
Blackbaud, Inc. will be required to delete personal data that it doesn’t need to retain as part of a settlement with the FTC over charges that the company’s lax security allowed a hacker to breach the company’s network and access the personal data of millions of consumers including Social Security and bank account numbers.

UNITED STATES OF AMERICA BEFORE THE FEDERAL TRADE COMMISSION

COMMISSIONERS: Lina M. Khan, Chair; Rebecca Kelly Slaughter; Alvaro M. Bedoya; Melissa Holyoak; Andrew Ferguson

In the Matter of BLACKBAUD, INC., a corporation.

DOCKET NO. C-4804

COMPLAINT

The Federal Trade Commission, having reason to believe that Blackbaud, Inc., a corporation, (“Blackbaud”), has violated the provisions of the Federal Trade Commission Act, 15 U.S.C. § 45, and it appearing to the Commission that this proceeding is in the public interest, alleges:

  1. Respondent Blackbaud, Inc. is a Delaware corporation with its principal place of business at 65 Fairchild Street, Charleston, South Carolina 29492.

  2. The acts and practices of Blackbaud alleged in this complaint have been in or affecting commerce, as “commerce” is defined in Section 4 of the Federal Trade Commission Act, and constitute unfair and/or deceptive acts or practices, in or affecting commerce, in violation of Section 5(a) of the Federal Trade Commission Act.

Summary of the Case

  3. Blackbaud failed to use appropriate information security practices to protect consumers’ personal information. These failures allowed an attacker to access Blackbaud’s customer databases and steal personal information relating to millions of U.S. consumers, as described in greater detail below.

Blackbaud’s Business Practices

  4. Blackbaud provides a variety of data services and financial, fundraising, and administrative software services to its customers, more than 45,000 companies, nonprofits, foundations, educational institutions, healthcare organizations, and individual consumers throughout the U.S. and abroad. It maintains a wide variety of consumers’ personal information on behalf of its customers, as described below in Paragraph 8.

  5. Blackbaud generates most of its U.S. revenues primarily from software solutions in cloud and hosted environments; payment and transaction services; software maintenance and support services; and professional services, including implementation, consulting, training, and analytic services. It earned annual revenues of approximately $1.1 billion in 2022.

Data Breach

  6. On February 7, 2020, an attacker gained access to Blackbaud’s self-hosted legacy product databases. The attacker remained undetected for over three months, until May 20, 2020, when a member of Blackbaud’s engineering team identified a suspicious login on a backup server. By the time Blackbaud discovered the breach, the attacker had stolen data from tens of thousands of Blackbaud’s customers, which comprised the personal information of millions of consumers.

  7. The attacker purportedly used a Blackbaud customer’s login and password to access the customer’s Blackbaud-hosted database. Once logged in, the attacker was able to freely move across multiple Blackbaud-hosted environments by leveraging existing vulnerabilities and local administrator accounts, subsequently creating new administrator accounts and ultimately exfiltrating massive amounts of consumer data belonging to Blackbaud’s customers.

  8. Blackbaud’s investigation found that the attacker had exfiltrated files in which millions of consumers’ personal information was not encrypted, including consumers’ full names, age, date of birth, social security numbers, home addresses, phone numbers, email addresses, financial information (including bank account information, estimated wealth, and identified assets), medical information (including patient and medical record identifiers, treating physician names, health insurance information, medical visit dates, and reasons for seeking medical treatment), gender, religious beliefs, marital status, spouse names, spouses’ donation history, employment information (including salary), educational information, and account credentials.

  9. Blackbaud’s deficient encryption practices magnified the severity of the data breach. For example, Blackbaud allowed customers to store social security numbers and bank account information in unencrypted fields not specifically designated for those purposes. It also allowed customers to upload attachments containing consumers’ personal information, which Blackbaud did not encrypt. Finally, Blackbaud did not encrypt its database backup files, which contained complete customer records from the products’ databases, even for former customers.

