A company that supplies cloud fundraising and accounting software to the charity and not-for-profit sector announced yesterday that it experienced a ransomware attack in May 2020. Blackbaud is the company behind such programs as Raiser’s Edge NXT, eTapestry, and The Financial Edge. The company’s press release discussing the breach can be found on their website.
Blackbaud’s affected clients should have received a notification with the specific details of what data may have been impacted. That being said, we are encouraging charities and not-for-profit organizations to verify whether they have used, or are currently using, any Blackbaud software and to contact Blackbaud for confirmation regardless of whether or not they received a notification.
If your organization was affected, you should take the following steps: 1) understand the contents of the notification and obtain clarification from Blackbaud if you do not; 2) understand the nature of the information at issue, whether any personal information was at risk, and assess your organization’s legal requirements as an entity “in control” of the information that was breached; and 3) assess whether your organization has a legal or other obligation to notify any individuals, including donors, or other affected individuals of the breach.
Your organization must understand that while Blackbaud is its service provider, any potential legal or contractual obligations, including potential notification requirements with respect to the particular individuals involved or reports to Privacy Commissioners, likely fall on the particular charity or not-for-profit organization.
Moreover, regardless of the type of software they use, charities and not-for-profits must ensure they have their own internal policies and practices to safeguard against cybersecurity incidents, and must take steps to inquire with their service providers about how they protect data.
If your organization was affected, or your organization was not affected but would like to ensure it is better protected, we can assist. Please reach out to the authors or any member of our Social Impact or Privacy, Cybersecurity, and Technology Law teams. More information about our teams can be found on Miller Thomson LLP’s website.