BALTIMORE, MD—Maryland Attorney General Anthony G. Brown this week announced that the State has reached a multistate settlement with Blackbaud, Inc., a software company, to resolve allegations that Blackbaud failed to protect consumers’ personal information when it experienced a data breach in 2020 that impacted thousands of nonprofit organizations nationwide, including 290 nonprofits in Maryland. Under the settlement, Blackbaud has agreed to overhaul its data security and breach notification practices and make a $49.5 million payment to the states, of which Maryland will receive $820,156.
Blackbaud provides software to manage constituent data, including contact and demographic information, Social Security numbers, driver’s license numbers, financial information, employment and wealth information, donation history, and protected health information to various nonprofit organizations, including charities, higher education institutions, K-12 schools, healthcare organizations, religious organizations, and cultural organizations. This type of highly sensitive data was exposed during the 2020 data breach, impacting over 13,000 Blackbaud nonprofit organizations nationwide.
Today’s settlement resolves allegations that Blackbaud violated Maryland’s Consumer Protection Act, Personal Information Protection Act, and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by failing to implement reasonable data security and remediate known security gaps, and then failing to provide its customers with timely, complete, or accurate information regarding the breach, as required by law. The states contend Blackbaud downplayed the incident and either delayed or never provided notification to the consumers whose personal information was exposed in the breach.
“Adequate protection of sensitive personal information is critical to helping consumers avoid the painful experience of identity and financial theft,” said Attorney General Brown. “Marylanders deserve assurances that their personal information will remain private and protected.”
Under the settlement, Blackbaud has agreed to strengthen its data security and breach notification practices going forward, including:
- Developing incident and breach response plans to prepare for and more appropriately respond to and give notice of future security incidents and breaches;
- Providing appropriate assistance to its customers to support customers’ compliance with applicable notification requirements in the event of a breach;
- Encrypting its databases containing consumers’ personal information and monitoring the dark web;
- Employing specific security requirements that include network segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, and penetration testing; and
- Undergoing third-party assessments of Blackbaud’s compliance with the settlement for seven years.
In this settlement, Attorney General Brown joins the Attorneys General of Alaska, Alabama, Arizona, Arkansas, Colorado, Connecticut, Delaware, the District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, and Wyoming.
Photo by Sora Shimazaki from Pexels
