McGuireWoods Richmond partner Janet Peyton was quoted in an Aug. 5, 2020, article in The Chronicle of Philanthropy about the challenges Blackbaud’s May 2020 ransomware attack has created for affected nonprofits.
Cloud software company Blackbaud is one of the world’s largest providers of education administration, fundraising and financial management software for nonprofits across the United States, the UK and Canada.
As reported, the company did not notify users until mid-July about the May data breach that involved personal data stored on its servers. Peyton called Blackbaud’s delay in notifying its customers “excessive” and said she suspects the scope of the breach could account for the delay. She also noted that Blackbaud’s assertion, following its payment of the ransom, that it has “no reason to believe that any data went beyond the cybercriminal, was or will be misused” seemed overly optimistic.
“I did find it odd that Blackbaud put so much emphasis on their belief that by paying the ransom, they were keeping their clients’ data safe somehow,” said Peyton, a member of McGuireWoods’ data privacy and security team, who represents several nonprofit clients impacted by the Blackbaud breach. “I would not put so much stock in the hacker.”
Organizations are now weighing ethical concerns and legal obligations tied to disclosing the breach to those whose data privacy was compromised, with careful consideration of varying state data privacy laws and the EU General Data Protection Regulation. Peyton noted, “Every Blackbaud customer is going to have to evaluate the nature of their specific data that was involved.”
For details on issues related to the breach and its implications for nonprofits, see the July 27 post on McGuireWoods’ Password Protected blog that Peyton co-authored with London associate Alice O’Donovan, “Blackbaud Data Breach: Do You Need to Notify Affected Individuals or EU Data Protection Authorities?”