United States of America: Issued ruling in Texas Attorneys General investigation into Blackbaud regarding data breach

On 11 December 2023, the Texas Attorney General announced a settlement in the investigation into Blackbaud regarding the data breach. Blackbaud develops software for nonprofit organisations, colleges, universities, healthcare centres, and others. Its software is used by these organisations to connect with donors and manage personal data, such as social security numbers, donation history, contact details, or protected health information. In 2020, a ransomware incident led to the exposure of consumers' personal data. Under the allegations of breaching the law by failing to have reasonable data security measures in place, and for failing to inform the consumers about the data breach, Blackbaud reached a settlement with the State of Texas, under which Blackbaud has agreed to strengthen its data security and breach notification practices, including implementing specific security requirements related to database encryption, network segmentation, access controls, timely patch management, and dark web monitoring. Blackbaud has also agreed to make a payment of USD 49.5 million to 50 states participating in a multistate settlement relating to the same 2020 data breach. Texas will collect over USD 2’766’000 of the total multistate settlement.