  10. Blackbaud’s failure to implement appropriate data retention policies further exacerbated the severity of the breach. Blackbaud did not enforce its own data retention policies, resulting in the company keeping customers’ consumer data for years longer than was necessary. In some instances, Blackbaud retained data belonging to former customers, customers who had switched to products not affected by the breach, and even potential customers for years longer than was necessary.

  11. Once detected, the attacker threatened to expose the stolen consumer data unless Blackbaud paid a ransom. Blackbaud eventually agreed to pay 24 Bitcoin (valued at $235,000 at the time) in exchange for the attacker’s promise to delete the stolen data. Blackbaud has not been able to conclusively verify that the attacker deleted the stolen data.

Blackbaud’s Deceptive Breach Notification Statements

  12. Blackbaud failed to notify its customers of the breach for two months after detection. It issued its first notice to its customers on July 16, 2020.

  13. However, in its July 2020 breach notification, Blackbaud misrepresented the scope and severity of the breach after conducting an exceedingly inadequate investigation. Blackbaud stated in its communications to customers:

      "The cybercriminal did not access credit card information, bank account information, or social security numbers. . . No action is required on your end because no personal information about your constituents was accessed." (Exhibit A, Sample Blackbaud Customer Breach Notification (July 16, 2020))

  14. Although Blackbaud knew, as early as July 31, 2020, as part of its continuing post-breach investigation, that the attacker had exfiltrated consumers’ bank account numbers and social security numbers, Blackbaud did not disclose the extent of the breach to its customers until October 2020.

  15. Blackbaud’s deceptive statements, combined with the months-long delay in providing accurate notice about the breach, led many customers to believe that notification to their consumers was unnecessary. Due to this delay in notice, consumers suffered additional harm because they had no way to know that they needed to take any mitigating steps to protect themselves from identity theft.

  16. Since the breach, Blackbaud has received multiple complaints from consumers involving attempted identity theft and fraud using the personal information exposed in the breach (e.g., credit card, tax, and unemployment fraud). Blackbaud has since offered credit monitoring services to a limited subset of affected customers.

Blackbaud’s Deceptive Information Security Statements

  17. Blackbaud has made explicit representations about its information security practices that led customers to believe that it used reasonable and appropriate information security practices to protect consumers’ personal information.

  18. Blackbaud’s Privacy Policy on its website, dated December 17, 2019, included the following statement:

      "Security of your Personal Information. We restrict access to personal information collected about you at our website to our employees, our affiliates’ employees, those who are otherwise specified in this Policy or others who need to know that information to provide the Services to you or in the course of conducting our business operations or activities. While no website can guarantee exhaustive security, we maintain appropriate physical, electronic, and procedural safeguards to protect your personal information collected via the website. We protect our databases with various physical, technical, and procedural measures and we restrict access to your information by unauthorized persons. We also advise all Blackbaud employees about their responsibility to protect customer data and we provide them with appropriate guidelines for adhering to our company’s business ethics standards and confidentiality policies. Inside Blackbaud, data is stored in password-controlled servers with limited access." (Exhibit B, Blackbaud.com, Privacy Policy North America (December 17, 2019))

Blackbaud’s Information Security Practices

  19. Blackbaud failed to provide reasonable or appropriate security for the personal information that it collected and maintained about consumers. Among other things, Blackbaud failed to:

    a. Implement appropriate password controls. As a result of this failure, employees often used default, weak, or identical passwords.

    b. Apply adequate multifactor authentication for both employees and customers to protect sensitive consumer information. For example, Blackbaud failed to comply with industry standards and internal policies requiring multifactor authentication for remote access to sensitive environments.

    c. Prevent data theft by monitoring for unauthorized attempts to transfer or exfiltrate consumers’ personal information outside the company’s networks; continuously log and monitor its systems and assets to identify data security events; and perform regular assessments as to the effectiveness of protection measures.

    d. Implement and enforce appropriate data retention schedules and deletion practices for the vast amounts of consumers’ personal information stored on its network.

    e. Patch outdated software and systems in a timely manner, leaving Blackbaud’s networks susceptible to attacks.

    f. Test, audit, assess, or review its products’ or applications’ security features; and conduct regular risk assessments, vulnerability scans, and penetration testing of its networks and databases.

    g. Implement appropriate firewall controls. This failure resulted in an attacker making unauthorized connections from outside of Blackbaud’s networks.

    h. Implement appropriate network segmentation to prevent attackers from moving freely across Blackbaud’s networks and databases.

