Strengthening Your Data Security with Lessons from Blackbaud’s FTC Settlement
In today’s digital landscape, securing sensitive data has become a critical responsibility for businesses of all sizes. The recent settlement between Blackbaud, a South Carolina-based data services provider, and the Federal Trade Commission (“FTC”) offers important lessons for companies regarding data security, retention policies, and breach response strategies. Blackbaud’s failure to protect consumer data adequately and to communicate transparently about a significant breach serves as a cautionary tale for every organization that handles sensitive personal information.
Blackbaud provides essential services to thousands of companies, including nonprofits, educational institutions, and healthcare organizations. However, in 2020, the company’s lax security measures led to a data breach that exposed sensitive information, including Social Security numbers, bank account details, and health data, affecting millions of consumers. According to the FTC, Blackbaud’s weak security protocols enabled a hacker to breach the system and go undetected for several months. During this time, the attacker stole vast amounts of unencrypted data, using it for malicious purposes.
What went wrong? The FTC’s complaint outlines several critical failures on Blackbaud’s part. Notably, the company failed to implement basic cybersecurity safeguards, such as encryption for sensitive data and multifactor authentication for user accounts. It also did not monitor for unusual network activity or enforce strong password protocols for its employees. As a result, when a hacker gained access to the network in early 2020, Blackbaud’s inadequate controls allowed the attacker to move freely across its systems, extracting sensitive consumer information with ease. This breach was only discovered after the hacker had been active for three months, allowing significant damage to occur before any action was taken.
The settlement also reveals that Blackbaud mishandled its data retention practices. The FTC asserts that the company stored unnecessary personal information long after it had ceased to be needed for business purposes, which amplified the scale of the breach. The FTC’s order mandates that Blackbaud delete data it no longer needs and implement a comprehensive data retention policy. This highlights a crucial point for all businesses: it’s not enough to secure the data you retain; you must also have a clear plan for deleting data when it no longer serves a legitimate business purpose.
Moreover, Blackbaud’s delayed response to the breach further exacerbated the situation. The company waited nearly two months before notifying affected customers and initially downplayed the severity of the breach. This delay prevented many consumers from taking timely action to protect themselves from identity theft and fraud. For businesses, this underscores the importance of having a clear, proactive incident response plan. In the event of a breach, organizations must act swiftly, notify affected parties immediately, and provide accurate, detailed information about the extent of the breach.
Blackbaud’s case illustrates several key takeaways for businesses to enhance their data security practices and avoid similar pitfalls. First, companies must ensure they have robust cybersecurity measures in place, including encryption, multifactor authentication, and network monitoring. A failure to do so could leave your systems vulnerable to attacks, putting sensitive data at risk.
Second, businesses should adopt stringent data retention and destruction policies. Holding onto unnecessary sensitive information not only violates best practices but can also increase the risk of exposure in the event of a breach. Secure disposal of data should be a part of any comprehensive data management strategy.
Finally, companies must prioritize transparency and responsiveness in the event of a breach. Prompt notification and a clear communication strategy can help mitigate the impact of a data breach on affected individuals and maintain customer trust.
By learning from Blackbaud’s mistakes, businesses can take proactive steps to protect their systems, maintain compliance with regulations, and safeguard consumer data. Data security is not just about protecting information; it’s about building a culture of responsibility, transparency, and vigilance. With the increasing sophistication of cyber threats, now is the time for companies to review and strengthen their data security policies to avoid facing the same legal and reputational consequences Blackbaud is now dealing with.
If you would like to read more about this case and others, visit our Case Studies Library.
This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.
