February 22, 2024

FTC Aims To Settle Charges With Blackbaud Over 2020 Data Breach

Enforcement Edge: Shining Light on Government Enforcement

The FTC recently announced a proposed settlement with Blackbaud Inc. to resolve charges that the data services provider’s inadequate data security safeguards enabled a hacker to breach the company’s network in early 2020 and access millions of consumers’ personal data. As the three FTC commissioners underscored in a joint statement, this case marks the first time the FTC has brought standalone Section 5 unfairness claims for the alleged failure to enforce reasonable retention practices and provide customers with accurate information about the severity and scope of the breach. The proposed settlement, to be formalized through a Decision and Order (the Order), would, among other things, mandate that Blackbaud delete certain backup copies of customer files containing consumers’ personal information and commit to a retention schedule for personal information that meets specific content and timing requirements.

The FTC is not the only regulator to have negotiated a settlement with Blackbaud for claims related to the 2020 security breach. Last year, the SEC agreed to settle its charges that the company made materially misleading statements about the breach in its securities filings, and more recently, Blackbaud agreed to pay US$49.5 million to 49 state Attorneys General and the District of Columbia to resolve charges stemming from the breach.

Background

The breach underlying the complaint occurred in February 2020, when a malicious actor gained access to Blackbaud’s self-hosted legacy product databases by using a customer’s login credentials. The attacker allegedly leveraged existing vulnerabilities and local administrator accounts to move freely across multiple Blackbaud-hosted environments. Blackbaud allegedly did not discover the breach until May 20, 2020, by which time the hacker had “stolen data from tens of thousands of Blackbaud’s customers, which comprised the personal information of millions of consumers.”

The complaint notes that Blackbaud’s investigation concluded that the attacker exfiltrated files containing millions of consumers’ unencrypted personal information, including sensitive data such as Social Security numbers, financial information, medical information, and religious beliefs. Blackbaud ultimately paid the attacker $235,000 in Bitcoin to delete the stolen data, but “has not been able to conclusively verify” that the data was ever deleted.

FTC Allegations

Novel Unfairness Claims

The FTC brought five claims under Section 5 of the FTC Act for deceptive or unfair acts or practices, including unprecedented standalone counts for unfair data retention practices and unfair inaccurate breach notification.

Unfair Data Retention Practices

The FTC alleged that Blackbaud’s failure to implement and enforce reasonable data retention policies exacerbated the breach. The complaint alleges that, by keeping customers’ consumer data for years longer than necessary, including data belonging to former and prospective customers, Blackbaud violated its own data retention policies.

Unfair Inaccurate Breach Notification

The FTC charged that Blackbaud failed to communicate accurately the scope and severity of the breach in its initial notification to customers about the security incident in July 2020. That communication stated:

“The cybercriminal did not access credit card information, bank account information or social security numbers.…

No action is required on your end because no personal information about your constituents was accessed.” (emphasis in original)

The complaint asserts that Blackbaud issued this customer breach notification after Blackbaud conducted “an exceedingly inadequate investigation.” And, although Blackbaud allegedly confirmed on July 31, 2020 that the attacker had exfiltrated consumers’ bank account and social security numbers, Blackbaud failed to disclose the extent of the breach to its customers until October 2020. In the FTC’s view, the company’s delay and deceptive statements to customers exacerbated harm to those customers’ consumers, who therefore were not able to timely learn whether they needed to take steps to minimize the risk of identity theft.

Additional Claims

The FTC brought three additional claims under Section 5 for deceptive initial breach notification, deceptive security statements, and unfair information security practices. Specifically, the FTC alleged that:

  • Blackbaud’s initial communication to customers (discussed above) inaccurately stated that no consumers’ personal information had been subject to the breach.
  • Blackbaud’s website privacy policy deceptively stated that the company would protect personal information by, among other things, maintaining “appropriate, physical, electronic and procedural safeguards.”
  • Blackbaud failed to adopt various reasonable measures to prevent unauthorized access to sensitive consumer data maintained by its networks, such as implementing appropriate password controls, applying adequate multifactor authentication for both employees and customers, and patching outdated software and systems in a timely manner.

The Order

The Order would, among other things, prohibit Blackbaud from making misrepresentations about its privacy and data security practices, require Blackbaud to implement a comprehensive information security program subject to biennial assessments, create and maintain a retention schedule for certain company records, and require the company’s chief information security officer to submit annual compliance certifications. The Order also contains two requirements that are not commonly included in data security orders:

  • It mandates that Blackbaud delete customer backup files containing consumers’ personal information when those files are not being retained in connection with providing products or services to Blackbaud’s customers (unless otherwise requested by those customers).
  • It obligates Blackbaud to make publicly available on its website(s), and adhere to, a retention schedule for customer backup files containing consumers’ personal information that sets forth (a) the purpose(s) for which such personal information is maintained, (b) the specific needs for the company retaining such personal information, and (c) a set timeframe for deleting such personal information, with no indefinite retention periods.
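The two backup-file requirements above lend themselves to being enforced as policy-as-code rather than as a document nobody reads. The following is an added illustration, not code from the Order, from Blackbaud, or from the authors: it encodes a retention schedule with the three elements the Order describes (purpose, need, deadline), rejects any entry with an indefinite period, and then applies the schedule to a constructed inventory of backup files. The record structure, field names, sample paths and dates, and the rule that a customer-requested file is kept only until the schedule deadline are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RetentionRule:
    """One entry of a published retention schedule (hypothetical structure)."""
    category: str            # class of record, e.g. "customer_backup"
    purpose: str             # purpose for which the personal information is kept
    need: str                # the specific need for retaining it
    max_days: Optional[int]  # deletion deadline in days; None means "indefinite"


def validate_schedule(rules: List[RetentionRule]) -> List[str]:
    """Return the schedule's defects; an empty list means it is acceptable.

    An entry fails if it lacks a purpose, lacks a stated need, or has no
    finite deadline, which mirrors the three elements described in the text.
    """
    problems: List[str] = []
    seen = set()
    for r in rules:
        if r.category in seen:
            problems.append(f"{r.category}: duplicate rule")
        seen.add(r.category)
        if not r.purpose.strip():
            problems.append(f"{r.category}: no purpose stated")
        if not r.need.strip():
            problems.append(f"{r.category}: no retention need stated")
        if r.max_days is None:
            problems.append(f"{r.category}: indefinite retention period")
        elif r.max_days <= 0:
            problems.append(f"{r.category}: invalid retention period {r.max_days}")
    return problems


@dataclass(frozen=True)
class BackupFile:
    """A backup file as it might appear in an inventory (hypothetical)."""
    path: str
    category: str
    created: date
    supports_service: bool    # still needed to provide a product or service
    customer_requested: bool  # the customer asked that the copy be kept


def classify_backups(files: List[BackupFile], rules: List[RetentionRule],
                     today: date) -> Tuple[List[str], List[str]]:
    """Split an inventory into files to delete now and files past their deadline.

    delete_now:    no longer supports a service and not requested by the customer.
    past_schedule: still kept for a service or at customer request, but older than
                   the schedule allows (assumed: customer requests do not override
                   the published deadline).
    """
    by_category = {r.category: r for r in rules}
    delete_now: List[str] = []
    past_schedule: List[str] = []
    for f in files:
        rule = by_category.get(f.category)
        if rule is None or rule.max_days is None:
            # No documented purpose, need or deadline: surface the policy gap
            # instead of silently keeping the data.
            raise ValueError(f"{f.path}: category {f.category!r} has no valid retention rule")
        if not f.supports_service and not f.customer_requested:
            delete_now.append(f.path)
        elif today - f.created > timedelta(days=rule.max_days):
            past_schedule.append(f.path)
    return delete_now, past_schedule


# Constructed sample schedule and inventory (not real Blackbaud data).
SCHEDULE = [
    RetentionRule("customer_backup", "restore a customer environment after data loss",
                  "contractual restore obligation", 90),
    RetentionRule("former_customer_backup", "final export after contract termination",
                  "post-termination export window", 30),
]
BAD_SCHEDULE = [RetentionRule("customer_backup", "", "", None)]
TODAY = date(2024, 2, 22)
SAMPLE_FILES = [
    BackupFile("bk/cust-a/2024-02-10.bak", "customer_backup", date(2024, 2, 10), True, False),
    BackupFile("bk/cust-a/2023-10-01.bak", "customer_backup", date(2023, 10, 1), True, False),
    BackupFile("bk/prospect-x/2019-05-01.bak", "customer_backup", date(2019, 5, 1), False, False),
    BackupFile("bk/former-b/2024-02-01.bak", "former_customer_backup", date(2024, 2, 1), False, True),
]

if __name__ == "__main__":
    print("schedule defects:", validate_schedule(BAD_SCHEDULE))
    delete_now, past_schedule = classify_backups(SAMPLE_FILES, SCHEDULE, TODAY)
    print("delete now:", delete_now)
    print("past schedule:", past_schedule)
```

The point of the `ValueError` is deliberate: a backup whose category has no schedule entry is exactly the "kept for years longer than necessary" data the complaint describes, so the check refuses to treat it as retained by default.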

Takeaways for Businesses

The Order serves as an important reminder that lax data retention and deletion practices can significantly elevate a company’s cybersecurity risk profile. Simply put, the more data a company keeps unnecessarily, the more data may be vulnerable to a security breach. The FTC’s action also underscores how critical it is for companies to implement sophisticated incident response procedures that allow them to quickly and thoroughly investigate any data security incident and provide accurate information to all relevant stakeholders in a timely fashion. The FTC’s position that these practices are “unfair” and thereby violate Section 5 signals increased regulatory scrutiny of such practices going forward.

The authors of this blog post and their colleagues in the Arnold & Porter Privacy, Cybersecurity & Data Strategy practice group are available to provide counsel on the FTC’s actions in this area, enforcement brought by the FTC and other regulators, records retention, information governance and security, and more broadly on privacy and security compliance.

© Arnold & Porter Kaye Scholer LLP 2024 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.