The Impact of Blackbaud’s Failures on Consumers

  20. Respondent’s failures to provide reasonable security for the sensitive, personal consumer information it collected, transmitted, and stored have caused or are likely to cause substantial injury to consumers.

  21. Blackbaud’s failure to accurately communicate the scope and severity of the breach in its initial notification to its customers caused or is likely to cause substantial injury to consumers because they were not able to mitigate the effects of the breach in a timely manner.

  22. Consumers have also suffered, and will continue to suffer, additional injuries due to the significant amount of highly detailed and individualized personal information exposed.

  23. Blackbaud could have prevented or mitigated the failures described in Paragraph 19 through well-known, readily available, relatively low-cost measures. For example, Blackbaud could have required regular review of access permissions, enabled multi-factor authentication for all employees and customers, and implemented reasonable data retention practices. Any of these measures would likely have prevented the May 2020 breach or, at minimum, lessened its impact.

  24. These harms were not reasonably avoidable by consumers, as consumers had no way to know about Respondent’s information security failures described in Paragraph 19 above.

Violation of the FTC Act

  25. The acts and practices of Respondent, as alleged in this Complaint, constitute unfair and/or deceptive acts or practices, in or affecting commerce, in violation of Section 5(a) of the Federal Trade Commission Act.

Count I. Blackbaud’s Unfair Information Security Practices

  26. Through the means described in Paragraphs 6 to 11 and 19-24, Blackbaud failed to take reasonable steps to prevent unauthorized access to sensitive consumer data maintained by its customers on its network.

  27. Blackbaud’s actions caused or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition.

  28. Therefore, Blackbaud’s practices as described in Paragraph 19 above constitute unfair acts or practices in violation of Section 5 of the FTC Act, 15 U.S.C. §§ 45(a) and 45(n).

Count II. Blackbaud’s Unfair Data Retention Practices

  29. Through the means described in Paragraph 10, Blackbaud failed to implement and enforce reasonable data retention practices for sensitive consumer data maintained by its customers on its network.

  30. Blackbaud’s actions caused or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition.

  31. Therefore, Blackbaud’s practices as described in Paragraph 19(d) above constitute unfair acts or practices in violation of Section 5 of the FTC Act, 15 U.S.C. §§ 45(a) and 45(n).

Count III. Blackbaud’s Unfair Inaccurate Breach Notification

  32. Through the means described in Paragraphs 12 to 16 and 21, Blackbaud failed to accurately communicate the scope and severity of the breach in its initial notification to customers.

  33. Blackbaud’s actions caused or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition.

  34. Therefore, Blackbaud’s practices described in Paragraphs 12 and 13 above constitute unfair acts or practices in violation of Section 5 of the FTC Act, 15 U.S.C. §§ 45(a) and 45(n).

Count IV. Blackbaud’s Deceptive Security Statements

  35. Through the means described in Paragraphs 17 to 18, Blackbaud has represented, directly or indirectly, expressly or by implication, that it used appropriate safeguards to protect consumers’ personal information.

  36. In truth and in fact, as set forth in Paragraph 19, Blackbaud did not maintain appropriate safeguards to protect consumers’ personal information. Therefore, the representation set forth in Paragraph 18 is false or misleading.

Count V. Blackbaud’s Deceptive Initial Breach Notification

  37. Through the means described in Paragraphs 12 to 13, Blackbaud has represented, directly or indirectly, expressly or by implication, that consumers’ personal information had not been subject to the breach in its first notification.

