Ransomware attack on cloud-services provider affects charities and not-for-profits

17 juillet 2020 | Nicole K. D’Aoust, David Krebs

( Disponible en anglais seulement )

A company that supplies cloud fundraising and accounting software to the charity and not-for-profit sector announced yesterday that it experienced a ransomware attack in May 2020.  Blackbaud is the company behind such programs as Raiser’s Edge NXT, eTapestry, and The Financial Edge. The company’s press release discussing the breach can be found on their website.

Blackbaud’s affected clients should have received a notification with the specific details of what data may have been impacted.  That being said, we are encouraging charities and not-for-profit organizations to verify whether they have used, or are currently using, any Blackbaud software and to contact Blackbaud for confirmation regardless of whether or not they received a notification.

If your organization was affected, you should take the following steps : 1) understand the contents of the notification and obtain clarification from Blackbaud if you do not; 2) understand the nature of the information at issue, whether any personal information was at risk, and assess your organization’s legal requirements as an entity “in control” of the information that was breached; and 3) assess whether your organization has a legal or other obligation to notify any individuals, including donors, or other affected individuals of the breach.

Your organization must understand that while Blackbaud is its service provider, any potential legal or contractual obligations, including potential notification requirements with respect to the particular individuals involved or reports to Privacy Commissioners, likely fall on the particular charity or not-for-profit organization.

Moreover, regardless of the type of software your organization uses, charities and not-for-profits must ensure they have their own internal policies and practices to safeguard against cybersecurity incidents and take steps to inquire with their service providers how they protect data.

If your organization was affected, or your organization was not affected but would like to ensure it is better protected, we can assist.  Please reach out to the authors or any member of our Social Impact or Privacy, Cybersecurity, and Technology Law teams.  More information about our teams can be found on Miller Thomson LLP’s website.

Avis de non-responsabilité

Cette publication est fournie à titre informatif uniquement. Elle peut contenir des éléments provenant d'autres sources et nous ne garantissons pas son exactitude. Cette publication n'est ni un avis ni un conseil juridique.

Miller Thomson S.E.N.C.R.L., s.r.l. utilise vos coordonnées dans le but de vous envoyer des communications électroniques portant sur des questions juridiques, des séminaires ou des événements susceptibles de vous intéresser. Si vous avez des questions concernant nos pratiques d'information ou nos obligations en vertu de la Loi canadienne anti-pourriel, veuillez faire parvenir un courriel à privacy@millerthomson.com.

© 2023 Miller Thomson S.E.N.C.R.L., s.r.l. Cette publication peut être reproduite et distribuée intégralement sous réserve qu'aucune modification n'y soit apportée, que ce soit dans sa forme ou son contenu. Toute autre forme de reproduction ou de distribution nécessite le consentement écrit préalable de Miller Thomson S.E.N.C.R.L., s.r.l. qui peut être obtenu en faisant parvenir un courriel à newsletters@millerthomson.com.