Blackbaud, a popular supplier of automated fundraising tools and related technology services for nonprofits, schools and universities, last week began notifying customers worldwide that it was the victim of a ransomware attack that may have resulted in the unauthorized disclosure of customer data. Some of the Blackbaud services known to have been compromised include Altru, Financial Edge NXT, NetCommunity, and Raiser’s Edge NXT.

Blackbaud’s customer notice asserts that: it paid the ransom; it somehow confirmed that the cybercriminal’s copy was destroyed and not further shared; and financial account information was protected by encryption and not accessed by the cybercriminal. Nevertheless, the notice indicates that a “subset” of customer data may have been exposed to the cybercriminal, including other personal information about donors, students, or other customer constituents.

Blackbaud is directing customers to an incident response resource page on its website, including a “toolkit” for responding to the breach and addressing the potential regulatory obligations of customers to notify their constituents of the breach. The toolkit materials indicate that the compromise persisted over three months from February 7 to May 20, 2020.

Although Blackbaud customers should promptly review the company’s notice and suggested resources, organizations should also consider the following steps, which apply generally no matter which of your third party vendors experiences a security incident potentially involving constituent personal data:

  1.  Consult your incident response plan, vendor management policies, and cyber insurance coverage. If you don’t have these, make a note to correct that after this particular incident is under control. These policies, properly tested, ready organizations for the rush of decisions and communications that necessarily follow discovery of an information security incident. Some data breach insurance coverages come with incident response resources, including coverage for breach counsel and PR firms.
  2. Know exactly what categories of personal information were likely compromised. True, if personal financial account info was not accessed and was properly encrypted, most data breach notification laws will not be triggered. However, the legal definitions of protected personal information vary by statute, by state, and by country. Pursue answers from Blackbaud until you are satisfied. Understand what are Blackbaud’s obligations under the applicable Terms of Service to cooperate with your investigation and confirm that they have timely complied.
  3. Know where potentially impacted constituents are located. Breach notification requirements vary by jurisdiction. Individuals located in the European Union, for example, have broader rights in their personal info, which may require notification not required elsewhere. Prompt reporting and consultation may also be required by the applicable EU member state data protection authority under the GDPR. Because the compromise lasted 3 months and because Blackbaud took an additional 2 months to notify customers, timely reporting (if required) will be challenging.
  4. Document your incident response and decision making. Whether you decide to notify constituents or not, document your investigation, analysis, and decisions. In most cases, it is the data “owner” and not the service provider who is accountable for ensuring the protection of personal information. If ever called upon to demonstrate that you took appropriate action, your documentation should serve you well.
  5. Don’t go it alone. Although you may decide to notify constituents because you believe it is the right thing to do, whether, when, and how to do so involve legal questions and risk. Keep your legal team, including privacy and data security counsel, in the loop.

If you have any questions or would like additional information, please contact any member of our Privacy and Data Security team:

Sherwin M. Yoder, CIPP/US, CIPP/E, CIPM
(203) 784-3107; syoder@carmodylaw.com

Jennifer A. Calcagni
(203) 575-2648; jcalcagni@carmodylaw.com

Damian K. Gunningsmith
(203) 784-3185; dgunningsmith@carmodylaw.com

Todd Michaelis
(203) 578-4287; tmichaelis@carmodylaw.com

Tamara Nyce
(203) 578-4275; tnyce@carmodylaw.com

Arthur G. Schaier
(203) 575-2629; aschaier@carmodylaw.com