Blackbaud Inc., a publicly traded software maker that experienced a large-scale data breach in 2020, has agreed to settle a lawsuit that the Federal Trade Commission brought over the incident.

The FTC announced the agreement on Thursday. Under the terms of the settlement, Blackbaud will be required to overhaul its cybersecurity program. Additionally, the FTC has ordered the company to revise its data retention practices.

South Carolina-based Blackbaud provides software for organizations such as nonprofits and healthcare providers. Charities use the company’s cloud applications to coordinate their fundraising efforts. Blackbaud also provides applications for other use cases, such as managing school tuitions and selling tickets to art exhibitions.

In February 2020, a hacker managed to breach the account of a Blackbaud customer. The threat actor then used that account to access tens of thousands of other organizations’ Blackbaud environments. According to the FTC, those environments contained data belonging to millions of consumers including names, addresses, financial information and other records.

The lawsuit that the agency brought over the incident accused Blackbaud of failing to implement effective cybersecurity controls ahead of the breach. In particular, the FTC charged that the company didn’t require employees to use strong passwords and neglected to monitor its network for malicious activity. Furthermore, the agency found that Blackbaud failed to adequately review and test its cybersecurity procedures.

The company’s data retention practices were another focus of the lawsuit. According to the FTC, Blackbaud stored more user information than was strictly necessary, which increased the scope of the 2020 breach. The agency charged that the company retained information belonging to current users, former customers and potential customers for years longer than it should have.

“Blackbaud’s shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “Companies have a responsibility to secure data they maintain and to delete data they no longer need.”

The FTC also took issue with the manner in which Blackbaud responded to the breach. The company only detected the incident in March 2020, three months after the hacker first gained access to its network. It notified customers two months later and failed to disclose the full scope of the incident in the initial alert.

Under Blackbaud’s newly announced settlement with the FTC, the company must develop a comprehensive cybersecurity program. Additionally, it will have to delete personal information that doesn’t necessarily have to be retained. As part of the latter commitment, Blackbaud must implement a data retention schedule detailing the reasons it stores personal information as well as the time frame in which that information will be deleted.

Should the company experience a breach in the future, it will have to notify the FTC. This provision of the settlement applies to cybersecurity incidents that must be reported to “any other local, state, or federal agency.” Likewise in the interest of improving transparency, the FTC’s order prohibits Blackbaud from misrepresenting its data security and data retention policies. 

The agency will release the text of the settlement in the near future. The FTC plans to invite comments from the public for 30 days, after which it will decide whether to finalize the agreement.

Photo of FTC headquarters: Carol Highsmith/Wikimedia