
Founded Year

1981

Stage

IPO

Date of IPO

8/15/2005

Market Cap

3.88B

Stock Price

69.14

About Blackbaud

Blackbaud focuses on powering social impact. The company offers a range of software solutions designed to enhance fundraising, nonprofit financial management, digital giving, grantmaking, corporate social responsibility, and education management. It primarily serves the nonprofit and education sectors, as well as companies committed to social responsibility. It was founded in 1981 and is based in Charleston, South Carolina.

Headquarters Location

2000 Daniel Island Drive

Charleston, South Carolina, 29492-7541,

United States

800-443-9441


Research containing Blackbaud


CB Insights Intelligence Analysts have mentioned Blackbaud in 1 CB Insights research brief, most recently on Jan 5, 2022.

Blackbaud Patents

Blackbaud has filed 5 patents.

The 3 most popular patent topics include:

  • banking technology
  • credit card terminology
  • credit cards

Application Date

2/8/2019

Grant Date

4/27/2021

Title

Related Topics

Payment systems, Credit cards, Credit card terminology, Banking technology, Data management

Status

Grant

Latest Blackbaud News

United States: FTC Brings First Standalone Section 5 Unfairness Claims For Unreasonable Data Retention And Inaccurate Breach Notice - Perkins Coie LLP

Feb 16, 2024

On February 1, 2024, the Federal Trade Commission (FTC) announced a complaint and proposed consent order against Blackbaud, Inc. concerning a 2020 data security incident that included a ransomware demand and payment. According to the FTC's complaint, Blackbaud's allegedly unfair and misleading conduct included not just deficient data security practices but also a delay in providing accurate notice to its business customers about the breach, including the inclusion of deceptive statements about the scope and severity of the breach in its initial notice to those customers. The FTC highlighted that this case is the first time it has brought standalone Section 5 unfairness claims arising out of the alleged failure to (1) implement and enforce reasonable data retention practices and (2) accurately communicate the severity and scope of the breach.

The Blackbaud Security Incident and Notice to Customers

Blackbaud provides a variety of software products and services to nonprofits, foundations, educational institutions, and healthcare organizations, including database services for tracking donors and donations. The complaint alleges that on February 7, 2020, an attacker used a customer's login to gain access to a customer's Blackbaud-hosted database. According to the complaint, the attacker was then able to leverage vulnerabilities to move across Blackbaud-hosted environments and exfiltrate files containing millions of items of consumers' personal information maintained by Blackbaud customers on the Blackbaud network.

The FTC alleged the personal information included full names, birthdates, Social Security numbers, home addresses, phone numbers, email addresses, financial information (such as bank account information, estimated wealth, and identified assets), medical information (such as patient and medical record identifiers, treating physician names, health insurance information, medical visit dates, and reasons for seeking medical treatment), genders, religious beliefs, marital statuses, spouse names, spouses' donation history, employment information (including salary), educational information, and account credentials. According to the complaint, the foregoing data was not encrypted because (1) Blackbaud allowed its customers to store Social Security numbers and bank account information in unencrypted fields not specifically designated for these purposes; (2) Blackbaud allowed customers to upload attachments containing consumers' personal information, which Blackbaud did not encrypt; and (3) Blackbaud did not encrypt its database backup files containing complete records from customers and former customers.

The complaint alleges that, after the intrusion was discovered on May 20, 2020, the attackers demanded a ransom. Although Blackbaud paid $235,000 in Bitcoin, the FTC highlighted in its complaint that Blackbaud has not been able to "conclusively verify" the stolen data was deleted. The complaint alleges that Blackbaud failed to notify its customers of the incident for two more months, until July 16, 2020, following an investigation characterized by the complaint as "exceedingly inadequate." In addition, the FTC alleges that this first notice to customers stated that no credit card information, bank account information, or Social Security numbers had been accessed and that "[n]o action is required on your end because no personal information about your constituents was accessed." Although Blackbaud allegedly knew as of July 31, 2020, that bank account numbers and Social Security numbers had been exfiltrated, this fact was not disclosed to its customers until October 2020.

The FTC's Claims and Proposed Order

All five of the FTC's claims are brought under Section 5 of the FTC Act, 15 U.S.C. § 45(a), for deceptive or unfair acts or practices. Notably, the complaint brings three novel claims:

  • Unfair data retention practices. The FTC alleges that Blackbaud engaged in an unfair practice by failing to implement and enforce reasonable data retention practices for sensitive consumer data maintained by customers in its network. According to the complaint, Blackbaud kept its customers' consumer data for years longer than necessary, contrary to its own policies—including, in some instances, the data of former customers and prospective customers.
  • Unfair, inaccurate initial breach notification. The FTC alleges that Blackbaud's initial July 2020 notification to customers regarding the breach failed to accurately communicate the scope and severity of the breach and that this was an unfair act. The unfairness claim is predicated on both Blackbaud's allegedly inaccurate statement about the scope of the personal information that had been exposed and the months-long delay before Blackbaud provided a second, accurate notice about the scope of that data. (Blackbaud's March 2023 settlement with the SEC also concerned Blackbaud's July 2020 notification to its customers, which the SEC alleged was misleading to investors about the impact of the incident.)
  • Deceptive initial breach notification. Relatedly, the FTC also alleges that the July 2020 initial notice containing an inaccurate statement about the extent of compromised consumer data was deceptive under Section 5.

