
WATERBURY — Vermont will receive $3 million as part of a multistate settlement with a software company over a 2020 data breach that affected more than 15,000 people in the state.
Vermont Attorney General Charity Clark announced the state’s share of the overall nationwide $49.5 million settlement with the firm Blackbaud Inc. during a press conference Thursday at the Waterbury State Office Complex.
“I want to emphasize that implementing good data practices is not only required by law, it is good business practices,” Clark said. “It is much cheaper to implement good data practices than it is to do the cleanup for the mistakes after the fact.”
Vermont and Indiana co-led the multistate investigation, with 50 attorneys general from 49 states plus the District of Columbia joining the case, Clark said. California was the lone state that did not participate in the settlement, according to Clark.
The settlement resolves claims that Blackbaud, a Delaware corporation headquartered in Charleston, South Carolina, had insufficient data security procedures in place at the time of the data breach, did not provide a timely response and “downplayed” what occurred, Clark said.
It also resolves allegations that Blackbaud violated state consumer protection laws, breach notification laws and health care privacy laws.
Blackbaud, according to its website, provides software to a host of nonprofit organizations such as those in the health care industry, education providers, foundations, charities, and arts and cultural groups.
“Blackbaud’s customers use its software to connect with donors and manage data about them, including contact and demographic information, Social Security numbers, driver’s license information, financial information and protected health information,” Clark said.
Blackbaud was affected by a ransomware breach in 2020 in which a hacker obtained a “massive amount of highly sensitive information” from more than 13,000 Blackbaud customers, Clark said, resulting in the exposure of millions of consumers’ information across the country.
In Vermont, Clark said, at least 15,000 people had their personal information exposed in the breach.
A spokesperson for Blackbaud referred comment to a press release the company issued Thursday addressing the settlement.
“Cyber-attacks are always evolving, so we are continually strengthening our cybersecurity and compliance programs to ensure our resilience in an ever-changing threat landscape,” Mike Gianoni, president and CEO of Blackbaud, said in the release.
“We are pleased,” he added, “to fully resolve this matter and proud of our role as the essential software provider for purpose-driven organizations.”
According to the settlement agreement, Blackbaud discovered the ransomware attack on May 14, 2020. It publicly announced the incident two months later, according to the document, and began notifying impacted customers.
In addition to paying the $49.5 million penalty, Clark said, Blackbaud has agreed to strengthen its data security and breach notification practices going forward, to improve employee training and to obtain third-party assessments of Blackbaud’s compliance with this settlement every year for the next seven years.
The $3 million Vermont receives from the settlement will go to the state’s general fund, and the Legislature will determine how that money will be spent, according to Clark.
