Blackbaud has to cough up a few million dollars more over 2020 ransomware attack

Months after escaping without a fine from the US Federal Trade Commission (FTC), the luck of cloud software biz Blackbaud ran out when it came to reaching a settlement with California's attorney general. The developer of apps for education, charity, and non-profit organizations will have to pay $6.75 million after Rob Bonta …

  1. An_Old_Dog Silver badge

    Logotypes

    When Blackbaud advertised in printed magazines, their logo was a black pirate ship. Hmm ...

  2. sitta_europea

    The fine was 0.61% of Blackbaud's 2022 revenue.

    Well that'll teach 'em!

    I'd be charged more than that if I overstayed in Lidl's car park.

  3. sitta_europea

    The seven pages of the FTC's complaint against Blackbaud are well worth a read.

    Some highlights:

    ==============================================================================================

    Count I – Blackbaud’s Unfair Information Security Practices

    ... Blackbaud failed to take reasonable steps to prevent unauthorized access to sensitive consumer data ...

    ... Blackbaud’s actions caused or are likely to cause substantial injury to consumers ...

    Count II – Blackbaud’s Unfair Data Retention Practices

    ... Blackbaud failed to implement and enforce reasonable data retention practices for sensitive consumer data ...

    ... Blackbaud’s actions caused or are likely to cause substantial injury to consumers ...

    Count III – Blackbaud’s Unfair Inaccurate Breach Notification

    ... Blackbaud failed to accurately communicate the scope and severity of the breach ...

    ... Blackbaud’s actions caused or are likely to cause substantial injury to consumers ...

    Count IV – Blackbaud’s Deceptive Security Statements

    ... Blackbaud has represented ... that they used appropriate safeguards to protect consumers’ ...

    ... In truth ... Blackbaud did not maintain appropriate safeguards ...

    ... the representation ... is false or misleading.

    Count V – Blackbaud’s Deceptive Initial Breach Notification

    ... Blackbaud has represented ... that consumers’ personal information had not been subject to the breach ...

    ... In truth ... consumers’ personal information had been exfiltrated by the attacker ...

    ... the representation ... is false or misleading.

    ==============================================================================================

    If I'd done all that I'd *expect* to go to jail.

    Obviously it's one rule for muggins, and no rules at all, really, for billion-dollar companies.
