On February 1, 2024, the Federal Trade Commission announced a complaint and proposed consent order against Blackbaud, Inc. concerning a 2020 data security incident that included a ransomware demand and payment. According to the FTC’s complaint, Blackbaud’s allegedly unfair and misleading conduct included not just deficient data security practices but also a delay in providing accurate notice to its business customers about the breach, including the inclusion of deceptive statements about the scope and severity of the breach in its initial notice to those customers.
The FTC highlighted that this case is the first time it has brought standalone Section 5 unfairness claims arising out of the alleged failure to (1) implement and enforce reasonable data retention practices and (2) accurately communicate the severity and scope of the breach.
Read the full Update here.
