- Florida will receive more than $3 million as part of a multi-state legal challenge against software company Blackbaud, which suffered a ransomware attack in 2020, compromising the personal information of millions of individuals.
- All 50 states and Washington D.C. participated in the legal action, resulting in a total of $49.5 million being obtained and distributed among the participating states. Blackbaud provides software solutions to nonprofit entities and handles sensitive personal data.
- The ruling requires Blackbaud to enhance its data security and response capabilities, including the implementation of incident response plans, security investigations, and regular security preparedness exercises.
The state of Florida will receive more than $3 million as part of a multi-state legal challenge against software company Blackbaud, which fell victim to a ransomware attack in 2020 that left millions of individuals vulnerable to identity theft.
The legal action, undertaken by all 50 states and Washington D.C., resulted in a combined total of $49.5 million being obtained and distributed among all the states that participated as plaintiffs. Blackbaud, an international company headquartered in South Carolina, offers software solutions to a range of nonprofit entities such as charities, higher education institutions, and healthcare organizations.
The company’s software serves as a platform for its customers to engage with donors and handle a variety of personal data, encompassing Social Security numbers, driver’s license details, financial records, employment and wealth information, donation histories, and protected health information, all of which were accessed by hackers.
“We are holding Blackbaud, an international software company, accountable for a massive ransomware attack that compromised the personal information of potentially millions of consumers across the country, including those donating to charities, health care organizations and other nonprofits,” said Attorney General Ashley Moody in a statement. “Now, we’ve secured more than $49 million and the company must take steps to ensure customers’ personal data is protected.”
As part of the ruling, Blackbaud is required to bolster its data security and response capabilities. The agreement mandates the implementation and maintenance of incident response plans, investigations into security incidents, and documentation of response actions. It also calls for determining whether notification under Data Breach Notification Law or HIPAA is necessary and conducting regular exercises to assess preparedness for security incidents.
Additionally, the agreement mandates the creation of a breach response plan, including notification procedures for law enforcement, affected Blackbaud Customers, and regulators.
Per the legal order, Blackbaud is to establish and maintain an information security program (ISP) tailored to its operations’ size, complexity, and nature. This program will serve to safeguard personal and protected health information on the Blackbaud Network and include specific technical safeguards such as network segmentation, risk assessments, and penetration testing.