  38. In truth and in fact, as set forth in Paragraphs 14 to 16, consumers’ personal information had been exfiltrated by the attacker in the breach. Therefore, the representation set forth in Paragraph 13 is false or misleading.

THEREFORE, the Federal Trade Commission this 17th day of May, 2024, has issued this complaint against Respondent.

By the Commission, Commissioner Ferguson not participating and Commissioner Holyoak recused.

April J. Tabor

Secretary

SEAL:

DECISION AND ORDER

DECISION

The Federal Trade Commission (“Commission”) initiated an investigation of certain acts and practices of the Respondent named in the caption. The Commission’s Bureau of Consumer Protection (“BCP”) prepared and furnished the Respondent with a draft Complaint. BCP proposed presenting the draft Complaint to the Commission for consideration. If issued by the Commission, the draft Complaint would charge the Respondent with violations of the Federal Trade Commission Act.

Respondent and BCP thereafter executed an Agreement Containing Consent Order (“Consent Agreement”). The Consent Agreement includes:

  1. Statements by Respondent that it neither admits nor denies any of the allegations in the draft Complaint, except as specifically stated in this Decision and Order, and that only for purposes of this action, it admits the facts necessary to establish jurisdiction.
  2. Waivers and other provisions as required by the Commission’s Rules.

The Commission considered the matter and determined that it had reason to believe that Respondent violated the Federal Trade Commission Act, and that a Complaint should issue stating its charges. The Commission accepted the executed Consent Agreement and placed it on the public record for thirty (30) days for receipt and consideration of public comments. The Commission duly considered any comments received from interested persons pursuant to Section 2.34 of its Rules, 16 C.F.R. § 2.34. Now, in further conformity with Rule 2.34, the Commission issues its Complaint, makes the following Findings, and issues the following Order. The parties agree that this Order resolves all allegations in the Complaint.

Findings

  1. Respondent Blackbaud, Inc. (“Blackbaud”) is a Delaware corporation with its principal place of business at 65 Fairchild Street, Charleston, South Carolina 29492.

  2. The Commission has jurisdiction over the subject matter of this proceeding and over the Respondent, and the proceeding is in the public interest.

ORDER

Definitions

  A. "Covered Incident" means any incident that results in Respondent notifying, pursuant to a statutory or regulatory requirement, any U.S. federal, state, or local government entity that information of or about an individual consumer was, or is reasonably believed to have been, accessed, acquired, or publicly exposed without authorization.

  B. "Covered Information" means information from or about an individual consumer stored by Respondent’s customers within Respondent’s product databases including:

    1. A first and last name;
    2. A home or physical address;
    3. An email address or other online contact information, such as an instant messaging user identifier or a screen name;
    4. A mobile or other telephone number;
    5. A driver’s license or other government-issued identification number;
    6. Date of birth; or
    7. Bank account, credit card, or debit card information.

  C. "Delayed Update Customers" are Respondent’s customers to whom Respondent makes updates available but who do not automatically implement such updates due to the complexity of Respondent’s customers implementing such updates into Respondent’s customers’ environments and business practices.

  D. "Delete," "Deleted," or "Deletion" means to remove Covered Information such that it is not maintained in retrievable form and cannot be retrieved in the normal course of business.

  E. "Respondent" means Blackbaud, Inc., a Delaware corporation, and its successors and assigns.

Provisions

I. Prohibition against Misrepresentations about Privacy and Security

IT IS ORDERED that Respondent, Respondent’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them who receive actual notice of this Order, whether acting directly or indirectly, in connection with any product or service, must not misrepresent in any manner, expressly or by implication:

  A. The extent to which Respondent maintains, uses, Deletes, or discloses any Covered Information;
  B. The extent to which Respondent protects the privacy, security, availability, confidentiality, or integrity of any Covered Information; or
  C. The extent of any Covered Incident or unauthorized disclosure, misuse, loss, theft, alteration, destruction, or other compromise of Covered Information.

