Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

California: AG announces $6.75M settlement with Blackbaud

On June 13, 2024, the California Attorney General (AG), Rob Bonta, announced that they had reached a $6.75 million settlement with Blackbaud Inc., a South Carolina-based software company, in relation to violations of consumer protection and privacy laws.  

Background to the case

The AG noted that in July 2020, Blackbaud announced that in May 2020, a hacker breached the company's network but did not access consumers' personal data, however, it was found soon after that the hacker accessed personal data. The personal data affected included social security and bank account numbers.

Findings of the California Department of Justice

Following its investigation, the California Department of Justice found that Blackbaud failed to carry out basic security procedures that would have fixed known vulnerabilities, which led to the data breach. Furthermore, it was found that Blackbaud failed to stay apprised of evolving security standards and made deceptive pre-breach representations relating to its security practices as well as misrepresentations about the breach.


The AG detailed that it had reached a settlement with Blackbaud for violations of the Reasonable Data Security Law, the Unfair Competition Law, and the First Advertising Law. Blackbaud will pay $6.75 million and comply with the following injunctive terms:

  • implementing a process for establishing that database backup files containing personal information will be stored to the minimum extent necessary and ensuring the secure disposal of database backup files;

  • implementing password confidentiality and password-rotation or authentication protocol policies; and

  • tightening policies and procedures relating to security infrastructure.

You can read the press release here, the copy of the complaint here, and the judgment here.