Blackbaud Settles Ransomware Data Breach Lawsuit for $49.5 Million
Blackbaud, a company that provides customer relationship management (CRM) software to nonprofits, has agreed to pay $49.5 million to settle a lawsuit over a 2020 ransomware data breach.
The breach affected more than 13,000 of Blackbaud’s customers, including many nonprofits.
The lawsuit was filed by a group of state attorneys general who alleged that Blackbaud had failed to take adequate security measures to protect its customers’ data. Blackbaud has denied any wrongdoing, but it has agreed to settle the lawsuit to avoid further litigation.
“Carelessness cannot justify the compromise of consumer data. Companies must be committed to safeguarding personal information, meeting consumers’ rightful expectations of data privacy and protection,” said Ohio Attorney General Dave Yost.
As part of the settlement, Blackbaud also has to:
- Implement and maintain a breach response plan
- Provide appropriate assistance to its customers in the event of a breach
- Report security incidents to its CEO and board and provide enhanced employee training
- Implement personal information safeguards and controls requiring total database encryption and dark web monitoring
- Improve defenses via network segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, and penetration testing
- Allow third-party assessments of its compliance with the settlement for seven years
The settlement will be paid to the affected nonprofits and will be used to fund cybersecurity improvements and provide credit monitoring services to victims of the breach.