II. Mandated Data Deletion

IT IS FURTHER ORDERED that Respondent must:

  A. Within 90 days after the Order Effective Date, delete or destroy Respondent customer backup files containing Covered Information that is not being retained in connection with providing products or services to Respondent’s customers unless otherwise requested by Respondent’s customers. Respondent must provide a written statement to the Commission, pursuant to the Provision entitled Compliance Reports and Notices, confirming that all such data has been deleted or destroyed, specifically enumerating which types of information were deleted or destroyed.

  B. Refrain from maintaining any Covered Information not necessary for the purpose(s) for which such information is stored and/or maintained by Respondent.

Provided, however, that any Covered Information that Respondent is otherwise required to delete or destroy pursuant to this provision may be retained, and may be disclosed, as requested by a government agency or otherwise required by law, regulation, court order, or other legal obligation, including as required by rules applicable to the safeguarding of evidence in pending litigation. In each written statement to the Commission required by this provision, Respondent shall describe in detail any Covered Information that Respondent retains on any of these bases and the specific government agency, law, regulation, court order, or other legal obligation that prohibits Respondent from deleting or destroying such information. Within thirty (30) days after the obligation to retain the information has ended, Respondent shall provide an additional written statement to the Commission, sworn under penalty of perjury, confirming that Respondent has deleted or destroyed such information.

III. Data Retention Limits

IT IS FURTHER ORDERED that Respondent, in connection with the storage, maintenance, use, or disclosure of, or provision of access to, Covered Information, must:

  A. Within 90 days of the Order Effective Date, document, make publicly available on its website(s), and adhere to a retention schedule for Respondent customer backup files containing Covered Information. This retention schedule must set forth:

    1. The purpose or purposes for which Covered Information is maintained by Respondent.
    2. The specific business needs for Respondent retaining such Covered Information.
    3. A set timeframe for deletion of Covered Information that precludes indefinite retention of any Covered Information. For clarity, the requirements of this Provision III.A shall additionally apply to the databases containing the Covered Information of former customers and customers who migrate to a different Respondent product.

  B. Within 90 days after the Order Effective Date, provide a written statement to the Commission, pursuant to the Provision entitled Compliance Report and Notices, describing the retention schedule for Respondent customer backup files containing Covered Information made publicly available on its website(s).

IV. Mandated Information Security Program

IT IS FURTHER ORDERED that Respondent, and any business that Respondent controls directly or indirectly in connection with the maintenance, use, or disclosure of, or provision of access to, Covered Information, must, within ninety (90) days of the Order Effective Date, establish and implement, and thereafter maintain, a comprehensive information security program that protects the security, confidentiality, and integrity of such Covered Information ("Information Security Program"). Delayed Update Customers are exempt from the initial 90-day timing requirement, but Respondent will assist Delayed Update Customers, upon their approval, to update their software in a timely manner. To satisfy this requirement, Respondent must, at a minimum:

  A. Document in writing the content, implementation, and maintenance of the Information Security Program.

  B. Provide the written Information Security Program and any evaluations or updates thereof to Respondent’s board of directors or governing body or, if no such body exists, to a senior officer of Respondent responsible for Respondent’s Information Security Program at least once every twelve (12) months and promptly (not to exceed thirty (30) days) after a Covered Incident.

  C. Designate a qualified employee or employees to coordinate and be responsible for the Information Security Program.

  D. Assess and document, at least once every twelve (12) months and promptly (not to exceed thirty (30) days) following a Covered Incident, internal and external risks to the security, confidentiality, or integrity of Covered Information that could result in:

    1. The unauthorized storage, maintenance, alteration, use, or disclosure of, or provision of access to, Covered Information; or
    2. The misuse, loss, theft, and unauthorized alteration, destruction, or other compromise of Covered Information.

