Software company Blackbaud agreed to pay $49.5 million in a multistate settlement addressing charges related to a 2020 cyberattack that exposed the personal data of approximately 13,000 consumers.

As part of the agreement including 49 states and the District of Columbia, Indiana will receive the largest share at $3.6 million, Indiana Attorney General Todd Rokita announced in a press release earlier this month. A settlement with the state of California is still pending, according to a public filing.

The settlement resolves allegations that Blackbaud violated state consumer protection and breach notification laws and the Health Insurance Portability and Accountability Act by failing to implement reasonable data security and by failing to provide its customers with timely, complete, or accurate information regarding the breach.

The details: In May 2020, Blackbaud discovered a ransomware attack that exposed sensitive donor information, including contact and demographic information, Social Security numbers, driver’s license numbers, financial information, employment and wealth information, donation history, and protected health information, according to an administrative order with the state of Indiana.

Nearly two months later, Blackbaud publicly announced the incident and began notifying impacted customers. It failed to analyze the contents of the stolen data before disclosure because of a lack of communication between the information technology and senior management teams, per the order.

Compliance considerations: Blackbaud agreed to overhaul its data security and breach notification practices as part of the settlement.

This work must include implementation of an incident response plan with a six-step program for mitigating a breach:

  1. Preparation
  2. Detection and analysis
  3. Containment
  4. Eradication
  5. Recovery
  6. Post-incident analysis and remediation.

The order also requires the company to hire a chief privacy officer and enhance other areas of its compliance, training, reporting, and assessment procedures.

In March, Blackbaud agreed to pay $3 million to settle allegations from the Securities and Exchange Commission regarding misleading disclosures following the attack.

Company response: In a statement, Blackbaud President and Chief Executive Mike Gianoni said the company is “pleased to fully resolve this matter” and that protecting customer privacy is “one of our most important priorities.”

“Cyberattacks are always evolving, so we are continually strengthening our cybersecurity and compliance programs to ensure our resilience in an ever-changing threat landscape,” Gianoni added.

Blackbaud agreed to the settlement without admitting fault or liability.