Communications Litigation Today was a Warren News publication.

50 AGs Reach $49.5M Settlement With Blackbaud Over 2020 Data Breach

The attorneys general of 49 states and the District of Columbia reached a $49.5 million settlement with Blackbaud over the company’s data-security practices and its response to a 2020 data breach that exposed the personally identifiable information of millions of consumers, said Ohio AG Dave Yost (R), whose office coordinated the settlement. “Carelessness cannot justify the compromise of consumer data,” said Yost in a statement Thursday. “Companies must be committed to safeguarding personal information, meeting consumers’ rightful expectations of data privacy and protection,” he said. The settlement resolves allegations that Blackbaud violated state consumer protection laws, breach-notification laws and the Health Insurance Portability and Accountability Act, he said. The settlement obligates Blackbaud to “refrain from misrepresenting details of its processing, storing and safeguarding of personal information," said Yost. Blackbaud must “implement and maintain a breach response plan to ensure an appropriate response to any future security incident or breach,” he said. It also must establish breach-notification provisions that require Blackbaud “to provide appropriate assistance to its customers and support its customer compliance with applicable notification requirements,” he said. Blackbaud also agrees to allow “third-party assessments of its compliance with the settlement” for seven years, he said. Cyberattacks "are always evolving, so we are continually strengthening our cybersecurity and compliance programs to ensure our resilience in an ever-changing threat landscape," said Blackbaud CEO Mike Gianoni in a statement Thursday.