  E. Design, implement, maintain, and document safeguards within Respondent’s control that address the internal and external risks identified in response to the assessment. Each safeguard must be based on:

    • The volume and sensitivity of the Covered Information at risk.
    • The likelihood that the risk could result in the unauthorized storage, maintenance, use, or disclosure of, or provision of access to, Covered Information; or
    • The misuse, loss, theft, unauthorized alteration, destruction, or other compromise of Covered Information.

  Such safeguards must include:

    1. A written information security policy with accompanying written standards or procedures detailing the implementation of safeguards and how compliance is assessed and enforced.
    2. Security education for internal and external risks, including training for employees and developers on security policies and secure software development principles.
    3. Policies requiring employees, contractors, and third parties to secure accounts with strong, unique passwords and prevent password reuse or rotation.
    4. Multi-factor authentication for all employees and contractors accessing assets with Covered Information, resistant to phishing attacks, and equivalent or stronger security measures as required.
    5. Technical measures to log and monitor access to Covered Information and limit access based on job function and need-to-know.
    6. Technical measures to safeguard against unauthorized access to Covered Information, including intrusion prevention/detection systems, data loss prevention tools, and firewalls.

  F. Assess the sufficiency of safeguards at least once every twelve (12) months, and following a Covered Incident, to ensure risks are addressed and the Information Security Program is modified as needed.

  G. Test and monitor the effectiveness of safeguards, including vulnerability scanning every four months and penetration testing at least once a year.

  H. Select and retain service providers capable of safeguarding Covered Information and require them contractually to maintain adequate safeguards.

  I. Evaluate and adjust the Information Security Program in light of material changes to Respondent’s operations, a Covered Incident, or new technological methods. At a minimum, the program must be evaluated at least once every twelve (12) months and modified as necessary based on results.

V. Information Security Assessments by a Third Party

IT IS FURTHER ORDERED that, in connection with compliance with Provision IV of this Order titled Mandated Information Security Program, Respondent must obtain initial and biennial assessments ("Assessments"):

  A. The Assessments must be obtained from a qualified, objective, independent third-party professional ("Assessor"), who:

    1. Uses procedures and standards generally accepted in the profession.
    2. Conducts an independent review of the Information Security Program.
    3. Retains all documents relevant to each Assessment for five (5) years after completion of such Assessment.
    4. Will provide such documents to the Commission within ten (10) days of receipt of a written request from a representative of the Commission. No documents may be withheld by the Assessor on the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, attorney-client privilege, statutory exemption, or any similar claim.

  Respondent may satisfy the requirements to obtain Assessments through the use of assessments that are also intended to meet the requirements of other regulatory mandates to which Respondent is subject, provided that such assessments meet the requirements of the Information Security Program set forth in this Order.

  B. For each Assessment, Respondent must provide the Associate Director for Enforcement for the Bureau of Consumer Protection at the Federal Trade Commission with the name, affiliation, and qualifications of the proposed Assessor, whom the Associate Director shall have the authority to approve in their sole discretion.

  C. The reporting period for the Assessments must cover:

    1. At least the first 180 days after the Information Security Program is established for the initial Assessment.
    2. Each 2-year period thereafter for twenty (20) years after issuance of the Order for the biennial Assessments.

  D. Each Assessment must, for the entire assessment period:

    1. Determine whether Respondent has implemented and maintained the Information Security Program required by Provision IV of this Order.
    2. Assess the effectiveness of Respondent's implementation and maintenance of sub-Provisions IV.A-I.
    3. Identify any gaps or weaknesses in, or instances of material noncompliance with, the Information Security Program.
    4. Address the status of gaps or weaknesses in, or instances of material noncompliance with, the Information Security Program that were identified in any prior Assessment required by this Order.
    5. Identify specific evidence (including documents reviewed, sampling and testing performed, and interviews conducted) examined to make such determinations, assessments, and identifications, and explain why the evidence that the Assessor examined is:
      a. Appropriate for assessing an enterprise of Respondent’s size, complexity, and risk profile.
      b. Sufficient to justify the Assessor's findings.
    6. To the extent that Respondent revises, updates, or adds one or more safeguards required under Provision IV during an Assessment period, assess the effectiveness of the revised, updated, or added safeguard(s) for the time period in which it was in effect, and provide a separate statement detailing the basis for each revised, updated, or additional safeguard.