In addition, the complaint also brings two claims familiar in FTC data security cases:

  • Unfair information security practices. The FTC alleges that Blackbaud failed to take a variety of reasonable steps to prevent unauthorized access to sensitive personal information (e.g., allegedly deficient encryption practices and a laundry list of assertedly lax security practices, such as allowance of weak passwords, lack of multifactor authentication to protect sensitive information, deficient threat monitoring, and failure to timely patch outdated software and systems).
  • Deceptive security statements. The FTC alleges that a statement in the Blackbaud website privacy policy that Blackbaud provided "appropriate" safeguards to protect personal information collected via the website was deceptive.

The Proposed Order

Like the complaint, the proposed order contains a mixture of provisions that are standard fare in FTC data security consent orders and others that are less common. Among the former category are provisions prohibiting Blackbaud from making misrepresentations about its privacy and data security practices, requiring it to institute a comprehensive data security program subject to third-party independent biennial assessments, and necessitating that it provide the FTC with reports on data breaches that result in Blackbaud reporting the incident to authorities under federal, state, or local law. The order also includes several additional requirements that are not unprecedented but that the FTC has included only in a subset of data security orders, depending on the alleged facts of the case:

  • Mandatory data deletion. Requiring deletion by Blackbaud of its customer backup files that contain consumers' personal information that is not being retained in connection with providing products or services to Blackbaud's customers.
  • Data retention. Requiring Blackbaud to make publicly available and adhere to a retention schedule for customer backup files containing consumers' personal information, to include (1) the purposes for maintaining that personal information, (2) Blackbaud's specific business needs for retaining that personal information, and (3) the set time frames for the deletion of that personal information (i.e., no indefinite retention).

Takeaways

As the three FTC commissioners highlighted in their joint statement on the case, this is the first time the FTC has alleged that retaining data for longer than necessary was, by itself, an unfair practice under Section 5—although such data retention has previously been included among several data security shortcomings that allegedly rendered practices unfair under Section 5 (as in, for example, the complaint against Chegg, Inc.). By alleging this as a "standalone" unfairness claim, the FTC underscores the importance it is placing on data deletion from both a privacy and a data security standpoint.

This case is also the first time that the FTC has alleged that a failure to accurately communicate the scope and severity of a breach was an unfair practice, as the commissioners also noted in their statement. This highlights that the FTC is apt to scrutinize a reassuring message about the limited scope of a data security incident, even if it is true for most affected individuals. If the message later turns out to be inaccurate as it pertains to some portion of the affected population, the FTC may see the statement as deceptive when made and reflective of a poor investigation.

Finally, the FTC alleges that despite paying a ransom to the attacker, Blackbaud was unable to "conclusively verify" that the exfiltrated data had been destroyed. Given the multitude of ways that data can be copied, transferred, hidden, or recovered, it is difficult to see how remote data deletion could ever be "conclusively verified," let alone when engaging with a criminal organization operating in an unknown location—although there have not been confirmed reports that the data at issue in the Blackbaud incident has since been released or misused. Left unaddressed in the complaint is what a company in Blackbaud's situation should have done in negotiations with the attacker that would have provided any greater protection to consumers.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Blackbaud Frequently Asked Questions (FAQ)

  • When was Blackbaud founded?

    Blackbaud was founded in 1981.

  • Where is Blackbaud's headquarters?

    Blackbaud's headquarters is located at 2000 Daniel Island Drive, Charleston.

  • What is Blackbaud's latest funding round?

    Blackbaud's latest funding round is IPO.

  • Who are the investors of Blackbaud?

    Investors of Blackbaud include JMI Equity and Hellman & Friedman.

  • Who are Blackbaud's competitors?

    Competitors of Blackbaud include Humanitru, iRaiser, Salsa Labs, Chezuba, iModules Software and 7 more.

Compare Blackbaud to Competitors

NationBuilder

NationBuilder operates as a mission-driven software company. It builds the infrastructure for a world of creators by helping leaders develop and organize thriving communities. It helps to establish a web presence with social hooks, run campaigns or causes, raise funds, and manage volunteer initiatives. The company was founded in 2009 and is based in Los Angeles, California.

i360

i360 is a data-driven technology company that specializes in providing innovative products and services for political and commercial applications. The company offers a suite of tools for data management, predictive modeling, and market research, designed to enable clients to understand their audience and make data-driven decisions. i360 primarily serves sectors such as advocacy, advertising, political campaigns, consultancies, financial services, official offices, and nonprofits. It was founded in 2009 and is based in Arlington, Virginia.

Stan World

Stan World develops a metaverse platform for virtual fan parties. It facilitates virtual hangouts, music video streaming, lively interaction, dance, and photo sessions with fans' favorite artists. It was founded in 2019 and is based in Los Angeles, California.

Microsoft Dynamics 365

Microsoft Dynamics 365 is a portfolio platform of intelligent business applications and software. Its products include software tools for customer insights, supply chain management, human resources, marketing, fraud protection, and more. Microsoft Dynamics 365 was founded in 2016 and is based in Redmond, Washington.

Neon One

Neon One operates as a technology company focusing on providing software solutions for the nonprofit sector. The company offers a range of products that help nonprofits manage their fundraising, communications, events, and volunteers. These products include customer relationship management (CRM) tools, website creation tools, peer-to-peer fundraising solutions, and event and ticketing management platforms. It was founded in 2018 and is based in Chicago, Illinois.

Clearbrief

Clearbrief is a company that focuses on integrating artificial intelligence into legal writing, operating within the legal technology sector. The company offers a platform that provides instant factual and legal insights into documents being drafted, with features such as automatic generation of hyperlinked timelines, detection of factual weaknesses in opposing counsel's briefs, and instant generation of exhibits for filing. Clearbrief primarily serves law firms, courts, and government agencies. It was founded in 2020 and is based in Seattle, Washington.
