"Carelessness cannot justify the compromise of consumer data," Yost said. "Companies must be committed to safeguarding personal information, meeting consumers' rightful expectations of data privacy and protection."
Blackbaud provides software to nonprofit organizations — including charities, schools and healthcare agencies — to help them connect with donors and manage data consisting of demographic information, Social Security numbers, driver's license numbers, financial data, employment and wealth information, donation histories and protected health information.
The 2020 breach exposed this highly sensitive information of 13,000 Blackbaud clients, in turn affecting millions of consumers overall, according to the statement from Yost's office.
The settlement resolves allegations from 50 attorneys general that Blackbaud violated state consumer protection laws, breach-notification laws and Health Insurance Portability and Accountability Act.
The violations stemmed from the company's failure to establish reasonable data security and remediate the known security gaps, allowing unauthorized individuals to gain access to Blackbaud's network. Blackbaud also failed to promptly, completely or accurately inform its customers about the breach, as required by law. Blackbaud's lapses significantly delayed the process for notifying those whose personal information was compromised, and, in some cases, there was no notification at all, Yost's office stated.
©2023 Springfield News-Sun, Distributed by Tribune Content Agency, LLC.