  No finding of any Assessment shall rely primarily on assertions or attestations by Respondent’s management. The Assessment must be signed by the Assessor, state that the Assessor conducted an independent review of the Information Security Program and did not rely primarily on assertions or attestations by Respondent's management, and state the number of hours that each member of the Assessor's assessment team worked on the Assessment.

  E. The initial Assessment must be completed within one hundred and twenty (120) days after the end of the reporting period for the initial Assessment. Each subsequent biennial Assessment must be completed within sixty (60) days after the end of the reporting period to which the Assessment applies. Unless otherwise directed by a Commission representative in writing, Respondent must submit the initial Assessment to the Commission within ten (10) days after the Assessment has been completed via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re Blackbaud, FTC File No. 2023181.” All subsequent biennial Assessments must be retained by Respondent until the order is terminated and provided to the Associate Director for Enforcement within ten (10) days of request. The initial Assessment and any subsequent biennial Assessment provided to the Commission must be marked, in the upper right-hand corner of each page, with the words “DPIP Assessment” in red lettering.

VI. Cooperation with Third Party Information Security Assessor

IT IS FURTHER ORDERED that Respondent, whether acting directly or indirectly, in connection with any Assessment required by Provision V of this Order titled Information Security Assessments by a Third Party, must:

  • Provide or otherwise make available to the Assessor all information and material in its possession, custody, or control that is relevant to the Assessment for which there is no reasonable claim of privilege.

  • Provide or otherwise make available to the Assessor information about Respondent’s network(s) and all of Respondent’s IT assets that maintain Covered Information so that the Assessor can determine the scope of the Assessment, and visibility to those portions of the network(s) and IT assets deemed in scope.

  • Disclose all material facts to the Assessor, and not misrepresent in any manner, expressly or by implication, any fact material to the Assessor’s:

    • Determination of whether Respondent has implemented and maintained the Information Security Program required by Provision IV of this Order.
    • Assessment of the effectiveness of the implementation and maintenance of sub-Provisions IV.A-I.
    • Identification of any gaps or weaknesses in, or instances of material noncompliance with, the Information Security Program.

VII. Annual Certification

IT IS FURTHER ORDERED that Respondent must:

  • One year after the issuance date of this Order, and each year thereafter, provide the Commission with a certification from Respondent’s Chief Information Security Officer responsible for Respondent’s Information Security Program that:
    • Respondent has established, implemented, and maintained the requirements of this Order.
    • Respondent is not aware of any material noncompliance that has not been:
      • Corrected, or
      • Disclosed to the Commission.
    • Include a brief description of all Covered Incidents during the certified period.

  The certification must be based on the personal knowledge of the senior corporate manager, senior officer, or subject matter experts upon whom the senior corporate manager or senior officer reasonably relies in making the certification.
  • Unless otherwise directed by a Commission representative in writing, submit all annual certifications to the Commission pursuant to this Order via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re Blackbaud, FTC File No. 2023181.”

VIII. Covered Incident Reports

IT IS FURTHER ORDERED that, within ten (10) days of any notification to a United States federal, state, or local entity of a Covered Incident, Respondent must submit a report to the Commission. The report must include, to the extent possible:

  • The date, estimated date, or estimated date range when the Covered Incident occurred.
  • A description of the facts relating to the Covered Incident, including the causes of the Covered Incident, if known.
  • A description of each type of information that was affected by the Covered Incident.
  • The number of Respondent’s customers affected by the Covered Incident.
  • The acts that Respondent has taken to date to remediate the Covered Incident and protect Covered Information from further exposure or access, and protect affected individuals from identity theft or other harm that may result from the Covered Incident.
  • A representative copy of any materially different notice sent by Respondent to its customers, or to any U.S. federal, state, or local government entity.

