On Gov. Newsom's Desk: Two New Nonprofit Bills
09.05.2024 | Linda J. Rosenthal, JD
When the news broke in July 2020 about the massive security breach against Blackbaud, perhaps the nonprofit sector’s leading provider of cloud-based data-management services, there was immediate alarm. By late September, fuller – and more disturbing – details emerged.
We wrote about it in Blackbaud Data Breach: Fallout for Nonprofits (September 29, 2020). The intrusion has been described as a series of classic “phishing” maneuvers that grabbed data supplied by nonprofits, primarily from around the U.S. and the United Kingdom. It was followed by the standard “ransom” demand: payment by Blackbaud in return for the stolen data.
If the computer breach itself weren’t bad enough, Blackbaud’s handling of the mess compounded it exponentially. The data giant failed to discover it for at least three months in the spring of 2020, quietly paid an unknown amount of ransom in return for as-yet-unverifiable promises and representations by the cyber criminals, and did not disclose any of it until mid-July.
As more details seeped out in the following weeks, there were more questions than answers. By late September, nonprofit clients had filed at least ten lawsuits for negligence, invasion of privacy, and breach of contract, among other claims. In particular, the plaintiffs allege that “… the company’s assurances that the hackers destroyed the information they stole is not reasonable.” They assert that “… as a result of the data breach, plaintiffs and thousands of other class member users suffered ascertainable losses in the form of out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the attack.”
And now the legal jeopardy is spilling over to the nonprofit clients, which have contractual and statutory duties to their own end users whose personal data got mixed up in this mess. The title of a September 25, 2020, article by editor-in-chief Ruth McCambridge in The Nonprofit Quarterly aptly sums up this predicament: Lawsuits Proliferate in Blackbaud Incident: Nonprofits, Consult Your Lawyers.
Even in the midst of a catastrophic pandemic, nonprofits must be vigilant about the ever-present risk of cyber attacks. That responsibility is challenging enough without the added layer of complexity of the Blackbaud situation: being in the middle of the chain of intrusion, with a vendor upstream that was compromised and end users downstream whose data was exposed.
For Blackbaud clients, there are serious, immediate issues and concerns. “… multitudes of not-for-profits [that] have received notification of the incident [but] are struggling with how to respond. The responses have been anything but uniform.” On top of the breach itself, the “delays of several months have made the position of the nonprofit client that much more precarious.”
Among the many experts contributing advice to nonprofits on how to proceed is Allison Ward Davis of CapinCrouse LLP in Steps to Take After the Blackbaud Breach (August 7, 2020). For Blackbaud clients, a threshold issue is evaluating the “…real impact on” them. This inquiry will likely evolve as the weeks and months go by and more information is available. The steps that Ms. Davis recommended back in early August include:
“The Blackbaud breach,” Ms. Davis reminds us, “is not an anomaly. Reputable vendors are targeted all the time, and unfortunately, some of these attacks are successful and can affect your organization.”
All nonprofits should “proactively plan for vendor issues” to reduce the impact of a future breach. She recommends these steps:
Since our post in November 2016, Nonprofits And Cybersecurity: Make It A Priority, we’ve revisited this important topic several times because of the “pervasiveness of the threat of cyber attacks, and the catastrophic amount of damage that invariably follows a computer breach.”
The Blackbaud breach brings into sharper focus the breadth and scope of that threat, and calls for immediate reviews and action by all nonprofit organizations.
— Linda J. Rosenthal, J.D., FPLG Information & Research Director