office of The Attorney General.

To handle contact and demographic details, Social Security numbers, driver's license numbers, financial information, employment and wealth information, donation history, and protected health information, Blackbaud's customers rely on it. In the 2020 data breach, this sensitive data of over 13,000 Blackbaud customers and their respective consumer constituents got exposed [source].

Regarding the settlement, Attorney General Raoul stated, "Thousands of Illinoisans were affected by Blackbaud’s data breach. Our investigations led to reforms in data handling, protecting consumers from future exposure and ensuring that consumers are properly informed and assisted if there is a future breach", as detailed in the press release.

As part of the settlement, Blackbaud will revamp its data security practices, improve its breach notification process, and will pay the agreed sum of $49.5 million. Illinois, in specific will receive $2.28 million.

  • Personal information safeguards and controls will be implemented, including total database encryption and dark web monitoring.
  • There will be specific security requirements like network segmentation, patch management, intrusion detection, firewalls, access controls, logging, and monitoring, as well as penetration testing.
  • Development of breach response plans will prepare and handle future security incidents and breaches, such as adherence to state law and HIPAA notification requirements.
  • To grasp their respective notification obligations in an unfortunate case of a breach, provisions for breach notifications will aid Blackbaud to provide prompt assistance to its customers.
  • Security incidents are to be reported to the CEO and board, enhance employee training, and allocate appropriate resources and support for cybersecurity.
  • To comply with the settlement, the company will undergo third-party assessments for a period of seven years.

This settlement highlights how critical stringent data security measures and swift notification practices are when potential breaches occur, and it serves as a precedent in holding software companies accountable for their data security practices.

As we progress in a digital era, the storing, sharing, and utilization of confidential information across networks and platforms continues. This amplifies the need to safeguard this information from unauthorized access and potential misuse. The Blackbaud case serves as a reminder of the necessity of more stringent data security practices, considering the frequency of data breaches.

Raoul and his colleagues' efforts throughout the nation led to impactful reforms in data handling and the protection of American consumers. This settlement ensures that organizations in breach of privacy and data security protocols, like Blackbaud, are held accountable and that precautionary measures are implemented to prevent future occurrences.