Settlement | Critical Risk | Multistate

Multistate Coalition Fines Blackbaud $49.5M for Data Breach Failures

Blackbaud | October 5, 2023 | New York Attorney General

Penalty Amount

$49,500,000

Summary

Blackbaud, a cloud company providing donor management software, experienced a 2020 data breach exposing personal information of millions of donors through its nonprofit customers. A multistate investigation found Blackbaud failed to implement adequate data security and delayed breach notifications. As a result, Blackbaud agreed to pay $49.5 million and overhaul its security practices.

Remedy

Blackbaud must pay $49.5 million to the states, implement and maintain incident response plans, enhance security measures including encryption and monitoring, undergo third-party assessments for seven years, and discontinue misrepresentations about data safety.

Monetary Penalty, Consent Decree, Injunction, Audit Requirement, Compliance Program, Corrective Notice

Contract Impact

In-house legal teams should review all vendor and data processing agreements with cloud service providers and SaaS vendors, particularly those handling sensitive donor, customer, or constituent data. Focus on clauses governing data security obligations (e.g., specific security frameworks, encryption, access controls), breach notification requirements (including timelines and content), audit and inspection rights, indemnification for data breaches, and limitations of liability. Given the findings of inadequate security and delayed notification, contracts should be amended to include more prescriptive security controls, shorter notification windows (e.g., 72 hours), mandatory reporting of security audits, and clear remedies for non-compliance. Additionally, review customer agreements to ensure robust data protection commitments are flowed down to end-users.

Contract Search Terms

data security standards, breach notification timeline, indemnification clause, audit rights, encryption requirements, data processing agreement, subprocessor management, incident response plan, data retention and deletion, liability caps

Laws Cited

state consumer protection laws, breach notification laws, HIPAA

Violation Types

Entity Details

Entity

Blackbaud

Industry

Technology

Multistate Coalition

Official Sources

Source Evidence

Entity Name: "Blackbaud"
Fine Amount: "$49.5 million"
Laws Cited: "state consumer protection laws, breach notification laws, and HIPAA"
Violation Types: "failed to implement reasonable data security and fix known security gaps"
Violation Types: "neglected to provide its customers with timely, complete, or accurate information regarding the breach"

Related Enforcement Actions

CA

Blackbaud

$6.8M

California Attorney General Rob Bonta announced a $6.75 million settlement with software company Blackbaud over a 2020 data breach that exposed consumers' personal information including Social Security numbers, bank account details, and medical data. Blackbaud was found to have inadequate data security practices, failed to timely and accurately notify impacted individuals of the breach, and made misleading public disclosures about the breach and its pre-breach security measures. The settlement requires Blackbaud to pay penalties and implement enhanced data security and breach notification protocols.

NJ

Blackbaud

$49.5M

Blackbaud, a software company, experienced a ransomware attack in 2020 that exposed sensitive personal information, including protected health data, due to inadequate security practices and delayed breach notification. A multistate investigation resulted in a $49.5 million settlement, requiring Blackbaud to enhance data security, implement breach response plans, and undergo third-party assessments.

NY

No specific entity cited

New York Attorney General Letitia James issued a consumer alert on May 18, 2026, warning businesses against engaging in price gouging on transportation services during the Long Island Rail Road strike. The alert reminds businesses that New York’s price gouging laws prohibit unconscionable price increases on essential goods and services during market disruptions, with potential penalties of up to $25,000 per violation. No specific enforcement action against a particular entity was announced, only a general warning for businesses and a call for consumers to report suspected price gouging.

NY

N/A

New York Attorney General Letitia James issued a consumer alert on May 18, 2026, warning residents of potential price gouging by transportation service providers during the Long Island Rail Road strike. The alert reminds businesses that New York’s price gouging laws prohibit unconscionable price increases on essential services like transportation during market disruptions. No specific privacy violations or enforcement actions against individual entities were announced in the alert.

NY

N/A

This press release announces New York Attorney General Letitia James leading a coalition of 21 state attorneys general, the District of Columbia, and Pennsylvania’s Governor in filing an amicus brief with the U.S. Supreme Court to stay a Fifth Circuit ruling that would reinstate in-person dispensing requirements for mifepristone, a medication used for abortion. The coalition argues the ruling is scientifically unsupported, would restrict telehealth access to reproductive care, and undermines state sovereignty over abortion policy post-Dobbs. This is not a privacy-related enforcement action, as the content addresses reproductive health policy rather than data privacy violations.

NY

Uphold HQ, Inc.

$5.0M

New York Attorney General Letitia James secured a $5 million settlement from cryptocurrency platform Uphold HQ, Inc. for promoting Cred’s fraudulent CredEarn investment product as safe and reliable, when Cred was making risky loans to uncreditworthy borrowers in China. Uphold also falsely claimed Cred had comprehensive insurance and promoted the product without registering as a broker or commodity broker-dealer under New York law. As part of the settlement, Uphold will pay $5 million to harmed investors, remit $545,189 from Cred’s bankruptcy to customers, improve due diligence policies for third-party products, and register as a broker with the OAG.