Last week, the SEC announced settled charges against Blackbaud, Inc., a provider of donor data management software to non-profit organizations, for misleading disclosures and disclosure control failures. According to the SEC, in May 2020, employees at the company discovered evidence of a ransomware attack. After an investigation, the company announced the incident and advised affected customers—specifying that sensitive donor data was not involved. But just a couple of weeks later, the SEC alleged, company personnel learned that the attacker had, in fact, accessed sensitive donor data for a number of customers—including bank account and social security numbers. But—you guessed it—it’s disclosure controls again! The personnel with knowledge of the scope of the breach “did not communicate this to Blackbaud’s senior management responsible for disclosures, and the company did not have policies or procedures in place designed to ensure they do so.” As a result, the SEC claimed, the company filed a Form 10-Q that still omitted mention of the exfiltration of sensitive donor data and framed its cybersecurity risk factor disclosure as purely hypothetical. The SEC viewed Blackbaud’s disclosure as misleading and its disclosure controls as inadequate and imposed a civil penalty of $3 million. According to the Chief of SEC Enforcement’s Crypto Assets and Cyber Unit, “Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous…. Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so.”
As described in the SEC Order, Blackbaud provides software used by non-profits to “manage data about their donors, including identifying information, donation history, and financial information”; that is, central to its business is software that “managed sensitive financial and personal data.” In mid-May 2020, the SEC alleged, Blackbaud’s tech personnel detected unauthorized access to the company’s systems and found messages demanding a ransom, claiming that the attacker had exfiltrated customer data. It turned out to be over a million files. After an investigation conducted in consultation with a third-party cybersecurity firm and communications with the attacker, the Order claimed, the company paid a ransom in exchange for the attacker’s promise to delete the exfiltrated data. The company identified which products and customers were affected—over 13,000—but, the SEC alleged, did not have the content of any of the exfiltrated files analyzed.
In mid-July, according to the Order, the company announced the breach on its website and notified the affected customers, stating, in both cases—without having analyzed the content of the files—that “[t]he cybercriminal did not access . . . bank account information, or social security numbers.” Following the announcement and notice, the SEC claimed, Blackbaud received over a thousand communications from customers, many raising concerns about unencrypted sensitive data—including social security numbers and bank account information—that had been provided. As a result, the SEC alleged, company personnel conducted further analyses and, by the end of July 2020, confirmed that, for some donors, bank account information and social security numbers had been exfiltrated by the attacker. Of course, that was not consistent with the information disclosed by the company in mid-July. However, the SEC alleged, “the personnel with this information about the broader scope of the impacted data did not communicate this to Blackbaud’s senior management responsible for disclosures, and the company did not have policies or procedures in place designed to ensure they do so.”
As a result, according to the Order, on analyst calls at the end of July, when asked cybersecurity-related questions, the company did not address the nature of the data impacted. And, in its Form 10-Q filed August 4, the company’s discussion of the scope of the incident stated “only that ‘the cybercriminal removed a copy of a subset of data.’ In that discussion, the company made no reference to the attacker removing any sensitive donor data, and in particular made no mention of the exfiltration of donor social security numbers and bank account numbers.” The SEC viewed this omission as material, observing that the information conflicted with “the company’s unequivocal, and ultimately erroneous claims in the July 16, 2020 website post and customer notices.” In addition, even though the breach was disclosed in the Form 10-Q, the company’s cybersecurity risk factor in the same 10-Q—which specifically referred to the possible adverse effects of a cyberattack that “results in customer or donor personal or payment card data being obtained by unauthorized persons”—was framed in the hypothetical, omitting the “material fact that such customer or donor personal data was exfiltrated by the attacker.” (Emphasis added.) The SEC viewed these statements as misleading “because they perpetuated the false impression, started with the company’s earlier website post and customer notices, that the incident did not result in the attacker accessing highly sensitive donor data—data at the core of the company’s business as a service provider helping institutions manage donor relationships—when in fact the company’s personnel learned before August 4, 2020 that such data had been accessed and exfiltrated by the attacker.” Throughout this period, the company was selling shares under a registration statement on Form S-8.
In addition, the SEC alleged that, although Blackbaud’s primary business included providing software that managed sensitive financial and personal data, it did not have disclosure controls and procedures designed to ensure that information relevant to cybersecurity incidents and risks, including incidents involving the exposure of sensitive donor information, was communicated to the company’s senior management and other disclosure personnel. As a result, the SEC claimed, “relevant information related to the incident was never assessed from a disclosure perspective.”
Ultimately, at the end of September, the company filed a Form 8-K acknowledging that the attacker may have accessed sensitive donor data (social security numbers, bank account information, passwords) and sent supplemental notices to affected customers.
The SEC charged Blackbaud with securities fraud in violation of Sections 17(a)(2) and (3) of the Securities Act (which do not require scienter), and with filing misleading periodic reports in violation of Section 13(a) of the Exchange Act and Rule 13a-13 thereunder, as well as Rule 12b-20 of the Exchange Act. The SEC also charged that the company violated the disclosure controls and procedures provisions of Exchange Act Rule 13a-15(a). In settlement, the company agreed to pay $3 million as a civil penalty.
For more information about securities litigation, see the Cooley Securities Litigation + Enforcement blog.