The
The
Background
The breach underlying the complaint occurred in
The complaint notes that Blackbaud's investigation concluded that the attacker exfiltrated files containing millions of consumers' unencrypted personal information, including sensitive data, such as social security numbers, financial information, medical information, and religious beliefs. Blackbaud ultimately paid the attacker
FTC Allegations
Novel Unfairness Claims
The
Unfair Data Retention Practices
The
Unfair Inaccurate Breach Notification
The
"The cybercriminal did not access credit card information, bank account information or social security numbers....
No action is required on your end because no personal information about your constituents was accessed." (emphasis in original)
The complaint asserts that Blackbaud issued this customer breach notification after Blackbaud conducted "an exceedingly inadequate investigation." And, although Blackbaud allegedly confirmed on
Additional Claims
The
- Blackbaud's initial communication to consumers (discussed above) inaccurately stated that no consumers' personal information had been subject to the breach.
- Blackbaud's website privacy policy deceptively stated that the company would protect personal information by, among other things, maintaining "appropriate, physical, electronic and procedural safeguards."
- Blackbaud failed to adopt various reasonable measures to prevent unauthorized access to sensitive consumer data maintained by its networks, such as implementing appropriate password controls, applying adequate multifactor authentication for both employees and customers, and patching outdated software and systems in a timely manner.
The Order
The Order would, among other things, prohibit Blackbaud from making misrepresentations about its privacy and data security practices, require Blackbaud to implement a comprehensive information security program subject to biennial assessments, create and maintain a retention schedule for certain company records, and require the company's chief information security officer to submit annual compliance certifications. The Order also contains two requirements that are not commonly included in data security orders: (1) mandating that Blackbaud delete customer backup files containing consumers' personal information when those files are not being retained in connection with providing products or services to Blackbaud's customers (unless otherwise requested by their customers) and (2) obligating Blackbaud to make publicly available on its website(s), and adhere to, a retention schedule for customer backup files containing consumers' personal information that sets forth (a) the purpose(s) for which such personal information is maintained, (b) the specific needs for the company retaining such personal information, and (c) a set timeframe for deleting such personal information with no indefinite retention periods.
Takeaways for Businesses
The Order serves as an important reminder that lax data retention and deletion practices can significantly elevate a company's cybersecurity risk profile. Simply put, the more data a company keeps unnecessarily, the more data may be vulnerable to a security breach. The
The authors of this blog post and their colleagues in the Arnold & Porter Privacy, Cybersecurity & Data Strategy practice group are available to provide counsel on the
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
Ms
Arnold & Porter
601 Mass. Ave., NW
DC 20001-3743
Tel: 202942.5000
Fax: 202942.5999
E-mail: anna.shelkin@arnoldporter.com
URL: www.arnoldporter.com
© Mondaq Ltd, 2024 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source