Privacy & Information Security Law Blog

On March 9, 2023, the U.S. Securities and Exchange Commission (SEC) announced settled administrative charges against Blackbaud Inc. The case stems from disclosures Blackbaud made to investors regarding a 2020 ransomware attack that targeted donor data management software the company provides to non-profit organizations.

The SEC’s order alleges that Blackbaud initially announced details of the incident on the company’s website and notified impacted customers in July 2020. In the website post and related notices, the company indicated that the threat actor did not access any donor bank account information or social security numbers. Within days of these statements, however, the SEC observed that the company’s technology and customer relations personnel learned that these claims with respect to bank account information and social security numbers were untrue. Nevertheless, according to the SEC, the company filed a quarterly report on Form 10-Q in August 2020 that discussed the incident, but omitted material information about the scope of the attack, and misleadingly characterized the risk of exfiltration of such sensitive donor information as hypothetical. At the end of September 2020, the SEC’s order alleges that Blackbaud disclosed for the first time that the attacker accessed unencrypted donor bank account information and social security numbers for certain of the impacted customers.

The SEC’s order finds that Blackbaud violated the antifraud provisions of Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933; the reporting provisions of Section 13(a) of the Securities Exchange Act of 1934 and Rules 12b-20 and 13a-13 thereunder; and the disclosure controls provisions of Rule 13a-15(a). The SEC accepted Blackbaud’s settlement offer, which included a cease-and-desist order and a $3 million civil monetary penalty. We note that this amount is three times the penalty assessed against another public company in a similar 2021 case.

The settlement underscores both the perils for public companies that make incomplete investor disclosures about cybersecurity events as well as the challenges that U.S.-listed companies will face when the SEC adopts its proposed rules on cybersecurity disclosure, which the agency has reported may come as soon as April 2023. The SEC has identified cybersecurity as an enforcement priority, and has recently been increasing attorney staffing in its specialized enforcement unit that targets cybersecurity and cryptocurrency frauds. The agency has also been making increased use of enforcement cases to demonstrate market failures that necessitate rulemaking in support of its ambitious rulemaking agenda, and more such SEC enforcement cases can be expected.