Tennessee Attorney General Announces $49.5 Million Multistate Settlement with Blackbaud for Data Breach
Attorney General Jonathan Skrmetti announced today that Blackbaud, a software company, reached a settlement with 49 attorneys general for its deficient data security practices and response to a 2020 ransomware event that exposed the personal information of millions of consumers across the United States. Blackbaud will pay $49.5 million to states as part of the settlement, with Tennessee receiving $882,312.00.
The 2020 data breach affected over 13,000 Blackbaud customers and their respective consumer constituents, exposing highly sensitive personal information. The settlement resolves allegations that Blackbaud violated state consumer protection laws, breach notification laws, and HIPAA by failing to implement reasonable data security and remediate known security gaps, which allowed unauthorized persons to gain access to Blackbaud’s network. Blackbaud also failed to provide its customers with timely, complete, and accurate information regarding the breach, as required by law.
Under the settlement, Blackbaud agreed to strengthen its data security and breach notification practices, including implementing and maintaining incident and breach response plans, providing appropriate customer assistance, and enhancing employee training. Blackbaud will also be subject to third-party assessments of its compliance with the settlement for seven years.
Indiana and Vermont co-led the multistate investigation, assisted by the Executive Committee of Alabama, Arizona, Florida, Illinois, and New York, and joined by Tennessee and 43 other states.
You may read the settlement here.