SEC Charges Software Company for Downplaying Scope of Ransomware Attack in Public Disclosures
Last week, the U.S. Securities and Exchange Commission (“SEC”) announced a settlement with Blackbaud, Inc., a software provider, for making misleading disclosures about a 2020 ransomware attack that impacted more than 13,000 of its customers. The recent charges continue a flurry of activity from the SEC Enforcement Division’s Crypto Assets and Cyber Unit related to cybersecurity incidents.
According to the SEC’s findings, Blackbaud discovered it was the victim of a ransomware attack in May 2020. Blackbaud provides software to non-profit organizations to allow those organizations to manage data about their donors and donations. The company’s investigation into the cyberattack indicated that the attack resulted in the unauthorized access—and exfiltration—of over a million files concerning over 13,000 of Blackbaud’s customers. Sometime in July 2020, Blackbaud learned that the attack resulted in the access of unencrypted donor bank account information and social security numbers for certain of the impacted customers—contrary to the disclosure on Blackbaud’s website posted days earlier.
The SEC’s involvement stems from Blackbaud’s August 2020 10-Q filing that discussed the ransomware attack, but “omitted material information about the scope of the attack, and misleadingly characterized the risk of exfiltration of sensitive donor information as hypothetical.” In particular, the company stated (i) as to the specific incident, that the attacker simply “removed a copy of a subset of data” and (ii) as to cybersecurity risks generally, that a compromise of donor information “could adversely affect” the company’s operations. According to the SEC, such statements were misleading “because they perpetuated the false impression . . . that the incident did not result in the attacker accessing highly sensitive donor data.” The SEC charged Blackbaud with violations of Sections 17(a)(2) and (3) of the Securities Act.
As announced last week, the company agreed to settle the charges for $3,000,000. While this incident has likely been put to rest, the SEC has shown no signs of slowing down its enforcement actions against companies related to cybersecurity and data privacy. Privacy World will be here to monitor for the next action. Stay tuned.