FTC Order Will Require Blackbaud to Delete Unnecessary Data, Boost Safeguards to Settle Charges its Lax Security Practices Led to Data Breach
Federal Trade Commission

South Carolina-based Blackbaud Inc. will be required to delete personal data that it doesn't need to retain as part of a settlement with the Federal Trade Commission over charges that the company's lax security allowed a hacker to breach the company's network and access the personal data of millions of consumers, including Social Security and bank account numbers.

In its complaint, the FTC says that Blackbaud, which provides data services and financial, fundraising and administrative software services to companies, nonprofits, healthcare organizations and others, failed to implement appropriate safeguards to secure and protect the vast amounts of personal data it maintains as part of the services it provides to its clients.

"Blackbaud's shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers," said Samuel Levine, Director of the FTC's Bureau of Consumer Protection. "Companies have a responsibility to secure data they maintain and to delete data they no longer need."

The FTC says that despite promising customers that it "takes appropriate physical, electronic, and procedural safeguards to protect your personal information," Blackbaud deceived users by failing to put in place such safeguards. For example, the company failed to monitor attempts by hackers to breach its networks, segment data to prevent hackers from easily accessing its networks and databases, ensure that data that is no longer needed is deleted, adequately implement multifactor authentication, and test, review and assess its security controls. In addition, the company allowed employees to use default, weak or identical passwords for their accounts, according to the complaint.

As a result of these failures, a hacker in early 2020 accessed a customer's Blackbaud-hosted database, according to the complaint. Once logged in, the attacker was able to move freely across multiple Blackbaud-hosted environments by leveraging existing vulnerabilities and local administrator accounts and by creating new administrator accounts, according to the complaint. The breach went undetected for three months, allowing the hacker to remove massive amounts of unencrypted sensitive consumer data belonging to Blackbaud's customers.

In addition to failing to encrypt sensitive data and implement adequate firewalls to help protect it, Blackbaud held onto data far longer than was necessary for the purpose for which it was maintained, including information belonging to former customers, according to the complaint.

Once the company detected the breach, Blackbaud agreed to pay a ransom of 24 Bitcoin, worth about $250,000, after the hacker threatened to expose the stolen data. The company never verified, however, that the hacker actually deleted the stolen data, according to the complaint.

At the same time, the company waited nearly two months to notify its customers about the breach and then misled consumers about the extent of the data that was stolen, telling customers they did not need to take any action in response to the breach, according to the complaint. Even though it knew as early as the end of July 2020 that the hacker had obtained sensitive data, including Social Security and bank account information, the company waited another two months before it told its customers about the full scope of the breach. The FTC says this delay harmed consumers, who were unable to take steps to protect themselves from identity theft and other potential harms resulting from the breach.

In addition to requiring Blackbaud to delete data that it no longer needs to provide products or services to its customers, the proposed order will prohibit the company from misrepresenting its data security and data retention policies. The proposed order also will require Blackbaud to develop a comprehensive information security program that addresses the issues highlighted by the FTC's complaint, and to put in place a data retention schedule detailing why it maintains personal data and when it will delete such information. The proposed order also requires that Blackbaud notify the FTC if it experiences a future data breach that it is required to report to any other local, state or federal agency.

The Commission voted 3-0 to issue the administrative complaint and to accept the proposed consent agreement with Blackbaud. FTC Chair Lina M. Khan and Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya issued a joint statement.

The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register, after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has "reason to believe" that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $51,744.

The lead staff attorneys on this matter are Cathlin Tully and Kamay Lafalaise from the FTC's Bureau of Consumer Protection.

The Federal Trade Commission works to promote competition and protect and educate consumers. Learn more about consumer topics at consumer.ftc.gov, or report fraud, scams, and bad business practices at ReportFraud.ftc.gov. Follow the FTC on social media, read consumer alerts and the business blog, and sign up to get the latest FTC news and alerts.

Blog: FTC says Blackbaud's lax security allowed hacker to steal sensitive data, and that's just the beginning of the story
Data Breach Response: A Guide for Business
Data Security