Settlement | Critical Risk | Multistate

State AGs Reach $49.5M Settlement with Blackbaud Over Data Breach

Blackbaud | October 5, 2023 | New Jersey Attorney General

Penalty Amount

$49,500,000

Summary

Blackbaud, a software company, experienced a ransomware attack in 2020 that exposed sensitive personal information, including protected health data, due to inadequate security practices and delayed breach notification. A multistate investigation resulted in a $49.5 million settlement, requiring Blackbaud to enhance data security, implement breach response plans, and undergo third-party assessments.

Remedy

Blackbaud must pay $49.5 million to the states, implement and maintain incident response plans, provide assistance to customers for breach notifications, enhance cybersecurity training and resources, implement total database encryption and dark web monitoring, meet specific security requirements, and undergo third-party assessments for seven years.

Monetary Penalty | Consent Decree | Audit Requirement | Compliance Program | Reporting Requirements

Contract Impact

In-house legal teams should review all vendor and customer agreements where Blackbaud acts as a data processor or service provider, particularly those involving protected health information (PHI) or other sensitive personal data. Key clauses to scrutinize include data security obligations (e.g., encryption, access controls), breach notification timelines and procedures, HIPAA compliance terms (including Business Associate Agreement requirements), audit and assessment rights, indemnification provisions, and data retention/deletion schedules. Given the settlement's focus on inadequate security and delayed notification, contracts may need amendments to mandate specific security controls (like multi-factor authentication), shorten notification windows (e.g., 72 hours), require regular third-party security audits, and impose clearer PHI handling and subprocessor management requirements to ensure compliance with state consumer protection and breach notification laws.

Contract Search Terms

HIPAA Business Associate Agreement | data encryption standards | incident response plan | breach notification timeline | security audit requirements | protected health information (PHI) handling | third-party security assessments | data retention policy | subprocessor management | security incident reporting

Laws Cited

state consumer protection laws | state breach notification laws | HIPAA

Violation Types

Entity Details

Entity

Blackbaud

Industry

Technology

Multistate Coalition

Official Sources

Source Evidence

Entity Name: "Blackbaud"
Fine Amount: "$49.5 million"
Laws Cited: "state consumer protection laws, breach notification laws, and the federal Health Insurance Portability and Accountability Act (“HIPAA”)"
Violation Types: "by failing to implement reasonable data security and remediate known security gaps, which allowed unauthorized persons to gain access to Blackbaud’s network, and then failing to provide its customers with timely, complete, or accurate information regarding the breach"

Related Enforcement Actions

CA

Blackbaud

$6.8M

California Attorney General Rob Bonta announced a $6.75 million settlement with software company Blackbaud over a 2020 data breach that exposed consumers' personal information including Social Security numbers, bank account details, and medical data. Blackbaud was found to have inadequate data security practices, failed to timely and accurately notify impacted individuals of the breach, and made misleading public disclosures about the breach and its pre-breach security measures. The settlement requires Blackbaud to pay penalties and implement enhanced data security and breach notification protocols.

NY

Blackbaud

$49.5M

Blackbaud, a cloud company providing donor management software, experienced a 2020 data breach exposing personal information of millions of donors through its nonprofit customers. A multistate investigation found Blackbaud failed to implement adequate data security and delayed breach notifications. As a result, Blackbaud agreed to pay $49.5 million and overhaul its security practices.

NJ

King Distribution LLC and 17 related retail businesses

$100K

New Jersey Attorney General Jennifer Davenport and the Division of Consumer Affairs announced a Consent Order with King Distribution LLC and 17 related retail smoke shops, resolving allegations that the companies illegally sold flavored vapor products in violation of New Jersey’s consumer protection laws. The Consent Order imposes a $100,000 civil penalty, requires reimbursement of $22,279 in investigation costs, and prohibits the companies from selling or distributing flavored vapor products in New Jersey. The enforcement action is part of New Jersey’s ongoing efforts to protect youth from flavored vape products, which have been permanently banned in the state since January 2020.

NJ

Titan Macro Finance

The New Jersey Bureau of Securities issued a Cease and Desist Order on April 30, 2026, against Titan Macro Finance for operating an investment fraud scheme via WhatsApp and Instagram that defrauded at least one New Jersey investor of $64,000. The scheme involved unregistered broker-dealer activity, fake trading profits, and undisclosed fees to access investor funds. The action was coordinated with the California Department of Financial Protection and Innovation, which issued a similar order against the entity for violating California’s Commodity Code.

NJ

Meta Platforms, Inc.

New Jersey Attorney General Jennifer Davenport and the Bureau of Securities issued a public warning to state residents about fraudulent investment schemes proliferating on Meta-owned platforms including Facebook, Instagram, and WhatsApp. The alert details common scam tactics such as pump-and-dump schemes, confidence scams, and fraudulent cryptocurrency offerings, and provides tips for residents to avoid victimization. No enforcement action against any entity was announced in this release.

NJ

New Jersey Landlords (general population, no specific entity named)

New Jersey Attorney General Jennifer Davenport led a bipartisan coalition of 27 state attorneys general in submitting a comment letter to the Federal Trade Commission urging federal rulemaking to regulate hidden and deceptive rental housing fees. The AG also issued guidance clarifying New Jersey’s new $50 rental application fee cap, effective May 1, 2026, warning that deceptive fee practices may violate the New Jersey Consumer Fraud Act. No specific enforcement action against a named individual entity was announced, with enforcement of the fee cap set to begin May 1, 2026.