New Jersey: AG publishes $49.5M settlement with Blackbaud over data breach

On October 5, 2023, the New Jersey Attorney General (AG), together with 49 other state AGs, published an Assurance of Voluntary Compliance setting out a $49.5 million settlement with Blackbaud, Inc., for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the New Jersey Personal Information Protection law, Data Breach Notification Law, and Consumer Protection Law, following a data breach.

Background to the settlement

In particular, the AG noted that the data breach came to light after Blackbaud discovered, in May 2020, a ransomware attack that had resulted in unauthorized access to and exfiltration of sensitive donor information; Blackbaud publicly disclosed the incident in July 2020. The AG stated that the data breach affected over 1 million files relating to over 13,000 Blackbaud customers.

Findings of the AG

After the AG's investigation, and following the notification from Blackbaud, the AG determined that Blackbaud failed to implement reasonable data security and to remediate known security gaps, allowing unauthorized persons to gain access to Blackbaud's network, and then failed to provide customers with timely or accurate information regarding the breach. Notably, notification to Blackbaud customers whose personal information was exposed was significantly delayed or never provided at all.

Outcomes

As a result of Blackbaud's failings, and in addition to the settlement of $49.5 million, the AG stated that Blackbaud is required to strengthen its future data security and breach notification procedures. Specifically, this includes:

  • a prohibition against misrepresentations related to the processing, storing, and safeguarding of personal information, the likelihood that personal information affected by a security incident may be subject to further disclosure or misuse, and breach notification requirements under state law and HIPAA;
  • implementing and maintaining a written incident response plan to prepare for and respond to security incidents which describes at minimum, preparation, detection and analysis, containment, eradication, recovery, and post-incident analysis and remediation;
  • implementing and maintaining a breach response plan that contains policies and procedures for notification and coordination with law enforcement, and affected Blackbaud customers as appropriate;
  • implementing and maintaining a comprehensive information security program;
  • within the information security program, ensuring that the Chief Information Security Officer and Business Information Security Officers receive specialized training;
  • storing personal information and personal health information to the minimum extent necessary to accomplish Blackbaud's intended legitimate business purposes;
  • implementing specific technical safeguards and controls such as:
    • risk assessment programs in line with the National Institute of Standards and Technology (NIST) Cybersecurity Framework;
    • access control and account management;
    • logging and monitoring operational activities; and
    • asset inventories to classify Blackbaud network assets; and
  • conducting a third-party assessment of Blackbaud's compliance with the requirements of the settlement for seven years.

You can read the press release here and the settlement here.