USA: FTC issues enforcement decision against Blackbaud for data security failures

On February 1, 2024, the Federal Trade Commission (FTC) announced that it had filed a proposed order against Blackbaud, Inc. (Blackbaud) for violation of the Federal Trade Commission Act (the FTC Act).

Background to the case

The FTC explained that on February 7, 2020, Blackbaud was subject to a data breach, which was only discovered in May 2020. The third party, who used a customer's login and password to move freely across multiple Blackbaud-hosted environments, was able to create new administrator accounts and exfiltrate a large amount of data. In addition, the FTC outlined that the third party had access to non-encrypted personal information, including the consumer's full name, age, date of birth, social security numbers (SSNs), home address, financial information, medical information, gender, marital status, and employment information.

Findings of the FTC

The FTC determined that Blackbaud's deficient encryption practices magnified the severity of the data breach, as they allowed customers to store SSNs and bank account information in unencrypted fields.

Likewise, the FTC found that Blackbaud's data retention practices exacerbated the severity of the breach: it failed to enforce its own retention policy and kept customers' and potential customers' data for years longer than necessary.

Blackbaud also failed to notify customers of the breach until July 2020, two months after its detection, and in that notification misrepresented the scope and severity of the breach after conducting an inadequate investigation. Blackbaud stated that the third party had not accessed credit card information, bank account information, or SSNs, and told customers that no action was required, alleging that no personal information about constituents had been accessed, despite knowing that such personal information had been accessed. Blackbaud disclosed the full extent of the breach only later, in October 2020.

The FTC held that Blackbaud made misrepresentations about its information security practices, leading customers to believe that it used reasonable and appropriate information security practices. However, the FTC detailed that Blackbaud failed to do so: it did not implement appropriate password controls, apply adequate multifactor authentication, monitor for unauthorized attempts to transfer or exfiltrate customer data, patch outdated software, or implement appropriate firewall controls.

Accordingly, the FTC held that Blackbaud violated Section 5(a) of the FTC Act.

Outcomes

In light of the above, the FTC's proposed order provides that Blackbaud must not misrepresent, in any manner, expressly or by implication:

  • the extent of use, deletion, or disclosure of covered information;
  • the extent to which privacy, security, availability, confidentiality, or integrity of covered information is protected; or
  • the extent of any covered incident or unauthorized disclosure, misuse, loss, theft, alteration, destruction, or other compromise of covered information.

The FTC's proposed order also stipulates that Blackbaud must:

  • make publicly available and implement a retention schedule;
  • implement and maintain an information security program, including:
    • the designation of a qualified employee or employees;
    • multi-factor authentication;
    • access control measures; and
    • encryption; and
  • contractually require service providers to implement and maintain sufficient safeguards.

You can read the press release here, the complaint here, and the proposed order here.

Update: May 23, 2024

On May 20, 2024, the FTC announced the finalized order in response to the data breach. The finalized order requires Blackbaud to:

  • delete data that is no longer needed for providing its products and services; 
  • ensure that it does not misrepresent its data security and data retention policies in the future; 
  • develop a comprehensive information security program to address the issues outlined by the FTC in its complaint;  
  • implement a data retention schedule that outlines data retention practices; and 
  • notify the FTC in the event of a future data breach that requires reporting to any other local, state, or federal agency. 

You can read the press release here and the final order here.