Press Release

INDIANAPOLIS — Attorney General Todd Rokita continued his leadership in the fight to hold tech companies accountable for consumer privacy on Oct. 5, announcing a $49.5 million multi-state settlement with the software company Blackbaud.

“Nonprofits doing their great work rely and depend on vendors like Blackbaud to protect sensitive and private information,” Rokita said. “This type of leak is unacceptable, and we fought back on behalf of Hoosiers.”

Rokita, with the Attorney General of Vermont, led a coalition of 50 attorneys general to investigate the incident and negotiate a settlement after its deficient data security practices and response to a 2020 data breach that exposed the personal information of millions of consumers. Under the settlement, Blackbaud has agreed to overhaul its data security and breach notification practices and also make a $49.5 million payment to states.

As lead state, Indiana will receive nearly $3.6 million from the settlement, more than any other state.

“While it doesn’t make up for Blackbaud’s negligence, I am glad we have held them accountable for their actions,” Rokita said.

Blackbaud provides software to various nonprofit organizations, including charities, schools, churches, and healthcare organizations. Blackbaud’s customers use their software to connect with donors and manage data about their constituents, including demographic information. Social Security numbers, driver’s license numbers, financial information, donation history, and protected health information were also given to the company.

This type of highly sensitive information was exposed during the 2020 data breach, which impacted over 13,000 Blackbaud customers and their respective consumer constituents.

The settlement resolves allegations that Blackbaud violated state consumer protection laws, breach notification laws, and HIPAA by failing to implement reasonable data security, which allowed hackers to gain access to the network.

Blackbaud also failed to provide its customers with timely, complete, or accurate information regarding the breach, which is required by law.

As a result of their actions, the proper notification to consumers, whose personal information was exposed, was significantly delayed or never occurred at all. Blackbaud downplayed the incident and led its customers to believe that notification was not required.

Under the settlement led by Rokita and his office. Blackbaud has agreed to strengthen its data security and breach notification practices going forward.