February 1, 2024 at 05:25PM
Blackbaud settled with the FTC after poor security and data retention led to a 2020 ransomware attack affecting millions of people. The company is ordered to improve security, delete unneeded customer data, and create an information security program. Blackbaud must also establish a data retention schedule and notify the FTC of any data breaches.
Blackbaud has faced significant challenges related to poor security and reckless data retention practices, which resulted in a ransomware attack and a data breach impacting millions of individuals. The Federal Trade Commission (FTC) has taken action against Blackbaud, leading to a settlement that includes several key measures to improve the company’s security and data retention protocols.
The FTC’s complaint highlights multiple failures in Blackbaud’s security practices, including inadequate monitoring of hacker attempts, weak password policies, and insufficient data segmentation and deletion processes. As part of the settlement, Blackbaud has been ordered to enhance its security measures and ensure timely deletion of unnecessary customer data. Additionally, the company must establish a data retention schedule and promptly report any future data breaches to the FTC and relevant authorities.
Furthermore, Blackbaud has experienced legal and financial repercussions, including a $3 million settlement with the SEC for failure to disclose the full impact of the ransomware attack and a $49.5 million settlement as part of a multi-state investigation led by attorneys general from 49 U.S. states. The company has also been criticized for downplaying the severity of the breach in its communications.
Overall, these actions highlight the critical need for Blackbaud to significantly improve its data security and retention practices to prevent future breaches and restore trust among consumers and regulatory authorities.