The Blackbaud Data Security Breach: Important New Developments
Just last month, we wrote about a data security breach that affected Blackbaud, Inc. ("Blackbaud"). As many independent schools and other non-profits know well, Blackbaud is a cloud software company that stores and manages data, from donor information to finances to vendor relationships and beyond. This data breach involved information related to school constituents (e.g., students and families, donors, alumni, faculty, and vendors). As explained in our September article, many schools - typically with the help of legal counsel - were forced to grapple with whether they were legally required to inform any constituents of the breach (or, if not, whether they wanted to voluntarily inform either all or some community members).
Recently, some independent schools have received one or two additional communications from Blackbaud concerning the same data security breach. In response to these updates, schools may need to immediately reevaluate whether any additional information has been breached and whether the school is subject to any new notification obligations.
Recap Of The Initial Breach
In July of 2020, Blackbaud notified many of its clients that approximately two months earlier, Blackbaud had discovered and stopped a ransomware attack. Blackbaud noted that, as a result, some client information was potentially exposed. At the time, however, Blackbaud claimed that the cybercriminal did not access credit card information, bank account information, usernames, passwords, or Social Security numbers.
In response, some schools determined that the information exposed in the breach (often information that was entered into the notes fields of their databases) qualified as "personal information" of the schools' constituents under relevant data security laws. Accordingly, under those applicable laws, the schools were subject to mandatory notification obligations to affected individuals, state agencies, or both.
Notification To State Attorneys General
In mid-September, Blackbaud sent entities that had been subject to the earlier data breach an email including the following key information:
We notified law enforcement when the [earlier data breach] incident occurred and are communicating with state Attorneys General from multiple states, who are evaluating the security incident. As a part of the state Attorneys' General inquiry, Blackbaud has been asked to provide the names of those organizations whose data was a part of the data security incident.
(Emphasis in original.) It would be speculative to say why the Attorneys General requested the names of the affected organizations. However, given the magnitude of the breach, it is understandable that these officials may be further investigating the matter. At this point, there is no reason to believe that any independent school's response to the breach is the subject of an investigation. Further, we are not aware of any schools that have been contacted by any Attorney General. Should that occur, we strongly recommend that such schools contact legal counsel before engaging in substantive conversations with the government authority.
Notification Of Additional Information Subject To The Breach
Even more recently, a number of independent schools received an email from Blackbaud in which the company stated:
Since we contacted you in July about your organization's involvement in the security incident, we discovered some additional information for some customers that we did not know about earlier.
The email then outlines which fields - specific to the school - comprise this "additional information." Perhaps most concerning is Blackbaud's statement that unencrypted Social Security Numbers of certain constituents were apparently included in the data breach.
Schools that received this notification likely must engage in the same process outlined in our September article. In summary, this means the school - with the assistance of legal counsel - should move swiftly to determine (1) what additional information was subject to the breach; (2) where the affected individuals reside; and (3) the requirements of the data protection laws in those jurisdictions.
Given what we currently understand based on the information provided by Blackbaud, it is possible that some schools may now have new (and perhaps significant) notification obligations - both with regard to the affected individuals and to state agencies. Further, because Social Security Numbers may have been exposed, certain schools may be required to offer credit monitoring to affected individuals.
* * *
If you have any questions about data protection issues and/or responding to the Blackbaud data security breach, please feel free to reach out to one of our experienced education law attorneys, who regularly advise independent schools and other clients on these matters.