• This page, Massachusetts To Receive Nearly $900,000 In Multistate Data Breach Settlement With Donor Database Company, is offered by
  • Office of the Attorney General
Press Release

Massachusetts To Receive Nearly $900,000 In Multistate Data Breach Settlement With Donor Database Company

For immediate release:
10/05/2023

Media Contact for Massachusetts To Receive Nearly $900,000 In Multistate Data Breach Settlement With Donor Database Company

Sabrina Zafar, Deputy Press Secretary

BOSTON - Attorney General Andrea Joy Campbell announced today that Massachusetts, along with 49 other attorneys general, has reached a settlement with software company Blackbaud for its deficient data security practices and delayed response to a 2020 ransomware event that exposed the personal information of millions of consumers across the United States. Under the settlement, Blackbaud has agreed to overhaul its data security and breach notification practices and make a $49.5 million payment to states. Massachusetts will receive almost $900,000 from the settlement.

“In an era of increased cyber threats, it is absolutely crucial that companies take steps to protect personal and private consumer data from exploitation,” said AG Campbell. “I am proud of my office’s efforts in achieving this settlement for the public interest and for continuing to stand up to protect consumers across the Commonwealth.”

Blackbaud provides software to various nonprofit organizations, including charities, higher education institutions, K-12 schools, healthcare organizations, religious organizations, and cultural organizations.  Blackbaud’s customers use Blackbaud’s software to connect with donors and manage consumer data, including contact and demographic information, Social Security numbers, driver’s license numbers, financial information, employment and wealth information, donation history, and protected health information.  This type of highly sensitive information was exposed during the 2020 data breach, which impacted over 13,000 Blackbaud customers, and millions of consumers nationwide.   

Today’s settlement resolves allegations by Attorney General Campbell that Blackbaud violated the Massachusetts Data Breach Notification Law by failing to provide its customers with timely, complete, or accurate information regarding the breach, as required by law.  As a result of Blackbaud’s actions, notification to the consumers whose personal information was exposed was significantly delayed or never occurred at all insofar as Blackbaud downplayed the incident and led its customers to believe that notification was not required.   

Today’s agreement also resolves allegations that Blackbaud violated the Massachusetts Data Security Regulations by failing to implement reasonable data security and remediate known security gaps, which allowed unauthorized persons to gain access to Blackbaud’s network. 

Under the settlement, Blackbaud has agreed to strengthen its breach notification practices going forward by providing appropriate assistance to its customers and supporting customers’ compliance with applicable notification requirements. Blackbaud has also agreed to reinforce its data security practices, including through: 

  • Incident reporting to the CEO and Board,  
  • Enhanced employee training, 
  • Database encryption,  
  • Dark web monitoring,  
  • Implementation of technical security provisions like segmentation, patching, firewalls, and testing, 
  • Third-party assessments of Blackbaud’s compliance with the settlement for 7 years. 

Joining AG Campbell in today’s settlement are Alabama, Alaska, Arizona, Arkansas, Colorado, Connecticut, Delaware, District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, and Wyoming. 

If you believe that you have been the victim of a data breach, you may need to take steps to protect yourself from identity theft. For additional information on identity theft protection, consumers may visit the AG’s website. Guidance for businesses on data breaches can be found here. 

In Massachusetts, this matter was handled by Division Chief Jared Rinehimer of the AG’s Data Privacy and Security Division. 

###