Unless otherwise directed by a Commission representative in writing, all Covered Incident reports to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re Blackbaud Inc., FTC File No. 2023181.”

IX. Order Acknowledgments

IT IS FURTHER ORDERED that Respondent must obtain acknowledgments of receipt of this Order:

  • Respondent, within 10 days after the Order Effective Date, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.

  • For 20 years after issuance of this Order, Respondent must deliver a copy of this Order to:

    • All principals, officers, and directors.
    • All employees having managerial responsibilities for cybersecurity, privacy, and the collection, use, or disclosure of Covered Information, and all agents and representatives who participate in cybersecurity, privacy, and the collection, use, or disclosure of Covered Information.
    • Any business entity resulting from any change in structure as set forth in Provision X.

  Delivery must occur within 10 days of the Order Effective Date for current personnel. For all others, delivery must occur before they assume their responsibilities.
  • From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order.

X. Compliance Reporting

IT IS FURTHER ORDERED that Respondent must make timely submissions to the Commission:

  • One year after issuance of this Order, Respondent must submit a compliance report, sworn under penalty of perjury. Respondent must:

    • Identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission may use to communicate with Respondent.
    • Identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses.
    • Describe the activities of each business, including the goods and services offered, the means of advertising, marketing, and sales.
    • Describe in detail whether and how Respondent is in compliance with each Provision of this Order.
    • Provide a copy of each Order Acknowledgment obtained pursuant to this Order, unless previously submitted to the Commission.
  • For 20 years after issuance of this Order, Respondent must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following:

    • Any designated point of contact.
    • The structure of any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.
  • Respondent must submit to the Commission notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within 14 days of its filing.

  • Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.

  • Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “In re Blackbaud, Inc.”

XI. Recordkeeping

IT IS FURTHER ORDERED that Respondent must create certain records for 20 years after issuance of the Order and retain each such record for 5 years. Specifically, Respondent must create and retain the following records:

  • Accounting records showing the revenues from all goods or services sold.
  • Personnel records showing, for each person providing services relating to Covered Information, whether as an employee or otherwise, that person’s:
    • Name.
    • Addresses.
    • Telephone numbers.
    • Job title or position.
    • Dates of service.
    • If applicable, the reason for termination.
  • Records of all consumer complaints regarding security, privacy, or identity theft related to Covered Information whether received directly or indirectly, such as through a third party, and any response.
  • All records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission.
  • A copy of each widely disseminated, unique advertisement or other marketing material that references or otherwise relates to Respondent’s privacy and data security practices.

XII. Compliance Monitoring

IT IS FURTHER ORDERED that, for the purpose of monitoring Respondent’s compliance with this Order:

  • Within 14 days of receipt of a written request from a representative of the Commission, Respondent must:

    • Submit additional compliance reports or other requested information, which must be sworn under penalty of perjury.
    • Appear for depositions and produce documents for inspection and copying. The Commission is also authorized to obtain discovery, without further leave of court, using any of the procedures prescribed by Federal Rules of Civil Procedure 29, 30 (including telephonic depositions), 31, 33, 34, 36, 45, and 69.
  • For matters concerning this Order, the Commission is authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview any employee or other person affiliated with Respondent who has agreed to such an interview. The person interviewed may have counsel present.

  • The Commission may use all other lawful means, including posing, through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.

XIII. Order Effective Dates

IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order (the “Order Effective Date”). This Order will terminate 20 years from the date of its issuance (which date may be stated at the end of this Order, near the Commission’s seal), or 20 years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of:

  • Any Provision in this Order that terminates in less than 20 years.
  • This Order’s application to any Respondent that is not named as a defendant in such complaint.
  • This Order if such complaint is filed after the Order has terminated pursuant to this Provision.

Provided further, that if such complaint is dismissed or a federal court rules that the Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.

By the Commission, Commissioner Ferguson not participating and Commissioner Holyoak recused.

April J. Tabor

Secretary

SEAL:

ISSUED: May 17, 2024
