A Teachable Moment? Lessons Learned From The Blackbaud Data Security Breach
This past summer, many independent schools and other non-profits received a communication from Blackbaud, Inc. ("Blackbaud"), a popular cloud software company that many organizations use to record and manage data, from donor information, to school finances, to vendor relationships and beyond. The communication from Blackbaud notified schools that information contained on Blackbaud backup files had been accessed by a cybercriminal.
School IT departments and other administrators sprang into action to determine: (1) what information may have been accessed; (2) whether the school was required to (or otherwise should) report the breach to those whose information had been accessed; and (3) what, if anything, they should do in the future to protect their information.
Now that schools have weathered the immediate storm from the Blackbaud breach and made any required and/or optional notifications to the affected community members, the focus has shifted to the third element above - namely, how schools can best minimize the impact of any future data security breaches.
How We Got Here
In July of 2020, Blackbaud notified many of its clients that approximately two months earlier, Blackbaud had discovered and stopped a ransomware attack. Blackbaud's Cyber Security team -- working with independent forensics experts and law enforcement -- successfully prevented the cybercriminal from blocking Blackbaud's access to its own systems, and ultimately expelled the cybercriminal from Blackbaud's systems.
However, before Blackbaud locked the cybercriminal out, the cybercriminal removed a copy of a subset of data from Blackbaud's systems. According to Blackbaud, the cybercriminal did not access credit card information, bank account information, usernames, passwords, or Social Security numbers.
Additionally, Blackbaud paid the cybercriminal's demand and received confirmation that the data copy the cybercriminal removed had been destroyed. Blackbaud concluded that "[b]ased on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly." It bears noting that such confirmation comes from the attacker and cannot be independently verified, so schools should treat it as lowering the likelihood of misuse rather than as a guarantee.
How Schools Responded
The most pressing questions for independent schools in the wake of the incident were whether (i) they were legally required to notify community members whose data was compromised, and/or (ii) they were legally required to notify governmental authorities (often the Attorney General of the state of residence of a person whose information was compromised) of the breach.
All fifty U.S. states and many international jurisdictions have laws protecting the "personal information" of their residents. Most of these laws were adopted in the last two decades in response to high-profile data security breaches that exposed individuals to identity theft. Though these data security laws vary widely in the definitions of "personal information" and specific mandates, they all require entities to protect certain sensitive information of residents, and subject entities to various notification requirements in the case of a data security breach.
According to Blackbaud, much of the information contained in its client databases that would have triggered notification obligations under most state data protection statutes was either not accessed by the cybercriminal or was accessed only in encrypted form. However, whether any notification requirements applied for any given school required careful consideration of a number of factors, including, but not limited to, (1) all the types of information contained in the school's Blackbaud database(s); (2) where the data subjects resided; and (3) the requirements of the data protection laws in those jurisdictions.
Analysis of these factors required close attention to detail and, in most cases, the advice of legal counsel. Some issues that complicated this analysis included the following:
• Whether unencrypted, sensitive information (credit card information, medical information, etc.) was contained in the "notes" field(s) of the relevant databases.
• Whether check images, or other documents containing sensitive information, were uploaded to the affected databases.
• Differing definitions of "personal information" triggering data breach notification obligations, based on the states of residence of the affected individuals. (For example, many states' data security laws include certain medical information in their definition of "personal information," while others do not.)
• Whether the relevant state laws required notification of state officials (in addition to the affected individuals).
• Whether the relevant state laws required schools to offer to pay for credit monitoring for affected individuals.
Schools maintain vast amounts of information regarding students, employees, parents, donors, alumni and vendors. Though some data security incidents (including breaches) may be unavoidable, legal requirements and principles of good stewardship dictate that schools take steps to secure that information to the greatest extent practicable.
Many of the institutions that were impacted most by the Blackbaud breach could have avoided or reduced their exposure. For instance, schools that kept medical information or credit card information in the notes fields of their fundraising databases and/or uploaded images of checks to these databases (1) typically had notification obligations in multiple jurisdictions; and (2) often had to spend numerous hours searching their databases. Because notes fields are free text, they cannot be filtered the way structured fields can, and in some cases school administrators had to read individual notes fields one-by-one in order to determine what (and whose) information may have been compromised.
Though the Blackbaud data breach had a far-reaching impact in the education and non-profit communities, the impact could have been much more severe. Based on information provided by Blackbaud, most of the truly sensitive information that was subject to the breach was encrypted, and the information that was exposed was apparently not disseminated beyond the cybercriminal responsible for the breach. Because of this, many schools did not have any statutory reporting obligations, and others had very limited obligations (for example, having to notify only a few alumni living in states with particularly broad definitions of personal information).
Nonetheless, the incident is a reminder for school administrators and IT professionals regarding the importance of protecting confidential information.
Going forward, schools should revisit their data protection policies and should consider adopting a comprehensive approach to data management and data security. At a minimum, such an approach would include:
• Strict compliance with applicable data protection laws (international, federal, state and local).
• Appointing a trusted administrator to oversee the school's data protection efforts.
• Adopting and/or updating a document destruction and retention plan.
• Adhering to clear standards regarding what information should -- and should not -- be entered into the school's databases (e.g., "personal information" should not be entered into free-text "notes fields," which typically do not receive the field-level encryption applied to structured payment and identifier fields and are difficult to search after an incident).
• Establishing physical safeguards aimed at protecting the school's paper files.
• Conducting frequent audits of the school's electronic and physical files to flag potential data protection concerns.
• Careful analysis of the protections offered and the protocols followed by any vendors who have access to sensitive information about community members (e.g., ensuring that vendors encrypt "personal information" and other sensitive information).
• Regular, comprehensive employee professional development programming related to issues of data protection.
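The one-by-one review of notes fields described above, and the audit bullet in the list, are the kind of task a school's IT department can script rather than do by hand. What follows is an added example, not Blackbaud's or any school's code: a scan over a constructed CSV export of a constituent database that flags notes fields containing Luhn-valid card numbers, Social Security number patterns, or medical terms, and then groups the flagged records by state of residence, the first input to the notification analysis. The column names, the medical keyword list and the sample records are assumptions made for the example.

```python
"""Scan the free-text "notes" field of a constituent database export for
sensitive data that should never have been stored there.

Added example, not Blackbaud's or any school's code. The CSV below is
constructed sample data; the column names are an assumption about what
an export might look like.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample export; none of these records or people are real.
SAMPLE_EXPORT = """\
constituent_id,state,notes
1001,MA,"Pledged $500 at gala. Card on file 4111 1111 1111 1111 exp 12/24"
1002,NY,"Alumna class of 1998. Allergic to penicillin; carries epi-pen"
1003,CA,"Prefers email contact. Phone 617-555-0199"
1004,TX,"Payroll setup: SSN 123-45-6789 (temporary coach)"
1005,MA,"Tour scheduled 3/14. Order number 4111111111111112"
"""


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; weeds out random digit runs
    (order numbers, ticket IDs) that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Assumed keyword list; a real deployment would tune this against its own data.
MEDICAL_TERMS = ("allergic", "allergy", "diagnos", "medication", "epi-pen", "prescription")


def classify_note(note: str) -> list:
    """Return the kinds of sensitive data found in one notes field."""
    kinds = []
    for m in CARD_RE.finditer(note):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            kinds.append("card_number")
            break
    if SSN_RE.search(note):
        kinds.append("ssn")
    lowered = note.lower()
    if any(term in lowered for term in MEDICAL_TERMS):
        kinds.append("medical")
    return kinds


def scan_export(csv_text: str) -> list:
    """Scan every row and report record id, state and the kinds found.
    The matched values themselves are deliberately not copied into the
    report, so the audit output does not become a second copy of the data."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        kinds = classify_note(row["notes"])
        if kinds:
            findings.append({
                "constituent_id": row["constituent_id"],
                "state": row["state"],
                "kinds": kinds,
            })
    return findings


def affected_states(findings: list) -> dict:
    """Group flagged records by state of residence; each state's breach
    notification statute then has to be checked against the kinds found."""
    by_state = defaultdict(list)
    for f in findings:
        by_state[f["state"]].append(f["constituent_id"])
    return dict(by_state)


if __name__ == "__main__":
    hits = scan_export(SAMPLE_EXPORT)
    for h in hits:
        print(h)
    print(affected_states(hits))
```

Run against the constructed export, the scan flags records 1001 (card number), 1002 (medical) and 1004 (SSN); the phone number in 1003 is too short to be a card number and the order number in 1005 fails the Luhn check, so neither is reported. The same scan run periodically against a fresh export is one concrete form of the audit recommended above, and it is far cheaper to run before an incident than during one.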
* * *
If you have any questions about data protection issues and/or responding to a data security breach, please feel free to reach out to one of our experienced education law attorneys, who regularly advise independent schools and other clients on these matters.