Data Security

More of the Same in the FTC’s Blackbaud Data Security Order

Published: Feb. 09, 2024

Four years ago—in early February 2020—Blackbaud, a software company that provides tools to schools, healthcare providers, and non-profit organizations, fell victim to a ransomware attack. That attack, which compromised data from some 13,000 Blackbaud customers, was disclosed several months later. Blackbaud has been in the crosshairs of regulators ever since. 

In October 2023, Blackbaud agreed to pay $49.5 million and undertake certain injunctive relief in settling consumer protection claims brought by the attorneys general of 49 states and the District of Columbia. Now, the Federal Trade Commission (“FTC”) has similarly settled with Blackbaud, addressing allegations that the company maintained inadequate security practices and was not forthcoming or timely in providing notice to those affected. The FTC’s order has two main parts.

First, the FTC’s order requires Blackbaud to delete information collected from customers that is no longer being retained “in connection with providing products or services.” While the FTC has billed this as the centerpiece of its order, digital service providers are often contractually required to delete data from former customers and state privacy laws generally impose personal information retention limits on data that is no longer needed. The FTC’s order also requires Blackbaud to issue a publicly available retention schedule, something that is fast becoming a new standard in FTC orders (including in last month’s action against InMarket).

Second, the security requirements of the Blackbaud order largely parallel what the FTC adopted in its 2022 action against Drizly and FTC GLBA Security Safeguards that prescribe financial institution security controls. While the “Mandated Information Security Program” requirements are largely identical, Blackbaud faces new encryption requirements intended to address Blackbaud’s storage of extensive amounts of sensitive information (such as Social Security numbers, financial information, and medical information). Blackbaud will be required to encrypt the data contained in these sensitive data fields regardless of where that data is stored. Blackbaud must also obtain semi-annual independent third-party security assessments for the next twenty years. Finally, Blackbaud must notify the FTC within ten days of notifying any federal, state, or local entity about a covered security incident.

In some ways, the FTC’s order offers little new, largely parroting prior orders and adopting injunctive relief that mirrors the requirements imposed on Blackbaud by the state attorneys general. But there are a few things we can learn from this case. 

First, the FTC’s consistency in data security cases evidences the Commission’s view that programmatic security controls—written plans and procedures with employees tasked with completing them—are essential. In an effort to avoid the cost and burden of complying with 20-year injunctive orders, companies collecting consumer data should consider how their security program lines up against the FTC’s repeated orders and, where applicable, FTC Security Safeguards for financial institutions. 

Second, this order recognized the difficulty that software providers have in ensuring customer adoption of security patches. The order limits Blackbaud’s duties as to certain “Delayed Update Customers” (those who do not automatically implement software updates), but in exchange requires Blackbaud to assist such customers, upon the customer’s request, in updating software in a timely manner. 

A third potential takeaway pertains to how promptly and in what manner a company discloses a data incident to those potentially affected. Although each scenario will have its own circumstances, the FTC seems to suggest that two months was too long to notify potentially affected customers and that such notification should have included enough information so that affected customers could take action and mitigate the potential effects of the incident.

The FTC continues to be extremely active in security cases, setting new expectations for corporate behavior before, during, and after cyberattacks. We will continue to monitor for the latest guidance on how these actions affect your security program.