On July 16, 2020, Blackbaud, a U.S. based cloud computing provider and one of the world’s largest providers of education administration, fundraising, and financial management software, notified users of its services that it had suffered a ransomware attack in May 2020 in relation to personal data stored on their servers. Numerous colleges, universities, foundations, and other non-profits across the U.K., U.S. and Canada were affected.
Blackbaud’s handling of the attack has raised some questions. Blackbaud has confirmed in a statement on its website that they paid the cyber-criminal’s ransom demand in return for confirmation that the stolen data had been destroyed. Paying ransom demands is not unlawful, but it goes against the official advice issued by many law enforcement agencies, including the FBI. In addition, Blackbaud has faced criticism for taking many weeks to inform its customers of the breach.
Much of the affected data was of a nature that would not trigger notice requirements in the United States, because the elements that constitute “sensitive” data in the U.S. (such as usernames, passwords and social security numbers) were encrypted. However, there are a handful of states (notably Washington and North Dakota) that have notification statutes requiring notice to affected individuals if other kinds of information is accessed, such as names together with dates of birth, and was the case for many of Blackbaud’s customers.
The bigger issue, however, is for those U.S.-based entities who actively target individuals in the European Union. For example, many colleges and universities in the United States actively recruit prospective students or donors in the European Union. These types of recruitment activities are likely to bring them in scope of the EU’s General Data Protection Regulation (GDPR).
The GDPR is a far-reaching piece of European legislation which applies to organizations outside the EU and includes draconian financial sanctions for non-compliance. Moreover, the standard for notification to individuals and data protection authorities in the EU is much lower than in most U.S. states. The GDPR requires that data breaches are reported to European data protection supervisory authorities unless the breach is “unlikely to result in a risk to the rights and freedoms of individuals”. This requires the affected institution to perform a thorough, documented risk assessment in each case.
Larger institutions may have already analyzed the need to comply with the GDPR and will therefore be aware that, if they are in scope of the GDPR, they may be required to report the breach both to the individuals concerned and to the relevant data protection supervisory authority in the EU. However, many smaller institutions may not have performed that analysis. This situation may find them needing to report the breach, but in doing so perhaps also alerting the data protection authorities to the fact that they may be subject to GDPR and may not be compliant in other ways. For instance, the GDPR requires specific contractual terms (including terms relating to the handling of data breaches) to be in place between customers and vendors where vendors process personal data on behalf of the customer.
The attack on Blackbaud is a major data breach. It may serve as a catalyst for U.S. non-profits to take a longer look at the GDPR and analyze their own need to comply.
Affected organizations both in and outside the EU should be working to determine what data has been compromised and whether they need to notify the local supervisory authority. The breach should also prompt all organizations to review any vendor contracts where personal data is involved, with a particular focus on ensuring that (a) the responsibility for data breach falls on the vendor and (b) strict notification timescales are imposed on the vendor (with the aim of preventing the lengthy delay in informing customers that has occurred in the Blackbaud case). Organizations that are subject to GDPR should also ensure that they implement GDPR-compliant vendor contracts.