Office of the
Illinois Attorney General
Kwame Raoul

Breach Affected Thousands of Nonprofits and Millions of Consumers throughout U.S., Illinois to Receive $2.28 Million in Settlement

Chicago – Attorney General Kwame Raoul today announced that Illinois, along with 49 other attorneys general, has reached a settlement with software company Blackbaud concerning its data security practices and response to a 2020 data breach that exposed the personal information of millions of consumers across the United States. Under the settlement, Blackbaud has agreed to overhaul its data security and breach notification practices and make a $49.5 million payment to states. Illinois will receive $2.28 million from the settlement.

Blackbaud provides software to various nonprofit organizations, including charities, higher education institutions, K-12 schools, health care organizations, religious organizations and cultural organizations. Blackbaud’s customers use Blackbaud’s software to connect with donors and manage data about their constituents, including contact and demographic information, Social Security numbers, driver’s license numbers, financial information, employment and wealth information, donation history and protected health information. This type of highly-sensitive information was exposed during the 2020 data breach, which impacted over 13,000 Blackbaud customers and their respective consumer constituents. 

“Thousands of Illinoisans were affected by Blackbaud’s data breach,” Raoul said. “Our investigations led to meaningful reforms in the way data is handled, protecting consumers from future exposure and ensuring that if there is a future breach, consumers are properly informed and assistance is provided.”

Today’s settlement resolves allegations by Raoul and the attorneys general that Blackbaud violated state consumer protection laws, breach notification laws, and HIPAA by failing to implement reasonable data security and remediate known security gaps, which allowed unauthorized persons to gain access to Blackbaud’s network.

The attorneys general also alleged that Blackbaud failed to provide its customers with timely, complete or accurate information regarding the breach, as required by law. As a result of Blackbaud’s actions, and delayed notification, some of Blackbaud’s customers may have been confused as to whether they were required to notify their own customers.

Under the settlement, Blackbaud has agreed to strengthen its data security and breach notification practices going forward by implementing:

• Personal information safeguards and controls requiring total database encryption and dark web monitoring.
• Specific security requirements with respect to network segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, and penetration testing.
• Breach response plans to prepare for and more appropriately respond to future security incidents and breaches, including adhering to breach notification requirements under state law and HIPAA.
• Breach notification provisions that require Blackbaud to provide appropriate assistance to its customers and support customers’ compliance with applicable notification requirements in the event of a breach.
• Security incident reporting to the CEO and board, enhanced employee training, and appropriate resources and support for cybersecurity.
• Third-party assessments of Blackbaud’s compliance with the settlement for seven years.

The attorneys general of Indiana and Vermont co-led the multistate investigation, assisted by the executive committee consisting of Attorney General Raoul and the attorneys general of Alabama, Arizona, Florida and New York. These attorneys general were joined in the settlement by Alaska, Arkansas, Colorado, Connecticut, Delaware, the District of Columbia, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, Washington, West Virginia, Wisconsin and Wyoming.

Bureau Chief Beth Blackston, Chief Privacy Officer Matt Van Hise, Privacy Counsel Carolyn Friedman and Assistant Attorney General Andrew Hong handled today’s settlement for Raoul’s Consumer Fraud Bureau.

-30-