Blackbaud, Inc.; Analysis of Proposed Consent Order To Aid Public Comment

Federal Register, Feb. 13, 2024
89 Fed. Reg. 10076 (Feb. 13, 2024)

AGENCY:

Federal Trade Commission.

ACTION:

Proposed consent agreement; request for comment.

SUMMARY:

The consent agreement in this matter settles alleged violations of federal law prohibiting unfair or deceptive acts or practices. The attached Analysis of Proposed Consent Order to Aid Public Comment describes both the allegations in the complaint and the terms of the consent order—embodied in the consent agreement—that would settle these allegations.

DATES:

Comments must be received on or before March 14, 2024.

ADDRESSES:

Interested parties may file comments online or on paper by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Please write “Blackbaud, Inc.; File No. 202 3181” on your comment and file your comment online at https://www.regulations.gov by following the instructions on the web-based form. If you prefer to file your comment on paper, please mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Mail Drop H–144 (Annex D), Washington, DC 20580.

FOR FURTHER INFORMATION CONTACT:

Cathlin Tully (202–326–3644), Attorney, Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580.

SUPPLEMENTARY INFORMATION:

Pursuant to section 6(f) of the Federal Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, notice is hereby given that the above-captioned consent agreement containing a consent order to cease and desist, having been filed with and accepted, subject to final approval, by the Commission, has been placed on the public record for a period of 30 days. The following Analysis to Aid Public Comment describes the terms of the consent agreement and the allegations in the complaint. An electronic copy of the full text of the consent agreement package can be obtained at https://www.ftc.gov/news-events/commission-actions.

You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before March 14, 2024. Write “Blackbaud, Inc.; File No. 202 3181,” on your comment. Your comment—including your name and your state—will be placed on the public record of this proceeding, including, to the extent practicable, on the https://www.regulations.gov website.

Because of heightened security screening, postal mail addressed to the Commission will be subject to delay. We strongly encourage you to submit your comments online through the https://www.regulations.gov website. If you prefer to file your comment on paper, write “Blackbaud, Inc.; File No. 202 3181” on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Mail Drop H–144 (Annex D), Washington, DC 20580.

Because your comment will be placed on the publicly accessible website at https://www.regulations.gov, you are solely responsible for making sure your comment does not include any sensitive or confidential information. In particular, your comment should not include sensitive personal information, such as your or anyone else's Social Security number; date of birth; driver's license number or other state identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. You are also solely responsible for making sure your comment does not include sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any “trade secret or any commercial or financial information which . . . is privileged or confidential”—as provided by Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)—including competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.

Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled “Confidential,” and must comply with FTC Rule § 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule § 4.9(c). Your comment will be kept confidential only if the General Counsel grants your request in accordance with the law and the public interest. Once your comment has been posted on the https://www.regulations.gov website—as legally required by FTC Rule § 4.9(b)—we cannot redact or remove your comment from that website, unless you submit a confidentiality request that meets the requirements for such treatment under FTC Rule § 4.9(c), and the General Counsel grants that request.

Visit the FTC website at https://www.ftc.gov to read this document and the news release describing the proposed settlement. The FTC Act and other laws the Commission administers permit the collection of public comments to consider and use in this proceeding, as appropriate. The Commission will consider all timely and responsive public comments it receives on or before March 14, 2024. For information on the Commission's privacy policy, including routine uses permitted by the Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.

Analysis of Proposed Consent Order To Aid Public Comment

The Federal Trade Commission (the “Commission”) has accepted, subject to final approval, an agreement containing a consent order from Blackbaud, Inc. (“Respondent” or “Blackbaud”). The proposed consent order (“Proposed Order”) has been placed on the public record for 30 days for receipt of comments by interested persons. Comments received during this period will become part of the public record. After 30 days, the Commission will again review the agreement, along with any comments received, and will decide whether it should withdraw from the agreement and take appropriate action or make final the Proposed Order.

Blackbaud is a publicly traded South Carolina corporation that provides a variety of data services and financial, fundraising, and administrative software solutions to over 45,000 companies, nonprofits, foundations, educational institutions, healthcare organizations, and individual customers throughout the U.S. and abroad. Blackbaud maintains the personal information of millions of U.S. consumers who have donor, student, patient, and other relationships with Blackbaud's customers.

According to the FTC's Complaint, despite representing that it would protect consumers' data from unauthorized access through a variety of safeguards, from February through May 2020 Blackbaud's networks suffered a data breach in which an attacker exfiltrated data belonging to thousands of Blackbaud customers. This data comprised millions of consumers' personal information, including, in some cases, sensitive information such as Social Security numbers and financial information. Adding to the scope and severity of the breach was Blackbaud's indefinite retention of customer backup files, which impacted additional current, prospective, and former customers whose consumer data would not otherwise have been affected by the breach. And when Blackbaud informed customers of the breach in July 2020, its initial breach notification statement inaccurately stated that the hacker had not stolen sensitive consumer data. Blackbaud did not correct this information until October 2020, despite knowing it was inaccurate only a couple of weeks after the initial breach notification.

The Commission's proposed five-count complaint alleges that Respondent violated section 5(a) of the FTC Act by (1) failing to employ reasonable information security practices to protect consumers' personal information; (2) failing to implement and enforce reasonable data retention practices; (3) failing to accurately communicate about the breach in its initial breach notification; (4) misrepresenting that it used appropriate safeguards to protect consumers' personal information; and (5) misrepresenting the scope of the breach by stating that consumers' personal information had not been impacted by the breach in its initial notification. With respect to the first count, the proposed complaint alleges that Respondent:

  • failed to implement appropriate password controls, which resulted in employees often using default, weak, or identical passwords;
  • failed to apply adequate multifactor authentication for both employees and customers to protect sensitive consumer information;
  • failed to prevent data theft by (1) monitoring for unauthorized attempts to transfer or exfiltrate consumers' personal information from its networks; (2) continuously logging and monitoring its systems and assets to identify data security events; and (3) performing regular assessments of the effectiveness of its protection measures;
  • failed to implement and enforce appropriate data retention schedules and deletion practices for the vast amounts of consumers' personal information stored on its network;
  • failed to patch outdated software and systems in a timely manner;
  • failed to test, audit, assess, or review its products' or applications' security features, and to conduct regular risk assessments, vulnerability scans, and penetration testing of its networks and databases;
  • failed to implement appropriate firewall controls; and
  • failed to implement appropriate network segmentation to prevent attackers from moving freely across its networks and databases.

The proposed complaint alleges that Respondent could have addressed each of these failures by implementing readily available and relatively low-cost security measures. With respect to the second count, the proposed complaint alleges that Respondent failed to implement and enforce reasonable data retention practices for sensitive consumer data maintained by its customers on its network. With respect to the third count, the proposed complaint alleges that Respondent failed to accurately communicate the scope and severity of the breach in its initial notification to consumers.

The proposed complaint alleges that, with respect to counts one, two, and three, Respondent's failures caused, or are likely to cause, substantial injury to consumers that is not outweighed by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers themselves. Such practices constitute unfair acts or practices under section 5 of the FTC Act.

With respect to the fourth count, the proposed complaint alleges that, at various times, Respondent claimed that it used appropriate safeguards to protect consumers' personal information. The proposed complaint alleges that, in reality, and as noted above, Respondent failed to implement reasonable measures to protect consumers' personal information. Such representations were deceptive under section 5 of the FTC Act.

With respect to the fifth count, the proposed complaint alleges that, in its initial breach notification, Respondent claimed that consumers' personal information had not been subject to the breach. The proposed complaint alleges that, in reality, and as noted above, consumers' personal information had been exfiltrated by the attacker in the breach. Such representations were, therefore, deceptive under section 5 of the FTC Act.

Summary of the Proposed Order With Respondent

The Proposed Order contains injunctive relief designed to prevent Respondent from engaging in the same or similar acts or practices in the future. Part I prohibits Respondent from misrepresenting the extent (1) to which it maintains, uses, deletes, or discloses consumers' personal information; (2) to which it protects the privacy, security, availability, confidentiality, or integrity of consumers' personal information; or (3) of any future data security incident or unauthorized disclosure of consumers' personal information.

Part II requires Respondent to delete or destroy customer backup files containing consumers' personal information that are not being retained to provide its products or services and to refrain from maintaining consumers' personal information that is not necessary for the purposes for which it is maintained by Respondent. Part III requires that Respondent document and adhere to a retention schedule for its customer backup files containing consumers' personal information, including the purposes for which it maintains such information, the business needs for its retention, and the timeframe for its deletion.
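Parts II and III describe the outcome (no backups kept without a documented purpose, and a schedule that records purpose, business need, and deletion timeframe) but not how a company would enforce it. The following is an added illustration written for this page, not code from the Proposed Order or from Blackbaud: a small Python checker that evaluates a backup inventory against a documented retention schedule. The retention classes, customer statuses, timeframes, and the sample inventory are all hypothetical assumptions; the point is the decision logic, in particular that a backup with no documented purpose is routed to a human for review rather than silently kept or silently deleted.

```python
"""Evaluate customer backup files against a documented retention schedule.

Added illustration; not the order's text nor Blackbaud's code. The schedule
entries, customer statuses and sample inventory below are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Hypothetical retention schedule of the kind Part III calls for: each class
# records the purpose, the business need, whom it applies to, and the
# deletion timeframe. (Assumption: classes and day counts are illustrative.)
RETENTION_SCHEDULE = {
    "service_delivery": {
        "purpose": "Restore a current customer's hosted environment",
        "business_need": "Contractual disaster-recovery commitment",
        "applies_to": {"current"},
        "retention_days": 90,
    },
    "offboarding_export": {
        "purpose": "Return data to a former customer after contract end",
        "business_need": "Final data-export window",
        "applies_to": {"former"},
        "retention_days": 30,
    },
}


@dataclass(frozen=True)
class BackupFile:
    path: str
    customer_status: str            # "current", "former" or "prospective"
    retention_class: Optional[str]  # key into RETENTION_SCHEDULE, or None
    created: date
    contains_pii: bool


@dataclass(frozen=True)
class Decision:
    path: str
    action: str                     # "keep", "delete" or "review"
    reason: str


def evaluate(backup: BackupFile, today: date) -> Decision:
    """Apply the schedule to one backup and explain the outcome."""
    if not backup.contains_pii:
        return Decision(backup.path, "keep", "no personal information; outside schedule scope")
    entry = RETENTION_SCHEDULE.get(backup.retention_class or "")
    if entry is None:
        # No documented purpose means the file should not be retained, but an
        # unclassified backup is exactly the kind of thing an automated
        # deleter gets wrong, so hand it to an owner instead of acting.
        return Decision(backup.path, "review", "no documented retention purpose")
    if backup.customer_status not in entry["applies_to"]:
        # The purpose exists but no longer fits this customer (e.g. a former
        # customer's backup still filed under service delivery).
        return Decision(backup.path, "review",
                        f"purpose '{entry['purpose']}' does not apply to a "
                        f"{backup.customer_status} customer")
    age_days = (today - backup.created).days
    if age_days > entry["retention_days"]:
        return Decision(backup.path, "delete",
                        f"{age_days} days old exceeds {entry['retention_days']}-day timeframe")
    return Decision(backup.path, "keep", f"within {entry['retention_days']}-day timeframe")


def plan(backups: List[BackupFile], today: date) -> Tuple[List[Decision], Dict[str, int]]:
    """Evaluate every backup and tally the actions."""
    decisions = [evaluate(b, today) for b in backups]
    summary = {"keep": 0, "delete": 0, "review": 0}
    for d in decisions:
        summary[d.action] += 1
    return decisions, summary


# Constructed sample inventory (not real data).
SAMPLE_BACKUPS = [
    BackupFile("bk/acme-2024-01-01.bak", "current", "service_delivery", date(2024, 1, 1), True),
    BackupFile("bk/acme-2023-09-01.bak", "current", "service_delivery", date(2023, 9, 1), True),
    BackupFile("bk/oldco-2023-12-20.bak", "former", "offboarding_export", date(2023, 12, 20), True),
    BackupFile("bk/oldco-2022-05-05.bak", "former", "service_delivery", date(2022, 5, 5), True),
    BackupFile("bk/trial-2021-03-03.bak", "prospective", None, date(2021, 3, 3), True),
    BackupFile("bk/config-2024-02-01.bak", "current", None, date(2024, 2, 1), False),
]


def run_sample() -> Tuple[List[Decision], Dict[str, int]]:
    """Run the checker over the constructed inventory as of 2024-02-13."""
    return plan(SAMPLE_BACKUPS, date(2024, 2, 13))


if __name__ == "__main__":
    decisions, summary = run_sample()
    for d in decisions:
        print(f"{d.action:6} {d.path}  ({d.reason})")
    print(summary)
```

Two design choices matter in practice. First, the schedule is data, not code, so the documented purpose and timeframe that Part III requires are the same artifact the enforcement reads, and changing one changes the other. Second, "review" is a distinct outcome: indefinite retention usually comes from backups nobody owns, and the fix is to surface them, not to let the script guess.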

Part IV requires that Respondent establish and implement, and thereafter maintain, a comprehensive information security program that protects the security, availability, confidentiality, and integrity of consumers' personal information. Part V requires Respondent to obtain initial and biennial information security assessments by an independent, third-party professional for 20 years. Part VI requires Respondent to disclose all material facts to the assessor required by Part V and prohibits Respondent from misrepresenting any fact material to the assessments required by Part V.

Part VII requires Respondent to submit an annual certification from its Chief Information Security Officer that the company has implemented the requirements of the Order and is not aware of any material noncompliance that has not been corrected or disclosed to the Commission. Part VIII requires Respondent to notify the Commission any time it notifies a federal, state, or local government that consumer personal information was, or is reasonably believed to have been, accessed, acquired, or publicly exposed without authorization.

Parts IX–XII are reporting and compliance provisions, which include recordkeeping requirements and provisions requiring Respondent to provide information or documents necessary for the Commission to monitor compliance. Part XIII states that the Proposed Order will remain in effect for 20 years, with certain exceptions.

The purpose of this analysis is to facilitate public comment on the Proposed Order, and it is not intended to constitute an official interpretation of the complaint or Proposed Order, or to modify the Proposed Order's terms in any way.

By direction of the Commission.

April J. Tabor,

Secretary.

Joint Statement of Chair Lina M. Khan, Commissioner Rebecca Kelly Slaughter, and Commissioner Alvaro M. Bedoya

Today the FTC brings an enforcement action against Blackbaud for a series of unfair and deceptive data security practices. Blackbaud provides backend services for a variety of entities, ranging from businesses and nonprofits to schools and healthcare organizations. As noted in the FTC's complaint, Blackbaud in 2020 was struck by a data breach that exposed the personal data of millions of Americans. The FTC charges that Blackbaud's reckless data retention practices rendered its security failures much more costly: by hoarding reams of data that it did not reasonably need, Blackbaud's breach exposed far more data. Moreover, Blackbaud's notification alerting victims of the breach included false statements, which Blackbaud did not correct until months later—and months after it knew the statements were false.

The FTC's complaint alleges that Blackbaud's practices violated Section 5's prohibition on unfair or deceptive practices. The complaint marks a new step forward by alleging standalone unfairness counts for (a) failure to implement and enforce reasonable data retention practices (Count II) and (b) failure to accurately communicate the scope and severity of the breach in its notification to consumers (Count III). Blackbaud's data retention failures exacerbated the harms of its data security failures because Blackbaud had failed to delete data it no longer needed. This action illustrates how indefinite retention of consumer data, which can lure hackers and magnify the harms stemming from a breach, is independently a prohibited unfair practice under the FTC Act. Similarly, Blackbaud's failure to accurately convey the scope and severity of the breach kept victims in the dark and delayed them from taking protective actions, making a bad situation even worse.

Complaint, In re Blackbaud, Inc., Docket No. C–4804 (Jan. 30, 2024) ¶¶ 29–34, https://www.ftc.gov/system/files/ftc_gov/pdf/Blackbaud-Complaint.pdf.

Today's action builds on a series of cases that have made clear that maintaining a data retention and deletion schedule is a critical part of protecting consumers' data security. The Commission has also made clear that efforts to downplay the extent or severity of a data breach run afoul of the law.

See, e.g., Press Release, Fed. Trade Comm'n, Rite Aid Banned from Using AI Facial Recognition After FTC Says Retailer Deployed Technology Without Reasonable Safeguards (Dec. 19, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/12/rite-aid-banned-using-ai-facial-recognition-after-ftc-says-retailer-deployed-technology-without; Press Release, Fed. Trade Comm'n, FTC Finalizes Order With Online Alcohol Marketplace For Security Failures That Exposed Personal Data of 2.5 Million People (Jan. 10, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/01/ftc-finalizes-order-online-alcohol-marketplace-security-failures-exposed-personal-data-25-million; Press Release, Fed. Trade Comm'n, FTC Brings Action Against Ed Tech Provider Chegg for Careless Security that Exposed Personal Data of Millions of Customers (Oct. 31, 2022); Press Release, Fed. Trade Comm'n, FTC Takes Action Against Global Tel*Link Corp. for Failing to Adequately Secure Data, Notify Consumers After Their Personal Data Was Breached (Nov. 16, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/11/ftc-takes-action-against-global-tellink-corp-failing-adequately-secure-data-notify-consumers-after. See also FTC Technology Blog, Security Principles: Addressing Underlying Causes of Risk in Complex Systems (Feb. 1, 2023), https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2023/02/security-principles-addressing-underlying-causes-risk-complex-systems.

See, e.g., Press Release, Fed. Trade Comm'n, FTC Takes Action Against CafePress for Data Breach Cover Up (Mar. 15, 2022), https://www.ftc.gov/news-events/news/press-releases/2022/03/ftc-takes-action-against-cafepress-data-breach-cover. See also FTC Technology Blog, Security Beyond Prevention: The Importance of Effective Breach Disclosures (May 20, 2022), https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2022/05/security-beyond-prevention-importance-effective-breach-disclosures.

We are grateful to the Division of Privacy and Identity Protection for their excellent work, which enables us to continue making key strides in protecting people's data. As businesses face fresh incentives to hoard data to train AI models, protecting Americans from unlawful data practices will be especially critical.

Press Release, Fed. Trade Comm'n, FTC and DOJ Charge Amazon with Violating Children's Privacy Law by Keeping Kids' Alexa Voice Recordings Forever and Undermining Parents' Deletion Request (May 31, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-doj-charge-amazon-violating-childrens-privacy-law-keeping-kids-alexa-voice-recordings-forever.

[FR Doc. 2024–02970 Filed 2–12–24; 8:45 am]

BILLING CODE 6750–01–P