On June 13, 2024, the California Attorney General announced a $6.75 million judgment against Blackbaud over its 2020 data breach. (We had previously covered the FTC’s settlement in February here.) In the judgment with the California Attorney General, Blackbaud denied liability or any wrongdoing. Among other provisions, the consent judgment’s provisions relating to data retention and access may be of interest to our readers.
By way of background, Blackbaud provides data collection and maintenance software solutions for administration, fundraising, marketing, and analytics services to various charitable organizations, including healthcare, religious, and educational institutions as well as various foundations. As a result, Blackbaud held personal information belonging to millions of consumers, including names, dates of birth, Social Security numbers, financial information, medical information, religious belief data, and account credentials. In other words, Blackbaud had a B2B relationship with its customers, but those customers collected personal information from their own customers and uploaded that information to Blackbaud. Blackbaud had a privacy policy on its website that, according to the California Attorney General’s complaint, stated in part, “[w]e protect our databases with various physical, technical, and procedural measures and we restrict access to your information by unauthorized persons.” In addition, according to the complaint, after Blackbaud discovered the incident in July of 2020, it repeatedly informed customers that no Social Security Numbers or bank account information had been accessed, despite learning in August that this statement was not accurate.
The California Attorney General complaint alleged two counts. The first count related to the company’s privacy statements prior to the security incident, which alleged a violation of California’s unfair competition law. The complaint alleged that the acts and practices that violated that law “include, but are not limited to, failing to implement and maintain reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use modification, or disclosure in violation of Civil Code section 1798.81.5, subdivision (b).”
The second count alleged that the company had engaged in false advertising. “Blackbaud’s untrue or misleading statements include, but are not limited to, statements regarding its security measures in place at the time of the data breach and its statements regarding the data breach.”
Examples of “reasonable security procedures and practices”
The complaint listed some examples of “reasonable security procedures and practices” that the complaint alleged that Blackbaud had not implemented:
- “appropriate password controls, such as mandating all customers accessing sensitive environments rotate passwords and avoid default, weak, or identical password.”
- “mandate authentication protocols, like multi-factor authentication”
- “network segmentation”
- “adequately prevent its customers from storing personal information of customers, including Californians, in unencrypted fields even though these fields did not include the degree of security necessary for the storage of information of that nature.”
- “implementing an adequate inventory process . . . to detect and prevent personal information of consumer from being located outside designated, encrypted, locations.”
- “implement appropriate threat and intrusion detection”
- “Most troubling, Blackbaud stored data belonging to Blackbaud’s customers for years longer than necessary. . . . Had Blackbaud implemented data minimization principles or appropriate retention policies, it could have mitigated the threat actor’s exfiltration of data.”
Judgment
In addition to the $6.75 million payment, the California Attorney General’s final judgment contained important obligations for Blackbaud.
First, Blackbaud is required to have a Chief Privacy Officer (CPO), Chief Information Security Officer (CISO), one or more Business Information Security Officers to act as liaisons between the CISO and the business, and a Chief Technology Officer (CTO). Each of these roles must be filled by people with the appropriate training and experience and they must be provided reasonable resources and support to fulfill their functions. Blackbaud is required to notify the CPO and CISO of all Security Incidents.
Second, not surprisingly, Blackbaud is required to have a Security Incident Response Plan that requires Blackbaud to notify its customers on a timely basis. Recall that Blackbaud did not deal directly with consumers, but instead dealt with other businesses, which collected personal information that was provided to Blackbaud. With respect to each of Blackbaud’s customers being able to determine whether they had to provide notice to their consumers, Paragraph 20 of the judgment states in part that Blackbaud must
offer Blackbaud Customers reasonable guidance, cooperate and/or assistance, including with respect to instructions on how to run queries and reports of Blackbaud Customer databases affected by the Security Incident so that Blackbaud Customers can determine whether they must provide notification to Consumers in time to allow such notification in accordance with the Data Breach Notification Law or HIPAA. If after a Blackbaud Customer has sought and received such guidance, cooperation and/or assistance, the Blackbaud Customer is unable to run such queries and reports itself, Blackbaud shall reasonably run such queries and reports for the Blackbaud Customers at no cost, if requested by the Blackbaud Customer.
Going forward, Blackbaud has to specify in its contracts the roles and responsibilities of Blackbaud and its customers in the event of an incident. (See Paragraph 21.)
Third, with respect to vendor agreements, under Paragraph 29, Blackbaud must require vendors to “implement and maintain appropriate safeguards.” Blackbaud must also use commercially reasonable efforts to require vendors to notify Blackbaud within 72 hours (but not more than 5 business days) of “discovering any security incident that may give rise to a Breach.”
With respect to data, Paragraph 39 of the judgment requires that any database backup files must be “stored to the minimum extent necessary to accomplish Blackbaud’s intended legitimate business purpose(s) in storing the information in such database backup files on behalf of Blackbaud’s Customers.” In addition, Paragraph 41 requires that Blackbaud establish a governance process that “provides for the secure disposal, on a periodic basis, of Blackbaud Customer database backup files within Blackbaud’s control in accordance with written retention schedules.”
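The retention and disposal obligations in Paragraphs 39 and 41 are, in practice, a written schedule applied periodically to an inventory of backup files. The following is an added example of what such a governance check can look like in code; it is not Blackbaud’s process, and the customers, paths, dates, retention periods, the legal-hold list, and the “crypto-shred” method name are all constructed for illustration.

```python
"""Added example: apply a written retention schedule to customer database
backup files and report which ones are due for secure disposal. Customers,
paths, dates and the schedule are constructed; this is not Blackbaud's process."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Set


@dataclass(frozen=True)
class Backup:
    path: str       # storage location of the backup file
    customer: str   # the customer whose database this backup holds
    created: date   # when the backup was taken


# Constructed retention schedule: maximum age in days, per customer, with a
# default for customers that have no specific written schedule.
RETENTION_DAYS: Dict[str, int] = {"default": 90, "hospital-a": 120}

# Customers under a legal hold (litigation, or a regulator's own documentation
# retention requirement) are excluded from automatic disposal.
LEGAL_HOLDS: Set[str] = {"university-c"}

# Constructed inventory of backup files.
SAMPLE_BACKUPS: List[Backup] = [
    Backup("backups/hospital-a/2024-01-01.bak", "hospital-a", date(2024, 1, 1)),
    Backup("backups/hospital-a/2024-05-01.bak", "hospital-a", date(2024, 5, 1)),
    Backup("backups/charity-b/2024-02-15.bak", "charity-b", date(2024, 2, 15)),
    Backup("backups/charity-b/2024-06-01.bak", "charity-b", date(2024, 6, 1)),
    Backup("backups/university-c/2023-06-01.bak", "university-c", date(2023, 6, 1)),
]


def due_for_disposal(backups: List[Backup], today: date,
                     schedule: Dict[str, int] = RETENTION_DAYS,
                     holds: Set[str] = LEGAL_HOLDS) -> List[str]:
    """Return paths of backups older than their customer's retention limit.

    Two guard rails keep the schedule from defeating the backup's purpose:
    a customer's newest backup is always kept, and held customers are skipped.
    """
    newest: Dict[str, Backup] = {}
    for b in backups:
        if b.customer not in newest or b.created > newest[b.customer].created:
            newest[b.customer] = b
    due = []
    for b in backups:
        if b.customer in holds or b is newest[b.customer]:
            continue
        limit = schedule.get(b.customer, schedule["default"])
        if today - b.created > timedelta(days=limit):
            due.append(b.path)
    return due


def disposal_record(path: str, disposed_on: date,
                    method: str = "crypto-shred") -> Dict[str, str]:
    """Audit entry kept after the file itself is gone, so the disposal can be
    evidenced later. 'crypto-shred' (destroying the backup's encryption key)
    is an assumed method name for this example, not a product feature."""
    return {"path": path, "disposed_on": disposed_on.isoformat(), "method": method}


if __name__ == "__main__":
    run_date = date(2024, 6, 13)
    for backup_path in due_for_disposal(SAMPLE_BACKUPS, run_date):
        print(disposal_record(backup_path, run_date))
```

The two guard rails are the part worth copying: a schedule that blindly deletes by age can leave a customer with no restorable backup at all, and a disposal run that ignores holds can destroy records a regulator has ordered kept. The audit entry outlives the file precisely so that the “secure disposal” can be demonstrated later.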
Our Take
This judgment provides some of the first clear guidance to companies on what constitutes a reasonable response with regard to the process for identifying individuals impacted by a breach. For example, Paragraph 20 requires, in part, that Blackbaud consider “information stored [by Blackbaud Customers] in fields not intended for PI and/or PHI” when Blackbaud determines whether notification to those customers is required under applicable laws. In other words, the Attorney General is requiring that Blackbaud assess not only the data where one would expect to find PI and PHI (such as account enrollment information), but also the locations that are not inherently meant to contain sensitive data, such as freeform text boxes. Thus, one cannot assume that PII does not exist in certain locations. Rather, a company impacted by a Security Incident must reasonably interrogate the data and have a defensible plan to determine what data subjects and PII were impacted. A manual review of all documents and all data fields is unreasonable and infeasible. To withstand scrutiny, an assessment of the compromised data must show that decisions were reasonable and based on credible information and reasonable due diligence.
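The “adequate inventory process” the complaint faulted Blackbaud for lacking, and the Paragraph 20 requirement to consider fields not intended for PI or PHI, both come down to the same technical task: scanning records for personal information that has landed in free-text fields where it was never supposed to be. The following is an added example of such a scan, not code from Blackbaud or from the judgment; the donor records, field names, the list of designated fields, and the two detectors (US Social Security number format and Luhn-validated payment card numbers) are constructed for illustration.

```python
"""Added example: scan exported records for personal information that has
landed in free-text fields not designed (or encrypted) to hold it.
Sample data and field names are constructed; nothing here is Blackbaud's."""
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample records (an exported donor table). All values are made up.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"id": "1", "name": "A. Donor", "ssn": "",
     "notes": "Called re pledge. SSN 123-45-6789 read over the phone."},
    {"id": "2", "name": "B. Donor", "ssn": "",
     "notes": "Prefers email contact."},
    {"id": "3", "name": "C. Donor", "ssn": "",
     "notes": "Paid by card 4111 1111 1111 1111, exp 12/26"},
    {"id": "4", "name": "D. Donor", "ssn": "",
     "notes": "Order #1234567890123456 shipped"},
]

# Fields designed to hold PI (and, by policy, encrypted). Assumed for the example.
DESIGNATED_FIELDS: Set[str] = {"ssn"}

# US SSN: 3-2-4 digits, excluding area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment card: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> List[str]:
    """Return the kinds of PI detected in one field value."""
    kinds = []
    if SSN_RE.search(text):
        kinds.append("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            kinds.append("payment_card")
            break
    return kinds


def find_misplaced_pi(records: Iterable[Dict[str, str]],
                      designated_fields: Set[str] = DESIGNATED_FIELDS
                      ) -> List[Tuple[str, str, str]]:
    """List (record id, field, kind) for PI found outside the designated fields."""
    findings = []
    for rec in records:
        for fname, value in rec.items():
            if fname in designated_fields or fname == "id":
                continue
            for kind in classify(str(value)):
                findings.append((rec["id"], fname, kind))
    return findings


def impacted_record_ids(records: List[Dict[str, str]]) -> List[str]:
    """Data subjects whose PI sat in an unprotected field; this is the set a
    customer would need when deciding whom to notify."""
    return sorted({rid for rid, _, _ in find_misplaced_pi(records)})


if __name__ == "__main__":
    for rid, fname, kind in find_misplaced_pi(SAMPLE_RECORDS):
        print(f"record {rid}: {kind} found in non-designated field '{fname}'")
```

Record 4 is the reason the Luhn step is there: a sixteen-digit order number looks like a card number to a regular expression alone, and a scan that flags it would overstate the notification population just as a scan that never looks at the notes field would understate it. The output of a run like this, kept with the query that produced it, is the “credible information and reasonable due diligence” an assessment needs to be able to show.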
The judgment further calls in Paragraph 73 for Blackbaud to “retain and maintain documentation […] for a period of no less than seven years,” presumably making that data immune from the disposition schedule it mandates in Paragraph 41. This retention requirement would include, in part, databases that the Attorney General required Blackbaud to set up that allow Customers to query the data in order to assess their own legal obligations. Finally, the judgment demonstrates in Paragraph 30 that the California Attorney General’s preference is that companies hire Chief Privacy Officers (“CPO”) to supervise and manage their privacy obligations and manage strong security programs. This requirement is in line with other regulatory and administrative statements and settlements we have been following. Regulators view CPOs as mandatory for any company that collects, stores, and processes [and makes money] from consumer PII. As we often say to our clients, in the modern age, it is not if you will be the victim of a breach, but when. And one of the best tools we have to combat the most dire outcomes is personnel who are educated, capable, and dedicated.