Four years after a major data breach left Blackbaud, a leading provider of charity fundraising software, scrambling to protect sensitive data from donors to 13,000 nonprofits, the Federal Trade Commission ordered the company to delete unnecessary personal data and boost its cybersecurity safeguards.
The 2020 data breach exposed the personal information, including Social Security and bank-account numbers, of millions of nonprofit donors and clients. In October, the company agreed to pay $49.5 million to settle claims related to the breach, which sparked a cascade of class-action lawsuits against Blackbaud and some of the nonprofits affected.
“Blackbaud’s shoddy security and data-retention practices allowed a hacker to obtain sensitive personal data about millions of consumers,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a statement. “Companies have a responsibility to secure data they maintain and to delete data they no longer need.”
The breach, which began in early 2020, went undetected for three months, according to the FTC, which blamed Blackbaud for failing to appropriately monitor for hacks and for holding onto vast amounts of sensitive unencrypted data. Once detected, the company waited two months to notify customers about the breach and then misled them about its severity.
In the aftermath, nonprofit clients like Human Rights Watch, Planned Parenthood, and the Boy Scouts of America were left to decide for themselves whether and how to disclose the breach to their supporters.
“Protecting our customers’ and their constituents’ privacy will always be of paramount importance,” said Mike Gianoni, president of Blackbaud, in a statement. The statement did not admit fault for the breach but cast the FTC order as closure while the company continues to “strengthen our cybersecurity and compliance programs with the goal of improving our resilience in an ever-changing threat landscape.”
Last March, Blackbaud agreed to pay a $3 million fine to the U.S. Securities and Exchange Commission for misleading investors but did not admit to wrongdoing.
As part of its ruling, the FTC will require that Blackbaud develop a comprehensive information-security program and a detailed plan for when and why it retains personal data.
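The order's two concrete demands, a documented reason for every category of personal data retained and deletion once that reason lapses, are the kind of rule a nonprofit can turn into a recurring job. The following is an added illustration, not Blackbaud's code or anything the FTC prescribes: a constructed retention schedule maps each data category to its purpose and a keep-period, and a review pass over constructed sample fields decides what must be deleted, what is still needed but sits in plaintext, and what has no documented purpose at all. The categories, periods, field names and sample records are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule (an assumption for this example, not a real policy):
# category -> (documented business purpose, days to keep after the last legitimate use).
RETENTION_SCHEDULE = {
    "donation_record": ("issue gift receipts and support audits", 7 * 365),
    "contact": ("maintain the donor relationship", 3 * 365),
    "bank_account": ("settle a payment that is still pending", 90),
    "ssn": ("complete a specific tax filing", 30),
}

# Categories that may never sit in plaintext even while they are still needed.
ENCRYPT_AT_REST = {"bank_account", "ssn"}


@dataclass
class StoredField:
    record_id: str   # identifier of the stored item
    category: str    # key into RETENTION_SCHEDULE
    last_used: date  # last time a documented purpose actually touched it
    encrypted: bool  # whether it is encrypted at rest today


def review_retention(fields, today):
    """Classify each stored field under the retention schedule.

    Returns a dict of record_id lists:
      delete               - keep-period expired; deletion beats any other control
      encrypt              - still within its keep-period but stored in plaintext
      no_documented_purpose - category absent from the schedule, so no basis to keep it
      keep                 - within its keep-period and stored as the schedule requires
    """
    result = {"delete": [], "encrypt": [], "no_documented_purpose": [], "keep": []}
    for f in fields:
        if f.category not in RETENTION_SCHEDULE:
            result["no_documented_purpose"].append(f.record_id)
            continue
        _, keep_days = RETENTION_SCHEDULE[f.category]
        if today - f.last_used > timedelta(days=keep_days):
            # Data that is gone cannot be stolen, so expiry overrides encryption status.
            result["delete"].append(f.record_id)
        elif f.category in ENCRYPT_AT_REST and not f.encrypted:
            result["encrypt"].append(f.record_id)
        else:
            result["keep"].append(f.record_id)
    return result


# Constructed sample inventory for the example (not real records).
SAMPLE_FIELDS = [
    StoredField("D1", "donation_record", date(2016, 1, 1), False),  # far past 7 years
    StoredField("D2", "bank_account", date(2024, 1, 15), True),     # recent, encrypted
    StoredField("D3", "bank_account", date(2023, 12, 1), False),    # recent, plaintext
    StoredField("D4", "ssn", date(2023, 6, 1), True),               # past 30 days
    StoredField("D5", "contact", date(2023, 1, 1), False),          # within 3 years
    StoredField("D6", "legacy_export", date(2023, 1, 1), False),    # no schedule entry
]


def run_sample():
    """Run the review against the constructed inventory on a fixed review date."""
    return review_retention(SAMPLE_FIELDS, date(2024, 2, 1))


if __name__ == "__main__":
    for action, ids in run_sample().items():
        print(f"{action}: {ids}")
```

The point of the `no_documented_purpose` bucket is that a retention plan is only as good as its inventory: a field that appears in storage but not in the schedule is exactly the "data no longer needed" the order targets, and the job should surface it rather than silently keep it. In practice the review runs on a schedule against the real datastore, and the delete list feeds an actual purge with its own audit log.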
In recent years, cybercrimes have more than doubled, according to FBI data. Nonprofits are particularly vulnerable since many don’t prioritize investing in cybersecurity.
That ought to change in light of rising attacks, says Amy Sample Ward, CEO of NTEN, a membership-based collective of nonprofit technology professionals.
“Even with more visibility around breaches, nonprofits are still very scared of what it means to try and address security,” says Ward, who noted that many nonprofits feel too intimidated, or not tech-savvy enough, to question the data practices of their software providers, even as those providers offer a growing body of A.I. tools that rely on large swaths of user data.
Yet taking the first steps toward cybersafety is not as difficult as it looks.
In fact, the kind of basic scenario testing, multi-factor authentication, and responsible data stewardship included in the FTC’s ruling could be a good place for both tech companies and nonprofits themselves to start, says Ward: “Everything they’re ordering Blackbaud to do, copy and paste. Your nonprofit should also do that.”