Tennessee Attorney General Jonathan Skrmetti announced Thursday the state will receive $882,312 from a multi-state settlement with software company Blackbaud.
The total settlement payout to the states is approximately $49.5 million.
The settlement comes as Blackbaud was found to have “deficient data security practices” in response to a 2020 ransomware event that “exposed the personal information of millions of consumers across the United States,” according to Skrmetti’s office.
The 2020 data breach affected over 13,000 of the company’s customers and its respective consumer constituents, exposing highly sensitive personal information.
Skrmetti’s office added that the settlement “resolves allegations that Blackbaud violated state consumer protection laws, breach notification laws, and HIPAA by failing to implement reasonable data security and remediate known security gaps, which allowed unauthorized persons to gain access to Blackbaud’s network.”
The company also failed to provide its customers with “timely, complete, and accurate information regarding the breach, as required by law,” Skrmetti’s office notes.
Among other requirements, Blackbaud must do the following under this week’s settlement:
- Refrain from misrepresenting details of its processing, storing and safeguarding of personal information; the likelihood that personal information affected by a security incident may be subject to further disclosure or misuse; and breach notification requirements under state law and HIPAA.
- Implement and maintain a breach response plan to ensure an appropriate response to any future security incident or breach.
- Establish breach-notification provisions that, in the event of a breach, require Blackbaud to provide appropriate assistance to its customers and support its customer compliance with applicable notification requirements.
- Report security incidents to its CEO and board, provide enhanced employee training, and earmark appropriate resources and support for cybersecurity.
- Implement personal information safeguards and controls requiring total database encryption and dark web monitoring.
- Specific security requirements with respect to network segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, and penetration testing.
- Allow third-party assessments of its compliance with the settlement for seven years.
– – –
Kaitlin Housler is a reporter at The Tennessee Star and The Star News Network. Follow Kaitlin on X / Twitter.