More nonprofits are notifying their donors about the ransomware attack on software company Blackbaud, which the company disclosed on July 16. Some organizations are consulting legal experts and weighing ethical concerns as they evaluate whether they need to disclose the breach to their supporters.
On Thursday night, Planned Parenthood sent a note to supporters notifying them that many of the group’s chapters had been affected by the data breach. In all, 35 organizations affiliated with Planned Parenthood were affected.
“Unfortunately, the criminal was able to remove a portion of the data stored on the company’s servers, which included some information about you and other donors, such as street addresses or phone numbers,” chief development officer Jethro Miller wrote in the note to supporters.
“Blackbaud discovered and contained this attack in May of this year. Unfortunately, the company did not notify its clients — including Planned Parenthood — until mid-July. To say the least, we find this delay unacceptable, and we are extremely dissatisfied with Blackbaud’s lack of transparency around this incident,” the email says. The notice echoes bold statements sent last week from institutions including the American Civil Liberties Union.
Blackbaud’s delay in notifying its customers seems “excessive,” says Janet Peyton, a lawyer with McGuireWoods who specializes in data privacy and security. In her work, she helps nonprofit and higher-education clients take steps to improve data security and manage compliance issues in the aftermath of a data breach. But, Peyton says, several factors could account for the delay.
“I suspect that the scope was so large that that’s why it took so long,” she says.
The Chronicle has asked Blackbaud for information on the number of groups affected, the reason for the delay in notifying nonprofit customers, and the firm’s use of third-party dark-web monitoring intended to detect trafficking of the copied data, which several charities mentioned in their statements to supporters. A spokeswoman for the company did not reply by our deadline.
Many state laws about data-breach notification require that third-party vendors like Blackbaud notify customers immediately, Peyton says. But with a ransomware breach, it can take time to evaluate the situation and get to the point where the company is confident it understands the scope of the breach.
When law-enforcement agencies are involved, they sometimes ask the company not to go public because it would negatively affect the investigation, she says. Blackbaud says an FBI investigation into the breach continues, although the company has not said that is the reason for the delay in notifying customers.
The criminal succeeded in removing a copy of some customer data that included fields like donor names, addresses, contact information, and giving history, according to statements from nonprofits and news reports. Blackbaud paid a ransom of an undisclosed amount to encourage the cybercriminals to destroy the copy of the stolen data, “with confirmation that the copy they removed had been destroyed,” the company said in a statement.
“We have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.”
Peyton found that part of the notice puzzling.
“I did find it odd that Blackbaud put so much emphasis on their belief that by paying the ransom, they were keeping their clients’ data safe somehow,” she says. “I would not put so much stock in the hacker.”
Some nonprofits are evaluating whether they have a legal obligation to disclose the breach to their supporters or other individuals whose data was compromised.
The patchwork of state breach-notification laws in the United States and the European Union’s General Data Protection Regulation, which governs personal data, make this tricky.
Organizations in the EU that store or process Europeans’ data must comply with the GDPR. Those outside the EU must comply if they are “targeting” or “monitoring” individuals there. In Britain, where Blackbaud has a significant number of clients, the data breach has received more attention. Under the GDPR, the notification duties are split by role: a charity, as the data controller, must notify its data-protection authority within 72 hours of becoming aware of a breach that may have exposed Europeans’ personal information, while a data processor such as Blackbaud must notify the affected controllers without undue delay after becoming aware of it. Whether Blackbaud’s timeline met that standard is not clear: the company discovered and contained the attack in May, and its customers were not notified until July 16. In Britain, more than 125 charities had reported the breach to the Information Commissioner’s Office as of last week, the BBC reported.
In the United States, most states do not require disclosure of breaches where this kind of donor data was accessed. But Washington State and North Dakota do if a donor’s name and date of birth were accessed. Washington State’s law also has a “harm threshold” requiring that companies or organizations notify any resident who is at risk of harm because of the unauthorized acquisition of data.
“There’s often a decision to be made either because you trip some state [statutes] and not others or because someone in a leadership position has a strong sense of wanting to be completely transparent,” Peyton says.
“Every Blackbaud customer is going to have to evaluate the nature of their specific data that was involved,” she says.
The George W. Bush Presidential Center, Save the Children, Human Rights Watch, the Boy Scouts of America, and Texas Tech University are just a few groups that recently notified their supporters and other contacts of the breach.
Based on the notices Peyton received from organizations she personally supports, “it looks to me as though there was a bit of a rush to notify,” she says.
“I have a sense that nonprofits felt pressure from each other to make a notice,” she says, adding that she finds that concerning. “If they rushed out and noticed quickly without doing a full legal analysis, they might find that the notice didn’t include what it needed to.”
In addition, she says, “there’s always some risk of alienating donors when no notice was required.”
Notify People or Not?
Some organizations are still weighing how to respond. Alicia Cipriano is the development coordinator at Newport Restoration Foundation, which works to preserve historical homes and buildings in Newport, R.I.
Her organization was informed it was affected by the ransomware attack at Blackbaud. But the data that was compromised was taken not from the group’s donor database but from ResearchPoint, Blackbaud’s prospecting tool that gathers public wealth information, such as real-estate holdings, to build profiles of current and potential donors.
Cipriano says she’s struggling with whether to let people know about the breach. “It affects a very small group of people who would be considered our major donors — a pool of about 120 — some of whom do give to us, others who do not,” she said in an email.
Blackbaud has assured its customers that the cybercriminal did not take any credit-card or Social Security numbers or bank information.
“It’s a conundrum,” she writes. “Is this information really considered private or sensitive? Do I really want to let these people know that we have donor profiles or are actively doing research on them?”
She thinks that fact may surprise people. She’s working with a current board member to bring new people onto the organization’s board. The board member was shocked to learn that there are tools that can gather this kind of information, Cipriano says.
“I’m at a bit of a loss as to how to handle it — or not — with our donors,” she says. “They don’t know what system we use. Do they care? I’m not really sure.”