AG Nessel Announces $49.5 Million Multistate Settlement with Blackbaud for Data Breach Impacting Thousands of Nonprofits, Millions of Consumers

LANSING – Michigan Attorney General Dana Nessel announced that Michigan, along with 49 other attorneys general, has reached a settlement with software company Blackbaud for its deficient data security practices and response to a 2020 ransomware event that exposed the personal information of millions of consumers across the United States. Under the settlement, Blackbaud has agreed to overhaul its data security and breach notification practices and make a $49.5 million payment to states. Michigan will receive $1,150,595 from the settlement.

Blackbaud provides software to various nonprofit organizations, including charities, higher education institutions, K-12 schools, healthcare organizations, religious organizations, and cultural organizations. Blackbaud’s customers use its software to connect with donors and manage data about their constituents, including contact and demographic information, Social Security numbers, driver’s license numbers, financial information, employment and wealth information, donation history, and protected health information. This type of highly sensitive information was exposed during the 2020 data breach, which impacted over 13,000 Blackbaud customers and their respective consumer constituents.

“Companies that have access to our data have an obligation to provide security measures capable of resisting cyberattacks that may expose consumers’ most personal information,” said Nessel. “This settlement imposes new regulations on Blackbaud that will better secure its customer data and ensure that customers are notified of future breaches in a timely manner. Consumers should take precautions to protect their personal information, and this financial settlement will remind Blackbaud that prioritizing profits over customer data security can be a costly way to do business.”

This settlement resolves allegations by the attorneys general that Blackbaud violated state consumer protection laws, breach notification laws, and HIPAA by failing to implement reasonable data security and remediate known security gaps, which allowed unauthorized persons to gain access to Blackbaud’s network. Blackbaud then failed to provide its customers with timely, complete, or accurate information regarding the breach, as required by law. As a result of Blackbaud’s actions, notification to the consumers whose personal information was exposed was significantly delayed or never occurred at all insofar as Blackbaud downplayed the incident and led its customers to believe that notification was not required.

Under the settlement, Blackbaud has agreed to strengthen its data security and breach notification practices going forward, including: 

  • Prohibition against misrepresentations related to the processing, storing, and safeguarding of personal information; the likelihood that personal information affected by a security incident may be subject to further disclosure or misuse; and breach notification requirements under state law and HIPAA.
  • Implementation and maintenance of incident and breach response plans to prepare for and more appropriately respond to future security incidents and breaches.
  • Breach notification provisions that require Blackbaud to provide appropriate assistance to its customers and support customers’ compliance with applicable notification requirements in the event of a breach.
  • Security incident reporting to the CEO and Board, enhanced employee training, and appropriate resources and support for cybersecurity.
  • Personal information safeguards and controls requiring total database encryption and dark web monitoring.
  • Specific security requirements with respect to network segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, and penetration testing. 
  • Third-party assessments of Blackbaud’s compliance with the settlement for 7 years.

AG Nessel encourages Michigan consumers to take steps to protect their information. For more information, please read the Attorney General’s Consumer Alert, “Data Breaches, What to do Next.”

Your connection to consumer protection is just a click or phone call away. The Department provides a library of Consumer Alerts, which cover a wide range of topics, and can be reviewed on the Department’s website.

To file a complaint with the Attorney General, or get additional information, contact:

Consumer Protection Team 
P.O. Box 30213 
Lansing, MI 48909 
517-335-7599 
Fax: 517-241-3771 
Toll free: 877-765-8388 
Online complaint form

Indiana and Vermont co-led the multistate investigation, assisted by the Executive Committee consisting of Alabama, Arizona, Florida, Illinois, and New York, and joined by Alaska, Arkansas, Colorado, Connecticut, Delaware, the District of Columbia, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, Washington, West Virginia, Wisconsin, and Wyoming.

###