June 9, 2023

Volume XIII, Number 160

SEC Charges Software Company for Downplaying Scope of Ransomware Attack in Public Disclosures

Last week, the U.S. Securities and Exchange Commission (“SEC”) announced a settlement with Blackbaud, Inc., a software provider, for making misleading disclosures about a 2020 ransomware attack that impacted more than 13,000 of its customers.  The recent charges continue a flurry of activity from the SEC Enforcement Division’s Crypto Assets and Cyber Unit related to cybersecurity incidents.

According to the SEC’s findings, Blackbaud discovered it was the victim of a ransomware attack in May 2020.  Blackbaud provides software to non-profit organizations to allow those organizations to manage data about their donors and donations.  The company’s investigation into the cyberattack indicated that the attack resulted in the unauthorized access—and exfiltration—of over a million files concerning over 13,000 of Blackbaud’s customers.  Sometime in July 2020, Blackbaud learned that the attack resulted in the access of unencrypted donor bank account information and social security numbers for certain of the impacted customers—contrary to the disclosure on Blackbaud’s website posted days earlier.

The SEC’s involvement stems from Blackbaud’s August 2020 10-Q filing that discussed the ransomware attack, but “omitted [] material information about the scope of the attack, and misleadingly characterized the risk of exfiltration of [] sensitive donor information as hypothetical.”  In particular, the company stated (i) as to the specific incident, that the attacker simply “removed a copy of a subset of data” and (ii) as to cybersecurity risks generally, a compromise of donor information “could adversely affect” the company’s operations.  According to the SEC, such statements were misleading “because they perpetuated the false impression . . . that the incident did not result in the attacker accessing highly sensitive donor data.”  The SEC charged Blackbaud with violations of Sections 17(a)(2) and (3) of the Securities Act.

As announced last week, the company agreed to settle the charges for $3,000,000.  While this incident has likely been put to rest, the SEC has shown no signs of slowing down its enforcement actions against companies related to cybersecurity and data privacy.  Privacy World will be here to monitor for the next action.  Stay tuned.

© Copyright 2023 Squire Patton Boggs (US) LLP. National Law Review, Volume XIII, Number 74

About this Author

Kristin L. Bryan Litigation Attorney Squire Patton Boggs Cleveland, OH & New York, NY
Senior Associate

Kristin Bryan is a litigator experienced in the efficient resolution of contract, commercial and complex business disputes, including multidistrict litigation and putative class actions, in courts nationwide.

She has successfully represented Fortune 15 clients in high-stakes cases involving a wide range of subject matters.

As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing business-oriented privacy advice to a wide range of clients, with a particular focus on companies handling customers’ personal data. In this...

James M. Brennan Litigation Lawyer Squire Patton Boggs

James (Jim) Brennan is an associate in the Litigation Practice Group, where he represents clients in complex commercial litigation matters in state and federal courts. Prior to joining the firm, Jim clerked for Chief Judge D. Brooks Smith of the US Court of Appeals for the Third Circuit. Before that, he was an associate at an AmLaw 100 law firm in New York City.