HELENA – Attorney General Austin Knudsen announced today that Montana, along with 49 other states, has reached a settlement with software company Blackbaud for its deficient data security practices and response to a 2020 data breach which exposed the information of millions of consumers across the United States, including Montana.
Under the settlement, Montana will receive $388,649 of a total $49.5 million payment to the affected states. Blackbaud has also agreed to overhaul its data security and breach notification practices.
Blackbaud provides software to various nonprofit organizations, including charities, higher education institutions, K-12 schools, healthcare organizations, religious organizations, and cultural organizations. The company’s customers use the software to connect with donors and manage data about their constituents, including contact and demographic information, Social Security numbers, driver’s license numbers, financial information, employment and wealth information, donation history, and protected health information. This type of highly sensitive information was exposed during the 2020 data breach, impacting 26 organizations in Montana.
The settlement resolves allegations of the attorneys general that Blackbaud violated state consumer protection laws, breach notification laws, and HIPAA by failing to implement reasonable data security and remediate known security gaps, which allowed unauthorized persons to gain access to Blackbaud’s network, and then failing to provide its customers with timely, complete, or accurate information regarding the breach, as required by law. As a result of Blackbaud’s actions, notification to the consumers whose personal information was exposed was significantly delayed or never occurred at all insofar as Blackbaud downplayed the incident and led its customers to believe that notification was not required.
Attorney General Knudsen urges anyone who believes they have been impacted by a data security breach to take the following steps to protect themselves:
- Monitor your credit. Credit monitoring services track your credit report and alert you whenever a change is made, such as a new account or a large purchase. Most services will notify you within 24 hours of any change to your credit report;
- Consider placing a free credit freeze on your credit report. Identity thieves will not be able to open a new credit account in your name while the freeze is in place. You can place a credit freeze by contacting each of the three major credit bureaus:
  - Equifax: https://www.equifax.com/personal/credit-report-services/credit-freeze/ or +1 (888) 766-0008
  - Experian: https://www.experian.com/freeze/center.html or +1 (888) 397-3742
  - TransUnion: https://www.transunion.com/credit-freeze or +1 (800) 680-7289;
- Place a fraud alert on your credit report. A fraud alert tells lenders and creditors to take extra steps to verify your identity before issuing credit. You can place a fraud alert by contacting any one of the three major credit bureaus; and
- Additional Resources. If you believe you are a victim of identity theft, go to identitytheft.gov for assistance on how to report it and recover from it—or contact the Department of Justice’s Office of Consumer Protection at 406-444-4500 for help.
To strengthen its data security and breach notification practices under the settlement, Blackbaud agreed to the following:
- Prohibition against misrepresentations related to the processing, storing, and safeguarding of personal information; the likelihood that personal information affected by a security incident may be subject to further disclosure or misuse; and breach notification requirements under state law and HIPAA.
- Implementation and maintenance of incident and breach response plans to prepare for and more appropriately respond to future security incidents and breaches.
- Breach notification provisions that require Blackbaud to provide appropriate assistance to its customers and support customers’ compliance with applicable notification requirements in the event of a breach.
- Security incident reporting to the CEO and Board, enhanced employee training, and appropriate resources and support for cybersecurity.
- Personal information safeguards and controls requiring total database encryption and dark web monitoring.
- Specific security requirements with respect to network segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, and penetration testing.
- Third-party assessments of Blackbaud’s compliance with the settlement for 7 years.
###